What is Attack Path Mapping?
Also: Attack Path Analysis · APA · Attack Chaining · Exposure Chaining
Definition
Attack path mapping is the practice of stitching individually validated exposures into the step-by-step route an attacker would actually walk to reach a high-value asset, so a defender knows not just that a weakness exists but where it leads. It turns a flat list of findings into a prioritized story of how a breach unfolds.
In depth
A traditional vulnerability scan answers the question 'what is wrong?' and hands you a list of issues, each rated in isolation. Attack path mapping answers the far more useful question 'what can an attacker do with these together?' It models how a foothold on an internet-facing asset connects to the next hop, and the next, until the chain terminates at something a defender cares about: a customer database, an admin console, a cloud identity with broad permissions. The unit of analysis is the path, not the single finding.
The reason chaining matters is that real intrusions rarely rely on one catastrophic bug. As frameworks like Lockheed Martin's Cyber Kill Chain and MITRE ATT&CK document, adversaries progress through phases (reconnaissance, initial access, execution, credential access, lateral movement, and impact) in which each technique sets up the next. A path might read: an exposed .env file leaks a database connection string; those credentials authenticate to an internet-reachable database; the database holds session tokens that unlock an admin panel. None of those three is necessarily a 'critical' on its own, yet together they form a clean route from the open internet to full compromise.
This is where the concept of a 'toxic combination' comes in. Two or three medium-severity exposures can multiply into a high-severity path because the existence of one makes exploiting the next trivial. Attack path mapping makes those multipliers visible. It also exposes choke points: a single node, such as a shared dangling DNS record or one over-permissioned credential, that appears in many paths. Fixing the choke point collapses dozens of paths at once, which is why path-aware remediation is dramatically more efficient than burning down a CVSS-sorted backlog top to bottom.
It is worth differentiating attack path mapping from neighbouring ideas. An attack surface is the full set of points where an attacker could attempt entry; attack path mapping is what happens after entry, tracing movement through that surface. An attack graph is the underlying data structure, the nodes (assets, credentials, exposures) and edges (the moves between them) that a path traverses. A kill chain or ATT&CK matrix is the behavioral vocabulary that labels each move. Attack path mapping is the applied methodology that consumes validated findings and produces concrete, prioritized routes a defender can act on. Crucially, it only works on findings that have been validated; mapping a path through a false positive produces a fictional risk, which is why proof of exploitability must come before path construction.
Why it matters
Without attack path mapping you triage by severity score and hope you are fixing the things attackers actually use, but a backlog of fifty 'mediums' hides the three that chain into a breach. Defenders consistently learn after an incident that the route in was assembled from findings that had each been individually marked 'accept the risk': the exposed config file nobody prioritized, which leaked the credential, which opened the database. Loss aversion is the honest framing here: the cost of not mapping paths is paid as a breach you could have foreseen, where the post-mortem shows every link was visible in your own scan results, just never connected. Mapping converts a noisy list into a ranked set of routes to impact, so the limited hours your team has go to the exposures that sever an attacker's path rather than the ones that merely raise the count.
How Legba Recon uses it
Legba Recon never reports a path it has not earned. Discovery first enumerates your external footprint: the subdomains, hosts, certificates, cloud buckets, exposed services, and DNS records that form the nodes of the graph. Validation then proves which of those are genuinely exploitable rather than theoretical, because a path built on an unverified finding is fiction. Only validated nodes are connected into edges: a leaked credential in a public asset is linked to the service it unlocks, a dangling DNS record is linked to the takeover it enables, an exposed admin panel is linked to the data behind it. Recon surfaces the resulting routes ranked by proximity to impact and highlights the shared choke points whose remediation breaks the most paths, so your team fixes the link that matters first instead of working a flat list. The deliverable is a defender-readable narrative (this exposure leads to that asset via these steps), mapped to recognizable kill-chain and ATT&CK stages.
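The graph-and-path model described in the "In depth" section and the discovery, validation, edge-building and ranking pipeline described just above can be shown end to end with a small script. The example below is added here for illustration and is not Legba Recon's code; every host, credential and exposure name in it is a constructed, hypothetical sample, and the ranking rule (fewest hops to impact first) and the choke-point rule (count how many paths pass through each intermediate node) are assumptions chosen to match the text, not the product's actual scoring. Note how the one unvalidated finding is dropped before any edge is built, so the cloud identity it pointed at never appears in a path.

```python
"""Toy attack path mapper: validated findings -> graph -> ranked paths and choke points."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample footprint (hypothetical names, for illustration only).
ENTRY: Set[str] = {"web-01", "api-01", "legacy-cname"}               # internet-reachable nodes
IMPACT: Set[str] = {"customer-db", "admin-panel", "cloud-identity"}  # what a defender cares about

# Findings as directed edges: (from_node, to_node, kill-chain stage and move, validated).
# 'validated' is True only when exploitability was proven, e.g. the leaked credential
# really authenticates; an unproven finding must never become an edge.
FINDINGS: List[Tuple[str, str, str, bool]] = [
    ("web-01", "env-file", "initial access: exposed .env file", True),
    ("env-file", "db-creds", "credential access: connection string in .env", True),
    ("db-creds", "customer-db", "lateral movement: credentials valid on reachable DB", True),
    ("customer-db", "session-tokens", "collection: session tokens stored in DB", True),
    ("session-tokens", "admin-panel", "lateral movement: token replay to admin panel", True),
    ("api-01", "db-creds", "credential access: verbose error leaks DSN", True),
    ("legacy-cname", "subdomain-takeover", "initial access: dangling DNS record", True),
    ("subdomain-takeover", "session-tokens", "credential access: cookie scoped to parent domain", True),
    ("api-01", "cloud-identity", "unverified SSRF toward metadata endpoint", False),
]

Graph = Dict[str, List[Tuple[str, str]]]


def build_graph(findings) -> Graph:
    """Connect only validated findings into edges; unvalidated ones are dropped."""
    graph: Graph = defaultdict(list)
    for src, dst, move, validated in findings:
        if validated:
            graph[src].append((dst, move))
    return graph


def enumerate_paths(graph: Graph, entry: Set[str], impact: Set[str]) -> List[List[str]]:
    """Depth-first walk from every entry node, collecting each simple path ending on an impact node."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in impact and len(path) > 1:
            paths.append(list(path))   # record, but keep walking: one impact can lead to another
        for nxt, _ in graph.get(node, []):
            if nxt not in path:        # simple paths only; the graph may contain cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in sorted(entry):
        walk(start, [start])
    return paths


def rank_paths(paths: List[List[str]]) -> List[List[str]]:
    """Proximity to impact: fewer hops first; ties broken by name for a stable order."""
    return sorted(paths, key=lambda p: (len(p) - 1, p))


def choke_points(paths: List[List[str]], impact: Set[str]) -> List[Tuple[str, int]]:
    """Intermediate nodes (exposures, credentials) ranked by how many paths pass through them."""
    counts: Counter = Counter()
    for p in paths:
        for node in p[1:-1]:
            if node not in impact:
                counts[node] += 1
    return counts.most_common()


def reachable_impacts(paths: List[List[str]]) -> Set[str]:
    """Impact nodes that at least one validated path actually reaches."""
    return {p[-1] for p in paths}


def narrate(graph: Graph, path: List[str]) -> str:
    """Defender-readable route: this exposure leads to that asset via these moves."""
    steps = []
    for a, b in zip(path, path[1:]):
        move = next(m for n, m in graph[a] if n == b)
        steps.append(f"{a} --[{move}]--> {b}")
    return "  ".join(steps)


if __name__ == "__main__":
    g = build_graph(FINDINGS)
    ranked = rank_paths(enumerate_paths(g, ENTRY, IMPACT))
    print(f"{len(ranked)} validated paths to impact:")
    for p in ranked:
        print(f"  [{len(p) - 1} hops] {narrate(g, p)}")
    print("choke points (fix first):", choke_points(ranked, IMPACT))
    print("impact nodes never reached:", IMPACT - reachable_impacts(ranked))
```

On the constructed data the shortest route is two hops (a verbose API error leaks the connection string that opens the database), and db-creds sits on four of the five paths, so revoking and rotating that one credential is the single fix that collapses the most routes; the same shared-node logic is what flags a dangling DNS record or an over-permissioned identity as a choke point in a real footprint.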
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
References
- MITRE ATT&CK, MITRE
- The Cyber Kill Chain, Lockheed Martin
