High-Value Targeting (HVT)
Release Date: October 10, 2025
Product: NodeZero (Internal Pentesting - Elite SKU)
Overview
High-Value Targeting (HVT) is a GenAI-powered capability in NodeZero that identifies the most critical assets, identities, and attack paths within your network—those that, if compromised, would pose the greatest business risk. These may include executive accounts, domain controllers, ERP systems, or exposed credentials tied to sensitive infrastructure.
HVT transforms raw findings into business risk narratives. By mapping exposures to categories like financial fraud, operational disruption, or reputational damage, it helps teams quickly understand why something matters - not just what was compromised.
This capability eliminates guesswork, allowing teams to:
- Prioritize remediation around what's most impactful
- Clearly communicate findings to leadership in plain business terms
- Move beyond traditional vuln scoring or manual graph analysis tools
HVT is built to answer:
"What would an attacker go after first—and why does it matter?"
How To Use
- Step 1: While creating an internal or phishing pentest, or an insider threat test, scroll to the High-Value Targeting section.
- Step 2: Choose whether to enable high-value targeting, and if so, what level of targeting.
  - Disabled: Choose this option if you do not want to target high-value identities or assets for testing. If disabled, a normal test is run in which all hosts and users are targeted in random order without context.
  - Comprehensive Targeting: Choose this option if you want to target high-value identities and assets for testing during an internal NodeZero pentest.
  - High Value Targeting Only: Choose this option if you only want to target high-value identities and assets for testing and exclude less valuable findings.
- Step 3: Run the test.
- Step 4: Once the test completes, you can view the results in any of these existing NodeZero workflows:
  - Pentest summary page: You'll see a new card that shows the total number of business risks, and the Sankey chart will show a new section with all the impacts associated with the business risks. You'll also see a new bar chart below the Sankey chart that will show the hosts and credentials associated with business risks found.
  - Impacts, Weaknesses, Credentials, Data, and Hosts sub tabs will show high-value target indicators that show why an asset matters.
  - Attack Graphs will show high-value assets and identities tagged and visually prioritized.
  - PDF Reports will include HVTs and explain business risks.
Why It Matters
The Problem
Security teams face an overwhelming volume of technical findings, but often lack clarity on which ones actually affect the business. Traditional tools answer "What can be exploited?" but not "What matters most to our organization?"
This leads to:
- Inefficient remediation prioritization
- Technical-to-business disconnect
- Missed opportunities for faster wins
The Value of HVT
HVT closes this gap by:
- Pinpointing crown jewels—executive accounts, production systems, critical paths.
- Mapping technical findings to business risks using GenAI.
- Prioritizing the top 5% of assets that carry 95% of business risk.
- Providing explainable context for remediation and executive reporting.
- Requiring zero configuration or expertise—built directly into NodeZero.
"We don't just show you what was found - we show you why it matters."
Key Benefits
Capability | Benefit |
---|---|
GenAI-Powered Identification | Detects executive accounts, critical systems, DCs, etc. |
Business Risk Mapping | Tags findings with labels like Payment Diversion, Ransomware |
Context Scoring | Prioritizes findings in UI and reports |
Explainable Action Logs | Shows why a target was flagged |
Turnkey Integration | No setup required—runs by default in internal tests |
How It Works
1. Compromise & Data Collection
NodeZero collects real-time data on credentials, paths, hosts, and identities during a test.
2. GenAI Inference
The GenAI engine:
- Identifies executive or admin identities
- Identifies critical hosts (e.g., ERP, mail, domain controllers)
- Chains findings into attacker-style paths
- Tags each with its mapped business risk
3. Action Logs
Every high-value tag includes a transparent explanation of:
- How it was discovered
- Why it matters
- What risk it maps to
4. UI Integration
Results appear across:
- Attack Graph
- Impacts, Weaknesses, Credentials, Data, and Hosts tabs
- Reports & Executive Summaries
5. Customer Controls
- Default: Runs in Comprehensive mode
- Optional: HVT-Only or disable per test
Example Use Cases
Scenario | Business Risk Identified |
---|---|
Compromised CFO account | Payment Diversion / Financial Fraud |
ERP Server compromise | Critical Business Process Shutdown |
Domain Controller access | Enterprise-wide Authentication Failure |
Compromised dev environment | Software Delivery Disruption |
Vendor credential reuse | Supply Chain Breakdown |
Business Risk Categories
Credential Tags (Examples):
- Executive Identity ➝ Executive Fraud & Impersonation
- Identity Manager ➝ Ultimate Privilege Escalation
- Developer ➝ Software Supply Chain Risk
- Third-Party ➝ Supply Chain Disruption
Host Tags (Examples):
- Domain Controller ➝ Authentication Collapse
- Medical Systems ➝ Patient Care Disruption
- Mail Server ➝ Reputational Damage (Leaked Comms)
- Virtualization Infra ➝ Multi-System Shutdown
GenAI Architecture
Model Hosting
- All LLM calls are containerized within Horizon3's AWS infra.
Data Flow
Component | Description |
---|---|
Model Hosting | AWS Bedrock (Llama 4 Maverick) |
Data Sent | Minimal metadata only (usernames, hosts, graph context) |
Prompting | Curated prompts analyze attacker context and relationships |
Output Behavior | Advisory only - never executes actions or modifies assets |
All data is filtered, minimal, and not used for training.
Prompt Management
- Custom prompts created by Horizon3.ai.
- Model outputs are advisory only - no autonomous actions.
How GenAI Is Integrated and Secured
High-Value Targeting (HVT) leverages AWS Bedrock, a fully managed foundation model platform provided by Amazon. Specifically, NodeZero uses the Llama 4 Maverick model to perform semantic reasoning over structured metadata and sensitive content (depending on the feature).
The architecture is designed for security, explainability, and data isolation:
- A dedicated container runs inside the NodeZero Kubernetes cluster, sitting adjacent to the Core service.
- This container is responsible for communicating with AWS Bedrock and sending data for inference.
  - The data sent includes usernames, hostnames, and BloodHound-derived relationship metadata to prioritize targets based on attacker-accessible graph context.
Importantly:
- No data is stored or used for training, by either Horizon3.ai or AWS.
- AWS Bedrock provides strong data isolation guarantees.
- The amount and type of data passed to the model is strictly controlled via configuration—ensuring minimal, targeted input for each use case.
For more on AWS foundation models, see: https://aws.amazon.com/what-is/foundation-models/
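One way to enforce the "minimal, targeted input" rule described above is a per-use-case field allowlist applied before any record reaches the inference container. This is an added example, not Horizon3.ai code; the use-case names, field names and sample record are assumptions constructed for illustration.

```python
from copy import deepcopy

# Hypothetical configuration: one allowlist per inference use case.
# Any field not listed here is dropped before the payload is built.
ALLOWLIST = {
    "credential_tagging": {"username", "title", "group_memberships"},
    "host_tagging": {"hostname", "os", "open_services", "relationships"},
}
# Keys permitted inside a BloodHound-style relationship edge.
EDGE_KEYS = {"source", "edge", "target"}

# Constructed sample record, as a collector might hold it after a test.
SAMPLE_HOST = {
    "hostname": "dc01.corp.example",
    "os": "Windows Server 2019",
    "open_services": ["ldap", "kerberos", "smb"],
    "relationships": [
        {"source": "svc_backup@corp.example", "edge": "AdminTo",
         "target": "dc01.corp.example", "ntlm_hash": "<constructed-secret>"},
    ],
    "dumped_credentials": ["<constructed-secret>"],
    "file_listing": ["C:\\Finance\\payroll.xlsx"],
}


def minimize(record: dict, use_case: str) -> tuple[dict, list[str]]:
    """Return (payload, dropped_fields); fail closed on an unknown use case."""
    if use_case not in ALLOWLIST:
        raise ValueError(f"no allowlist configured for use case {use_case!r}")
    allowed = ALLOWLIST[use_case]
    payload, dropped = {}, []
    for key, value in record.items():
        if key not in allowed:
            dropped.append(key)  # record the field name only, never the value
            continue
        if key == "relationships":
            # Keep graph structure, strip any extra attributes on each edge.
            value = [{k: e[k] for k in EDGE_KEYS if k in e} for e in value]
        payload[key] = deepcopy(value)  # never alias the collector's data
    return payload, sorted(dropped)


if __name__ == "__main__":
    payload, dropped = minimize(SAMPLE_HOST, "host_tagging")
    print("sent to model:", payload)
    print("dropped fields:", dropped)
```

Logging the dropped field names (not their values) gives an audit trail showing what was withheld from the model on each call.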
Reporting & Explainability
- Action Logs: Exportable via UI, PDF, or API
- Executive Summary: Business risks phrased in plain language
- Context scoring boosts HVT results in dashboards and reports
- Risk nodes added directly to the attack graph
Business Risk Mappings
NodeZero uses GenAI reasoning to map compromised credentials and hosts to specific Business Risk Categories, providing a shared language for security teams and leadership.
Credential-Based Business Risks
Credential Type | Business Risk | Description |
---|---|---|
Identity Manager | Executive Fraud & Impersonation | Enables attackers to forge tokens, create backdoor accounts, and impersonate users with full legitimacy. |
Developer | Software Delivery Disruption | Allows injection of malicious code into CI/CD pipelines, affecting downstream customers. |
Third Party / Vendor | Supply Chain Breakdown | Compromising vendor credentials disrupts dependencies like IT services and logistics. |
Business Executive | Executive Fraud & Impersonation | Enables fraudulent wire transfers using compromised executive accounts. |
Domain Administrator | Operational Disruption | Grants control over Active Directory, allowing attackers to lock out all users. |
IT Department | Operational Disruption | Disabling IT infrastructure halts business operations. |
Host-Based Business Risks
Host Type | Business Risk | Description |
---|---|---|
Backup Infrastructure | Operational Disruption | Attackers can destroy recovery paths, amplifying downtime from ransomware or outages. |
Medical Systems | Operational Disruption | Disrupts patient care and triggers regulatory consequences. |
Domain Controller | Critical System Shutdown | Enterprise-wide authentication failure from DC compromise. |
Operational Technology | Critical System Shutdown | Shuts down physical operations like energy and manufacturing. |
Virtualization Infra | Critical System Shutdown | Disables all workloads dependent on hypervisors or management servers. |
Financial Systems | Revenue Interruption | Interrupts payroll, billing, and collections. |
Development Environments | Software Delivery Disruption | Corrupts builds or introduces backdoors into product code. |
Operations & Logistics | Supply Chain Breakdown | Cascades disruptions across inventory, suppliers, and partners. |
Mail Server | Leak of Sensitive Communications | Exposes executive, legal, and HR email threads with reputational impact. |
FAQs
Q: Which operations support HVT? A: Internal pentests, phishing, and insider threat. Not external-only or cloud tests (yet).
Q: Is it enabled by default? A: Yes - runs automatically in Comprehensive mode.
Q: Does it affect runtime or stability? A: No - only metadata is processed. Models are isolated.
Q: Is my data used to train the model? A: No. Your data is used at runtime only and never leaves your AWS environment.
Q: Does it integrate with ticketing? A: Not yet - planned in future releases.