Critical infrastructures and safety critical systems increasingly rely on the carefully orchestrated interactions between computers, networks and kinetic elements. The dominant formalisms for modeling such hybrid systems (those with discrete and continuous components) are geared towards simple reactive systems working in isolation. By contrast, modern cyber-physical systems depend on highly interconnected computational components and often function in potentially hostile environments. This paper describes linguistic and type extensions to the stateful attack graph, which models the functional nature of attacks on purely discrete information systems, to include continuous system elements and time evolution. The resulting formalism is called the hybrid attack graph, which captures an integrated view of the vulnerability space between information systems and a restricted but useful set of hybrid systems.