> ## Documentation Index
> Fetch the complete documentation index at: https://specterops-bed-7559-api-key-exp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# OpenGraph Graph Theory

> Attack Graph Model Design Requirements and Examples

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/Q9Jppg_Pu54SydxZ/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=Q9Jppg_Pu54SydxZ&q=85&s=dab889e863a05e09b1378befc30bbb10" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

# Introduction

For several years, one of the biggest pain-points with contributing to BloodHound has been in getting nodes and edges ingested and correctly displayed in the GUI. BloodHound OpenGraph changes that. Now it is easy for anyone to add nodes and edges into BloodHound through the easy-to-use `/file-upload/` endpoint.

However, while the process of adding nodes and edges to the product is greatly simplified, the product will not function as expected without a well-designed attack graph model. This document seeks to educate users on attack graph model design theory, best-practices, and requirements.

An attack graph is a tool - a powerful force multiplier when wielded correctly, a frustrating and confusing hazard when not. This document aims to equip you with the knowledge and skills necessary to effectively wield this tool.

<Info>
  At this time, OpenGraph nodes and edges are not supported in the Search or Pathfinding tab, so the Cypher tab **must** be used to query the data manually.
</Info>

# Basic Attack Graph Vocabulary and Design Theory

Graphs are [well-understood](https://en.wikipedia.org/wiki/Graph_%28discrete_mathematics%29), well-studied mathematical constructs. You can find thousands of guides, tools, and academic papers that make use of graphs. This document will not replace a proper education or time spent working with graphs. But in this section we will touch on the most fundamental aspects of a graph you must understand in order to effectively get BloodHound to work with your nodes and edges.

Every graph is constructed from two fundamental components: vertices (nodes) and edges (relationships):

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=2601bc977058239311edc09ec52f7b9f" alt="Node1 -- Edge1 --> Node2" data-og-width="1012" width="1012" data-og-height="508" height="508" data-path="assets/og-bp-1.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=280&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=954a0610f8167a45f7a9e835d795b5e7 280w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=560&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=dd4b86d84400b8fbc49e76ac7b5422e9 560w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=840&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=831aec32b1163003ec4810e7345969bb 840w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=1100&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=b6121a231cd79f3bb4a2e8814a106b6e 1100w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=1650&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=809d74772dd673892946788894f0cd1e 1650w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-1.png?w=2500&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=af519455590cd11c8e358967e61f53d2 2500w" />

The above graph has two nodes and one edge. The edge is **directed**. The source node of the edge is “Node 1”. The destination node of the edge is “Node 2”.

**Every** edge in a BloodHound attack graph is **directed**, and is **one-way**. There are no bi-directional (“two-way”) edges in a BloodHound graph.

In a BloodHound attack graph, the direction of the **edge** must match the direction of **access** or **attack**. Let’s look at an example with Active Directory group memberships.

In the BloodHound attack graph, we model Active Directory security group memberships like this:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=6cd585a2d8ec1a0a86281c49a2b9f208" alt="User -- MemberOf --> Group" data-og-width="1024" width="1024" data-og-height="432" height="432" data-path="assets/og-bp-2.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=280&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=18a67b7ab948de414639c7a2227ba2dc 280w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=560&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=45c16880aa7f9e9b9698f4e161c3e01a 560w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=840&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=6cbb8dee95b63d54ee666bae91f8c05c 840w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=1100&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=618b45a0507313884bb1bf96cb7bed5f 1100w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=1650&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=40c1befec56f9af6f12e63e7811febc1 1650w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-2.png?w=2500&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=c57525a0b75b59cdee49950a6175f831 2500w" />

Think about the direction of the edge. Now think for a moment and try to figure out why we don’t model AD security group memberships like this instead:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=e0c1dbd17c69d7274231657b5a447c84" alt="Group -- HasMember --> User" data-og-width="1018" width="1018" data-og-height="424" height="424" data-path="assets/og-bp-3.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=280&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=f3c3c07d044d56b06895f0005428a367 280w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=560&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=06cb3d0926840542f33ff0c418144ecc 560w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=840&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=e1c5b7edfd36b7f48855b2ac8030f0d5 840w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=1100&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=0247c04912eb8df630ed320f798c936b 1100w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=1650&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=55e0ff80e8f87189eafbb580db47ae08 1650w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-3.png?w=2500&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=82b2f4a5411fdc6976d15a7d8a2321e2 2500w" />

This seems perfectly reasonable at first glance, does it not? But remember that we are constructing an **attack graph** in order to discover **attack paths**. Edge directionality must serve attack path discovery.

The direction of the edge going from the group to the user does not expose any attack path. Just because a user is a member of a group does not mean the group has any “control” of the user. But when the direction of the edge is from the user to the group, that DOES serve attack path discovery.

Why? Because in Windows and Active Directory, members of security groups gain the privileges held by those groups. Let’s extend the model a bit to make this easier to see:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=8bc65e2f004a69d3cb4a56440727265d" alt="User -- MemberOf -> Group -- GenericAll --> Domain" data-og-width="1582" width="1582" data-og-height="414" height="414" data-path="assets/og-bp-4.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=280&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=f68581af054cb1d0527e494c054ad400 280w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=560&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=061bb0bf740ff8ed6db3d2c5b927e7fe 560w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=840&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=3698f4edff3091780785797019839f80 840w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=1100&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=628f804eb225786fed4c248ae0b3fbb5 1100w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=1650&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=5a7b71087c1973896f4a815f960303ef 1650w, https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-4.png?w=2500&fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=e6bd9c515ec5c0734039f33e64c2bbb1 2500w" />

The user is a member of a group, and the group has full control of the domain. When the user authenticates to Active Directory, their Kerberos ticket will include the SID of the group. When the user uses that ticket to perform some action against the domain object, the security reference monitor will inspect the ticket, see the group SID, and grant the user all the permissions against the domain that the group has.

**In reality the process is much more involved than this, but work with me here, people.**

The above diagram shows a **path** connecting two **non-adjacent** nodes. **Adjacent** nodes are those that are connected together by an edge. In the above diagram, the adjacent nodes are:

1. “User” and “Group” via the “MemberOf” edge

2. “Group” and “Domain” via the “GenericAll” edge

The “User” and “Domain” nodes are non-adjacent, yet there is a **path** connecting the “User” node to the “Domain” node.

When designing your attack graph model, you **must** be aware of the **patterns** that will emerge from your design. There are many examples out there of people who want to make a contribution to the BloodHound graph who do not seem to be aware of this. Instead of proposing nodes/edges that create multi-node patterns, they propose nodes/edges that result **only** in one-to-one patterns:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-5.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=2bfcaa138e567b9d9c34f1bfcf058f71" alt="Badly connected nodes" width="1012" height="772" data-path="assets/og-bp-5.png" />

In the above graph there are two patterns:

1. From the red (top left) to the pink (top right) node

2. From the blue (bottom left) to the green (bottom right) node

What’s wrong with this design?

Think of the graph as a map of **one-way streets**. In the above graph we have two one-way streets. But this map kinda sucks, doesn’t it? You can only start in two places and you can only go to two places. You can’t go from the red (top left) node to the blue (bottom left) node because there is no **path** connecting those nodes.

This is a much better map:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-6.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=b80546bcb9af517737ba45010fd516ec" alt="Well connected nodes" width="1002" height="770" data-path="assets/og-bp-6.png" />

Now is there a **path** from the red (top left) node to the blue (bottom left) node? Yes! It goes **through** the green (bottom right) node!

The difference in the two graphs is the level of **connectedness**, or how well-linked the nodes are to one another.

Let’s belabor the point a little more to make it even more clear. The top model would be analogous to having a node represent both a **person** and the **address** where they live, with the edge representing the fact that they live at that address:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-7.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=2628c3d0318fa7c261fe958fb442af1a" alt="Badly connected nodes" width="980" height="808" data-path="assets/og-bp-7.png" />

While the bottom graph would be analogous to having the nodes represent the **addresses** and the edges represent **streets**:

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/-57i80HTHwG9ARPC/assets/og-bp-8.png?fit=max&auto=format&n=-57i80HTHwG9ARPC&q=85&s=a05995d6d1f85be1afac217e7d5d22c6" alt="Well connected nodes" width="1004" height="826" data-path="assets/og-bp-8.png" />

It should be obvious that for the sake of **pathfinding**, the **second** model is the **only** model that will work.

**This is actually how Google Maps works under the hood – it is a graph where locations are nodes and streets are edges.**

<Note>
  This article is adapted from [Andy Robbins](https://www.linkedin.com/in/robbinsandy/)’ blog post, “[Attack Graph Model Design Requirements and Examples](https://specterops.io/blog/2025/08/01/attack-graph-model-design-requirements-and-examples/),” which goes beyond what’s described here.
</Note>
