🤖 AI Summary
This work addresses the challenge of automating the discovery of cross-host privilege escalation (PE) and remote exploitation chains in penetration testing—a task traditionally hindered by framework dependency and combinatorial complexity. Methodologically, it introduces a framework-agnostic, AI-driven approach that integrates a CVE knowledge graph with network topology constraints to construct a symbolic vulnerability dependency model; it then applies optimized graph traversal coupled with a lightweight AI inference engine to enable the first global search for multi-hop exploit chains. Evaluated in realistic firewall-constrained environments, the method analyzes a 20-host network in just 0.01 seconds on average, successfully identifying and validating 12 previously unknown feasible exploit chains—including one empirically confirmed via execution. The approach significantly enhances red team operations in efficiency, scalability (supporting networks of 3–200 hosts), and analytical depth, establishing a novel paradigm for automated penetration testing.
📝 Abstract
We present ALFA-Chains, a novel method capable of discovering chains of known Privilege Escalation (PE) and remote exploits in a network. It can assist in penetration testing without being tied to any specific penetration-testing framework. We test ALFA-Chains' ability to find exploit chains in networks ranging from 3 to 200 hosts. It can discover a chain in a 20-host network in as little as 0.01 seconds. More importantly, it is able to discover 12 novel exploit chains in a realistic firewalled network. We demonstrate the execution of one of these chains, proving ALFA-Chains' capability to improve penetration testing.
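The abstract describes the search at a high level only: a symbolic model in which each known exploit either crosses a host boundary (remote) or raises privilege on one host (PE), firewall rules constrain which flows are possible, and a graph search finds multi-hop chains from an attacker foothold to a goal. The block below is an added example written for this page, not ALFA-Chains' code, and it assumes a much simpler model than the paper's: a state is `(host, privilege)`, every vulnerability entry is a constructed placeholder (`REMOTE-EX-1`, `PE-EX-1`, ...) rather than a real CVE, and the four-host network and its three firewall rules are invented. It goes one step beyond the abstract with `critical_controls`, which re-runs the search with each vulnerability or firewall rule removed to show which single patch or rule change breaks every discovered chain, which is the question a defender asks of such a model.

```python
"""Toy global search for multi-hop exploit chains over a symbolic vulnerability
dependency model with firewall constraints.

Added example, not ALFA-Chains code. Hosts, firewall rules and vulnerability
ids below are constructed placeholders, not real CVEs or real systems.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

PRIV_RANK = {"none": 0, "user": 1, "root": 2}
State = Tuple[str, str]        # (host, privilege level held on that host)
Flow = Tuple[str, str, int]    # (src host, dst host, dst port) the firewall permits


class Vuln:
    """One entry of the (constructed) vulnerability knowledge base."""

    def __init__(self, vid, kind, service=None, os=None, needs_priv="user", yields="user"):
        self.vid = vid              # placeholder id; a real model would carry a CVE id
        self.kind = kind            # "remote": crosses hosts; "pe": escalates on one host
        self.service = service      # remote only: vulnerable service on the target host
        self.os = os                # pe only: OS the local exploit applies to
        self.needs_priv = needs_priv  # privilege required where the exploit is launched
        self.yields = yields        # privilege gained on the target host


class Host:
    def __init__(self, name, os, services):
        self.name, self.os, self.services = name, os, services  # services: name -> port


# Constructed network: attacker -> dmz web -> internal app -> internal db.
HOSTS = {
    "attacker": Host("attacker", "linux", {}),
    "web": Host("web", "linux", {"http": 80}),
    "app": Host("app", "linux", {"rpc": 8080}),
    "db": Host("db", "bsd", {"sql": 5432}),
}
# Default-deny firewall: only these (src, dst, port) flows are permitted.
FIREWALL: Set[Flow] = {("attacker", "web", 80), ("web", "app", 8080), ("app", "db", 5432)}
# Constructed vulnerability entries (placeholder ids, not real CVEs).
VULNS = [
    Vuln("REMOTE-EX-1", "remote", service="http", needs_priv="user", yields="user"),
    Vuln("PE-EX-1", "pe", os="linux", needs_priv="user", yields="root"),
    Vuln("REMOTE-EX-2", "remote", service="rpc", needs_priv="root", yields="user"),
    Vuln("REMOTE-EX-3", "remote", service="sql", needs_priv="root", yields="user"),
]


def successors(state, hosts, firewall, vulns):
    """Yield (next_state, vuln id) for every single exploit step possible from `state`."""
    host, priv = state
    for v in vulns:
        if PRIV_RANK[priv] < PRIV_RANK[v.needs_priv]:
            continue  # not enough privilege on the launching host
        if v.kind == "pe":
            if hosts[host].os == v.os and PRIV_RANK[v.yields] > PRIV_RANK[priv]:
                yield (host, v.yields), v.vid
        else:
            for dst, h in hosts.items():
                port = h.services.get(v.service)
                # Topology constraint: the target must run the service and the
                # firewall must permit the flow from the current host to it.
                if dst != host and port is not None and (host, dst, port) in firewall:
                    yield (dst, v.yields), v.vid


def find_chain(start, goal, hosts=HOSTS, firewall=FIREWALL, vulns=VULNS):
    """Breadth-first search for the shortest chain from `start` to a state on the
    goal host with at least the goal privilege. Returns a list of
    (vuln id, from_state, to_state) steps, or None if no chain exists."""
    parent: Dict[State, Optional[Tuple[str, State]]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur[0] == goal[0] and PRIV_RANK[cur[1]] >= PRIV_RANK[goal[1]]:
            chain: List[Tuple[str, State, State]] = []
            while parent[cur] is not None:
                vid, prev = parent[cur]
                chain.append((vid, prev, cur))
                cur = prev
            return chain[::-1]
        for nxt, vid in successors(cur, hosts, firewall, vulns):
            if nxt not in parent:
                parent[nxt] = (vid, cur)
                queue.append(nxt)
    return None


def critical_controls(start, goal, hosts=HOSTS, firewall=FIREWALL, vulns=VULNS):
    """Defender view: which single patch (one vuln removed) or single firewall
    rule removal leaves the goal unreachable by any chain."""
    patches = [v.vid for v in vulns
               if find_chain(start, goal, hosts, firewall, [w for w in vulns if w is not v]) is None]
    rules = sorted(f for f in firewall
                   if find_chain(start, goal, hosts, firewall - {f}, vulns) is None)
    return {"patches": patches, "firewall_rules": rules}


if __name__ == "__main__":
    chain = find_chain(("attacker", "root"), ("db", "user"))
    for vid, src, dst in chain or []:
        print(f"{vid:12s} {src[0]}({src[1]}) -> {dst[0]}({dst[1]})")
    print(critical_controls(("attacker", "root"), ("db", "user")))
```

On this toy network the search returns a five-step chain (remote into `web`, escalate, remote into `app`, escalate, remote into `db`), and because the chain is the only path, every one of the four vulnerability entries and every one of the three firewall rules is a single point at which it can be broken; asking for `root` on `db` returns no chain because no PE entry applies to its OS.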