Hard2bit

Attack vector

What is an attack vector

An attack vector is a specific technical path or method that an attacker exploits to gain unauthorized access to systems, data, or networks. It represents the entry point or vulnerability chain that enables the threat. Attack vectors range from direct network exploits to social engineering tactics and are classified in vulnerability scoring systems like CVSS to prioritize remediation efforts.

Why it matters

Understanding attack vectors is fundamental to enterprise risk management. By mapping your organization's attack surface and identifying which vectors are actively exploited, you can allocate security resources effectively. In vulnerability management programs, attack vectors determine both severity scores and remediation priority—a remotely exploitable vector requires faster patching than one requiring local access. For CISOs, quantifying available attack vectors against your asset inventory informs incident response readiness and threat modeling.

Key points

Remote network-based vectors are generally higher priority than local vectors that already require system access.

Attack vectors include unpatched software, misconfigurations, credential exposure, weak authentication, supply chain compromises and physical security gaps.

CVSS scoring explicitly evaluates attack vector as a metric (AV: Network, Adjacent, Local, Physical) to standardise vulnerability severity across tools.

Zero-day vulnerabilities are dangerous not because they are new, but because the vector remains unpatched and broadly exploitable.

Third-party integrations and API endpoints are emerging vectors often missed in traditional perimeter-focused models.

Supply chain vectors deserve first-class attention: providers with privileged access, third-party libraries without a clear SBOM and software updates compromised at source.

Real-world attack vector scenario

During a vulnerability assessment, a CISO discovers that the company's Windows domain controllers accept RDP connections from any IP on the internal network (no network segmentation). An attacker who compromises a developer workstation via phishing can now laterally move to domain controllers. The attack vector is not the phishing itself—it is RDP access without segmentation.

The remediation is straightforward: restrict RDP to specific administrative subnets, enforce MFA and gate elevated access through a PAM workflow. Left open, this single vector could have handed attackers domain-wide control and set the stage for enterprise-wide ransomware—a reminder that most painful incidents do not come from exotic zero-days but from unglamorous control gaps that were never closed.
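The scenario above is a control gap that can be found by inspection rather than by exploitation. The following added example (not part of the original glossary) checks a constructed host inventory for RDP rules on domain controllers whose source range is wider than the assumed administrative subnet, which is the condition the remediation is meant to close.

```python
import ipaddress

# Constructed sample data, not taken from any real environment. The admin
# subnet is an assumption standing in for the PAM / jump-host range.
ADMIN_SUBNETS = [ipaddress.ip_network("10.10.250.0/24")]
HOSTS = [
    {"name": "dc01", "role": "domain-controller",
     "inbound": [{"port": 3389, "src": "10.0.0.0/8"},      # RDP from the whole LAN
                 {"port": 636, "src": "10.0.0.0/8"}]},     # LDAPS, not in scope here
    {"name": "dc02", "role": "domain-controller",
     "inbound": [{"port": 3389, "src": "10.10.250.0/24"}]},  # RDP from admin subnet only
    {"name": "dc03", "role": "domain-controller",
     "inbound": [{"port": 3389, "src": "any"}]},           # RDP from anywhere
    {"name": "dev-ws-17", "role": "workstation",
     "inbound": [{"port": 3389, "src": "10.20.0.0/16"}]},  # not a DC, not reported
]


def source_is_admin_only(src, admin_subnets):
    """True if the rule's source range lies entirely inside an admin subnet."""
    if src.lower() in ("any", "*"):
        return False  # an unrestricted source can never be admin-only
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in admin_subnets)


def find_exposed_rdp(hosts, admin_subnets, roles=("domain-controller",), port=3389):
    """Return (host, source) pairs where a host in the given roles accepts RDP
    from a source range broader than the administrative subnets."""
    findings = []
    for host in hosts:
        if host["role"] not in roles:
            continue
        for rule in host["inbound"]:
            if rule["port"] == port and not source_is_admin_only(rule["src"], admin_subnets):
                findings.append((host["name"], rule["src"]))
    return findings


if __name__ == "__main__":
    for name, src in find_exposed_rdp(HOSTS, ADMIN_SUBNETS):
        print(f"{name}: RDP reachable from {src}, restrict to admin subnets")
```

The same check applies to any "admin-only" service (WinRM, SSH on jump hosts) by changing the port and role arguments.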

Common mistakes

  • Treating all vectors as equally critical: a hardened, segmented cloud API is lower risk than an internet-facing legacy database with default credentials.
  • Ignoring local and physical vectors in threat modelling: insiders with legitimate access can still exploit misconfigurations to escalate privilege.
  • Failing to re-assess vectors after infrastructure changes: moving workloads to cloud introduces new ones (IAM misconfigurations, overly permissive security groups, long-lived service keys).
  • Looking only outward. Many incidents start with an internal vector: a forgotten contractor account, an outdated legacy service reachable only via VPN, an unpatched NAS.
  • Treating mapping as a one-off exercise. The attack surface changes every time a service is deployed, a supplier onboarded or a cloud environment added; without cadence, the inventory drifts fast.

Frequently asked questions

What is the difference between an attack vector and an attack surface?

The attack surface is the total collection of entry points exposed by your systems (all APIs, ports, users, devices). An attack vector is a specific technical path through that surface. For example, your attack surface might include 500 public cloud APIs; an attack vector is the specific misconfiguration in one API that allows authentication bypass.

How does CVSS scoring use attack vector metrics?

CVSS v3.1 includes 'Attack Vector' as a base metric scored as Network (remotely exploitable), Adjacent (requires network proximity), Local (requires system access), or Physical (requires physical access). A vulnerability with AV:Network carries the highest Attack Vector weight in the exploitability sub-score, which raises its base score and makes it higher priority for patching because the barrier to exploitation is lower.

Should we prioritize patching based on attack vector alone?

No. Prioritize using attack vector combined with exploitability, asset criticality, and business context. A low-CVSS vector in your domain controller (critical asset) may warrant faster patching than a high-CVSS vector in a development sandbox. This is why organizations adopt risk scoring frameworks layered on top of CVSS.

How do zero-trust architectures reduce attack vectors?

Zero-trust doesn't eliminate vectors; it reduces their exploitability by enforcing continuous authentication, strict segmentation, and least-privilege access regardless of network location. This shrinks the effective attack surface—a compromised workstation can no longer freely access cloud resources just because it's 'inside' the network.