14. EvoGraph Attack Chain Evolution
EvoGraph (Evolutive Attack Chain Graph) is RedAmon's persistent, evolutionary graph that tracks everything the AI agent does during exploitation sessions. While the Attack Surface Graph captures what exists on the target, EvoGraph captures what the agent did about it — every tool execution, every discovery, every failure, every strategic decision — across the entire attack lifecycle.
Every time you chat with the AI agent, EvoGraph builds a structured record of the session in Neo4j. This is not a flat log — it's a graph where steps link to findings, findings link to CVEs, failures record lessons learned, and decisions capture strategic turns. Everything is connected, queryable, and persistent across sessions.
The key insight: each new session starts with the accumulated intelligence from all prior sessions. The agent knows what was tried before, what worked, and what failed — so it builds on prior work rather than starting from scratch.
Each chat conversation with the AI agent creates an AttackChain — the root node that represents the session. As the agent works:
- You send a message — the agent creates an AttackChain node linked to the target (IP, domain, CVE)
- The agent uses a tool — each tool execution creates a ChainStep node, linked sequentially via NEXT_STEP
- Something is discovered — a ChainFinding node branches off the step (credential found, vulnerability confirmed, exploit succeeded)
- Something fails — a ChainFailure node records what went wrong and what lesson was learned
- A phase transition happens — a ChainDecision node records the strategic turn (informational → exploitation, user approved/rejected)
- The session ends — the AttackChain is updated with the final outcome, step counts, and phases reached
| Node | What It Captures | Created When |
|---|---|---|
| AttackChain | The session itself — objective, target, status, outcome | You start a new conversation with the agent |
| ChainStep | A single tool execution — what tool, what arguments, what result | Each time the agent uses a tool (metasploit_console, query_graph, kali_shell, etc.) |
| ChainFinding | Important intelligence — vulnerabilities found, credentials discovered, exploit successes | The agent discovers something significant during a step |
| ChainDecision | A decision point — phase transitions, strategy changes | You approve or reject a phase transition |
| ChainFailure | A failed attempt — what was tried, why it failed, what lesson was learned | A tool execution fails or an exploit doesn't work |
Findings are classified by type and severity (critical / high / medium / low / info):
| Type | Example |
|---|---|
vulnerability_confirmed |
"CVE-2021-41773 confirmed exploitable on target" |
credential_found |
"root:toor discovered via SSH brute force" |
exploit_success |
"Meterpreter session 1 opened on 192.168.1.1:443" |
access_gained |
"SSH shell established as admin user" |
exploit_module_found |
"exploit/multi/http/apache_normalize_path_rce matches target" |
service_identified |
"Internal MySQL discovered on port 3306" |
defense_detected |
"WAF detected, blocking payloads" |
EvoGraph and the recon graph are connected through bridge relationships — typed connections that link attack chain activity to the infrastructure it targets:
| What Happens | Bridge Created | Example |
|---|---|---|
| Agent targets an IP |
CHAIN_TARGETS / STEP_TARGETED → IP |
AttackChain → 192.168.1.1 |
| Agent exploits a CVE |
STEP_EXPLOITED → CVE |
ChainStep → CVE-2021-41773 |
| Finding relates to an IP |
FOUND_ON → IP / Subdomain |
ChainFinding → target.example.com |
| Finding relates to a CVE |
FINDING_RELATES_CVE → CVE |
ChainFinding → CVE-2021-41773 |
| Credential found for a service |
CREDENTIAL_FOR → Service / Port |
ChainFinding → SSH on port 22 |
This means you can:
- Click on any IP in the graph and see all attack chains that targeted it
- View which CVEs have been successfully exploited across all sessions
- See the full history of attempts against any part of your attack surface
- Trace from a credential finding back to the exact step and tool that discovered it
This is the most powerful feature of EvoGraph. When you start a new agent session, the agent automatically loads summaries of previous sessions for the same project:
- Objectives — what was attempted in prior sessions
- Key findings — critical and high-severity discoveries (credentials, exploit successes, confirmed vulnerabilities)
- Failure lessons — what was tried and why it failed ("rockyou-top1000 wordlist insufficient for SSH", "port 80 filtered, use 443 instead")
- Outcomes — whether previous chains succeeded or were aborted
This context is injected into the agent's system prompt before the first reasoning step, so the agent starts with accumulated intelligence rather than a blank slate.
Example: If Session A discovered that port 80 is filtered and SSH brute force with a small wordlist failed, Session B will:
- Skip port 80 and try port 443 directly
- Use a larger wordlist for SSH
- Build on any credentials or access already discovered
EvoGraph uses a dual-recording pattern for maximum reliability:
| Layer | Purpose | Speed | Persistence |
|---|---|---|---|
| In-memory lists (AgentState) | Fast working memory for the current session's LLM context | Instant | Session only |
| Neo4j graph (EvoGraph) | Long-term persistent memory for cross-session queries | Async (fire-and-forget) | Permanent |
Both are populated at the same moment — when the agent analyzes a tool's output. The in-memory lists are used by format_chain_context() to build the structured prompt that the LLM sees every iteration. The Neo4j graph is used by query_prior_chains() to load cross-session context at the start of new sessions.
This means:
- The agent's reasoning is never blocked by a slow or unavailable graph database
- The graph writes are idempotent (MERGE operations) so retries are safe
- Cross-session learning works even if the current session's in-memory data is cleared
You can ask the AI agent about attack chain history through the chat interface:
- "What attack chains have been run against this project?"
- "What findings were discovered in previous sessions?"
- "What exploits have succeeded on 10.0.0.5?"
- "What approaches failed against the SSH service?"
- "Show me all credentials found across all sessions"
The agent translates these into Cypher queries against the EvoGraph in Neo4j and returns structured summaries.
Instead of showing the LLM a flat chronological list of every tool execution, EvoGraph structures the session context into four semantic sections:
- Findings — what has been discovered, sorted by severity (critical first)
- Failed Attempts — what went wrong and what lesson was learned
- Decisions — strategic turns (phase transitions, strategy changes)
- Recent Steps — only the last 5 tool executions in compact form
This means the LLM sees the most important information first — key discoveries and lessons learned — rather than having to scan through dozens of identical-looking step entries to find what matters.
For full implementation details, see:
- Agentic System Documentation — EvoGraph section — complete node taxonomy, mermaid diagrams, relationship tables, dual memory architecture, orchestrator integration, and data flow
-
Attack Paths Architecture — how attack path classification (
cve_exploit,brute_force_credential_guess, unclassified) maps to theattack_path_typeproperty on AttackChain nodes
- AI Agent Guide — learn how to use the agent that builds these chains
- Attack Surface Graph — understand the recon graph that EvoGraph bridges to
- The Graph Dashboard — explore the graph visualization