What Is a Cyberattack? Types and How to Defend
An attacker scans the internet for a specific model of VPN appliance running a version with a known flaw. They find a few thousand. One belongs to a mid-sized company that has not patched. The attacker exploits the bug, lands a session on the device, and is now inside the network without phishing anyone or stealing a single password. From there it is recon, credentials, and lateral movement toward whatever is worth taking.
That is a cyberattack, and the opening move is the one defenders see most often now. In the 2026 Verizon Data Breach Investigations Report, exploiting a vulnerability overtook stolen credentials as the single most common way breaches begin, the first time that has happened in the report's 19 years.
A cyberattack is a deliberate attempt to gain unauthorized access to a computer system, network, or device in order to steal, expose, alter, disable, or destroy data and other assets. This guide covers what a cyberattack actually is, why they happen and who runs them, the main types you will see in a queue, how an attack unfolds stage by stage, and how defenders detect and stop them.
What is a cyberattack?
A cyberattack is any intentional effort to compromise the confidentiality, integrity, or availability of a system or its data. "Intentional" is the operative word. A failed disk or a fat-fingered config change is an incident, but it is not an attack, because no adversary chose to cause it. Behind every cyberattack is a human, or an automated tool acting on a human's intent.
Three related terms get used interchangeably and should not be:
- A threat is the potential for harm: a capability or actor that could cause damage. It has not happened yet.
- A cyberattack is a threat in motion: someone actively trying to compromise a system.
- A breach is a successful attack that resulted in unauthorized access to data. Every breach involves an attack; not every attack becomes a breach, because defenses sometimes hold.
That distinction matters operationally. Most of what a SOC handles every day is attacks that were blocked or contained before they became breaches. The job is to keep the second number far below the first.
Why cyberattacks happen
Every attack has a motive, and the motive shapes the behavior. Knowing why someone is in your network helps you predict what they will do next.
- Financial gain. The largest category by far. Ransomware crews, data thieves, payment-card skimmers, and business-email-compromise scammers are running a business. They want money, fast, and they pick targets by return on effort.
- Espionage. Nation-state intelligence services and their contractors steal secrets: intellectual property, classified data, negotiating positions, source code. They prize stealth and long-term access over speed, which is the hallmark of an advanced persistent threat (APT).
- Disruption and sabotage. Some attacks exist to break things: wipe data, knock services offline, or pre-position in critical infrastructure for a future conflict. This is the cyberwarfare end of the spectrum.
- Ideology (hacktivism). Attackers with a political or social cause deface sites, leak documents, or run denial-of-service campaigns to make a point.
- Personal motives. Revenge from a disgruntled employee, the thrill of proving it can be done, or the reputation of pulling off a notable hit.
Who acts on these motives splits into a few groups: organized cybercriminal gangs, nation-state actors, hacktivists, and insiders. Insiders are the awkward case, because the access is already legitimate. A malicious insider abuses the keys they were given; a negligent one clicks the link or misconfigures the bucket. Either way there is no perimeter to cross, which is what makes insider activity hard to catch.
What cyberattacks cost
The case for taking this seriously is in the numbers. IBM's *Cost of a Data Breach 2025* report put the global average breach at USD 4.44 million, with the US average reaching a record USD 10.22 million. Ransomware now appears in 48% of breaches studied in the 2026 Verizon DBIR, up from 44% the year before, though 69% of victims refused to pay.
The cost is not only the ransom or the cleanup. It is downtime, lost customers, regulatory fines, and the months of staff time that incident response consumes. An attack that a defender catches at the VPN appliance costs a forensic afternoon. The same attack caught after the data is gone costs a year.
The main types of cyberattacks
Attacks come in families, and a handful of them account for most of what you will investigate. Here is the working set, with the first thing a defender does about each.
| Attack type | What it does | First defensive move |
|---|---|---|
| Malware | Malicious code that steals, damages, or controls a system | EDR, application allowlisting |
| Ransomware | Encrypts or steals data, demands payment | Offline backups, segmentation, MFA |
| Phishing / social engineering | Tricks a person into giving access or credentials | MFA, user training, email filtering |
| Credential attacks | Steals or guesses logins for account takeover | MFA, credential monitoring, lockouts |
| Vulnerability / zero-day exploit | Abuses a software flaw to gain access | Fast patching, attack-surface management |
| Denial-of-service (DoS/DDoS) | Floods a service to make it unavailable | Traffic scrubbing, rate limiting |
| Man-in-the-middle | Intercepts traffic between two parties | TLS everywhere, certificate pinning |
| Injection (SQL, command) | Feeds malicious input to a vulnerable app | Input validation, parameterized queries |
| Supply chain attack | Compromises a trusted vendor to reach you | Vendor vetting, software bills of materials |
| Insider threat | Misuse by an authorized user | Least privilege, UEBA, monitoring |
A few earn extra attention because of how often they show up.
Malware and ransomware
Malware is the umbrella term for any software written to do harm: viruses, worms, trojans, spyware, rootkits, and the loaders that deliver them. It is the payload behind a huge share of attacks because almost every objective, from theft to destruction, needs code running on the target.
Ransomware is the most disruptive branch. It encrypts a victim's data and demands payment for the key, and modern operators add double extortion: they steal the data first, so they can leak it even if you restore from backup. That single move attacks availability and confidentiality at once, which is why offline, tested backups are necessary but no longer sufficient on their own.
Phishing and social engineering
Social engineering attacks the human instead of the machine. Phishing, the most common form, uses a deceptive email, text, or voice call to trick someone into clicking a malicious link, opening a weaponized attachment, or handing over a password. Spear phishing targets a named individual with a researched lure; business email compromise impersonates an executive or supplier to authorize a fraudulent payment.
Attackers now generate convincing lures with generative AI in seconds, which is why training that teaches people to pause and verify beats training that teaches them to spot typos. The typos are gone.
Credential attacks and vulnerability exploitation
These two are the front doors, and the industry's biggest reports now disagree on which is in front, which tells you both are dominant. The 2026 Verizon DBIR found vulnerability exploitation behind 31% of breaches at the point of entry, edging past stolen credentials for the first time. IBM's X-Force 2026 index puts exploitation of public-facing applications first at 40% of incidents, with stolen or misused credentials second at 32%.
Credential attacks take several shapes. A brute force attack guesses passwords until one works. Credential stuffing replays username and password pairs leaked from one breach against other services, betting on reuse. Infostealer malware harvests saved logins by the thousand and sells them, which is why the DBIR found a large share of ransomware victims had an infostealer infection in the year before the attack. Vulnerability exploitation, meanwhile, abuses a software flaw directly. A zero-day is the dangerous subset: a flaw the vendor has not yet patched, so there is no fix to apply when the exploitation starts.
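The two credential-attack shapes described above leave different fingerprints in an authentication log, and telling them apart matters because the response differs (lock one account versus reset many). The following is an added example, not code from the original article: it parses a constructed, OpenSSH-style log and classifies each source address by the ratio of distinct usernames to failed attempts. Many failures against one or two accounts reads as brute force; roughly one failure per account across many accounts reads as credential stuffing. A success from a source that was already failing is flagged as a possible takeover. The log lines, addresses, thresholds and the `analyze_auth_log` function are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches OpenSSH-style password authentication events. Only the three
# named groups are used by the analysis below.
LOG_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (not from any real system). Three sources:
#   198.51.100.7  hammers one account, then gets in          (brute force)
#   203.0.113.9   one password per account, one of them works (credential stuffing)
#   192.0.2.10    a user mistypes once, then logs in           (benign)
SAMPLE_LOG = """\
Mar  1 09:00:01 vpn01 sshd[4101]: Failed password for admin from 198.51.100.7 port 50001 ssh2
Mar  1 09:00:02 vpn01 sshd[4102]: Failed password for admin from 198.51.100.7 port 50002 ssh2
Mar  1 09:00:03 vpn01 sshd[4103]: Failed password for admin from 198.51.100.7 port 50003 ssh2
Mar  1 09:00:04 vpn01 sshd[4104]: Failed password for admin from 198.51.100.7 port 50004 ssh2
Mar  1 09:00:05 vpn01 sshd[4105]: Failed password for admin from 198.51.100.7 port 50005 ssh2
Mar  1 09:00:06 vpn01 sshd[4106]: Failed password for admin from 198.51.100.7 port 50006 ssh2
Mar  1 09:00:07 vpn01 sshd[4107]: Accepted password for admin from 198.51.100.7 port 50007 ssh2
Mar  1 09:10:01 vpn01 sshd[4201]: Failed password for alice from 203.0.113.9 port 60001 ssh2
Mar  1 09:10:02 vpn01 sshd[4202]: Failed password for bob from 203.0.113.9 port 60002 ssh2
Mar  1 09:10:03 vpn01 sshd[4203]: Failed password for invalid user dave from 203.0.113.9 port 60003 ssh2
Mar  1 09:10:04 vpn01 sshd[4204]: Failed password for erin from 203.0.113.9 port 60004 ssh2
Mar  1 09:10:05 vpn01 sshd[4205]: Failed password for frank from 203.0.113.9 port 60005 ssh2
Mar  1 09:10:06 vpn01 sshd[4206]: Failed password for grace from 203.0.113.9 port 60006 ssh2
Mar  1 09:10:07 vpn01 sshd[4207]: Accepted password for carol from 203.0.113.9 port 60007 ssh2
Mar  1 09:20:01 vpn01 sshd[4301]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  1 09:20:09 vpn01 sshd[4302]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
"""


def parse_events(text):
    """Yield (result, username, source_ip) for every line the regex recognises."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze_auth_log(text, fail_threshold=5, stuffing_ratio=0.8):
    """Classify each source IP that exceeds the failure threshold.

    Returns {ip: {"kind", "failures", "distinct_users", "takeovers"}}.
    Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"failures": 0, "failed_users": set(), "takeovers": set()})
    for result, user, ip in parse_events(text):
        s = stats[ip]
        if result == "Failed":
            s["failures"] += 1
            s["failed_users"].add(user)
        elif s["failures"] > 0:
            # A success from a source that was already failing is the event
            # worth paging on: the guessing or the replay may have worked.
            s["takeovers"].add(user)

    findings = {}
    for ip, s in stats.items():
        if s["failures"] < fail_threshold:
            continue  # below the noise floor; a benign typo never gets here
        ratio = len(s["failed_users"]) / s["failures"]
        kind = "credential_stuffing" if ratio >= stuffing_ratio else "brute_force"
        findings[ip] = {
            "kind": kind,
            "failures": s["failures"],
            "distinct_users": len(s["failed_users"]),
            "takeovers": sorted(s["takeovers"]),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze_auth_log(SAMPLE_LOG).items():
        print(ip, f)
```

On the sample, the first source is reported as brute force with `admin` as a possible takeover, the second as credential stuffing with `carol` flagged, and the benign source is not reported at all. In production the same logic would run over a sliding time window rather than a whole file, and the thresholds would be set against the baseline of the service being watched.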
Denial-of-service and the rest
A denial-of-service attack does not steal anything. It overwhelms a website or service with traffic until legitimate users cannot get through. A distributed version (DDoS) uses a botnet of compromised devices to multiply the flood. Man-in-the-middle attacks sit between two parties to eavesdrop or alter traffic. Injection attacks, like SQL injection, feed malicious input into an application that fails to validate it, turning a login form into a database query. Supply chain attacks compromise a trusted vendor or software update to reach everyone downstream, the pattern that made SolarWinds infamous. Third-party involvement now features in nearly half of breaches in the 2026 DBIR, so the vendor's security is your security.
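The "login form becomes a database query" failure and its fix from the table above (parameterized queries) are easiest to see side by side. The following is an added example, not code from the original article: it builds a constructed in-memory SQLite table with one account, then checks the same credentials with a query that concatenates user input into the SQL text and with one that passes the input as bound parameters. The table, the account, and the two `login_*` functions are assumptions made for the example; the password is stored in plaintext only to keep the demonstration short.

```python
import sqlite3

# Constructed in-memory database for the example: one users table, one account.
# Real applications store password hashes, never the password itself.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed form: input is spliced into the SQL text.

    A quote character in the input terminates the string literal, so the
    rest of the input is parsed as SQL and can change what the query tests.
    """
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The hardened form: the SQL text is fixed and the input is bound as data.

    The driver never re-parses the values, so quotes in the input are just
    characters to compare against the stored column.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    """Return (vulnerable_result, parameterized_result) for one credential pair."""
    return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # Correct credentials: both forms agree.
    print("correct password:", compare(db, "alice", "correct horse battery staple"))
    # The textbook injection string in the password field: the concatenated
    # query's WHERE clause becomes always-true, the bound query just fails.
    print("quote in input:  ", compare(db, "alice", "' OR '1'='1"))
```

The second line of output is the whole lesson: the vulnerable function returns `True` for a password that does not exist, while the parameterized one returns `False`. Input validation helps, but the structural fix is that user input never becomes part of the query text.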
Active versus passive attacks
One useful way to sort attacks is by whether they change anything.
| | Active attack | Passive attack |
|---|---|---|
| What it does | Alters data or disrupts operations | Observes without altering |
| Examples | Ransomware encryption, defacement, DoS flood, SQL injection | Eavesdropping on traffic, quietly copying data, network mapping |
| Detectability | Noisier; something visibly breaks | Quiet; can run for months |
The lesson for a defender is that the absence of damage is not the absence of an attacker. A network that looks healthy can still be hosting a passive intruder reading everything that crosses it.
How a cyberattack unfolds
Attacks are sequences, not single events, and that is the defender's biggest advantage. An attacker has to succeed at every stage; you only have to catch them at one. The Lockheed Martin Cyber Kill Chain describes the classic seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective.

In practice most intrusions move through recognizable phases:
- Reconnaissance. The attacker researches the target: exposed services, employee names, technologies in use.
- Initial access. They get in, by exploiting a vulnerability, phishing a user, or logging in with stolen credentials.
- Execution and persistence. Code runs, and the attacker installs a backdoor so a reboot does not evict them.
- Privilege escalation and lateral movement. They harvest credentials, gain admin rights, and move toward the systems that hold the objective.
- Actions on the objective. Data theft, encryption, or sabotage.
MITRE ATT&CK is the public knowledge base that maps these phases to the specific techniques attackers use, with real examples for each. Blue teams use it to write detections, measure coverage, and describe an incident precisely. Catching an attack at reconnaissance or initial access means handling an incident. Catching it after lateral movement means handling a disaster. Defense in depth works because it forces the attacker through more stages where you might see them.
How to prevent and defend against cyberattacks
You cannot prevent every attack, and a program built on the assumption that you can is the one that gets breached. A realistic defense reduces the attack surface, detects the intruder who gets through, and responds fast enough to limit the damage.
- Patch and manage the attack surface. Vulnerability exploitation is now a leading entry point, so patch internet-facing systems quickly and inventory what you expose. You cannot defend what you do not know is online.
- Enforce strong identity. Multi-factor authentication, least privilege, and monitoring for abnormal logins blunt the credential attacks that drive the other half of intrusions. Phishing-resistant MFA is the goal.
- Layer detection. A SIEM aggregating logs, EDR on endpoints, and a firewall plus network segmentation give you the visibility to spot an attack in progress and the barriers to slow it down.
- Hunt for what alerts miss. Threat hunting looks proactively for the behavior of an intruder who is evading signature-based tools, using known indicators of compromise and attacker techniques to guide the search.
- Train people. Since social engineering targets the human, regular awareness training that teaches verification turns the most-targeted layer into a reporting layer.
- Back up and plan to respond. Tested, offline backups defeat ransomware's leverage, and a written incident response plan decides whether an attack becomes a contained event or an uncontrolled one. When activity surfaces, how fast you contain it sets the cost.
The thread through all of it: prevention reduces the odds, but detection and response decide the outcome.
How to actually learn this
Reading the list of attack types does not build the ability to recognize one in a flood of logs. That skill comes from doing the work: pulling apart real malware, reconstructing an intrusion from the evidence, and tracing an attacker stage by stage until the pattern becomes familiar. That is the gap between knowing what a cyberattack is and being able to catch one, and it closes only with hands-on repetition against realistic scenarios.
Frequently asked questions
In the 2026 Verizon Data Breach Investigations Report, exploiting a software vulnerability became the most common initial access vector for the first time, narrowly ahead of stolen credentials. IBM's X-Force 2026 index similarly ranks exploitation of public-facing applications first. Both findings point to the same shift: unpatched internet-facing systems and stolen logins are the two dominant doors in.
Not entirely. You can sharply reduce the risk by patching quickly, enforcing multi-factor authentication and least privilege, training people, and segmenting networks. Because some attacks will get through, a mature program also invests in detection and a tested incident response plan to catch and contain intruders fast.
Most are run by organized cybercriminal groups after money, nation-state actors after secrets or strategic access, hacktivists pushing a cause, and insiders who misuse legitimate access. Financially motivated crime is the largest category by volume.
A cyberattack is a deliberate attempt by a person or group to break into a computer system, network, or device to steal, expose, change, disable, or destroy data. Unlike an accidental outage, an attack is intentional and driven by a motive such as money, espionage, or disruption.
The most common types are malware (including ransomware), phishing and other social engineering, credential attacks like brute force and credential stuffing, vulnerability and zero-day exploitation, denial-of-service (DoS/DDoS), man-in-the-middle, injection attacks such as SQL injection, supply chain attacks, and insider threats.
A cyberattack is an active attempt to compromise a system. A data breach is a cyberattack that succeeded in gaining unauthorized access to data. Every breach starts with an attack, but many attacks are blocked or contained before they reach data, so they never become breaches.