Jared Atkinson, CTO at SpecterOps
For years, defenders have focused on stopping an initial breach. Firewalls, endpoint tools, and phishing controls all aimed to keep attackers out. But that model no longer reflects how most modern intrusions occur. In fact, gaining initial access isn’t a challenge for most attackers – phishing a user or pulling stolen credentials from a data breach dump is commonplace today. It’s so commonplace that the 2024 Verizon Data Breach Investigations Report found that around 80% of breaches involve compromised identity credentials. These tactics are working. Despite defenders’ best efforts, a recent survey from Omdia found that 100% of organizations have experienced a security incident in the last 12 months.
The real question: how far can these attackers move within or across an organization’s infrastructure once they have access?
To reach a desired asset, adversaries exploit these compromised identities and the chains of privileges that already exist inside the environment. These chains connect users, service accounts, applications and infrastructure. Together, these elements form attack paths. To address this threat, a security discipline called Attack Path Management (APM) has emerged to help expose and reduce this risk.
The growth of invisible identity risk
Enterprise identity environments no longer sit still. New employees join. Contractors come and go. Cloud services spin up automatically. SaaS platforms integrate with each other. Non-human identities, such as service accounts, API tokens, automation credentials, AI agents, etc., multiply quietly in the background.
Each identity introduces permissions and each permission creates relationships. Over time, these relationships form long, complex privilege chains.
Most security teams don’t see these chains, and traditional identity tools focus on individual accounts or single systems. They rarely show how access in one platform can be combined with access in another to reach sensitive or tier zero assets.
The result is scale without visibility. To put this into perspective, research from SpecterOps’ State of Attack Path Management Report 2025 shows that organizations with 10,000 identities face 22 million potential attack paths. This growth is not linear. It is exponential.
As identity counts rise, so does the probability that at least one path leads to a critical asset.
Why attackers favour identity-based paths
Attack paths matter because they reflect how real attackers operate. Once inside, adversaries rarely exploit a single misconfiguration and stop. They chain together small, ordinary permissions that won’t raise alarms for defenders. A user can reset a password. A service account can read a token. A workload identity can access a management API. None of these looks dangerous in isolation. Together, they can lead to domain admin, cloud tenant admin, sensitive data stores and more.
Modern attacks also target identities in motion. Rather than breaking authentication outright, attackers steal session cookies, cached credentials and access tokens. These artifacts allow them to impersonate users without triggering login defences such as MFA. This approach bypasses controls that many organisations believe are sufficient.
The most damaging attack paths often cross multiple identity systems. On-prem directories, cloud identity providers, SaaS platforms, and CI/CD pipelines intersect in ways that are poorly mapped. The seams between them are where abuse thrives.
For example, the 2024 Salesloft data breach spanned GitHub, AWS, and Salesforce. Attackers initially gained access to Salesloft’s GitHub, stole credentials from a repository that allowed them to assume a privileged role in Salesloft’s AWS, and then used that role to harvest OAuth tokens to access customer Salesforce instances.
Limits of existing identity controls
Identity and access management teams are not ignoring these risks. Tools such as Privileged Access Management and Identity Threat Detection and Response provide meaningful protection. They reduce standing privileges, surface suspicious behaviour, and add friction to high-risk actions. But they’re not built to solve the problems of attack paths.
The main problem is scope. Most of these solutions operate within a single control plane. They manage accounts, alerts or policies in isolation. They don’t continuously model how privileges connect across the environment. As a result, teams remediate symptoms rather than structures. They rotate a credential, disable a role and respond to alerts after the activity has occurred.
What remains unaddressed are the paths that made that activity possible.
What Attack Path Management does differently
Attack Path Management shifts the focus from individual misconfigurations to the whole picture. At its core, APM builds identity graphs that represent how permissions, relationships and access rights connect across Microsoft Active Directory, Entra ID, and other systems such as GitHub or AWS. These graphs show how attackers can use those relationships to move laterally and escalate privileges. APM then tracks how many of those attack paths lead to critical Tier Zero assets and finds “choke points” where small changes can remove a lot of risk.
This turns abstract identity sprawl into concrete, prioritized risk.
For example, here are three high-risk misconfigurations that APM can identify:
● Domain Controller objects owned by security principals other than domain admins
● Highly privileged users vulnerable to the “Kerberoast” attack
● Large AD groups like Domain Users with control over other objects
APM is not a one-time assessment. Identity environments change daily, and new paths appear as roles are modified and services are added. Effective APM operates continuously, feeding detection, response, remediation and governance workflows. Organisations that adopt this approach see rapid risk reduction – in some cases an 85% reduction in attack paths in the first month.
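To make the graph, path and choke point ideas above concrete, here is an added example (not SpecterOps code or a BloodHound query) over a small constructed identity graph. It enumerates every simple path from a user principal to the first Tier Zero node reached, then ranks intermediate nodes by how many of those paths they sit on, so the fraction of paths a single remediation would sever is visible. All principals, relationships and the Tier Zero set are made up for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed toy identity graph (not real data): (source, relationship, target),
# using relationship names in the style of an AD/Entra graph.
EDGES: List[Tuple[str, str, str]] = [
    ("alice", "MemberOf", "HelpDesk"),
    ("bob", "MemberOf", "HelpDesk"),
    ("HelpDesk", "ResetPassword", "svc_backup"),   # help desk can reset a service account
    ("carol", "GenericAll", "svc_backup"),         # carol has full control of that account
    ("svc_backup", "MemberOf", "ServerAdmins"),
    ("svc_backup", "WriteDacl", "Domain Admins"),  # can edit the DACL of a Tier Zero group
    ("ServerAdmins", "AdminTo", "DC01"),           # local admin on a domain controller
    ("frank", "GenericAll", "ServerAdmins"),
    ("dave", "MemberOf", "Domain Users"),
    ("Domain Users", "Owns", "FileShare01"),       # dead end: no route to Tier Zero
    ("eve", "AdminTo", "WEB01"),                   # dead end
]
USERS: Set[str] = {"alice", "bob", "carol", "dave", "eve", "frank"}
TIER_ZERO: Set[str] = {"DC01", "Domain Admins"}

def adjacency(edges: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    adj: Dict[str, List[str]] = defaultdict(list)
    for src, _rel, dst in edges:
        adj[src].append(dst)
    return adj

def attack_paths(edges, starts: Set[str], tier_zero: Set[str]) -> List[List[str]]:
    """Every simple path from a start principal to the first Tier Zero node it reaches."""
    adj = adjacency(edges)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in tier_zero:            # stop at Tier Zero; further hops add no new risk
            paths.append(path)
            return
        for nxt in adj.get(node, []):
            if nxt not in path:          # simple paths only, so group cycles cannot loop
                walk(nxt, path + [nxt])

    for start in sorted(starts):
        walk(start, [start])
    return paths

def choke_points(paths: List[List[str]]) -> List[Tuple[str, int, float]]:
    """Intermediate nodes ranked by path count, with the fraction of paths severed if fixed."""
    counts: Dict[str, int] = defaultdict(int)
    for p in paths:
        for node in p[1:-1]:             # exclude the start principal and the Tier Zero target
            counts[node] += 1
    total = len(paths)
    return sorted(((n, c, c / total) for n, c in counts.items()), key=lambda x: (-x[1], x[0]))
```

In this toy graph the top choke point is the service account svc_backup, which lies on six of the seven paths, so tightening who can reset or control that one account removes most of the modelled risk without touching the users that start the paths.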
The pressure ahead
The urgency around APM is increasing. AI, automation and machine identities are accelerating identity growth, with some forecasts predicting that the current ratio of five identities per employee will reach 1:20 or even 1:40. Many of these identities will never log in interactively, yet they will hold meaningful access.
As this growth compounds and dramatically increases risk, the organizations lacking a structural view of their attack paths will simply fall further behind. Attackers already understand this terrain and map these environments patiently. They test these paths quietly and look for combinations that defenders have overlooked.
APM provides a way to compete on that same ground.
A new baseline for identity security
Attack Path Management does not replace IAM, PAM, or detection tools. It reframes how they are used. By revealing which paths matter most, APM helps teams focus limited resources where they reduce the most risk. It supports prevention by guiding remediation before exploitation. It supports response by explaining how attackers could have moved.
For security and identity professionals, this represents a shift in mindset. Identity risk is no longer just about who has access – it’s about how access connects. As the number of identities continues to expand, visibility into those connections will define whether defenders can truly protect critical assets.
Jared Atkinson is the CTO at SpecterOps. He is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared led incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks.