What is an attack vector?

Attack vectors, defined

An attack vector is a pathway or method through which attackers gain unauthorized access to a target system in order to carry out a cyberattack. Common attack vectors include phishing and other social engineering attacks, compromised credentials, insider threats and supply chain compromises.


Together, an organization’s attack vectors (also known as threat vectors) and its cybersecurity vulnerabilities make up its attack surface. Attack surfaces have expanded as businesses pursue digital transformation: artificial intelligence (AI) adoption, cloud and data center migration, Internet of Things (IoT) deployments and remote work. With so many assets spread across increasingly complex and decentralized technology landscapes, cybercriminals have more entry points through which to infiltrate networks and systems.

Meanwhile, the scope and sophistication of attack vectors have also evolved. Threat actors take advantage of newer technologies like AI to manipulate users and elude conventional security measures.

Fortunately, enterprise security teams can leverage cybersecurity disciplines such as attack surface management (ASM) to thwart these attackers. ASM helps organizations identify potential attack methods and defend against attack vectors—key steps in mitigating cybersecurity risk.


Why is understanding attack vectors important?

In epidemiology, vectors are agents that transmit infectious diseases. They can range from living things (mosquitoes, bats) to inanimate objects (syringes, paper money).1 Understanding these vectors informs disease prevention and transmission-control efforts in public health.

Similarly, understanding the versatility of cyberattack vectors helps organizations (and the cybersecurity professionals working with them) to devise and deploy strategies and tools for cyber threat detection and remediation.

Without such detection and remediation, grave consequences may follow. Attack vectors often enable data breaches, in which threat actors gain access to sensitive or confidential information.

According to the IBM Cost of a Data Breach 2025 report, the average cost of a data breach is USD 4.44 million. Costs stem from breach investigations and audits; reporting breaches to customers, regulators and stakeholders; settlements and legal fees; and lost customers. Incidents tend to be especially costly in highly regulated fields where data breaches can result in regulatory fines. For instance, according to the IBM report, the average cost of a healthcare data breach in 2025 is USD 7.42 million.

Attack vectors can also be deployed by hackers to disable or destroy assets, causing significant business and economic disruptions. In September 2025, for example, a cyberattack on airport check-in systems caused flight cancellations and delays at airports in major European cities. Earlier in the same month, a cyberattack forced a weeks-long shutdown at a large British automaker.

How are attack vectors evolving?

As with mutating pathogens, the cyber threat landscape is evolving. For instance, two decades ago, the attack vector responsible for roughly half of data breaches was a lost or stolen device, such as a laptop or a thumb drive. Today, device theft accounts for less than 10% of all data breaches, with an array of other vectors—from phishing to compromised supply chains—implicated in the rest, according to the IBM Cost of a Data Breach Report 2025.

Cybercriminals are using new technology to streamline their approach to vectors. For example, they’re increasingly deploying AI to craft convincing phishing emails and web pages, among other deceptive activities. According to the IBM Cost of a Data Breach Report 2025, on average 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).

Hackers are also browsing the dark web to purchase crime as a service (CaaS) software to power cybercrime activities ranging from using spyware to password cracking. Equipped with advanced tools, “shape-shifting cyber adversaries gain more access, move across networks more easily, and create new outposts in relative obscurity,” according to the 2025 IBM® X-Force® Threat Intelligence Index.

Tracking threat actors’ evolving attack vectors can help enterprises counteract them. “The more you know about what hackers are doing, the better job you can do in building defenses,” Jeff Crume, an IBM Security Distinguished Engineer, explained in a recent IBM Technology video. “Information is power.”


Common types of attack vectors

While different organizations classify attack vectors in different ways, common categories include:

  • Social engineering
  • Third-party vendor and supply chain compromise
  • Denial-of-service
  • Compromised credentials
  • Insider threats
  • Vulnerability exploitation
  • Malware
  • Physical attacks

Social engineering

Social engineering attacks manipulate people into believing they’re communicating with a trusted party and convince them to compromise the security of their personal data (bank passwords, credit card numbers), or organizational assets (proprietary information, trade secrets).  

One of the most common social engineering attacks is phishing, which uses fraudulent emails, text messages, phone calls or websites. In the IBM Cost of a Data Breach Report 2025, phishing ranked as the most common vector for data breaches, accounting for 16% of breaches at an average cost of USD 4.8 million per breach. Phishing attacks often involve spoofing, in which an attacker forges the sender address or other identifying details of a message to impersonate a trusted source.
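Mail receivers catch much sender spoofing by checking whether the domain in the visible From header is backed by a passing DKIM signature or SPF result for the same domain (the alignment test at the heart of DMARC). The following is an added example, not code from the original article, that applies a simplified version of that check to already-received messages using the Authentication-Results header a mail gateway stamps on them. The message texts are constructed, and the alignment rule is approximated as "same domain or a subdomain" rather than the Public Suffix List comparison real DMARC uses.

```python
"""Simplified DMARC-style alignment check on received messages (added example)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr


def _domain_of(addr: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(candidate: str, from_domain: str) -> bool:
    # Approximation of DMARC "relaxed" alignment: exact match or a subdomain.
    # Real DMARC compares organizational domains via the Public Suffix List.
    return bool(from_domain) and (
        candidate == from_domain or candidate.endswith("." + from_domain)
    )


def spoof_verdict(raw_message: str) -> dict:
    """Return which authentication results align with the visible From domain."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = _domain_of(str(msg.get("From", "")))
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    dkim = re.search(r"dkim=pass\b[^;]*header\.d=([\w.-]+)", auth)
    spf = re.search(r"spf=pass\b[^;]*smtp\.mailfrom=(?:[\w.-]+@)?([\w.-]+)", auth)
    dkim_ok = bool(dkim) and _aligned(dkim.group(1).lower(), from_domain)
    spf_ok = bool(spf) and _aligned(spf.group(1).lower(), from_domain)
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        # Suspect when neither passing result is for the domain the user sees.
        "suspect": not (dkim_ok or spf_ok),
    }


# Constructed sample messages; example.com and evil-example.net are placeholders.
LEGIT = (
    "Authentication-Results: mx.example.com; dkim=pass header.d=example.com;"
    " spf=pass smtp.mailfrom=notify@example.com\n"
    "From: IT Support <it-support@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Password expiry notice\n\n"
    "Your password expires today.\n"
)

SPOOFED = (
    "Authentication-Results: mx.example.com; dkim=pass header.d=mailer.evil-example.net;"
    " spf=pass smtp.mailfrom=bounce@evil-example.net\n"
    "From: IT Support <it-support@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Password expiry notice\n\n"
    "Your password expires today. Log in here to keep your access.\n"
)

UNAUTHENTICATED = (
    "Authentication-Results: mx.example.com; dkim=fail header.d=example.com;"
    " spf=softfail smtp.mailfrom=example.com\n"
    "From: IT Support <it-support@example.com>\n"
    "Subject: Urgent\n\nPlease call me.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unauth", UNAUTHENTICATED)):
        print(label, spoof_verdict(raw))
```

This check only covers exact-domain spoofing. A phisher who instead registers a lookalike domain, or puts a trusted address in the display name of an account they control, passes alignment and has to be caught by lookalike-domain and display-name heuristics instead.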

Third-party vendor and supply chain compromise

Hackers will try to infiltrate third-party vendors to gain access to their partners, making supply chains a popular target for cyberattacks. Modern supply chain ecosystems are increasingly vulnerable through their digital systems and communication technologies, which create a vast attack surface.

Supply chain cyberattacks can halt production, disrupt transportation and logistics, damage critical infrastructure, steal intellectual property and more. According to the IBM Cost of a Data Breach Report 2025, supply chain compromise is the second-most prevalent vector for data breaches as well as the second costliest on average, at USD 4.91 million per breach.

Attacks against software supply chains, in particular, have garnered increasing concern as more companies rely on open source software for their computer systems. According to one study, software supply chain threats from open source package repositories increased 1,300% over three years.2
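One concrete control against a compromised or swapped-out package in a public repository is to pin every dependency to an exact version and to the cryptographic hash of the artifact, so that a tampered or republished package fails to install. The block below is an added example (not from the article or from any project it mentions) that audits a Python requirements file for dependencies that are unpinned, unhashed or pulled straight from a URL. The requirements text is constructed and the sha256 value in it is a placeholder, not a real digest.

```python
"""Audit a requirements.txt for supply-chain hygiene (added example)."""
import re

# A name, optional [extras], then an exact "==" pin.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
# pip's hash-checking syntax for a sha256 digest.
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
# Direct URL or VCS references bypass the index entirely.
URL_RE = re.compile(r"^(git\+|hg\+|svn\+|bzr\+|[a-z][a-z0-9+.-]*://)")


def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def audit_requirements(text):
    """Return one finding per requirement that is not exact-pinned and hashed."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):
            continue  # pip options such as --index-url or -r, not requirements
        spec = line.split()[0]
        issues = []
        if URL_RE.match(spec):
            issues.append("direct URL / VCS reference")
        if not PIN_RE.match(spec):
            issues.append("not pinned with ==")
        if not HASH_RE.search(line):
            issues.append("no sha256 --hash")
        if issues:
            findings.append({"requirement": spec, "issues": issues})
    return findings


# Constructed example file; the digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3>=2.0
cryptography
git+https://github.com/example-org/internal-lib.git@main#egg=internal-lib
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{finding['requirement']}: {', '.join(finding['issues'])}")
```

Running `pip install --require-hashes -r requirements.txt` enforces the same rule at install time: pip refuses to proceed if any requirement lacks a hash or if a downloaded artifact does not match the recorded digest. Tools such as pip-tools (`pip-compile --generate-hashes`) produce the fully pinned and hashed file from a short list of top-level dependencies.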

Denial-of-service

Denial-of-service (DoS) attacks are cyberattacks that slow or stop applications or services. Most of the time, DoS incidents manifest as attackers flooding a network server with traffic, ultimately overloading the server and stopping it from processing legitimate requests. According to the IBM Cost of a Data Breach Report 2025, denial-of-service attacks accounted for more than 12% of data breaches.

A powerful type of DoS attack is a distributed denial-of-service (DDoS) attack. In a DDoS attack, attack traffic comes from many sources at once, making it harder to distinguish from legitimate traffic and to block. DDoS attacks are often carried out through botnets, groups of connected devices that hackers have hijacked for their criminal activities.

Compromised credentials

Compromised credential attacks occur when hackers gain unauthorized access to a system through legitimate users’ login credentials such as usernames and passwords. According to the IBM® X-Force® Threat Intelligence Index, 30% of cyberattacks involve the theft and abuse of valid accounts.

Hackers have different options for mounting compromised credential attacks. For example, they can replay usernames and passwords exposed in prior data breaches against other services (credential stuffing), or use phishing to persuade victims to hand over credentials. They can also use brute force attacks, which leverage computing power and automation to guess passwords through trial and error, or password spraying, which tries a few common passwords against many accounts to stay under lockout thresholds. Weak and reused passwords make all of these easier.
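These attacks leave characteristic traces in authentication logs: a burst of failures from one source against one account (brute force), a burst of failures from one source spread across many accounts (spraying or stuffing), and, worst of all, a success that follows such a burst. The following is an added example, not from the original article, that runs that detection logic over constructed sshd-style log lines in the format of a Linux auth.log. Thresholds and the window are illustrative assumptions a team would tune for its own environment.

```python
"""Detect brute-force, spraying and success-after-failures in sshd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# syslog-style sshd lines; the timestamp carries no year, as in /var/log/auth.log
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(lines):
    """Return (timestamp, result, user, ip) tuples for recognised lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message, e.g. "Connection closed"
        # Year defaults to 1900; only time differences matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(lines, window_s=300, fail_threshold=5, spray_users=3):
    """Per source IP: many failures inside a sliding window is brute force,
    or password spraying when they span several accounts; a success that
    follows a run of failures indicates a likely compromised credential."""
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            window = fails[i:j]
            if len(window) >= fail_threshold:
                users = sorted({e[2] for e in window})
                kind = "password spraying" if len(users) >= spray_users else "brute force"
                alerts.append({"ip": ip, "type": kind, "users": users, "failures": len(window)})
                break  # one alert per source is enough for this example

        n_fail = 0
        for _, result, user, _ in evs:
            if result == "Failed":
                n_fail += 1
            else:
                if n_fail >= fail_threshold:
                    alerts.append({"ip": ip, "type": "success after failures",
                                   "users": [user], "failures": n_fail})
                n_fail = 0
    return alerts


# Constructed log lines; addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "Jan 12 03:14:01 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Jan 12 03:14:09 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Jan 12 03:14:17 bastion sshd[2213]: Failed password for alice from 203.0.113.7 port 51236 ssh2",
    "Jan 12 03:14:25 bastion sshd[2213]: Failed password for alice from 203.0.113.7 port 51236 ssh2",
    "Jan 12 03:14:33 bastion sshd[2215]: Failed password for alice from 203.0.113.7 port 51238 ssh2",
    "Jan 12 03:14:41 bastion sshd[2215]: Failed password for alice from 203.0.113.7 port 51238 ssh2",
    "Jan 12 03:15:02 bastion sshd[2230]: Accepted password for alice from 203.0.113.7 port 51250 ssh2",
    "Jan 12 03:20:00 bastion sshd[2301]: Failed password for invalid user bob from 198.51.100.23 port 40001 ssh2",
    "Jan 12 03:20:05 bastion sshd[2302]: Failed password for carol from 198.51.100.23 port 40002 ssh2",
    "Jan 12 03:20:10 bastion sshd[2303]: Failed password for dave from 198.51.100.23 port 40003 ssh2",
    "Jan 12 03:20:15 bastion sshd[2304]: Failed password for invalid user erin from 198.51.100.23 port 40004 ssh2",
    "Jan 12 03:20:20 bastion sshd[2305]: Failed password for frank from 198.51.100.23 port 40005 ssh2",
    "Jan 12 03:30:00 bastion sshd[2400]: Failed password for grace from 192.0.2.9 port 33000 ssh2",
    "Jan 12 03:30:12 bastion sshd[2400]: Accepted password for grace from 192.0.2.9 port 33000 ssh2",
    "Jan 12 03:31:00 bastion sshd[2401]: Connection closed by 192.0.2.9 port 33000 [preauth]",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single typo from 192.0.2.9 produces no alert, which is the point of thresholding: alerting on every failure buries the real signal. Real credential-stuffing campaigns spread attempts across many source addresses, so in production the same logic is usually keyed on the target account and on the password-hash or user-agent fingerprint as well as on the source IP.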

Insider threats

Insider threats are cybersecurity threats that originate with authorized users, such as employees, contractors and business partners, who intentionally or accidentally misuse their legitimate access, or have their accounts hijacked by cybercriminals.

There are various types of insider threats, including malicious insiders (disgruntled employees intent on revenge), negligent insiders (employees who inadvertently create security threats through ignorance or carelessness) and compromised insiders (employees whose credentials are stolen).

According to the IBM Cost of a Data Breach Report 2025, malicious insider attacks stand out as the most costly cause of data breaches among all attack vectors, at USD 4.92 million per incident.

Vulnerability exploitation

Vulnerability exploitation occurs when internal or external threat actors exploit security weaknesses in an organization’s digital environment. According to the X-Force Threat Intelligence Index, the exploitation of vulnerabilities in public-facing apps is one of the top cyberattack vectors.

Examples of vulnerabilities include:

  • Unpatched software: Known flaws that remain exploitable because the vendor’s fix (patch) has not been applied.

  • Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls or protocols that serve as entry points for hackers.

  • Open port vulnerabilities: Services listening on exposed network ports, especially unnecessary or unauthenticated ones, give attackers a directly reachable target.

  • SQL injection vulnerabilities: Attacker-controlled input is concatenated into database queries, letting the attacker change the query’s logic to read or modify data.

  • Cross-site scripting (XSS): A web application inserts user input into a page without encoding it, allowing attackers to inject scripts that run in other users’ browsers.
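Both injection flaws in the list above have the same root cause, untrusted input being interpreted as code, and the same shape of fix, keeping data and code separate. The block below is an added example, not from the original article, showing a vulnerable and a hardened version of each against a constructed in-memory SQLite database. The usernames and placeholder hash strings are made up.

```python
"""SQL injection and XSS: vulnerable code beside its hardened form (added example)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory database with two users and placeholder hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "$argon2id$placeholder-1", "admin"), ("bob", "$argon2id$placeholder-2", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # Concatenation: the input is parsed as SQL, so a quote in it ends the
    # string literal and whatever follows becomes part of the query.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Parameter binding: the driver passes the value separately from the
    # statement text, so it can never change the query's structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Raw interpolation into HTML: markup in `name` is rendered, and a
    # <script> element in it runs in every viewer's browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Output encoding for the HTML text context turns <, >, &, " and ' into
    # entities, so the browser shows the payload instead of executing it.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    dump = "x' UNION SELECT username, password_hash FROM users --"
    print(lookup_user_vulnerable(conn, tautology))  # every row, not just one user
    print(lookup_user_vulnerable(conn, dump))       # password hashes leak
    print(lookup_user_safe(conn, tautology))        # [] : treated as a literal name
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The `UNION` payload shows why "it only returns one column" is no defence: the attacker chooses what the second `SELECT` returns. Note also that `html.escape` is correct only for HTML text and quoted-attribute contexts; input placed into a JavaScript block, a URL or a CSS value needs the encoder for that context, which is why templating engines with context-aware autoescaping are preferred over hand-built strings.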

Despite catalogs such as the Common Vulnerabilities and Exposures (CVE) list, many vulnerabilities remain unknown to vendors and defenders. A flaw that attackers discover and exploit before the vendor knows about it, or before a fix is available, is called a zero-day vulnerability, because the software provider or device vendor has had zero days to fix it. Attacks that exploit such flaws are known as zero-day attacks.

Malware

While malware, or malicious software, is often a component of other attack vectors—such as social engineering or supply chain compromises—it can also be considered its own vector category. In 2024, ransomware made up the largest share of malware cases (28%), according to the IBM® X-Force® Threat Intelligence Index.

Other examples of malware include remote access malware (which gives attackers remote control of an infected system), trojan horses (malicious programs disguised as useful ones) and spyware (programs that gather sensitive information and send it to attackers).

Infostealer malware, which is designed to steal valuable information, is a growing threat in the space. According to the X-Force Threat Intelligence Index, the number of infostealers delivered weekly through phishing emails has surged by 84%.

Physical attacks

While hackers have a cornucopia of digital tools at their disposal, physical intrusions remain a real concern in cybersecurity. For instance, attackers can forge badges, impersonate vendors or follow an authorized person into a business’s secure area (a practice known as tailgating). From there, they can steal laptops and other devices, install malware or leave USB drives loaded with malware around the office, so that curious employees plug in the drives and introduce the malware themselves.

According to the IBM Cost of a Data Breach Report 2025, physical theft or security issues cost organizations more than USD 4 million on average, per incident.

Cyberattacks often encompass two or more attack vectors. For instance, attackers might use phishing to trick a user into allowing ransomware to be downloaded onto their computer. Then, the attacker might threaten a DDoS attack if the victim doesn’t pay the ransom demanded. Or, they might exploit a vulnerability in a vendor’s system to access their customers’ systems (a supply chain compromise attack) and inject malicious code into those systems to scan for credentials that hackers can then use to exfiltrate data.

Passive attack vectors vs. active attack vectors

Another way of organizing vectors is dividing them into two groups: passive or active.

Cybercriminals use passive attack vectors to gain access to information without altering the system. An example of a passive attack vector would be a Wi-Fi network lacking encryption, rendering it vulnerable to eavesdropping by hackers.

In contrast, hackers use active attack vectors to gain control over, disrupt or otherwise impact systems. Active attack vectors include denial of service attacks and ransomware attacks.

Sometimes, the delineation between what constitutes an active attack vector and what constitutes a passive one isn’t clear cut. For instance, phishing might be considered a passive attack vector when it is used solely to procure information from a target without altering the target’s system. However, phishing that tricks a victim into downloading ransomware onto a system could be considered an active attack vector.

What is attack surface management (ASM)?

While cybersecurity professionals have a variety of tools and strategies at their disposal, attack surface management (ASM) is especially important for addressing potential attack vectors. Unlike other cybersecurity disciplines, ASM is conducted from a hacker’s perspective, assessing a system for opportunities that could be appealing to a cybercriminal.

ASM consists of four core processes:

Asset discovery

Asset discovery automatically and continuously scans for and identifies internet-facing hardware, software and cloud assets that could act as entry points for attackers.

Classification and prioritization

After assets are identified, they are classified, analyzed for vulnerabilities and prioritized by attackability.

Remediation

Remediation measures—such as patching, fixing code defects, stronger data encryption and the implementation of multifactor authentication (MFA)—are applied in order of priority.

Monitoring

Inventoried network assets and the network itself are continuously monitored, with new vulnerabilities and attack vectors detected and assessed in real time.

Authors

Alice Gomstyn

Staff Writer

IBM Think

Alexandra Jonker

Staff Editor

IBM Think

Footnotes

1 “What is a vector?” Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences. 13 March 2017.

2 “The State of Software Supply Chain Security 2024.” ReversingLabs. 2024.