Attack-path overlay — which obligation did the step blow through?
Wiz / Tenable / XM Cyber show an attack path. This page renders, for a CISA-advisory-sourced path on a given sector, the full chain per step. The differentiator: every step pins to the regulatory clock it broke (when one exists). The Black Basta path on Healthcare or Retail renders the typed CISA BOD 22-01 / KEV obligation diamond on step 2 — not as narrative, as data with a source pin.
House Rule 1
Every rendered claim pins to a primary source. Trust Failures without an
in-scope hardening control surface as uncovered — not as silence. The
obligation diamond cites a real framework + provision id; if no
regulatory clock applies, the slot renders empty rather than fabricating.