Remote (network-based) attack vectors are generally higher priority than local vectors, which require system access the attacker must already have obtained.
What is an attack vector?
An attack vector is a specific technical path or method that an attacker exploits to gain unauthorized access to systems, data, or networks. It represents the entry point or vulnerability chain that enables the threat. Attack vectors range from direct network exploits to social engineering tactics and are classified in vulnerability scoring systems like CVSS to prioritize remediation efforts.
Why it matters
Understanding attack vectors is fundamental to enterprise risk management. By mapping your organization's attack surface and identifying which vectors are actively exploited, you can allocate security resources effectively. In vulnerability management programs, attack vectors determine both severity scores and remediation priority—a remotely exploitable vector requires faster patching than one requiring local access. For CISOs, quantifying available attack vectors against your asset inventory informs incident response readiness and threat modeling.
Key points
Attack vectors include unpatched software, misconfigurations, credential exposure, weak authentication, supply chain compromises, and physical security gaps
CVSS scoring explicitly evaluates attack vector as a metric (AV: Network, Adjacent, Local, Physical) to standardize vulnerability severity across tools
Zero-day vulnerabilities are dangerous not because they're new, but because the attack vector has no patch available yet, leaving it exploitable at scale
Third-party integrations and API endpoints represent emerging attack vectors often missed in traditional perimeter-focused security models
Real-world attack vector scenario
A CISO discovers during a vulnerability assessment that the company's Windows domain controllers accept RDP connections from any IP on the internal network (no network segmentation). An attacker who compromises a developer workstation via phishing can now laterally move to domain controllers. Here, the attack vector is RDP access without network segmentation. The remediation is to restrict RDP to specific administrative subnets and require MFA. This single vector could have given attackers domain-wide access, potentially leading to ransomware deployment across the enterprise.
Common mistakes
- Treating all attack vectors as equally critical: a hardened, segmented cloud API is lower risk than an internet-facing legacy database
- Ignoring local/physical attack vectors in threat modeling: insiders with legitimate access can still exploit misconfigurations to escalate privileges
- Failing to re-assess attack vectors after infrastructure changes: moving workloads to cloud introduces new vectors (IAM misconfigurations, overly permissive security groups)
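The RDP scenario above and the overly permissive security-group mistake are the same failure seen from two angles: a sensitive service reachable from a source range far wider than the administrative subnet that needs it. The following checker is an added example (not code from the page or any vendor tool); the rule format, the admin subnet 10.10.250.0/24 and the sample rules are constructed for illustration. It classifies each rule's source as admin, internal (RFC 1918) or internet and reports the exposed vectors, internet-reachable ones first.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical administrative subnet from which RDP/SSH to servers is permitted.
ADMIN_SUBNETS = [ipaddress.ip_network("10.10.250.0/24")]
# Destination ports whose broad exposure creates a remote-access or lateral-movement vector.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 5985: "WinRM"}
# RFC 1918 ranges: a source fully inside these is "internal", anything else is treated as internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class IngressRule:
    name: str    # firewall rule / security-group entry name
    source: str  # source CIDR the rule permits (IPv4; IPv6 would need v6 admin subnets)
    port: int    # destination TCP port


def classify_cidr(cidr: str) -> str:
    """'admin' if fully inside an admin subnet, 'internal' if fully RFC 1918, else 'internet'."""
    src = ipaddress.ip_network(cidr, strict=False)
    if any(src.subnet_of(net) for net in ADMIN_SUBNETS):
        return "admin"
    if any(src.subnet_of(net) for net in RFC1918):
        return "internal"
    return "internet"


def exposed_vectors(rules):
    """Return the rules that expose a sensitive service beyond the admin subnet, worst first."""
    findings = []
    for rule in rules:
        service = SENSITIVE_PORTS.get(rule.port)
        if service is None:
            continue  # not a remote-access/lateral-movement port, out of scope here
        exposure = classify_cidr(rule.source)
        if exposure == "admin":
            continue  # scoped to the administrative subnet: intended access path
        findings.append({
            "rule": rule.name,
            "service": service,
            "source": rule.source,
            "exposure": exposure,
            "remediation": f"restrict {service} on {rule.name} to {', '.join(map(str, ADMIN_SUBNETS))} and require MFA",
        })
    # internet-reachable vectors outrank internal-only ones
    rank = {"internet": 2, "internal": 1}
    return sorted(findings, key=lambda f: rank[f["exposure"]], reverse=True)


# Constructed sample rule set: the domain-controller RDP rule from the scenario, its
# correctly scoped counterpart, a world-open SSH rule and a harmless HTTPS rule.
SAMPLE_RULES = [
    IngressRule("dc01-rdp-any-internal", "10.0.0.0/8", 3389),
    IngressRule("dc01-rdp-admin", "10.10.250.0/24", 3389),
    IngressRule("legacy-db-ssh-world", "0.0.0.0/0", 22),
    IngressRule("web-https", "0.0.0.0/0", 443),
]

if __name__ == "__main__":
    for finding in exposed_vectors(SAMPLE_RULES):
        print(f"[{finding['exposure']}] {finding['service']} via {finding['rule']} from {finding['source']}")
        print(f"    -> {finding['remediation']}")
```

The admin-scoped RDP rule produces no finding, the "any internal" rule is reported as an internal lateral-movement vector, and the world-open SSH rule is reported first as an internet-facing vector; re-running the check after infrastructure changes is the cheap way to catch newly introduced exposures.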
Frequently asked questions
What is the difference between an attack vector and an attack surface?
Attack surface is the total collection of entry points exposed by your systems (all APIs, ports, users, devices). Attack vector is a specific technical path through that surface. For example, your attack surface might include 500 public cloud APIs; an attack vector is the specific misconfiguration in one API that allows authentication bypass.
How does CVSS scoring use attack vector metrics?
CVSS v3.1 includes 'Attack Vector' as a base metric scored as Network (remotely exploitable), Adjacent (requires network proximity), Local (requires system access), or Physical (requires physical access). AV:Network carries the highest weight in the exploitability sub-score, so it raises the base score and makes the vulnerability a higher priority for patching because the barrier to exploitation is lower.
Should we prioritize patching based on attack vector alone?
No. Prioritize using attack vector combined with exploitability, asset criticality, and business context. A low-CVSS vector in your domain controller (critical asset) may warrant faster patching than a high-CVSS vector in a development sandbox. This is why organizations adopt risk scoring frameworks layered on top of CVSS.
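As an added illustration of layering business context on top of CVSS (this is not code from the page, and the weights are a hypothetical model rather than any published framework), the block below ranks two constructed findings: a moderate, locally exploitable bug on a domain controller that is being exploited in the wild, and a critical network-exploitable bug in a throwaway development sandbox.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss_base: float        # CVSS v3.1 base score, 0.0 to 10.0
    attack_vector: str      # CVSS AV value: N, A, L or P
    asset_criticality: int  # 1 (disposable sandbox) .. 5 (tier-0 identity system)
    internet_facing: bool
    exploited_in_wild: bool  # e.g. present in a known-exploited-vulnerabilities catalogue


# Hypothetical multipliers: reachability, asset value, exposure and real-world exploitation.
AV_WEIGHT = {"N": 1.0, "A": 0.8, "L": 0.6, "P": 0.4}


def risk_score(f: Finding) -> float:
    """Ordering key only (not capped at 10): CVSS scaled by the context the page lists."""
    score = f.cvss_base * AV_WEIGHT[f.attack_vector]
    score *= 0.5 + 0.25 * f.asset_criticality  # criticality 1 -> x0.75, 5 -> x1.75
    if f.internet_facing:
        score *= 1.25
    if f.exploited_in_wild:
        score *= 1.5  # evidence of active exploitation outweighs a theoretical high score
    return round(score, 1)


def prioritise(findings):
    """Highest risk first; ties fall back to raw CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss_base), reverse=True)


# Constructed findings mirroring the page's domain-controller versus sandbox comparison.
SAMPLE_FINDINGS = [
    Finding("F-1", "dev-sandbox-07", 9.8, "N", 1, True, False),
    Finding("F-2", "dc01 (domain controller)", 6.7, "L", 5, False, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.finding_id}  CVSS {f.cvss_base} AV:{f.attack_vector}  {f.asset}")
```

With these weights the domain-controller finding (CVSS 6.7) ranks above the sandbox finding (CVSS 9.8) only because it is both on a tier-0 asset and actively exploited; drop the exploited-in-wild flag and the order flips, which is the point: attack vector and base score are inputs to prioritisation, not the answer.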
How do zero-trust architectures reduce attack vectors?
Zero-trust doesn't eliminate vectors; it reduces their exploitability by enforcing continuous authentication, strict segmentation, and least-privilege access regardless of network location. This shrinks the effective attack surface—a compromised workstation can no longer freely access cloud resources just because it's 'inside' the network.