Skip to main content
Application Security Standards
Category: Threat Modeling

Attack Vector

Also known as: threat vector
Simply put

An attack vector is the method or pathway that an attacker uses to gain unauthorized access to a system, network, or application. Common examples include social engineering, stolen credentials, and exploiting software vulnerabilities. Understanding attack vectors helps organizations identify where they are most exposed to threats and prioritize their defenses accordingly.

Formal definition

An attack vector refers to the specific pathway, technique, or combination of techniques a threat actor employs to gain unauthorized access to a target system, network, application, endpoint, or cloud environment, typically by exploiting one or more vulnerabilities. Attack vectors may operate at different layers of the technology stack and can be categorized by their point of entry, such as network-based, application-based, or human-targeted (social engineering). In the Common Vulnerability Scoring System (CVSS), 'Attack Vector' is a categorical base metric that classifies the context required for exploitation into discrete values (Network, Adjacent, Local, Physical), rather than representing a numeric score on its own. Identifying and cataloging relevant attack vectors is a foundational step in threat modeling, penetration testing, and risk assessment workflows.

Why it matters

Understanding attack vectors is essential because they represent the concrete pathways through which organizations are breached. Without a clear picture of these pathways, security teams risk spreading resources too thin or focusing on low-probability threats while leaving high-exposure entry points undefended. By systematically identifying and cataloging attack vectors relevant to their environment, organizations can move from reactive incident response to proactive risk reduction, prioritizing controls where they will have the greatest impact on reducing real-world exposure.

Attack vectors are not static; they evolve as technology stacks change and as threat actors develop new techniques. For example, the proliferation of cloud environments and APIs has introduced application-based attack vectors that did not exist in traditional on-premises architectures, while social engineering vectors like phishing continue to be refined. Organizations that fail to revisit their attack vector landscape regularly may find that their defenses are optimized for yesterday's threats rather than today's. This makes ongoing attack vector analysis a core activity in threat modeling, penetration testing, and risk assessment workflows.

Frameworks like CVSS formalize the concept of attack vectors by classifying the context required for exploitation. In CVSS, the Attack Vector metric is a categorical value (Network, Adjacent, Local, or Physical) that describes the proximity a threat actor needs to exploit a vulnerability. This classification directly influences how organizations assess and prioritize vulnerabilities during remediation, making the concept operationally significant well beyond theoretical threat modeling.

Who it's relevant to

Application Security Engineers
Application security engineers use attack vector analysis to identify how adversaries might exploit vulnerabilities in the applications they protect. By understanding whether threats originate from network exposure, user input handling, or third-party dependencies, they can prioritize code reviews, security testing, and architectural mitigations at the most impactful points.
Threat Modelers and Risk Analysts
For practitioners building threat models, attack vectors are a foundational element. Cataloging and categorizing vectors by entry point and technique allows risk analysts to systematically evaluate which pathways pose the greatest organizational risk and to recommend proportionate controls.
Penetration Testers and Red Teams
Penetration testers simulate real-world attack vectors to evaluate an organization's defenses. Understanding the full spectrum of vectors, from social engineering to network exploitation to application-layer attacks, enables testers to design realistic engagement scenarios and identify gaps that automated tools may miss.
Security Leaders and CISOs
Security leaders need a clear understanding of the attack vectors most relevant to their organization in order to make informed decisions about resource allocation, control investments, and risk acceptance. Attack vector analysis feeds directly into strategic planning and board-level risk communication.
Cloud and Infrastructure Security Teams
Teams responsible for cloud and infrastructure security must account for attack vectors specific to their environments, such as misconfigured cloud services, exposed APIs, and lateral movement within cloud networks. Understanding these vectors helps them design secure architectures and implement effective monitoring.

Inside Attack Vector

Network (N)
The vulnerability is exploitable remotely through the network stack, such as via the internet or a LAN, without requiring any special proximity or local access to the target system.
Adjacent (A)
Exploitation requires the attacker to have access to a shared physical or logical network segment, such as Bluetooth, Wi-Fi, or a local subnet, but not full remote network reachability.
Local (L)
Exploitation requires the attacker to have local access to the target system, typically through a local session, a shell, or by enticing a user to open a malicious file.
Physical (P)
Exploitation requires the attacker to have physical access to the target device or hardware, such as plugging in a malicious USB device or directly interacting with the physical machine.
CVSS Base Metric Role
Attack Vector is one of the categorical metrics in the CVSS Base Score group. It characterizes the context required for exploitation, which in turn influences the overall computed severity score.
Threat Modeling Context
Beyond CVSS, attack vector is used broadly in threat modeling and risk assessment to describe the path or means by which an attacker gains access to a target, informing prioritization and mitigation strategies.

Common questions

Answers to the questions practitioners most commonly ask about Attack Vector.

Is an attack vector the same thing as an attack surface?
No. An attack vector is the specific path or method an attacker uses to reach and exploit a vulnerability, while an attack surface refers to the total set of points where an attacker could attempt to interact with a system. The attack surface represents the aggregate exposure; an attack vector is one particular route through that exposure. Reducing the attack surface typically reduces the number of available attack vectors, but the concepts are distinct.
Does identifying an attack vector mean a vulnerability has actually been exploited?
No. An attack vector describes a potential path or method that could be used to exploit a vulnerability. Identifying an attack vector indicates a possible route for compromise, not that exploitation has occurred. Threat modeling and vulnerability assessments routinely catalog attack vectors as part of proactive risk analysis, independent of any actual attack taking place.
How should teams prioritize remediation when multiple attack vectors exist for a single vulnerability?
Teams should consider the accessibility and exposure of each vector. For example, a vulnerability reachable via a network-based attack vector with no authentication requirement typically warrants more urgent remediation than one requiring physical access. The CVSS Attack Vector metric, which categorizes vectors as Network, Adjacent, Local, or Physical, can help inform this prioritization alongside factors such as asset criticality and existing compensating controls.
How can organizations systematically identify attack vectors during threat modeling?
Organizations typically map data flows, entry points, and trust boundaries within their systems, then enumerate the methods by which an attacker could traverse those boundaries to reach sensitive components. Frameworks such as STRIDE or attack trees can structure this analysis. It is important to revisit the exercise as the system evolves, since new integrations, APIs, or deployment changes may introduce previously unrecognized attack vectors.
Can static analysis tools identify all relevant attack vectors in an application?
Static analysis tools can identify many code-level attack vectors, such as injection points, insecure deserialization patterns, or hardcoded credentials. However, they typically cannot detect attack vectors that depend on runtime context, deployment configuration, or network topology. For example, vectors arising from misconfigured cloud permissions or inter-service communication patterns usually require dynamic analysis, infrastructure scanning, or manual review to uncover. A layered approach combining multiple testing methodologies provides more comprehensive coverage.
How does mitigating one attack vector affect overall application security posture?
Mitigating a single attack vector reduces risk along that specific path but does not necessarily eliminate the underlying vulnerability if other vectors can still reach it. For instance, applying network segmentation may block a network-based vector, but if the same vulnerability is also reachable through a local attack vector, the risk persists. Effective remediation strategies should account for all identified vectors to a given vulnerability and, where possible, address the root cause rather than only constraining individual paths.

Common misconceptions

Attack Vector is a numeric score that can be ranked as high or low.
In CVSS, Attack Vector is a categorical metric with defined values (Network, Adjacent, Local, Physical), not a numeric score. Each category influences the computed Base Score differently, but the metric itself is not expressed as a number.
A Network attack vector means the vulnerability is always exploitable from the public internet.
Network as an attack vector means the vulnerability is exploitable through the network stack, but this may include internal networks or restricted environments. It does not inherently imply exposure to the public internet; actual exploitability depends on deployment context, firewall rules, and network segmentation.
Attack vector and attack surface are interchangeable terms.
Attack vector refers to the specific path or method an attacker uses to reach and exploit a vulnerability, while attack surface describes the sum of all points where an attacker could attempt to interact with a system. A single attack surface may expose multiple distinct attack vectors.

Best practices

When triaging vulnerabilities, always consider the CVSS Attack Vector category alongside your deployment context, since a Network-vector vulnerability on an air-gapped system may carry less practical risk than its Base Score suggests.
Use Attack Vector classifications to prioritize patching: vulnerabilities exploitable via the Network vector typically warrant faster remediation timelines than those requiring Physical access, assuming equivalent severity.
Incorporate attack vector analysis into threat models by mapping each vector category to the relevant controls in your environment, such as network segmentation for Network vectors or endpoint hardening for Local vectors.
Avoid conflating a Network attack vector with guaranteed internet reachability; validate whether the vulnerable component is actually exposed beyond internal networks before escalating severity assessments.
When communicating risk to stakeholders, clearly distinguish the categorical nature of the Attack Vector metric from the overall numeric CVSS score to prevent misinterpretation of vulnerability severity.
Regularly review and update your asset inventory to ensure that changes in deployment topology, such as newly exposed services, are reflected in your understanding of which attack vectors are practically relevant.