An attack path is the sequence of weaknesses, opportunities, or trust relationships an attacker could combine to reach a target.
An attack path is the sequence of weaknesses, opportunities, or trust relationships an attacker could combine to reach a target. In plain language, it is the route from an initial foothold to a more valuable outcome, such as privileged access, sensitive data, or service disruption.
Attack path matters because serious security problems often come from combinations of issues rather than from one isolated flaw. A weak password, an overly broad network trust relationship, and an overprivileged service account may not each look catastrophic on their own, but together they can create a path to critical systems.
It also matters because attack-path thinking helps defenders prioritize. Instead of only listing standalone vulnerabilities, teams can ask which combinations most plausibly lead to important assets or broad organizational harm.
Attack path appears in Threat Modeling, identity review, cloud architecture, segmentation design, and Attack Surface analysis. Teams connect it to Attack Vector, Defense in Depth, Blast Radius, and Crown Jewels because the value of path analysis depends on where the path might lead.
Security teams use attack-path thinking to see how separate controls work together and where a layered defense is thin.
An attacker first obtains access to a low-privilege user account, uses that access to reach an internal application with weak authorization, discovers an exposed service account secret, and then uses that service account to reach a more privileged administrative system. That sequence is an attack path.
Attack path is not the same as Attack Vector. The vector is the entry method. The path is the broader sequence of steps or relationships that can lead from entry to impact.
It is also different from Attack Surface. Attack surface is the set of exposed points and opportunities. Attack path focuses on how those exposures can be linked together.