Research Article

Multistage Attack Graph Security Games: Heuristic Strategies, with Empirical Game-Theoretic Analysis

Figure 2

Bayesian attack graph example. Nodes with incoming edges connected by black curves are -type. The others are -type. For instance, activating -type node requires all exploits from nodes , , and to to be feasible and taken by the attacker. At the current time step, red nodes , , and are active. Other grey and green nodes are inactive. Thus, the attacker’s action can be any subset of green nodes and green exploits. For example, the attacker can directly activate the root nodes and . The attacker can also activate node by taking the feasible exploit . Conversely, the defender can choose any subset of nodes to protect. Suppose the attacker decides to activate node and node (via exploit ) while the defender decides to protect nodes and . Then node remains inactive. Node becomes active with an activation probability associated with exploit .
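The time step described in the caption can be sketched in code. This is an added example, not code from the article: the node ids, edges and probabilities are constructed, the labels "all" and "any" stand in for the two node types, and giving root and "all"-type nodes a per-node activation probability is an assumption.

```python
import random

# Constructed toy graph; ids and probabilities are assumptions, not Figure 2's values.
KIND = {"r1": "all", "r2": "all", "m": "any", "t": "all"}
PARENTS = {"r1": [], "r2": [], "m": ["r1", "r2"], "t": ["r1", "m"]}
NODE_P = {"r1": 1.0, "r2": 0.8, "t": 0.9}          # root and "all"-type nodes (assumed)
EXPLOIT_P = {("r1", "m"): 0.7, ("r2", "m"): 0.5}   # exploits into "any"-type nodes

def feasible(active):
    """Return (nodes, exploits) the attacker may attempt this time step."""
    nodes, exploits = set(), set()
    for n in KIND:
        if n in active:
            continue
        live = [u for u in PARENTS[n] if u in active]
        if KIND[n] == "all" and len(live) == len(PARENTS[n]):
            nodes.add(n)  # roots qualify: they have no parents to wait for
        elif KIND[n] == "any":
            exploits.update((u, n) for u in live)
    return nodes, exploits

def step(active, atk_nodes, atk_exploits, protect, rng=random):
    """One simultaneous move; returns the next set of active nodes."""
    nodes, exploits = feasible(active)
    nxt = set(active)
    # Infeasible choices are dropped; each remaining attempt carries its probability.
    attempts = [(n, NODE_P[n]) for n in sorted(set(atk_nodes) & nodes)]
    attempts += [(v, EXPLOIT_P[(u, v)])
                 for u, v in sorted(set(atk_exploits) & exploits)]
    for target, p in attempts:
        # A protected node stays inactive regardless of the attacker's draw.
        if target not in protect and rng.random() < p:
            nxt.add(target)
    return nxt

if __name__ == "__main__":
    # Attacker tries root r2 and exploit r1->m; defender protects r2.
    print(step({"r1"}, {"r2"}, {("r1", "m")}, protect={"r2"},
               rng=random.Random(0)))
```

The sketch only covers how inactive nodes become active; any effect of protection on nodes that are already active is not modelled.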