Attack path mapping

Trace how an adversary could move through your systems.

Why attack paths matter

Threats rarely succeed in one step. They usually follow a chain: an entry point, some pivoting, and a final target. Mapping this out shows where to defend.

Exercise instructions

  1. Choose one adversary persona.

  2. Draw the possible entry points on a whiteboard or sticky notes.

  3. Extend paths step by step: what would they try next?

  4. Stop when you reach an asset that would hurt if lost, stolen, or disrupted.

Quick tips

  • Keep it simple: you want a sketch, not a compliance report.

  • Highlight chokepoints — the steps that appear in multiple attack paths.

  • Chokepoints are often the most efficient places to strengthen defences.
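
Once the whiteboard sketch exists, it can be written down as a small graph and the chokepoints counted rather than eyeballed. This is an added example, not part of the original exercise; every step name, entry point and asset in it is constructed for illustration.

```python
from collections import Counter

# Constructed sample sketch: each key is a step, each value lists what the
# chosen adversary persona could try next. All names are assumptions.
NEXT_STEPS = {
    "phishing email": ["staff laptop"],
    "exposed VPN portal": ["internal network"],
    "staff laptop": ["internal network", "shared file server"],
    "internal network": ["admin account", "staff laptop"],  # loops back
    "shared file server": ["admin account"],
    "admin account": ["customer database", "payroll system"],
}
ENTRY_POINTS = ["phishing email", "exposed VPN portal"]
ASSETS = {"customer database", "payroll system"}


def attack_paths(graph, entries, assets):
    """Enumerate every loop-free path from an entry point to an asset."""
    paths = []

    def walk(path):
        step = path[-1]
        if step in assets:          # exercise step 4: stop at the asset
            paths.append(path)
            return
        for nxt in graph.get(step, []):
            if nxt not in path:     # never revisit a step, so loops end
                walk(path + [nxt])

    for entry in entries:
        walk([entry])
    return paths


def chokepoints(paths, assets):
    """Rank steps that appear in more than one path, most shared first."""
    counts = Counter(s for path in paths for s in path if s not in assets)
    return [(step, n) for step, n in counts.most_common() if n > 1]


if __name__ == "__main__":
    found = attack_paths(NEXT_STEPS, ENTRY_POINTS, ASSETS)
    for path in found:
        print(" -> ".join(path))
    print("\nChokepoints (step, paths through it):")
    for step, n in chokepoints(found, ASSETS):
        print(f"  {step}: {n} of {len(found)}")
```

In this sample the admin account sits on every path, so hardening it cuts more routes than defending any single entry point.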