Tags: concept, Security, Architecture, Software Engineering

Attack Vector

An attack vector denotes the specific path or entry point an adversary uses to compromise a system. The concept is used to classify threats and to prioritize defensive measures.

An attack vector is a concrete mechanism or path by which an attacker achieves access, data exfiltration, or unauthorized actions.
Established
Medium

Classification

  • Medium
  • Technical
  • Architectural
  • Intermediate

Technical context

  • CI/CD pipelines for automated security checks
  • SIEM systems for detection of exploit-related activity
  • Asset management tools for inventorying

Principles & goals

  • Identify and prioritize attack vectors early
  • Align defense-in-depth layers to the prioritized vectors
  • Continuously review and adapt as threats evolve
Discovery
Enterprise, Domain, Team

Use cases & scenarios

Compromises

  • Focusing only on known vectors may leave zero-day attacks undetected
  • Lack of DevOps integration delays mitigation rollout
  • Excessive defense complexity can impair operational reliability

Recommended practices

  • Hold regular threat modeling workshops with stakeholders
  • Complement automated scans with manual tests
  • Enforce least privilege and network segmentation consistently

I/O & resources

Inputs

  • System architecture and network diagrams
  • Access and permission lists
  • Logs of past security incidents

Outputs

  • Catalog of prioritized attack vectors
  • Actionable mitigations with assigned ownership
  • Test cases for security testing

Description

An attack vector is a concrete mechanism or path by which an attacker achieves access, data exfiltration, or unauthorized actions. The concept enables systematic threat analysis, risk assessment, and prioritization of countermeasures across architecture, processes, and implementation. It is central to threat modeling and security decision making.

Benefits

  • Targeted risk and resource allocation for security measures
  • Improved effectiveness of security testing and penetration tests
  • Better understanding of dependencies and entry points

Limitations

  • Cannot fully cover dynamic or unknown vectors
  • Requires high-quality input data and inventories
  • Prioritization remains subjective without measurable criteria

Metrics

  • Number of identified vectors

    Counts all documented attack vectors for a system. It is meaningful as a coverage indicator only when compared against the inventoried attack surface; a raw count rewards volume rather than completeness.

  • Mean Time to Mitigate

    Average time from identification of a vector to implementation of its mitigation.

  • Residual risk after controls

    Quantitative or qualitative assessment of the risk that remains once controls are in place.

Phishing as an attack vector

Users are lured by crafted emails into disclosing credentials, which then enable lateral movement in the network.

Exposed SSH port

An internet-exposed, misconfigured SSH service (for example with password authentication enabled) allows brute-force attacks and unauthorized access.

Supply chain trojan

A tampered third-party library or build dependency carries attacker-controlled code into production systems.
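The exposed-SSH scenario above is the kind of vector a SIEM rule (see Technical context) would watch for. The following is an added example, not code from this page or from any product it mentions: a small detector that parses OpenSSH authentication log lines, flags a source address once it accumulates a burst of failed logins inside a sliding time window, and escalates the finding when a successful login from the same address follows the burst. The log lines, host name, addresses and the assumed log year are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (invented for this example;
# not taken from any real host). One source runs a password-guessing burst that
# ends in a successful root login; a second source is a normal user who mistypes
# a password once and later authenticates with a key.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  3 10:15:02 bastion sshd[2233]: Failed password for root from 198.51.100.23 port 51014 ssh2
Mar  3 10:15:03 bastion sshd[2235]: Failed password for root from 198.51.100.23 port 51016 ssh2
Mar  3 10:15:04 bastion sshd[2237]: Failed password for invalid user test from 198.51.100.23 port 51018 ssh2
Mar  3 10:15:05 bastion sshd[2239]: Failed password for root from 198.51.100.23 port 51020 ssh2
Mar  3 10:15:09 bastion sshd[2241]: Accepted password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:20:00 bastion sshd[2250]: Failed password for alice from 203.0.113.7 port 40002 ssh2
Mar  3 10:45:00 bastion sshd[2260]: Accepted publickey for alice from 203.0.113.7 port 40010 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines
# that OpenSSH writes; other sshd messages (disconnects etc.) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None if it is not a login event.
    Syslog timestamps carry no year, so one is supplied (an assumption of this example)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag a source IP once it accumulates `threshold` failed logins inside a
    sliding window of `window_seconds`; escalate the finding to "high" if that
    IP subsequently logs in successfully (guessing burst followed by success)."""
    recent_failures = defaultdict(deque)   # ip -> (timestamp, user) of failures in window
    findings = {}                          # ip -> finding dict
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = recent_failures[ip]
            window.append((ts, ev["user"]))
            # Drop failures that have fallen out of the sliding window.
            while window and (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if ip in findings:
                findings[ip]["failures"] += 1
                findings[ip]["users"].add(ev["user"])
            elif len(window) >= threshold:
                findings[ip] = {"ip": ip, "severity": "medium",
                                "failures": len(window), "first_seen": window[0][0],
                                "users": {u for _, u in window}, "success": None}
        elif ip in findings and findings[ip]["success"] is None:
            # A successful login from an address already in a burst: likely compromise.
            findings[ip]["severity"] = "high"
            findings[ip]["success"] = (ts, ev["user"], ev["method"])
    out = []
    for f in findings.values():
        f["users"] = sorted(f["users"])
        out.append(f)
    return sorted(out, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

The threshold and window are deliberately small so the constructed sample triggers; on a real host they are tuned against the baseline of legitimate failures, and the success-after-burst escalation is the part worth alerting on, since a burst alone is background noise on any exposed port 22.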

1. Inventory attack surfaces and interfaces
2. Categorize and prioritize by exploit likelihood and impact
3. Define and implement targeted mitigations
4. Integrate into testing and deployment pipelines
5. Establish continuous monitoring and review cycles
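Steps 1 to 3 above, together with the Mean Time to Mitigate and residual-risk metrics from the Description, are illustrated by the following added example. It is not code from this page or from any tool the page refers to. It models an inventory of attack vectors with their entry points (step 1), scores and ranks them by exploit likelihood and impact before and after controls (step 2), and emits the prioritized catalog with mitigation owners (step 3). The 1 to 5 scoring scales, the multiplicative model for control effectiveness, and every name, date, owner and effectiveness value are assumptions made for the example; the three vectors are the ones named on this page.

```python
from dataclasses import dataclass, field
from datetime import date
from math import prod
from typing import List, Optional


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of the vector's risk this control removes (0..1)


@dataclass
class AttackVector:
    name: str
    entry_point: str      # the interface or surface found in step 1
    likelihood: int       # exploit likelihood, 1 (rare) .. 5 (expected)
    impact: int           # 1 (negligible) .. 5 (critical)
    owner: str            # who is accountable for the mitigation
    controls: List[Control] = field(default_factory=list)
    identified: Optional[date] = None
    mitigated: Optional[date] = None

    def inherent_risk(self) -> int:
        """Risk before controls: likelihood x impact on a 1..25 scale."""
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        """Risk after controls. Controls are modelled as independent, each removing
        its share of whatever risk the previous ones left (a deliberate simplification)."""
        return self.inherent_risk() * prod(1 - c.effectiveness for c in self.controls)


def prioritize(vectors: List[AttackVector]) -> List[AttackVector]:
    """Step 2: rank by residual risk, ties broken by inherent risk, highest first."""
    return sorted(vectors, key=lambda v: (v.residual_risk(), v.inherent_risk()), reverse=True)


def mean_time_to_mitigate(vectors: List[AttackVector]) -> Optional[float]:
    """Mean Time to Mitigate in days over vectors with both dates; None if there are none."""
    durations = [(v.mitigated - v.identified).days
                 for v in vectors if v.identified and v.mitigated]
    return sum(durations) / len(durations) if durations else None


def catalog_report(vectors: List[AttackVector]) -> List[dict]:
    """Step 3 output: the prioritized catalog with owner, scores and status."""
    return [{"name": v.name, "entry_point": v.entry_point, "owner": v.owner,
             "inherent": v.inherent_risk(), "residual": round(v.residual_risk(), 2),
             "status": "mitigated" if v.mitigated else "open"}
            for v in prioritize(vectors)]


def build_inventory() -> List[AttackVector]:
    """Constructed inventory of the three vectors named on this page; all scores,
    dates, owners and effectiveness values are assumptions for illustration."""
    return [
        AttackVector("Phishing", "corporate e-mail", likelihood=5, impact=4,
                     owner="IT security",
                     controls=[Control("phishing-resistant MFA", 0.8),
                               Control("awareness training", 0.3)],
                     identified=date(2024, 1, 10), mitigated=date(2024, 2, 9)),
        AttackVector("Exposed SSH port", "tcp/22 on bastion host", likelihood=4, impact=5,
                     owner="platform team",
                     controls=[Control("key-only authentication", 0.9),
                               Control("source IP allow-list", 0.5)],
                     identified=date(2024, 1, 15), mitigated=date(2024, 1, 25)),
        AttackVector("Supply chain trojan", "third-party build dependency",
                     likelihood=2, impact=5, owner="build engineering",
                     identified=date(2024, 2, 1)),   # no controls yet: still open
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    for row in catalog_report(inventory):
        print(row)
    print("mean time to mitigate (days):", mean_time_to_mitigate(inventory))
```

Ranking by residual rather than inherent risk is what puts the unmitigated, lower-likelihood supply chain vector above the two high-likelihood vectors that already have controls; that is the ordering a team needs when deciding where the next mitigation effort goes, and it is the opposite of prioritizing by effort.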

⚠️ Technical debt & bottlenecks

Technical debt

  • Unpatched libraries and outdated protocols
  • Monolithic interfaces without isolation mechanisms
  • Missing automation for security checks

Bottlenecks

  • Lack of inventory
  • Incomplete permission models
  • Insufficient automation

Pitfalls

  • Relying solely on automated scanners without review
  • Ignoring physical and organizational vectors
  • Prioritizing by effort instead of risk impact
  • Underestimating internal vectors via privileged users
  • Stale inventories lead to blind spots
  • Overreliance on perimeter security

Prerequisites

  • Fundamentals of IT security and networking
  • Threat modeling and risk analysis
  • Knowledge of hardening and mitigation measures

Related principles

  • Minimize attack surface
  • Segmentation and least privilege
  • Observability and forensics

Constraints

  • Limited access to operational data
  • Legacy systems without modern security features
  • Regulatory requirements for third-party software