Meaning in the Signal

Attack Paths, Not Attack Surfaces

Tags: security, attack surface management, attack paths, exposure management, signal, investment

The attack surface management market will be worth several billion dollars by the time you read this. Dozens of vendors, a wave of acquisitions, a category that went from niche to mainstream in less time than most security programmes take to complete a risk assessment. The marketing is confident, the investor interest is real, and the logic is superficially compelling: you cannot protect what you do not know you have.

I consider it, on balance, a well-intentioned mistake.

Not useless. Not wrong in its diagnosis. But optimised, with considerable commercial enthusiasm, for the wrong question - and in a world where the constraint is no longer detection but comprehension, that distinction matters rather a lot.

A Surface Tells You Where. A Path Tells You How.

Here is the conceptual problem. An attack surface is a catalogue of exposure - a map of everything external and accessible: domains, IP ranges, cloud assets, open ports, unpatched systems, shadow IT that found its way onto the network whilst nobody was watching. It is, in the language I have been using across this series, signal. Abundant, accurate, and in most organisations I have encountered, growing faster than anyone’s capacity to act on it.

An attack path is something quite different. It is not a catalogue of what exists - it is a model of what is possible. Specifically, it is the sequence of steps an adversary would take to move from an initial access point to a target of value: the crown jewel we discussed last week, the thing that would genuinely damage the business if compromised. It asks not “what is exposed?” but “given this environment, this adversary, and this objective, how do you actually get there?”

Attackers do not think in surfaces. They think in paths.

When a threat actor compromises a perimeter asset, their immediate question is not “what else is exposed on this network?” It is “where can I go from here, and does that path lead anywhere interesting?” They are, in a very real sense, solving a routing problem - finding the sequence of lateral movements, privilege escalations, and trust relationship abuses that connects their foothold to the thing worth stealing. The Cyber Kill Chain, developed by Lockheed Martin and still the most useful framework for thinking about intrusion sequencing, is path-based almost by definition. So is MITRE ATT&CK. The adversary community thinks in paths because paths are how breaches actually happen.

Most of our defensive tooling still thinks in surfaces.

The Signal Problem Compounds

The practical consequence of this misalignment is not merely conceptual. It is operational, and it is expensive.

Attack surface management tools generate findings. Many findings. An organisation of meaningful scale - a few thousand employees, a reasonably mature cloud footprint, a decade of accumulated digital infrastructure - might easily surface tens of thousands of exposed assets or potential exposure points in an initial scan. Some of these will be known and accepted. Some will be surprises. Some will be genuinely critical. The great majority will be none of the above: valid findings, accurately detected, representing real exposure, but lying on paths that lead nowhere of consequence.

This is the signal problem in concentrated form. The attack surface approach produces a comprehensive inventory of where you could be hit, but it provides almost no information about which of those exposure points sits on a path to something that matters. A forgotten subdomain pointing at a decommissioned server may light up every ASM dashboard in your organisation. The question worth asking - does this subdomain lie on any plausible path to your crown jewels? - is one that attack surface tooling, by design, does not answer.

I have sat with security teams who had achieved genuine ASM maturity - clean asset inventories, continuous monitoring, well-tuned alerting - who could not tell me with any confidence how an attacker would move from their internet-facing estate to their most sensitive systems. They had solved the surface problem. They had not begun to solve the path problem.

The Counter-Argument, and Why It Does Not Save ASM

The strongest defence of attack surface management is also the most obvious one: you cannot analyse paths through assets you do not know exist. Inventory is foundational. If your attack path analysis begins from a partial or outdated asset register, the paths it models will be incomplete - and an adversary will find the path you failed to include.

This is true. I accept it entirely.

But there is a significant gap between “necessary” and “sufficient,” and the ASM industry has a tendency to blur it. Knowing that an asset exists and is exposed is a precondition for understanding its path-based significance - it is not the same thing as understanding that significance. The inventory is the starting point, not the answer. And the security programmes I consider genuinely mature are the ones that treat ASM as an input to path analysis rather than a destination in its own right.

The academic literature on attack graphs - formal models of the sequences of vulnerabilities an attacker can chain together to reach a target - has been reasonably rich since at least the early 2000s. Researchers like Sushil Jajodia at George Mason University built rigorous frameworks for reasoning about multi-step attack sequences before attack surface management existed as a vendor category. The practical tooling has arrived later than the theoretical foundation, but it is arriving: automated attack path analysis, breach and attack simulation, exposure management platforms that attempt to contextualise findings within an adversarial model. These are the right direction. They are asking the right question.

What This Means For How You Invest

If you accept the argument, the implication for security investment is straightforward, if uncomfortable. Money spent on expanding attack surface coverage, on reducing your “external footprint score,” on achieving ASM completeness, is money spent on signal. It is not money spent on meaning. And if the constraint has moved - as I argued in week two, and continue to believe - then optimising for signal production is optimising for the old bottleneck.

This does not mean abandon ASM. It means subordinate it. Use it as the foundation layer it is, and then invest in the tools, processes, and analytical capacity that can transform that inventory into path intelligence. Ask, for every finding your ASM tooling surfaces: does this lie on a path to something that matters? If the answer is no, or if you cannot determine the answer, you have a comprehension problem, not a coverage problem.
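As an added illustration, not part of the original post, here is a small Python model of the two ideas above: the attack graph described in the academic literature (a directed model of the steps an adversary can chain together to reach a target) and the triage question for every ASM finding ("does this lie on a path to something that matters?"). The environment, the asset names, the trust edges, the list of ASM findings and the crown jewel are all constructed assumptions for the example; the code treats the ASM inventory purely as an input to path analysis.

```python
from collections import deque

# Constructed example environment (not from the article). An edge A -> B means
# "an adversary who holds A can plausibly reach B" through a trust relationship,
# a shared credential or a permitted network path. The edge list is the model;
# it is only as complete as the asset inventory that feeds it.
EDGES = {
    "web-01": ["app-server"],                       # internet-facing web tier
    "vpn-gw": ["jump-host"],                        # remote-access gateway
    "mail-gw": ["workstation"],                     # inbound mail relay
    "legacy-subdomain": [],                         # dangling DNS record, host decommissioned
    "app-server": ["domain-controller"],            # runs under a domain service account
    "jump-host": ["domain-controller"],             # admins connect onward from here
    "domain-controller": ["db-prod", "file-share"],
    "workstation": ["file-share"],
    "db-prod": [],
    "file-share": [],
}

# What the ASM tooling reports: everything external and reachable (constructed).
ASM_FINDINGS = ["web-01", "vpn-gw", "mail-gw", "legacy-subdomain"]

# The crown jewel: the asset whose compromise would genuinely hurt (constructed).
CROWN_JEWELS = {"db-prod"}


def shortest_path(graph, start, targets, blocked=frozenset()):
    """Breadth-first search from start; return the first path that reaches any
    node in targets as a list of node names, or None if no path exists.
    Nodes in `blocked` are treated as removed from the graph."""
    if start in blocked:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:          # walk parents back to the start
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent and nxt not in blocked:
                parent[nxt] = node
                queue.append(nxt)
    return None


def triage_findings(graph, findings, jewels):
    """For each ASM finding, the shortest modelled path to a crown jewel, or
    None when the finding lies on no path of consequence."""
    return {f: shortest_path(graph, f, jewels) for f in findings}


def chokepoints(graph, findings, jewels):
    """Intermediate assets whose removal (or hardening) severs every modelled
    path from any finding to any crown jewel. These are where defensive
    investment buys the most, which a surface inventory alone cannot show."""
    if not any(shortest_path(graph, f, jewels) for f in findings):
        return set()
    candidates = set(graph) - set(findings) - set(jewels)
    return {
        n for n in candidates
        if not any(shortest_path(graph, f, jewels, blocked={n}) for f in findings)
    }


if __name__ == "__main__":
    for finding, path in triage_findings(EDGES, ASM_FINDINGS, CROWN_JEWELS).items():
        if path:
            print(f"ON PATH   {finding}: {' -> '.join(path)}")
        else:
            print(f"OFF PATH  {finding}: no modelled route to a crown jewel")
    print("chokepoints:", sorted(chokepoints(EDGES, ASM_FINDINGS, CROWN_JEWELS)))
```

Run as-is, the report marks `web-01` and `vpn-gw` as on-path (both routes converge on the domain controller), and `mail-gw` and the forgotten `legacy-subdomain` as off-path: real exposure, accurately detected, leading nowhere that matters in this model. The chokepoint check then identifies `domain-controller` as the single intermediate asset that every modelled path passes through. The caveat from the text applies directly: an asset missing from `EDGES` is invisible to this analysis, which is exactly why the inventory is the input and not the answer.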

The security industry spent a decade and several billion dollars teaching itself to see everything. The next decade belongs to those who learn to understand what they are seeing - and in particular, which of the ten thousand things they can see are the three that will actually get them breached.

Attack surfaces are where the signal lives. Attack paths are where the meaning is.


If you have achieved genuine completeness in your attack surface coverage, I would invite you to sit with a single question: can you trace, step by step, the path an adversary would take from your most exposed asset to your most valuable one? If you cannot - if that question produces uncertainty rather than a confident answer - what does that tell you about where your investment has actually gone?