Engineering · 7 min read

Understanding Blast Radius: Why Graph-Based Security Matters

Traditional security tools scan in isolation. EchelonGraph uses graph databases to answer the question every CISO asks: 'If this one server gets compromised, what else is at risk?'


EchelonGraph Team

Security Research

What Is Blast Radius?

In cloud security, blast radius refers to the scope of damage that could result from a single security incident. If an EC2 instance gets compromised, what other resources can the attacker reach? What data can they exfiltrate? How far can they move laterally?

Traditional security tools can't answer this question because they scan resources in isolation. They'll tell you that a server has an unpatched CVE, but they won't tell you that the server has a security group rule allowing access to an RDS instance that stores customer PII, which has a cross-account IAM role granting access to an S3 bucket containing financial reports.

Why Graphs?

The breakthrough insight behind EchelonGraph is that cloud infrastructure is fundamentally a graph problem. Resources are nodes. Connections between them — network routes, IAM permissions, VPC peering, security group rules — are edges.

Once you model your infrastructure as a graph, blast radius becomes a simple graph traversal:

MATCH p = allShortestPaths(
  (entry:Asset {internet_facing: true})-[*..10]->(target:Asset {sensitive: true})
)
WHERE entry.tenant_id = $tid
RETURN p
ORDER BY p.risk_score DESC
LIMIT 100

This Cypher query finds all shortest paths from internet-facing entry points to sensitive data stores, traversing up to 10 hops through VPC topology, security groups, IAM roles, and Kubernetes network policies.

Real-World Example

Consider a typical AWS deployment:

  • An ALB exposes port 443 to the internet
  • The ALB forwards to an ECS service running a web application
  • The ECS service has an IAM task role with permissions to read from S3
  • The S3 bucket contains customer data backups
  • The same IAM role has sts:AssumeRole permission to a cross-account role
  • The cross-account role has rds:* permissions on a production RDS instance

A traditional scanner would flag the ALB's SSL certificate expiry and the ECS task's overly permissive IAM role separately. EchelonGraph connects the dots: a single exploited web vulnerability could cascade through 6 hops to reach production databases in another AWS account.

Attack Path Analysis

EchelonGraph goes beyond simple blast radius to identify exploitable attack paths. Our attack path engine uses BFS graph traversal with 4 edge types:

  • EXPLOITABLE_FROM: CVE on a reachable service
  • LATERAL_MOVE: Network connectivity (VPC, security group, firewall rule)
  • PRIVILEGE_ESCALATION: IAM permission granting elevated access
  • DATA_EXFILTRATION: Access to sensitive data stores

Each path gets a risk score: CVSS × exposure × asset_criticality. The engine also identifies optimal remediation nodes — fix one asset to block the maximum number of attack paths.
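As an added illustration, not EchelonGraph's own engine, the following Python script runs the BFS described above over a small constructed graph of the AWS example in this post, scores each path with CVSS × exposure × asset_criticality, and picks the intermediate asset that lies on the most attack paths. The asset names, the exposure and criticality weights, and the baseline CVSS factor of 1.0 for paths with no CVE hop are assumptions made for the example.

```python
from collections import deque, namedtuple
# Constructed toy graph modelled on the AWS example in this post (not EchelonGraph data).
Asset = namedtuple("Asset", "internet_facing sensitive exposure criticality")
ASSETS = {
    "alb":        Asset(True,  False, 1.0, 1.0),  # public 443 listener
    "lambda_url": Asset(True,  False, 0.5, 1.0),  # public function URL, lower exposure weight
    "ecs_task":   Asset(False, False, 0.0, 2.0),
    "task_role":  Asset(False, False, 0.0, 2.0),  # IAM task role, also attached to the Lambda
    "xacct_role": Asset(False, False, 0.0, 3.0),  # cross-account role reached via sts:AssumeRole
    "s3_backups": Asset(False, True,  0.0, 4.0),  # customer data backups
    "rds_prod":   Asset(False, True,  0.0, 8.0),  # production database in the other account
}
EDGES = [  # (source, target, edge_type, cvss); cvss is only set on EXPLOITABLE_FROM edges
    ("alb", "ecs_task", "EXPLOITABLE_FROM", 9.8),  # RCE in the web app behind the ALB
    ("ecs_task", "task_role", "PRIVILEGE_ESCALATION", 0.0),
    ("lambda_url", "task_role", "PRIVILEGE_ESCALATION", 0.0),
    ("task_role", "s3_backups", "DATA_EXFILTRATION", 0.0),
    ("task_role", "xacct_role", "PRIVILEGE_ESCALATION", 0.0),
    ("xacct_role", "rds_prod", "DATA_EXFILTRATION", 0.0),  # rds:* on the production instance
]
def risk_score(path, worst_cvss, assets=ASSETS):
    """CVSS x exposure x asset_criticality; paths with no CVE hop use a baseline factor of 1.0."""
    cvss = worst_cvss if worst_cvss > 0 else 1.0  # baseline is a constructed convention
    return cvss * assets[path[0]].exposure * assets[path[-1]].criticality
def attack_paths(assets=ASSETS, edges=EDGES, max_hops=10):
    """BFS over simple paths from internet-facing assets; returns (score, path) per sensitive target."""
    adj = {}
    for src, dst, etype, cvss in edges:
        adj.setdefault(src, []).append((dst, etype, cvss))
    found = []
    queue = deque(([e], 0.0) for e, a in assets.items() if a.internet_facing)
    while queue:
        path, worst = queue.popleft()  # worst = highest CVSS exploited so far on this path
        if len(path) - 1 >= max_hops:
            continue
        for dst, etype, cvss in adj.get(path[-1], []):
            if dst in path:  # simple paths only
                continue
            w = max(worst, cvss) if etype == "EXPLOITABLE_FROM" else worst
            if assets[dst].sensitive:
                found.append((risk_score(path + [dst], w, assets), path + [dst]))
            queue.append((path + [dst], w))  # keep walking: a data store can lead further
    return sorted(found, key=lambda s: (-s[0], s[1]))
def best_remediation(paths):
    """Intermediate asset lying on the most attack paths; fixing it blocks all of them."""
    counts = {}
    for _, path in paths:
        for node in path[1:-1]:
            counts[node] = counts.get(node, 0) + 1
    return max(sorted(counts), key=counts.get), counts  # deterministic tie-break by name
```

On this graph the shared task role is the single best fix: every one of the four paths runs through it, while the web app CVE alone only covers the two paths entering via the ALB.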

Getting Started

Try EchelonGraph free. Connect your AWS, GCP, or Azure account and see your blast radius in under 60 seconds.
