Defenders think in lists, attackers think in graphs (2015)

Lists vs. graphs framing

  • Many see “lists vs. graphs” as a useful way to explain why checklist-based security misses multi-step attack paths across systems, identities, and trust zones.
  • Others argue the slogan is overhyped or dated; the underlying graph-style thinking (attack paths, segmentation, clustering) has been around for years.

Role and limits of checklists and compliance

  • Several comments say checklists are necessary for operational hygiene and keeping controls in place over time; they’re not the security, just a way to sustain it.
  • Strong criticism of checkbox/compliance culture: tools and audits used mainly for CYA and liability shifting, with <1% signal-to-noise and little real risk reduction.
  • Some argue compliance is “table stakes” and the real failure is not progressing from lists to understanding dependencies and attack paths.

Asymmetry between attackers and defenders

  • Repeated theme: defenders must succeed everywhere, attackers only once.
  • Counterpoint: defense in depth means attackers also need to win multiple steps; defenders can limit blast radius even after an initial compromise.
  • Several stress that security is always a trade-off with usability and business goals; the “perfectly secure system” is useless.

Org incentives and security as cost center

  • Security is framed as a cost/insurance, often a “sideshow” vs. core business, leading to underinvestment and focus on regulatory checkboxes.
  • Debate over whether this is rational risk management vs. incompetence/short-termism.
  • Some suggest only strong legal/market penalties (e.g., liability for breaches) would materially change incentives.

Do defenders already think in graphs?

  • Multiple commenters note that mature teams do use graph-based tools (e.g., AD attack path analyzers, cloud/IAM graphing, SBOM dependency graphs).
  • Others say most orgs still operate in list mode: CIS benchmarks, CVE lists, JIRA tickets, with little understanding of real attack paths.

Practical defensive perspectives

  • Suggestions: red teaming, honeypots, strict admin workstation practices, segmentation, least privilege, monitoring “diffs” (changes) rather than static inventories.
  • One thread emphasizes formal methods and model checking as graph reachability problems across programs and infrastructure.
  • Skepticism that full graph-based defense is computationally or organizationally realistic; graphs risk becoming yet another checklist input.
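The "graph reachability" framing in the bullets above, worked through as an added example (it is not from the thread or from any tool mentioned there): a constructed asset/identity graph with hypothetical node names, a breadth-first search for the shortest attack path from an assumed initial foothold to a crown-jewel data store, the blast radius reachable from that foothold, and a brute-force search for the single edges whose removal alone breaks the path. Those cut edges are the defender's cheapest controls; in the sample graph, removing the domain-admin session on a helpdesk-managed workstation (the "strict admin workstation" practice) is one of them.

```python
"""Attack-path reachability over a constructed asset/identity graph.

Constructed example: nodes are hosts, accounts and data stores; a directed
edge A -> B means "control of A gives one step toward control of B" (a cached
credential, an interactive admin session, a trust relationship). All names
are hypothetical and do not describe any real environment.
"""
from collections import deque

# Constructed sample graph (hypothetical names).
GRAPH = {
    "workstation-1": ["user-alice"],
    "user-alice": ["fileserver", "helpdesk-admin"],
    "helpdesk-admin": ["workstation-2"],
    "workstation-2": ["domain-admin"],   # domain admin has a session here
    "domain-admin": ["dc-1", "db-finance"],
    "fileserver": [],
    "dc-1": ["db-finance"],
    "db-finance": [],
}


def shortest_attack_path(graph, start, target):
    """BFS: shortest list of nodes from start to target, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def reachable_from(graph, start):
    """Every node reachable from start: the blast radius of that compromise."""
    seen = {start}
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def without_edge(graph, src, dst):
    """Copy of the graph with one edge removed (one control applied)."""
    return {k: [v for v in vs if not (k == src and v == dst)]
            for k, vs in graph.items()}


def choke_point_edges(graph, start, target):
    """Edges whose removal alone disconnects target from start.

    These are the single controls that break the path; brute force over every
    edge is fine at the scale of a hand-maintained inventory.
    """
    cut = []
    for src, dsts in graph.items():
        for dst in dsts:
            if shortest_attack_path(without_edge(graph, src, dst), start, target) is None:
                cut.append((src, dst))
    return cut


if __name__ == "__main__":
    path = shortest_attack_path(GRAPH, "workstation-1", "db-finance")
    print("attack path:", " -> ".join(path))
    print("blast radius:", len(reachable_from(GRAPH, "workstation-1")), "nodes")
    print("single-edge fixes:", choke_point_edges(GRAPH, "workstation-1", "db-finance"))
    hardened = without_edge(GRAPH, "workstation-2", "domain-admin")
    print("after removing the admin session:",
          shortest_attack_path(hardened, "workstation-1", "db-finance"),
          "| blast radius:", len(reachable_from(hardened, "workstation-1")))
```

Note that the edge from domain-admin to db-finance is not a choke point, because a second route through dc-1 exists; a list of "db-finance is locked down" would look fine, while the graph shows the real fix sits several hops earlier.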