Glossary · Security testing

What is Attack Path?

Also known as: Attack Chain, Kill Chain Path, Attack Route

An attack path is the chain of steps an attacker takes, from an initial foothold through exploitation and pivoting, to reach a high-value target. It combines privilege escalation and lateral movement to show real blast radius, revealing not just isolated weaknesses but how they connect into a route to crown-jewel assets.

Key takeaways

  • An attack path is the connected chain of steps from initial foothold to a high-value target.
  • It typically combines privilege escalation and lateral movement across multiple assets.
  • Thinking in paths reveals real blast radius, not just isolated vulnerabilities.
  • Cutting one choke point can break many paths at once, focusing remediation effort.

What is an attack path?

An attack path is the sequence of steps that carries an attacker from an initial foothold to a target that matters, such as a database of customer records or a domain administrator account. Each step relies on the one before it: a foothold enables an escalation, which enables a pivot, which enables access to the next system.

This matters because individual vulnerabilities are often rated in isolation, but attackers think in chains. A medium-severity misconfiguration can be the critical link that connects a foothold to a crown-jewel asset, and only a path-based view exposes that.

How attack paths are built: escalation and lateral movement

Two movements dominate almost every path. Privilege escalation gains higher access than the attacker started with, and lateral movement pivots from one compromised system to another. Together they turn a single foothold into broad reach.

Mapping these paths is the core of internal attack surface management, which models internal assets, identities, and permissions as a graph and computes the routes through it. The output is a concrete view of how an attacker would actually traverse the environment.

  • Initial foothold (the entry point)
  • Privilege escalation to gain higher access
  • Lateral movement to pivot between assets
  • Reaching the high-value or crown-jewel target

Why attack paths drive smarter remediation and evidence

Because a path is a chain, breaking any single link disrupts it. This lets teams focus on choke points, the steps that many paths share, rather than trying to fix every individual vulnerability with equal priority. Severing one well-chosen link can neutralize numerous routes at once.

Demonstrating that no viable path reaches sensitive data is strong evidence that segmentation, least privilege, and zero trust controls are working as intended, and that blast radius is genuinely contained.

Frequently asked questions

Why look at attack paths instead of individual vulnerabilities?
Attackers chain weaknesses together, so a low-severity flaw can be the critical link in a route to sensitive data. A path-based view shows real blast radius and reveals which issues actually matter in context.
What is a choke point in an attack path?
A choke point is a step that many attack paths share. Because breaking any link breaks the chain, fixing one choke point can neutralize numerous paths at once, making remediation far more efficient.
How do tools discover attack paths?
Internal attack surface management tools model assets, identities, and permissions as a graph, then compute the routes through it from foothold to high-value targets, surfacing the viable chains an attacker could follow.

Authoritative sources

← Back to the glossary