A chain is a sequence of findings that, taken together, produce a business-impact outcome — turning one bug into the path an attacker would actually walk. Chains are a primary output of Pentrova and the object your team will reason about day-to-day.

What a chain shows you

A chain shows the ordered steps from the first foothold to the final impact, the evidence behind each step, and the resulting impact statement (for example, “account takeover” or “instance credential exposure”). Each step carries its own captured request/response so the path is auditable end to end.

Curated and dynamic

Pentrova ships a curated catalog of escalation chains that encode well-understood attacker sequences — to file read to RCE, to cloud metadata, LFI to RCE, to , to RCE, to account takeover. When the catalog does not already encode a path between two findings, Pentrova builds the chain dynamically at scan time. Both kinds are held to the same evidence standard.

Chains vs findings

A chain is reported when its impact is substantiated by evidence. A chain that cannot be completed against the target is not reported. Evidence first, always.

Last updated: May 31, 2026