
High-Value Targeting (HVT)

Release Date: October 10, 2025

Product: NodeZero (Internal Pentesting - Elite SKU)

Overview

High-Value Targeting (HVT) is a GenAI-powered capability in NodeZero that identifies the most critical assets, identities, and attack paths within your network—those that, if compromised, would pose the greatest business risk. These may include executive accounts, domain controllers, ERP systems, or exposed credentials tied to sensitive infrastructure.

HVT transforms raw findings into business risk narratives. By mapping exposures to categories like financial fraud, operational disruption, or reputational damage, it helps teams quickly understand why something matters - not just what was compromised.

This capability eliminates guesswork, allowing teams to:

  • Prioritize remediation around what's most impactful
  • Clearly communicate findings to leadership in plain business terms
  • Move beyond traditional vuln scoring or manual graph analysis tools

HVT is built to answer:

"What would an attacker go after first—and why does it matter?"


How To Use

  • Step 1: While configuring an internal pentest, a phishing test, or an insider threat test, scroll to the High-Value Targeting section.
  • Step 2: Choose whether to enable High-Value Targeting and, if so, which level of targeting to apply:
    • Disabled: Choose this option if you do not want to target high-value identities or assets. A normal test is run in which all hosts and users are targeted in random order, without HVT context.
    • Comprehensive Targeting: Choose this option if you want high-value identities and assets targeted during the internal NodeZero pentest while the rest of the environment is still covered. This is the default.
    • High Value Targeting Only: Choose this option if you only want high-value identities and assets targeted, excluding less valuable findings.
  • Step 3: Run the test.
  • Step 4: Once the test completes, you can view the results in any of these existing NodeZero workflows:
    • Pentest summary page: A new card shows the total number of business risks. The Sankey chart gains a section listing the impacts associated with those business risks, and a new bar chart below it lists the hosts and credentials tied to the business risks found.
    • The Impacts, Weaknesses, Credentials, Data, and Hosts sub-tabs show high-value target indicators explaining why an asset matters.
    • Attack Graphs will show high-value assets and identities tagged and visually prioritized.
    • PDF Reports will include HVTs and explain business risks.

Why It Matters

The Problem

Security teams face an overwhelming volume of technical findings, but often lack clarity on which ones actually affect the business. Traditional tools answer "What can be exploited?" but not "What matters most to our organization?"

This leads to:

  • Inefficient remediation prioritization
  • Technical-to-business disconnect
  • Missed opportunities for faster wins

The Value of HVT

HVT closes this gap by:

  • Pinpointing crown jewels—executive accounts, production systems, critical paths.
  • Mapping technical findings to business risks using GenAI.
  • Prioritizing the top 5% of assets that carry 95% of business risk.
  • Providing explainable context for remediation and executive reporting.
  • Requiring zero configuration or expertise—built directly into NodeZero.

"We don't just show you what was found - we show you why it matters."


Key Benefits

Capability ➝ Benefit:

  • GenAI-Powered Identification ➝ Detects executive accounts, critical systems, domain controllers, and similar assets
  • Business Risk Mapping ➝ Tags findings with labels such as Payment Diversion or Ransomware
  • Context Scoring ➝ Prioritizes findings in the UI and in reports
  • Explainable Action Logs ➝ Shows why a target was flagged
  • Turnkey Integration ➝ No setup required; runs by default in internal tests

How It Works

1. Compromise & Data Collection

NodeZero collects real-time data on credentials, paths, hosts, and identities during a test.

2. GenAI Inference

The GenAI engine identifies:

  • Executive or admin identities
  • Critical hosts (e.g., ERP, mail, domain controllers)
  • Attacker-style paths that chain individual findings together
  • The business risk mapped to each identity, host, and path

3. Action Logs

Every high-value tag includes a transparent explanation of:

  • How it was discovered
  • Why it matters
  • What risk it maps to

4. UI Integration

Results appear across:

  • Attack Graph
  • Impacts, Weaknesses, Credentials, Data, and Hosts tabs
  • Reports & Executive Summaries

5. Customer Controls

  • Default: Runs in Comprehensive mode
  • Optional: HVT-Only or disable per test
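The path chaining in "GenAI Inference", the Action Log explanation, and the three targeting modes from "How To Use" and "Customer Controls" can be pictured with a small graph traversal. The block below is an added, illustrative example written for this page, not NodeZero code: it uses deterministic breadth-first search over constructed BloodHound-style edges as a stand-in for the GenAI step, and the node names, HVT tags, and edges are all made up. The tag-to-risk tables are copied from the Business Risk Mappings section further down.

```python
"""Attack-path chaining and HVT targeting modes over BloodHound-style edges.

Illustrative only: a deterministic stand-in for the GenAI inference step.
All nodes, edges and tags are constructed; the risk tables mirror this page.
"""
import random
from collections import deque

# Constructed sample graph. "kind" follows BloodHound node types; "tag" is a
# hypothetical HVT label, or None for an ordinary asset.
NODES = {
    "jdoe@CORP.LOCAL": {"kind": "user", "tag": "Developer"},
    "cfo@CORP.LOCAL": {"kind": "user", "tag": "Business Executive"},
    "helpdesk@CORP.LOCAL": {"kind": "group", "tag": None},
    "domain admins@CORP.LOCAL": {"kind": "group", "tag": "Domain Administrator"},
    "WS01.CORP.LOCAL": {"kind": "computer", "tag": None},
    "BUILD01.CORP.LOCAL": {"kind": "computer", "tag": "Development Environments"},
    "DC01.CORP.LOCAL": {"kind": "computer", "tag": "Domain Controller"},
}
# (source, relationship, destination) using BloodHound edge names.
EDGES = [
    ("jdoe@CORP.LOCAL", "MemberOf", "helpdesk@CORP.LOCAL"),
    ("jdoe@CORP.LOCAL", "AdminTo", "BUILD01.CORP.LOCAL"),
    ("helpdesk@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "cfo@CORP.LOCAL"),
    ("cfo@CORP.LOCAL", "MemberOf", "domain admins@CORP.LOCAL"),
    ("domain admins@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
]

# Tag -> business risk, as listed in this page's mapping tables.
CREDENTIAL_RISKS = {
    "Identity Manager": "Executive Fraud & Impersonation",
    "Developer": "Software Delivery Disruption",
    "Third Party / Vendor": "Supply Chain Breakdown",
    "Business Executive": "Executive Fraud & Impersonation",
    "Domain Administrator": "Operational Disruption",
    "IT Department": "Operational Disruption",
}
HOST_RISKS = {
    "Backup Infrastructure": "Operational Disruption",
    "Medical Systems": "Operational Disruption",
    "Domain Controller": "Critical System Shutdown",
    "Operational Technology": "Critical System Shutdown",
    "Virtualization Infra": "Critical System Shutdown",
    "Financial Systems": "Revenue Interruption",
    "Development Environments": "Software Delivery Disruption",
    "Operations & Logistics": "Supply Chain Breakdown",
    "Mail Server": "Leak of Sensitive Communications",
}


def shortest_paths(start, edges):
    """BFS from a compromised principal; returns {node: [n0, rel, n1, rel, ...]}."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for rel, nxt in adj.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [rel, nxt]
                queue.append(nxt)
    return paths


def business_risk(node):
    """Map a node's HVT tag to a business risk; None if the node is untagged."""
    meta = NODES[node]
    table = HOST_RISKS if meta["kind"] == "computer" else CREDENTIAL_RISKS
    return table.get(meta["tag"])


def rank_targets(start, mode="comprehensive", seed=0):
    """Order reachable nodes according to the three HVT modes on this page.

    disabled      -> everything reachable, random order, no risk context
    comprehensive -> everything reachable, high-value first, then by path length
    hvt_only      -> only nodes that map to a business risk
    """
    if mode not in ("disabled", "comprehensive", "hvt_only"):
        raise ValueError(f"unknown HVT mode: {mode}")
    paths = shortest_paths(start, EDGES)
    reachable = [n for n in paths if n != start]
    if mode == "disabled":
        random.Random(seed).shuffle(reachable)  # seeded only to keep the example repeatable
        return [{"target": n, "tag": None, "risk": None, "path": paths[n]} for n in reachable]
    targets = []
    for n in reachable:
        risk = business_risk(n)
        if mode == "hvt_only" and risk is None:
            continue
        targets.append({"target": n, "tag": NODES[n]["tag"], "risk": risk, "path": paths[n]})
    targets.sort(key=lambda t: (t["risk"] is None, len(t["path"])))
    return targets


def action_log(target):
    """One Action Log line: how the target was reached, what it is, which risk it maps to."""
    hops = " -> ".join(f"[{x}]" if i % 2 else x for i, x in enumerate(target["path"]))
    return f"{target['target']} flagged as {target['tag']} ({target['risk']}); reached via {hops}"


if __name__ == "__main__":
    for t in rank_targets("jdoe@CORP.LOCAL", "hvt_only"):
        print(action_log(t))
```

Among tagged targets the example orders by path length only, because the page does not specify how NodeZero weighs one business risk against another; in "disabled" mode the risk field is deliberately left empty to match the "without context" behaviour described in Step 2.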

Example Use Cases

Scenario ➝ Business Risk Identified:

  • Compromised CFO account ➝ Payment Diversion / Financial Fraud
  • ERP server compromise ➝ Critical Business Process Shutdown
  • Domain Controller access ➝ Enterprise-wide Authentication Failure
  • Compromised dev environment ➝ Software Delivery Disruption
  • Vendor credential reuse ➝ Supply Chain Breakdown

Business Risk Categories

Credential Tags (Examples):

  • Executive Identity ➝ Executive Fraud & Impersonation
  • Identity Manager ➝ Ultimate Privilege Escalation
  • Developer ➝ Software Supply Chain Risk
  • Third-Party ➝ Supply Chain Disruption

Host Tags (Examples):

  • Domain Controller ➝ Authentication Collapse
  • Medical Systems ➝ Patient Care Disruption
  • Mail Server ➝ Reputational Damage (Leaked Comms)
  • Virtualization Infra ➝ Multi-System Shutdown

GenAI Architecture

Model Hosting

  • All LLM calls are made from a container within Horizon3's AWS infrastructure.

Data Flow

Component ➝ Description:

  • Model Hosting ➝ AWS Bedrock (Llama 4 Maverick)
  • Data Sent ➝ Minimal metadata only (usernames, hostnames, graph context)
  • Prompting ➝ Curated prompts analyze attacker context and relationships
  • Output Behavior ➝ Advisory only; the model never executes actions or modifies assets

All data is filtered, minimal, and not used for training.

Prompt Management

  • Custom prompts created by Horizon3.ai.
  • Model outputs are advisory only - no autonomous actions.

How GenAI Is Integrated and Secured

High-Value Targeting (HVT) leverages AWS Bedrock, a fully managed foundation model platform provided by Amazon. Specifically, NodeZero uses the Llama 4 Maverick model to perform semantic reasoning over structured metadata and, depending on the feature, sensitive content.

The architecture is designed for security, explainability, and data isolation:

  • A dedicated container runs inside the NodeZero Kubernetes cluster, adjacent to the Core service.
  • This container is responsible for communicating with AWS Bedrock and for sending data for inference.
  • The data sent consists of usernames, hostnames, and BloodHound-derived relationship metadata, which the model uses to prioritize targets based on attacker-accessible graph context.

Importantly:

  • No data is stored or used for training, by either Horizon3.ai or AWS.
  • AWS Bedrock provides strong data isolation guarantees.
  • The amount and type of data passed to the model is strictly controlled via configuration—ensuring minimal, targeted input for each use case.

For more on AWS foundation models, see: https://aws.amazon.com/what-is/foundation-models/
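The two controls this section and the Data Flow table describe, minimal configuration-driven input and advisory-only output, are the ones a reviewer of any LLM-backed triage step should be able to check. The block below is an added example written for this page, not Horizon3.ai code, and it does not contact AWS: it applies a field allowlist and secret-material guardrail to a constructed finding, builds the keyword dict that boto3's `bedrock-runtime` `converse()` call takes, and validates a constructed model reply against the tag and risk vocabulary from the Business Risk Mappings section, refusing replies that stray from it, omit a rationale, or try to return actions. The model ID is an assumed value to verify against your region's Bedrock model list; the prompt wording is the example's own.

```python
"""Minimal-metadata prompt construction and advisory-only output validation.

Illustrative example, not Horizon3.ai code. Nothing here calls AWS.
"""
import json
import re

MODEL_ID = "meta.llama4-maverick-17b-instruct-v1:0"  # assumed; verify in Bedrock

# Only these keys of a raw finding may reach the model (allowlist minimization).
ALLOWED_FIELDS = {"principal", "host", "relationships"}

# Heuristic guardrails: refuse input that still looks like hashes or secrets.
SECRET_PATTERNS = [
    re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),  # NT hash / MD5-sized hex
    re.compile(r"\$[a-z0-9]+\$[^\s\"]+"),             # modular-crypt-format hashes
    re.compile(r"(?i)\b(password|secret|ntlm|token)\b"),
]

# Vocabulary the model may use, taken from this page's mapping tables.
VALID_TAGS = {
    "Identity Manager", "Developer", "Third Party / Vendor", "Business Executive",
    "Domain Administrator", "IT Department", "Backup Infrastructure",
    "Medical Systems", "Domain Controller", "Operational Technology",
    "Virtualization Infra", "Financial Systems", "Development Environments",
    "Operations & Logistics", "Mail Server",
}
VALID_RISKS = {
    "Executive Fraud & Impersonation", "Software Delivery Disruption",
    "Supply Chain Breakdown", "Operational Disruption", "Critical System Shutdown",
    "Revenue Interruption", "Leak of Sensitive Communications",
}

# Constructed raw finding: what a pentest might hold before minimization.
RAW_FINDINGS = [{
    "principal": "cfo@CORP.LOCAL",
    "host": "WS01.CORP.LOCAL",
    "relationships": ["MemberOf:domain admins@CORP.LOCAL", "HasSession:WS01.CORP.LOCAL"],
    "ntlm_hash": "8846f7eaee8fb117ad06bdd830b7586c",  # constructed; must never reach the model
    "cleartext_password": "Winter2025!",              # constructed; must never reach the model
}]

SYSTEM_PROMPT = (
    "You classify Active Directory principals and hosts for a pentest report. "
    'Respond with JSON only: {"tags": [{"subject", "tag", "risk", "rationale"}]}. '
    "Use only these tags: " + "; ".join(sorted(VALID_TAGS)) + ". "
    "Use only these risks: " + "; ".join(sorted(VALID_RISKS)) + ". "
    "Do not propose, plan or perform any action."
)


def minimize(finding):
    """Keep allowlisted fields only, then refuse anything that still looks secret."""
    kept = {k: v for k, v in finding.items() if k in ALLOWED_FIELDS}
    blob = json.dumps(kept)
    for pattern in SECRET_PATTERNS:
        if pattern.search(blob):
            raise ValueError(f"secret-looking material in model input: {pattern.pattern}")
    return kept


def build_converse_request(findings):
    """Keyword arguments for boto3 bedrock-runtime converse(); built, not sent."""
    payload = [minimize(f) for f in findings]
    return {
        "modelId": MODEL_ID,
        "system": [{"text": SYSTEM_PROMPT}],
        "messages": [{"role": "user", "content": [{"text": json.dumps(payload)}]}],
        "inferenceConfig": {"temperature": 0, "maxTokens": 512},
    }


def parse_advisory_output(model_text):
    """Validate the model's reply; it yields labels for the UI and reports, never actions."""
    try:
        data = json.loads(model_text)
    except json.JSONDecodeError as exc:
        raise ValueError("model output is not JSON") from exc
    if "actions" in data:
        raise ValueError("model returned actions; output must be advisory only")
    tags = []
    for item in data.get("tags", []):
        if any(not isinstance(item.get(k), str) or not item[k].strip()
               for k in ("subject", "tag", "risk", "rationale")):
            raise ValueError(f"incomplete tag (rationale is mandatory): {item}")
        if item["tag"] not in VALID_TAGS or item["risk"] not in VALID_RISKS:
            raise ValueError(f"tag/risk outside documented vocabulary: {item}")
        tags.append({k: item[k] for k in ("subject", "tag", "risk", "rationale")})
    return tags


# Constructed model reply used to exercise the validator offline.
SAMPLE_MODEL_OUTPUT = json.dumps({"tags": [{
    "subject": "cfo@CORP.LOCAL", "tag": "Business Executive",
    "risk": "Executive Fraud & Impersonation",
    "rationale": "Finance-executive username with a live session on WS01 and Domain Admins membership.",
}]})
```

To actually run inference you would pass the dict to `boto3.client("bedrock-runtime").converse(**build_converse_request(findings))` and feed the returned text through `parse_advisory_output`; the useful property is that a reply which names a tag or risk outside the documented set, or that comes back with an "actions" key, is rejected before it can reach a report or any downstream automation.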


Reporting & Explainability

  • Action Logs: Exportable via UI, PDF, or API
  • Executive Summary: Business risks phrased in plain language
  • Context scoring boosts HVT results in dashboards and reports
  • Risk nodes added directly to the attack graph

Business Risk Mappings

NodeZero uses GenAI reasoning to map compromised credentials and hosts to specific Business Risk Categories, providing a shared language for security teams and leadership.

Credential-Based Business Risks

Credential Type ➝ Business Risk: Description

  • Identity Manager ➝ Executive Fraud & Impersonation: Enables attackers to forge tokens, create backdoor accounts, and impersonate users with full legitimacy.
  • Developer ➝ Software Delivery Disruption: Allows injection of malicious code into CI/CD pipelines, affecting downstream customers.
  • Third Party / Vendor ➝ Supply Chain Breakdown: Compromising vendor credentials disrupts dependencies like IT services and logistics.
  • Business Executive ➝ Executive Fraud & Impersonation: Enables fraudulent wire transfers using compromised executive accounts.
  • Domain Administrator ➝ Operational Disruption: Grants control over Active Directory, allowing attackers to lock out all users.
  • IT Department ➝ Operational Disruption: Disabling IT infrastructure halts business operations.

Host-Based Business Risks

Host Type ➝ Business Risk: Description

  • Backup Infrastructure ➝ Operational Disruption: Attackers can destroy recovery paths, amplifying downtime from ransomware or outages.
  • Medical Systems ➝ Operational Disruption: Disrupts patient care and triggers regulatory consequences.
  • Domain Controller ➝ Critical System Shutdown: Enterprise-wide authentication failure from DC compromise.
  • Operational Technology ➝ Critical System Shutdown: Shuts down physical operations like energy and manufacturing.
  • Virtualization Infra ➝ Critical System Shutdown: Disables all workloads dependent on hypervisors or management servers.
  • Financial Systems ➝ Revenue Interruption: Interrupts payroll, billing, and collections.
  • Development Environments ➝ Software Delivery Disruption: Corrupts builds or introduces backdoors into product code.
  • Operations & Logistics ➝ Supply Chain Breakdown: Cascades disruptions across inventory, suppliers, and partners.
  • Mail Server ➝ Leak of Sensitive Communications: Exposes executive, legal, and HR email threads with reputational impact.

FAQs

Q: Which operations support HVT? A: Internal pentests, phishing, and insider threat. Not external-only or cloud tests (yet).

Q: Is it enabled by default? A: Yes - runs automatically in Comprehensive mode.

Q: Does it affect runtime or stability? A: No. Only minimal metadata is sent for inference, the model runs in isolated infrastructure, and its output is advisory, so HVT does not change how the test executes.

Q: Is my data used to train the model? A: No. Your data is used at runtime only, is not retained, and is not used for training by Horizon3.ai or AWS. Inference runs through AWS Bedrock inside Horizon3's AWS environment, as described under GenAI Architecture above.

Q: Does it integrate with ticketing? A: Not yet - planned in future releases.