D3 Security · Security Operations Glossary

What Is Attack Path Discovery?

A standalone glossary definition, part of the D3 Security Operations Glossary.


Definition

Attack Path Discovery is D3 Morpheus's proprietary autonomous investigation engine. It performs L2-depth investigation on every security alert, tracing threats horizontally across 800+ connected tools and vertically through 90 days of historical telemetry, reconstructing the complete attack path before any analyst intervention.

What Attack Path Discovery Does

Attack Path Discovery, D3’s investigation engine, traces threats horizontally across identities, endpoints, cloud, and email infrastructure, and vertically through 90 days of telemetry, reconstructing the full attack timeline before your analyst opens the case.

Attack Path Discovery (APD) assembles the story behind every alert. It maps the blast radius. It drafts the remediation. Morpheus does the legwork. Your analyst does the analysis.

Two Hunting Dimensions

Horizontal investigation queries multiple security tools simultaneously at the same point in time. For a single suspicious sign-in alert, APD returns parallel evidence from your identity provider, EDR, cloud security platform, and email security tool in one consolidated view, not a list of links to separate consoles.

Vertical investigation reaches backwards through historical telemetry to determine whether the current alert is a one-off or part of a pattern. APD reaches back 90 days by default, configurable up to 365 days.

What an APD Investigation Produces

Every alert that enters Morpheus receives a complete investigation package. The analyst opens the case and finds:

  1. A ranked attack timeline. One chronologically ordered narrative of every correlated event, each tagged by data source, timestamp, and confidence weight.
  2. The data sources APD reached. Every integration queried, with response time and result set size. If a tool returned no relevant data, that fact is visible.
  3. The attack path graph. A visual representation of correlated entities, including users, hosts, files, and domains, connected by relationship edges.
  4. The MITRE ATT&CK mapping. Every event mapped to its ATT&CK technique ID and tactic.
  5. The recommended next action. A deterministic step or Agentic Task option, ranked by confidence and tagged with its command-risk tier.
  6. The audit trail. Every reasoning step, every tool call, every source consulted, in a single document.

What the analyst does not see: a wall of unprocessed log lines. A list of links to other consoles. A request to manually correlate. APD’s job is to do those things before the analyst opens the case.

Vulnerability Chainability

Attack Path Discovery is not limited to alert investigation. The same engine that traces threats across your security stack also processes vulnerability findings, mapping chainable exploit paths across multiple findings that individually score below threshold but together form a critical attack path.

A CVSS 5.3 information leak, a CVSS 6.1 privilege escalation, and a CVSS 4.8 sandbox escape each pass any static filter on their own. Chained together, they amount to remote code execution. Static prioritization cannot detect this. Attack Path Discovery does, on every finding, every time.
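To make the chainability argument concrete (here and in the FAQ answer on vulnerability triage below), the following is an added illustration written for this page, not D3's Attack Path Discovery code: findings are modelled as pre-condition/post-condition edges, a per-finding CVSS filter keeps none of them, yet a path search from an unauthenticated start position still reaches host code execution. The finding ids, scores, position labels and the 7.0 threshold are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str        # constructed placeholder id, not a real CVE number
    kind: str
    cvss: float
    requires: str   # attacker position needed before this finding is usable
    grants: str     # attacker position reached after exploiting it

# Constructed sample: mirrors the 5.3 / 6.1 / 4.8 trio from the text, plus a
# higher-scored finding that no reachable position can actually use.
FINDINGS = [
    Finding("FINDING-1", "information leak", 5.3, "unauthenticated", "internal_secrets"),
    Finding("FINDING-2", "privilege escalation", 6.1, "internal_secrets", "sandboxed_exec"),
    Finding("FINDING-3", "sandbox escape", 4.8, "sandboxed_exec", "host_code_exec"),
    Finding("FINDING-4", "local DoS", 6.5, "domain_admin", "service_outage"),
]

TRIAGE_THRESHOLD = 7.0  # assumed "high" cut-off a static CVSS filter applies

def static_filter(findings, threshold=TRIAGE_THRESHOLD):
    """What a per-finding CVSS filter keeps: nothing, for the sample above."""
    return [f for f in findings if f.cvss >= threshold]

def find_chains(findings, start, goal):
    """Depth-first search over pre/post-conditions; returns every loop-free
    chain of findings that takes an attacker position from start to goal."""
    by_requirement = {}
    for f in findings:
        by_requirement.setdefault(f.requires, []).append(f)
    chains = []

    def walk(position, path, seen):
        if position == goal:
            chains.append(list(path))
            return
        for f in by_requirement.get(position, []):
            if f.grants not in seen:          # never revisit a position
                walk(f.grants, path + [f], seen | {f.grants})

    walk(start, [], {start})
    return chains

def chain_report(chain):
    """Summarise a chain: member ids, the highest individual score (showing no
    single member crossed the triage bar) and the position it ends in."""
    return {
        "path": [f.fid for f in chain],
        "max_individual_cvss": max(f.cvss for f in chain),
        "end_state": chain[-1].grants,
    }

if __name__ == "__main__":
    print("static filter keeps:", [f.fid for f in static_filter(FINDINGS)])
    for chain in find_chains(FINDINGS, "unauthenticated", "host_code_exec"):
        print(chain_report(chain))
```

The decoy FINDING-4 carries the highest score in the set but sits on no reachable path, which is the mirror image of the page's point: score alone ranks the wrong finding.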

Also see:
SOAR Ceiling
Agentic SOC

Frequently asked questions

What does Attack Path Discovery do?
Attack Path Discovery is Morpheus’s autonomous investigation engine. It runs L2-depth investigation on every alert, querying 800+ connected security tools simultaneously and reaching back 90 days through historical telemetry. The result is a complete attack timeline, MITRE ATT&CK mapping, and recommended response, assembled before any analyst opens the case.

How is Attack Path Discovery different from legacy SOAR?
Legacy SOAR platforms execute pre-authored playbooks that engineers must build and maintain. Attack Path Discovery generates its investigation from live alert context, no pre-built playbook required. Where SOAR executes a fixed script, APD reconstructs the actual attack path behind each specific alert.

What does “horizontal” investigation mean?
Horizontal investigation means APD queries multiple security tools simultaneously at the same moment in time. Rather than pivoting manually from SIEM to EDR to identity provider, APD correlates evidence from all connected tools in a single pass, returning a unified view of what was happening across your environment at the time of the alert.

What does “vertical” investigation mean?
Vertical investigation means APD queries backwards through historical telemetry, 90 days by default, configurable up to 365 days. This surfaces whether the current alert is an isolated event or part of a longer attack pattern that crossed your alert thresholds at a single point but was building for weeks.

How fast does Attack Path Discovery run?
Investigations typically open within 30 seconds of the originating alert. Up to 95% of alerts receive L2-depth investigation in under 2 minutes.

Does APD work for vulnerability triage?
Yes. The same engine that investigates alerts also processes vulnerability findings, mapping chainable exploit paths across multiple CVEs that individually score below threshold but together represent a critical attack path. Static CVSS scoring cannot detect chainability. Attack Path Discovery does.

Is Attack Path Discovery a black box?
No. Every reasoning step APD performed, every tool call, every source consulted, and every confidence weight is recorded in a single audit trail per investigation. Analysts can inspect, challenge, verify, or override any conclusion. The audit trail is exportable and meets the evidence requirements of regulated industries.

What security tools does Attack Path Discovery reach?
APD queries any of Morpheus’s 800+ bidirectional integrations, including SIEM, EDR, identity providers, cloud security platforms, email security, and vulnerability scanners. The specific tools queried depend on which integrations are active in your environment.


Related terms

SOAR Ceiling — The point at which legacy SOAR’s playbook maintenance burden exceeds its operational value.

Agentic SOC — A SOC architecture in which AI agents perform investigation and response tasks autonomously.

Bounded Agentic Reasoning — AI reasoning constrained to specific decision boundaries defined by deterministic governance.

Autonomous SOC — A security operations center in which AI systems perform alert triage, investigation, and response without requiring analyst intervention for routine cases.

Unified Intelligence Model — D3’s architectural principle of running all AI reasoning through a single engine with one audit trail.

Further reading

How APD Works
APD Architecture Whitepaper
Security Operations Glossary

Last updated: May 2026