Rethinking Identity Risk Through Attack Paths

August 21, 2025

The 2025 State of Attack Path Management report from SpecterOps highlights a critical evolution in how organizations should approach identity risk, writes Sinisa Markovic of Help Net Security.

The tools that CISOs routinely employ to help manage access, such as identity governance, privileged access management (PAM), and multi-factor authentication, fail to address the broader threat posed by interconnected privileges that attackers can chain together.

Attack Path Management provides a continuous framework for mapping, understanding, and disrupting these chains, reflecting the fact that breaches often exploit sequences of legitimate access rather than isolated credential compromises.

A central insight from the report is the distinction between access graphs and attack graphs.

Access graphs, commonly used for audits and compliance, show which users have access to which resources. Attack graphs, however, reveal how identities, sessions, and permissions can be combined to reach critical assets, even when individual links appear harmless.

This explains why detecting or preventing identity risk remains exceptionally challenging, particularly in complex environments where non-human identities, including service accounts, automation agents, and AI systems, can outnumber employees 20-to-1 or more.

Exponential growth in potential attack paths magnifies the risk surface, with organizations of 10,000 identities facing tens of millions of possible escalation paths.

Identities in transit are equally concerning. Active sessions, tokens, and cookies can be stolen to bypass authentication entirely, as seen in recent breaches involving Snowflake and the Russia-linked Void Blizzard group. 

Traditional tools such as PAM and identity governance often provide limited visibility, protecting credentials or observing behavior without detecting risky access combinations.
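The access-graph versus attack-graph distinction described above can be shown on a small constructed environment. This is an added example, not taken from the SpecterOps report or the original article; every identity, host and relationship name in it is hypothetical.

```python
from collections import deque

# Constructed sample environment (all names and edge types are hypothetical).
EDGES = [  # (source, relationship, target)
    ("alice", "MemberOf", "helpdesk"),
    ("helpdesk", "CanResetPassword", "svc-backup"),
    ("svc-backup", "AdminTo", "fileserver01"),
    ("fileserver01", "HasSession", "dbadmin"),  # live session: identity in transit
    ("dbadmin", "AdminTo", "payroll-db"),
    ("bob", "MemberOf", "staff"),
    ("staff", "ReadAccess", "wiki"),
]
CRITICAL = "payroll-db"

def direct_access(target, edges=EDGES):
    """Access-graph view: who holds an explicit grant on the target."""
    return sorted({src for src, _, dst in edges if dst == target})

def attack_path(start, target, edges=EDGES):
    """Attack-graph view: shortest chain of relationships from start to target."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, dst in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None  # no chain exists

def exposed_identities(target, edges=EDGES):
    """Every node other than the target that has some chain to it."""
    nodes = {n for src, _, dst in edges for n in (src, dst)} - {target}
    return sorted(n for n in nodes if attack_path(n, target, edges))

if __name__ == "__main__":
    print("direct grants:", direct_access(CRITICAL))
    for hop in attack_path("alice", CRITICAL) or []:
        print("  %s -[%s]-> %s" % hop)
    # Clearing the stale session removes the chain for everyone upstream of it.
    trimmed = [e for e in EDGES if e[1] != "HasSession"]
    print("after session cleanup:", exposed_identities(CRITICAL, trimmed))
```

An audit of direct grants lists one identity, while the traversal shows five nodes that can reach the same asset; removing a single edge collapses that set back to one.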
