Blast Radius
The blast radius for an agent is the set of other agents that it can reach via TCP/UDP connections, hop-by-hop. In an incident, this is the first question: “what has it been able to reach?”
Building the Graph
The agent periodically sends a list of its own open TCP connections to the hub (agent_connections table: src_agent_id, dst_agent_id, port, last_seen). A background worker builds a directed graph from this.
In the dashboard, the Topology tab on an agent page displays this graph. Node colors indicate status:
- Green — agent is online and healthy
- Amber — degraded (heartbeat incomplete)
- Red — isolated (network isolation active)
- Gray — offline > 24h
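The hop-by-hop reachability described above can be sketched as a breadth-first search over rows shaped like the agent_connections table. This is an added example, not the product's own worker code: the agent names, sample rows, and the max-age cutoff for stale edges are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (src_agent_id, dst_agent_id, port, last_seen)
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)  # assumed cutoff; the page does not state how edges age out
ROWS = [
    ("web-01", "app-01", 8080, NOW - timedelta(seconds=20)),
    ("app-01", "db-01", 5432, NOW - timedelta(minutes=3)),
    ("app-01", "cache-01", 6379, NOW - timedelta(days=2)),     # stale edge
    ("db-01", "backup-01", 22, NOW - timedelta(minutes=10)),
    ("backup-01", "app-01", 443, NOW - timedelta(minutes=1)),  # closes a cycle
    ("jump-01", "web-01", 22, NOW - timedelta(minutes=5)),     # inbound to web-01 only
]

def build_graph(rows, now, max_age):
    """Directed adjacency map src -> {dst: ports}, skipping edges older than max_age."""
    graph = defaultdict(lambda: defaultdict(set))
    for src, dst, port, last_seen in rows:
        if now - last_seen <= max_age:
            graph[src][dst].add(port)
    return graph

def blast_radius(graph, start):
    """BFS from start. Returns {agent: (hops, path)} for each reachable agent."""
    reached = {}
    seen = {start}  # the visited set keeps cycles from looping forever
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for dst in sorted(graph.get(node, {})):
            if dst not in seen:
                seen.add(dst)
                reached[dst] = (len(path), path + [dst])
                queue.append((dst, path + [dst]))
    return reached

if __name__ == "__main__":
    g = build_graph(ROWS, NOW, MAX_AGE)
    for agent, (hops, path) in blast_radius(g, "web-01").items():
        print(f"{agent}: {hops} hop(s) via {' -> '.join(path)}")
```

Edges follow the src to dst direction only, so jump-01, which connects into web-01, is not part of web-01's blast radius.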
Use During Incident Response
- Open the agent detail page of the compromised host.
- Open the Topology tab.
- Toggle “Simulate compromise” → all reachable nodes turn red.
- For each critical node:
  - Check Inventory → Open Ports to see which services are exposed.
  - Consider pre-emptively isolating high-value servers with IsolateNetwork.
Limitations
- Connections are only visible when they are active at the time of collection (15s cadence). One-time RPCs can be missed.
- UDP connections without bidirectional traffic are not detected.
- DNS / public load balancers are not visible as separate nodes.