# Attacker Mind dashboard

> Cross-repository view of toxic combinations with interactive attack chains.

The **/attacker-mind** page surfaces [toxic combinations](/concepts/attacker-mind)
— sets of findings that together enable a higher-impact compromise — across
every connected repository's latest scan.

## Page structure

1. **Stat row** — three cards: *Toxic combinations* (total), *Critical*, and
   *High*.
2. **Filter & sort controls** — a repo-name search box, a criticality filter
   (*All* / *Critical* / *High*), and a sort toggle (*Criticality* or *Name*,
   ascending or descending). The criticality filter narrows the view to
   combinations at the chosen level: repositories with none drop out, and the
   ones that remain show only their matching combinations. The stat row above
   is unaffected and stays at your account-wide totals.
3. **Per-repository sections** — each repository with at least one combination
   gets a section listing its combination cards. Repositories with no
   combinations are omitted.

Each **combination card** shows:

* a severity badge (`CRITICAL` / `HIGH`), the combination's name, and its scope
  (a workflow file, or *repository-wide*);
* a one-paragraph **impact** narrative;
* an interactive **attack-chain graph** — left-to-right nodes for each stage of
  the attack, ending in the compromise. Hover/pan to explore; each non-terminal
  node is numbered and the final node is the impact;
* a green **Break the chain** callout naming the single fix that defeats the
  whole scenario; and
* an expandable **contributing findings** list with each finding's rule ID,
  severity, and `file:line`.

## On a single repository

The same combinations also appear on each repository's detail page
(**/repositories/:id**), in an **Attacker Mind** card scoped to just that repo's
latest scan. It uses the identical combination cards — severity badge, impact,
attack-chain graph, break-the-chain fix, and contributing findings — and links
back to the cross-repo dashboard. When a repo's findings don't chain into a
higher-impact compromise, the card shows a reassuring empty state instead.

## How the data is computed

The page calls `GET /api/attack-paths`, which loads each repository's
latest-scan findings server-side and runs the shared detection engine
(`pkg/scanner`). Detection is identical to the [CLI](/cli/usage); the dashboard
only groups results by repository and rolls up the counts.

Because combinations derive from already-persisted findings, the page reflects
your most recent scans. Run a scan from the **Dashboard** or **Repositories**
view to refresh them. A combination never includes a finding from a rule you've
turned off in [Rule settings](/webapp/rule-settings).
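
The grouping, roll-up and filter rules described on this page can be modelled as below. This is an added sketch, not Pipefort's own code: the record fields (`repo`, `name`, `severity`), the option names and the sort semantics are assumptions, since the page does not document the `/api/attack-paths` response shape.

```javascript
// Constructed sample; field names are assumed, not the real API schema.
const SAMPLE = [
  { repo: "example-org/api", name: "combination A", severity: "CRITICAL" },
  { repo: "example-org/api", name: "combination B", severity: "HIGH" },
  { repo: "example-org/web", name: "combination C", severity: "HIGH" },
  { repo: "example-org/docs", name: "combination D", severity: "CRITICAL" },
];
const RANK = { CRITICAL: 0, HIGH: 1 };

// Stat row: counted over the unfiltered list, so filters never change it.
function statRow(combos) {
  const count = (sev) => combos.filter((c) => c.severity === sev).length;
  return { total: combos.length, critical: count("CRITICAL"), high: count("HIGH") };
}

// Per-repository sections after search, criticality filter and sort.
// Assumption: sorting orders repositories, and "Criticality" ascending
// puts the repository with the most severe combination first.
function buildSections(combos, opts = {}) {
  const { search = "", level = "All", sortBy = "Criticality", dir = "asc" } = opts;
  const wanted = level === "All" ? null : level.toUpperCase();
  const needle = search.toLowerCase();
  const byRepo = new Map();
  for (const c of combos) {
    if (!c.repo.toLowerCase().includes(needle)) continue;
    if (wanted && c.severity !== wanted) continue;
    if (!byRepo.has(c.repo)) byRepo.set(c.repo, []);
    byRepo.get(c.repo).push(c);
  }
  // A repository with no matching combination never gets a Map entry,
  // which is how it drops out of the view.
  const sections = [...byRepo].map(([repo, combinations]) => ({
    repo,
    worst: Math.min(...combinations.map((c) => RANK[c.severity])),
    combinations,
  }));
  const sign = dir === "desc" ? -1 : 1;
  const cmp = (a, b) => sortBy === "Name"
    ? a.repo.localeCompare(b.repo)
    : a.worst - b.worst || a.repo.localeCompare(b.repo);
  return sections.sort((a, b) => sign * cmp(a, b));
}

console.log(statRow(SAMPLE), buildSections(SAMPLE, { level: "Critical" }));
```

When triaging, compare the stat row against the filtered sections: a *Critical* count higher than the cards on screen means the search box is hiding repositories, not that the combinations are gone.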

## Empty state

If none of your repositories' findings chain into a higher-impact compromise,
the page shows a reassuring empty state. Fixing individual findings — especially
the *break-the-chain* one on any combination — keeps it that way.
