When a security incident hits, the first questions are always the same. How did the attacker get in? What can they reach from here? What do we lock down first?
Alert queues cannot answer those questions. You get a list of individual findings — a misconfigured NSG, an anomalous login, an over-permissioned service principal — each scored independently, each sitting in its own row. The relationships between them are invisible. The fact that the misconfigured NSG exposes a VM whose managed identity has Contributor access to a subscription containing production Key Vaults is something you have to piece together manually, across multiple tools, under time pressure.
That is where most IR workflows lose time. Not in detection — modern tooling catches signals fast — but in assessment.
A graph, not a queue
The TENET Security Graph treats your cloud environment as what it actually is: a network of connected resources. Every Azure resource, identity, role assignment, network security group, data store, and Microsoft 365 object becomes a node. Every relationship — a managed identity attached to a VM, an OAuth app consented to read mailboxes — becomes an edge.
When you traverse those edges, you stop asking "what fired?" and start asking "where does this lead?" That is the difference between knowing a port is open and knowing the open port is the first hop on a three-step path to your production secrets.
Toxic combinations
Most real breaches are not caused by a single critical vulnerability. They are caused by two or more conditions that each look manageable in isolation but combine into a viable attack chain.
An internet-exposed VM is common. A managed identity with Contributor access is not unusual. A Key Vault containing production secrets is expected. Any one of these might sit in a backlog for weeks. But when all three coexist on a single path — internet exposure at the entry point, Contributor-level identity in the middle, secrets at the destination — you have a control plane takeover path. The Security Graph surfaces these toxic combinations automatically, closing the gap that no severity score on a single finding can close.
A real-world walkthrough
The signal: TENET flags unusual activity on an AKS node pool. Port 10250 — the Kubelet API — is exposed to the internet.
Root cause. The IR team opens the Security Graph and queries the compromised node. The graph shows port 10250 is open on aks-nodepool-01 due to an NSG permitting inbound from 0.0.0.0/0. Initial access vector: MITRE T1190.
Blast radius. The graph traces every path outward: the AKS workload runs under a managed identity (svc-aks-mi) with Contributor access on sub-prod-core, granting access to a Key Vault with 14 production secrets. Reachable nodes: 47. Hops to the nearest crown jewel: 2. A cross-subscription role assignment on svc-aks-mi extends the blast radius into a second subscription — something no single-subscription alert view would surface.
Attack path. The full chain: Internet → Port 10250 → aks-workload → svc-aks-mi → kv-prod-secrets. Each hop is tagged with a MITRE tactic: Initial Access, Credential Access, Privilege Escalation.
Containment. The team knows exactly what to lock down: block port 10250, scope down svc-aks-mi from Contributor to minimum required, rotate the 14 secrets. Each action goes to the Remediation board with blast radius, MITRE tactic, and owner attached. One remediation — removing Contributor from svc-aks-mi — breaks three active attack paths simultaneously.
Total time from alert to scoped containment plan: under fifteen minutes.
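To make the traversal in this walkthrough concrete, here is an added example written for this page (not TENET's own code). It builds a small graph from the nodes named above, with sql-prod, storage-audit and dev-vm as assumed extra resources, and computes blast radius, the toxic internet-to-secrets paths, and how many of those paths a single fix closes.

```python
from collections import deque

# Constructed graph modelled on the walkthrough (not TENET data).
# Node tags mark the three conditions of the toxic combination.
NODES = {
    "internet":        {"internet"},
    "port-10250":      {"exposed"},       # NSG allows inbound from 0.0.0.0/0
    "aks-workload":    set(),
    "svc-aks-mi":      {"identity", "contributor"},
    "kv-prod-secrets": {"secrets"},
    "sql-prod":        {"secrets"},       # assumed second crown jewel
    "storage-audit":   {"secrets"},       # assumed, in a second subscription
    "dev-vm":          set(),             # isolated dev resource, no path in
}
EDGES = [  # (source, target, relationship); constructed for this example
    ("internet", "port-10250", "inbound 0.0.0.0/0"),
    ("port-10250", "aks-workload", "kubelet API"),
    ("aks-workload", "svc-aks-mi", "runs as"),
    ("svc-aks-mi", "kv-prod-secrets", "Contributor"),
    ("svc-aks-mi", "sql-prod", "Contributor"),
    ("svc-aks-mi", "storage-audit", "Contributor"),  # cross-subscription
]

def adjacency(edges=EDGES):
    adj = {n: [] for n in NODES}
    for src, dst, _ in edges:
        adj[src].append(dst)
    return adj

def blast_radius(start, edges=EDGES):
    """BFS outward from a compromised node: {reachable node: hops}."""
    adj, hops, queue = adjacency(edges), {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def toxic_paths(nodes=NODES, edges=EDGES):
    """Simple paths: internet -> exposed entry -> Contributor identity -> secrets."""
    adj, found = adjacency(edges), []
    def walk(node, path):
        if "secrets" in nodes[node]:
            if "exposed" in nodes[path[1]] and any("contributor" in nodes[n] for n in path[1:-1]):
                found.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])
    walk("internet", ["internet"])
    return found

def paths_broken_by(remediation, node):
    """Toxic paths closed by one fix: 'block' an exposed port or 'scope-down' an identity."""
    nodes = {n: set(tags) for n, tags in NODES.items()}
    nodes[node].discard("exposed" if remediation == "block" else "contributor")
    return len(toxic_paths()) - len(toxic_paths(nodes))
```

Ranking candidate fixes by `paths_broken_by` is the structural version of "fix the single node that breaks the most attack chains".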
What changes
Scope is immediate. Blast radius is computed, not estimated — within minutes, the team knows how many resources are reachable and where the crown jewels sit.
Prioritization is by impact, not severity. A medium finding on a path to production secrets is more urgent than a critical finding on an isolated dev resource. The graph encodes that logic structurally.
Remediation is targeted. Fix the single node that breaks the most attack chains. Fix one thing, close three paths.
The TENET Security Graph connects Azure and Microsoft 365 identities, workloads, data stores, and findings into one map. See your environment the way an attacker would.