Status DataClose notification

What Is an Attack Vector?

TL;DR: An attack vector is the specific path or method an attacker uses to gain unauthorized access to a system, network, or application. It's how an attack is delivered — phishing emails, unpatched software, stolen credentials, malicious APIs — as opposed to where the exposure exists. Understanding which vectors are available to an attacker is fundamental to knowing what to defend, in what order.

Types of Attack Vectors and Examples

Attack vectors are broadly grouped by the layer they target and the access they require. The most common categories in practice:

Network-based vectors: Exploiting weaknesses in network protocols, services, or infrastructure — open ports, unencrypted traffic, misconfigured firewalls, or vulnerable network services like SMB. Network-based attacks don't require physical access or user interaction, making them particularly dangerous at scale. The EternalBlue exploit behind WannaCry is a well-known example of a network-based attack vector.

Phishing and social engineering: Manipulating people rather than systems — malicious email links, spoofed login pages, pretexting calls, or SMS-based smishing. Phishing remains one of the most consistently successful attack vectors because it bypasses technical defenses by targeting human behavior directly.

Credential-based vectors: Using stolen, leaked, guessed, or reused credentials to authenticate as a legitimate user. Credential stuffing — running leaked username/password pairs against login endpoints at scale — falls into this category. Weak or default credentials on exposed admin interfaces are another persistent entry point.

Software vulnerabilities: Unpatched software, outdated dependencies, and known CVEs in applications or operating systems that haven't been remediated. This is the vector that automated scanning tools are most effective at detecting, and the one script kiddies most frequently exploit using off-the-shelf tools.

Supply chain vectors: Compromising a third-party vendor, software dependency, or update mechanism to reach a target indirectly. The SolarWinds attack is the defining example — attackers inserted malicious code into a legitimate software update that was then distributed to thousands of organizations.

Insider threats: Employees, contractors, or partners with legitimate access who intentionally or accidentally expose systems. Insider vectors are particularly difficult to detect because the access itself appears authorized.

Physical vectors: Direct physical access to hardware — USB drops, device theft, shoulder surfing, or bypassing physical security controls to reach servers or networking equipment.

How an Attack Vector Works

An attack vector works by giving an attacker a mechanism to interact with a target system in a way it wasn't intended to be used. In practice, that usually involves three phases: gaining initial access through the vector, establishing a foothold (persistence or privilege escalation), and then pursuing the actual objective — data exfiltration, lateral movement, ransomware deployment, or disruption.

The vector itself is typically just the entry point. What happens after depends on what's reachable from there, which is why access controls, network segmentation, and least privilege all matter even once an initial vector has been closed.

Attack Vector vs. Attack Surface

These two terms describe related but distinct concepts, and the distinction matters for how you act on each.

An attack surface is the total set of potential entry points available to an attacker — the full inventory of exposure across an organization's systems, applications, and people. An attack vector is the specific method used to exploit one of those points.

The relationship is directional: your attack surface defines what vectors are available to an attacker. Reducing your attack surface — removing unused services, patching known CVEs, disabling unnecessary access — eliminates entire categories of vectors before any one of them can be used.

Attack Vector vs. Threat Vector

The two terms are often used interchangeably, and in practice they frequently mean the same thing. Where a distinction is drawn — usually in formal frameworks — a threat vector refers to the source or type of threat (a nation-state actor, an insider, a malware campaign), while an attack vector refers specifically to the technical or procedural method used to execute the attack. In day-to-day security work, the difference rarely matters, but it's worth knowing when reading formal threat intelligence documentation.

Conclusion

An attack vector is how an attack gets in, which is why understanding the vectors available to an attacker against your specific environment is more actionable than generic threat awareness. The most useful question isn't "what attack vectors exist" in the abstract, but "which ones are currently viable against our infrastructure, and which are we prioritizing?" That's the question a vulnerability assessment, penetration test, or active bug bounty program is designed to answer concretely.