Security Center: View and handle attack risks

Last Updated: Mar 31, 2026

Attack Management uses attack path graphs to show how attackers could breach your environment—from an Internet-exposed entry point, through lateral movement, to a high-value internal target. Use this page to prioritize remediation, investigate path details, and suppress confirmed false positives with whitelist policies.

Prerequisites

Before you begin, make sure you have:

  • Access to the Security Center console with the required permissions

  • Assets managed in Security Center

Key concepts

  • Attack path: A potential attack sequence that Security Center deduces based on asset associations, network reachability, and vulnerabilities or risky configurations on your assets. An attack path represents a deduced potential risk, not an actual attack event.

  • Start asset: Usually an asset exposed to the Internet, such as an ECS instance with a public IP address. It serves as the attacker's entry point.

  • Destination asset: Usually a high-value internal asset, such as a core database or an internal application server. It is the target the attacker wants to control or extract data from.

View the overall attack risk posture

The Attack Surface tab gives you a snapshot of your environment's overall exposure.

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland. In the left navigation pane, choose Risk Governance > Attack Management.

  2. On the Attack Surface tab, review the following sections:

    • Top 5 Risk Paths: Lists the five highest-risk attack paths, ranked by a comprehensive risk score that factors in vulnerability severity, asset importance, and exposure scope. Preview an Attack Path inline, or click View Now to open the risk details page.

    • Attack Path Type: Shows the distribution of attack path types—such as intrusions from Internet exposure, lateral movement through cloud product access, and lateral movement through host vulnerabilities—so you can identify the dominant risk patterns in your environment.

    • Assets:

      • At-risk Asset Type: Breaks down the types of assets involved in active attack risks and their relative percentages.

      • Top 10 Exposed Component: Lists the ten components with the highest exposure risk, helping you pinpoint specific sources of risk.

      • Exposure Method: Shows how assets are exposed—for example, directly via a public IP address or indirectly through Server Load Balancer (SLB). For more information, see Attack Surface Management overview.

Analyze and remediate attack risks

View attack risk details

  1. Go to the Attack Risk tab, locate the target asset, and click Details in the Actions column.

  2. On the risk details page, two sections are available:

    • Paths: Lists all attack paths for the current risk. Each entry represents a complete attack chain from a start asset to a destination asset.

    • Attack Path: Click an attack name in Paths to display the corresponding attack path graphically. Click any path node to view its associated details, including Basic Information, Exposed Component, Vulnerability Details, Alert Handling, Agentless Detection, and CSPM.

Handle attack risks

Choose a remediation approach based on the nature of the risk:

Scenario | Recommended approach | Where to start
The risk has an identifiable root cause (vulnerability, misconfiguration, or network exposure) | Remediate and reinforce | Click the path node in Attack Path
The attack path is complex and you need automated analysis | AI Analysis | Click AI Analysis in the expanded attack description
The risk is a confirmed false positive or an acceptable risk | Add to Whitelist | Click Handle in the expanded attack description

Remediate and reinforce

Click a path node in the Attack Path section and address each risk point:

  • Vulnerability Details: Click the vulnerability name or the handling button to go to the Vulnerability Management module. Follow the remediation suggestions to fix the vulnerability.

  • CSPM: Click the risk item to go to the Cloud Security Posture Management (CSPM) module and apply the recommended configuration reinforcement.

  • Network exposure: If a security group opens vulnerable ports to the Internet, go to the ECS or VPC console and tighten the security group rules. Restrict access to specific trusted IP addresses.
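The security group check in the last item can be scripted before you change anything in the console. The following is an added example, not Security Center or ECS code: the rule field names are modelled on ECS security group rule attributes, and the port list, sample rules, and trusted CIDR are assumptions constructed for illustration.

```python
import ipaddress

# Assumption for this example: the ports your team treats as "vulnerable".
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 6379: "Redis"}

# Constructed sample rules; field names are modelled on ECS security group
# rule attributes and are assumptions here.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]

def exposed_ports(rule):
    """Sensitive ports that this rule opens to the whole Internet."""
    if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
        return []
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return []
    cidr = rule.get("SourceCidrIp") or ""
    if not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
        return []  # source is already limited to a specific range
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    if lo == -1:  # "-1/-1" means every port
        lo, hi = 1, 65535
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)

def audit(rules):
    """Return (rule index, exposed sensitive ports) for each risky rule."""
    return [(i, ports) for i, r in enumerate(rules) if (ports := exposed_ports(r))]

def tighten(rules, trusted_cidrs):
    """Replace each risky rule with copies scoped to the trusted CIDRs."""
    out = []
    for r in rules:
        if exposed_ports(r):
            out.extend(dict(r, SourceCidrIp=c) for c in trusted_cidrs)
        else:
            out.append(r)
    return out

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
    print(audit(tighten(SAMPLE_RULES, ["198.51.100.10/32"])))
```

The HTTPS rule and the already-restricted MySQL rule pass the audit unchanged; only rules that pair a whole-Internet source with a sensitive port are rewritten.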

Use AI Analysis

For complex attack paths, the Security AI Assistant can generate an automated analysis with step-by-step remediation guidance.

  1. On the risk details page, click an attack name in Paths.

  2. In the expanded attack description section, click AI Analysis.

The Security AI Assistant analyzes the attack path and generates Remediation Suggestions that include:

  • Attack path overview: A summary of how the attack path was formed and the basis for its determination.

  • Attack path analysis: A detailed breakdown of the path formation and the evidence behind it.

  • Affected assets and risk assessment: An assessment of the affected instances and their risk levels.

  • Remediation suggestions: Step-by-step instructions for resolving the risk.

Add to whitelist

Important

Adding a path to the whitelist does not fix the underlying risk. Use this option only for confirmed false positives or risks your team has explicitly accepted. After whitelisting, Security Center stops generating risk alerts for the path from the current Source Assets to the Destination Assets.

  1. On the risk details page, click an attack name in Paths.

  2. In the expanded attack description section, click Handle. In the panel that appears, set Disposition to Add to Whitelist.

  3. Configure the following fields:

    Field | Description
    Effective Assets | Defaults to the start and destination assets of the current attack path
    Whitelist Policy Name | Enter a descriptive name that reflects your business context, for easier maintenance

  4. To view and manage whitelisted entries, click Scan Policy in the upper-right corner of the Attack Management page, then go to the Whitelist Rule tab.

Manage whitelist policies

From the Attack Management page, click Scan Policy in the upper-right corner. On the Whitelist Rule tab, you can create, modify, and delete whitelist policies.

Create a policy

  1. Click Create Policy above the list.

  2. Enter a name in the Whitelist Policy Name field.

  3. Select Source Assets and Destination Assets:

    1. Switch the list type to Asset List. From the Attributed assets, select the assets to include. You can select multiple assets.

    2. Switch the list type to Change List to review and confirm your selections.

Modify a policy

  1. Click Edit in the Actions column of the target policy.

  2. Update Source Assets or Destination Assets as needed:

    1. In the Selected List view, review the assets currently saved in the policy.

    2. Switch to Asset List to add or remove assets by selecting or clearing them.

    3. Switch to Change List to confirm the changes. Selected items indicate assets newly added to the whitelist; cleared items indicate assets removed from it.

Delete a policy

Click Delete in the Actions column of the target policy. Deleting a policy has the following effects:

  • All previously whitelisted attack paths are included in the detection scope again.

  • If the related risks have not been fixed, Security Center regenerates the corresponding attack risk data.
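To make the Key concepts definitions and the whitelist behavior concrete, the following added example (a simplified model, not Security Center's actual deduction logic) derives attack paths from reachability plus per-asset risk and then applies a source/destination whitelist policy. All asset names, flags, edges, and the policy structure are hypothetical and constructed for illustration.

```python
from collections import deque

# Constructed inventory; asset names and flags are hypothetical.
ASSETS = {
    "ecs-web":   {"exposed": True,  "high_value": False, "has_risk": True},
    "ecs-api":   {"exposed": True,  "high_value": False, "has_risk": True},
    "ecs-app":   {"exposed": False, "high_value": False, "has_risk": True},
    "ecs-batch": {"exposed": False, "high_value": False, "has_risk": False},
    "rds-core":  {"exposed": False, "high_value": True,  "has_risk": True},
    "oss-logs":  {"exposed": False, "high_value": True,  "has_risk": True},
}
# Constructed directed network reachability between assets.
REACHABLE = {
    "ecs-web": ["ecs-app", "ecs-batch"],
    "ecs-api": ["ecs-app"],
    "ecs-app": ["rds-core", "ecs-web"],
    "ecs-batch": ["oss-logs"],
}

def deduce_paths(assets, reachable):
    """Loop-free paths from an exposed start asset to a high-value destination
    in which every asset on the path has a vulnerability or risky configuration."""
    paths = []
    starts = [a for a, p in assets.items() if p["exposed"] and p["has_risk"]]
    queue = deque([s] for s in starts)
    while queue:
        path = queue.popleft()
        for nxt in reachable.get(path[-1], []):
            if nxt in path or not assets[nxt]["has_risk"]:
                continue  # skip cycles and hops with nothing to exploit
            if assets[nxt]["high_value"]:
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths

def apply_whitelist(paths, policies):
    """Suppress paths whose (start, destination) pair a policy covers.
    The underlying risk is untouched: removing the policy restores the path."""
    def covered(path):
        return any(path[0] in p["source_assets"] and path[-1] in p["destination_assets"]
                   for p in policies)
    return [p for p in paths if not covered(p)]

if __name__ == "__main__":
    found = deduce_paths(ASSETS, REACHABLE)
    policy = {"name": "accepted-web-to-rds",
              "source_assets": {"ecs-web"}, "destination_assets": {"rds-core"}}
    print(found)
    print(apply_whitelist(found, [policy]))
```

In this model the path to `oss-logs` never forms because `ecs-batch` has no open risk, while whitelisting `ecs-web` to `rds-core` hides only that one pair and leaves the `ecs-api` path reported.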