Table of Contents
Identity-based attack paths are behind most breaches today, yet many organizations can’t actually see how those paths form. The 2025 State of Attack Path Management report from SpecterOps makes the case that traditional tools like identity governance, PAM, and MFA aren’t enough. They help manage access, but they miss the bigger problem: how identity and privilege sprawl across the environment in ways that attackers can string together.
Attack Path Management (APM) is a continuous security practice, not a one-time project. It helps organizations map, understand, and dismantle the chains of access and control that attackers exploit.
The real problem is privilege chaining
Researchers contrast two models: access graphs and attack graphs. Access graphs show who has access to what, often for audits or compliance. But attackers don’t care about who’s authorized, they care about what’s reachable. Attack graphs show how identities, sessions, and permissions can be chained together to reach critical assets, even when each link looks harmless on its own.
This shift in perspective helps explain why identity compromise is so hard to detect or prevent. Most tools can tell you whether a credential is being used. Few can show whether that credential is just one hop away from Domain Admin.
More identities, more attack paths
The report points to explosive growth in identities, especially non-human identities (NHIs) like service accounts, automation agents, and now AI systems. A 1:20 ratio of identities to employees is now common, with some environments heading toward 1:40. Since attack paths grow exponentially as identities multiply, this creates an unmanageable risk surface without better visibility.
Data shows that organizations with 10,000 identities typically face over 22 million potential attack paths. In some cases, a single new service account or misconfigured group can open up critical escalation paths.
Identities in transit are the blind spot
Many security controls are built around protecting credentials (identities at rest). But attackers increasingly go after identities in transit: active sessions, tokens, and cookies that live in memory or browsers. These tokens bypass authentication entirely.
Recent incidents illustrate this. In the Snowflake breach, attackers harvested static credentials from a contractor’s machine. Defensive actions focused on MFA and password rotation, but the real risk was in the sessions that may have already been active on the machine. In another case, the Russia-linked group Void Blizzard used adversary-in-the-middle phishing infrastructure to steal session tokens, bypassing MFA and appearing as normal users.
Why current tools fall short
The report critiques commonly used tools:
- IGA shows assigned access but not how permissions combine.
- PAM protects initial credential use but not what happens once a session begins.
- EDR and ITDR watch for malicious behavior but can miss valid use of legitimate access in risky combinations.
Without visibility into attack paths, these tools often leave organizations reacting to alerts instead of preventing exposure.
