diff --git a/docs/docs.json b/docs/docs.json
index 6c2fff3ad2..3ec056989f 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -131,6 +131,7 @@
"user-guide/tutorials/prowler-app-lighthouse-multi-llm"
]
},
+ "user-guide/tutorials/prowler-app-attack-paths",
"user-guide/tutorials/prowler-cloud-public-ips",
{
"group": "Tutorials",
diff --git a/docs/images/prowler-app/attack-paths/execute-query.png b/docs/images/prowler-app/attack-paths/execute-query.png
new file mode 100644
index 0000000000..3872f0de2f
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/execute-query.png differ
diff --git a/docs/images/prowler-app/attack-paths/fullscreen-mode.png b/docs/images/prowler-app/attack-paths/fullscreen-mode.png
new file mode 100644
index 0000000000..c5156925ba
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/fullscreen-mode.png differ
diff --git a/docs/images/prowler-app/attack-paths/graph-filtered.png b/docs/images/prowler-app/attack-paths/graph-filtered.png
new file mode 100644
index 0000000000..3ff4822a26
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/graph-filtered.png differ
diff --git a/docs/images/prowler-app/attack-paths/graph-visualization.png b/docs/images/prowler-app/attack-paths/graph-visualization.png
new file mode 100644
index 0000000000..2ea160a6b2
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/graph-visualization.png differ
diff --git a/docs/images/prowler-app/attack-paths/navigation.png b/docs/images/prowler-app/attack-paths/navigation.png
new file mode 100644
index 0000000000..d133c7f6b4
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/navigation.png differ
diff --git a/docs/images/prowler-app/attack-paths/node-details.png b/docs/images/prowler-app/attack-paths/node-details.png
new file mode 100644
index 0000000000..9343eedd7d
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/node-details.png differ
diff --git a/docs/images/prowler-app/attack-paths/query-parameters.png b/docs/images/prowler-app/attack-paths/query-parameters.png
new file mode 100644
index 0000000000..9f44f81838
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/query-parameters.png differ
diff --git a/docs/images/prowler-app/attack-paths/query-selector.png b/docs/images/prowler-app/attack-paths/query-selector.png
new file mode 100644
index 0000000000..d8b7414156
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/query-selector.png differ
diff --git a/docs/images/prowler-app/attack-paths/scan-list-table.png b/docs/images/prowler-app/attack-paths/scan-list-table.png
new file mode 100644
index 0000000000..092b539dd0
Binary files /dev/null and b/docs/images/prowler-app/attack-paths/scan-list-table.png differ
diff --git a/docs/user-guide/tutorials/prowler-app-attack-paths.mdx b/docs/user-guide/tutorials/prowler-app-attack-paths.mdx
new file mode 100644
index 0000000000..41047b8c2c
--- /dev/null
+++ b/docs/user-guide/tutorials/prowler-app-attack-paths.mdx
@@ -0,0 +1,203 @@
+---
+title: "Attack Paths"
+description: "Identify privilege escalation chains and security misconfigurations across cloud environments using graph-based analysis."
+---
+
+import { VersionBadge } from "/snippets/version-badge.mdx"
+
+
+
+Attack Paths analyzes relationships between cloud resources, permissions, and security findings to detect how privileges can be escalated and how misconfigurations can be exploited by threat actors.
+
+By mapping these relationships as a graph, Attack Paths reveals risks that individual security checks cannot detect on their own — such as an IAM role that can escalate its own permissions, or a chain of policies that grants unintended access to sensitive resources.
+
+
+ Attack Paths is currently available for **AWS** providers. Support for
+ additional providers is planned.
+
+
+## Prerequisites
+
+The following prerequisites are required for Attack Paths:
+
+- **An AWS provider is configured** with valid credentials in Prowler App. For setup instructions, see [Getting Started with AWS](/user-guide/providers/aws/getting-started-aws).
+- **At least one scan has completed** on the configured AWS provider. Attack Paths scans run automatically alongside regular security scans — no separate configuration is required.
+
+## How Attack Paths Scans Work
+
+Attack Paths scans are generated automatically when a security scan runs on an AWS provider. Each completed scan produces graph data that maps relationships between IAM principals, policies, trust configurations, and other resources.
+
+Once the scan finishes and the graph data is ready, the scan appears in the Attack Paths scan table with a **Completed** status. Scans that are still processing display as **Executing** or **Scheduled**.
+
+
+ Since Prowler scans all configured providers every **24 hours** by default,
+ Attack Paths data stays up to date automatically.
+
+
+## Accessing Attack Paths
+
+To open Attack Paths, click **Attack Paths** in the left navigation menu.
+
+
+
+The main interface is divided into two areas:
+
+- **Left panel:** A table listing all available Attack Paths scans
+- **Right panel:** The query selector, parameter form, and execute controls
+
+## Selecting a Scan
+
+The scans table displays all Attack Paths scans with the following columns:
+
+- **Provider / Account:** The AWS provider alias and account identifier
+- **Last scan date:** When the scan completed
+- **Status:** Current state of the scan (Completed, Executing, Scheduled, or Failed)
+- **Progress:** Completion percentage for in-progress scans
+- **Duration:** Total scan time
+
+To select a scan for analysis, click **Select** on any row with a **Completed** status.
+
+
+
+
+ Only scans with a **Completed** status and ready graph data can be selected.
+ Scans that are still executing or have failed appear with disabled action
+ buttons.
+
+
+## Choosing a Query
+
+After selecting a scan, the right panel activates a query dropdown. Each query targets a specific type of privilege escalation or misconfiguration pattern.
+
+To choose a query, click the dropdown and select from the available options. Each option displays:
+
+- **Query name:** A descriptive title (e.g., "IAM Privilege Escalation via AssumeRole")
+- **Short description:** A brief summary of what the query detects
+
+
+
+Once selected, a description card appears below the dropdown with additional context about the query, including attribution links to external references when available.
+
+## Configuring Query Parameters
+
+Some queries accept optional or required parameters to narrow the scope of the analysis. When a query has parameters, a dynamic form appears below the query description.
+
+- **Required fields** are marked with an asterisk (\*) and must be filled before executing
+- **Optional fields** refine the query results but are not mandatory
+
+If a query requires no parameters, the form displays a message confirming that the query is ready to execute.
+
+
+
+## Executing a Query
+
+To run the selected query against the scan data, click **Execute Query**. The button displays a loading state while the query processes.
+
+If the query returns no results, an informational message appears. Common reasons include:
+
+- **No matching patterns found:** The scanned environment does not contain the privilege escalation chain the query targets
+- **Insufficient permissions:** The scan credentials may not have captured all the data the query needs
+
+
+
+## Exploring the Graph
+
+After a successful execution, the graph visualization renders below the query builder in a full-width panel. The graph maps relationships between cloud resources, IAM entities, and security findings.
+
+### Node Types
+
+- **Resource nodes** (rounded pills): Represent cloud resources such as IAM roles, policies, EC2 instances, and S3 buckets. Each resource type has a distinct color.
+- **Finding nodes** (hexagons): Represent Prowler security findings linked to resources in the graph. Colors indicate severity level (critical, high, medium, low).
+
+### Edge Types
+
+- **Solid lines:** Direct relationships between resources (e.g., a role attached to a policy)
+- **Dashed lines:** Connections between resources and their associated findings
+
+A **legend** at the bottom of the graph lists all node types and edge types present in the current view.
+
+
+
+## Interacting with the Graph
+
+### Filtering by Node
+
+Click any node in the graph to filter the view and display only paths that pass through that node. When a filter is active:
+
+- An information banner shows which node is selected
+- Click **Back to Full View** to restore the complete graph
+
+
+
+### Graph Controls
+
+The toolbar in the top-right corner of the graph provides:
+
+- **Zoom in / Zoom out:** Adjust the zoom level
+- **Fit to screen:** Reset the view to fit all nodes
+- **Export:** Download the current graph as an SVG file
+- **Fullscreen:** Open the graph in a full-screen modal with a side-by-side node detail panel
+
+
+ Use **Ctrl + Scroll** (or **Cmd + Scroll** on macOS) to zoom directly within
+ the graph area.
+
+
+## Viewing Node Details
+
+Click any node to open the **Node Details** panel below the graph. This panel displays:
+
+- **Node type:** The resource category (e.g., "IAM Role," "EC2 Instance")
+- **Properties:** All attributes of the selected node, including identifiers, timestamps, and configuration details
+- **Related findings** (for resource nodes): A list of Prowler findings linked to the resource, with severity, title, and status
+- **Affected resources** (for finding nodes): A list of resources associated with the finding
+
+For finding nodes, a "View Finding" button links directly to the finding detail page for further investigation.
+
+
+
+## Fullscreen Mode
+
+To expand the graph for detailed exploration, click the fullscreen icon in the graph toolbar. The fullscreen modal provides:
+
+- The full graph visualization with all zoom and export controls
+- A side panel for node details that appears when a node is selected
+- All filtering and interaction capabilities available in the standard view
+
+