Identity-based attack paths are now the primary vector in most breaches, yet most organizations don’t have visibility into the millions of hidden privilege chains connecting their systems. In our recently published report¹, we show that traditional Identity Security approaches are inadequate for modern threats due to the sheer scale and complexity of managing identities. This calls for a better approach in addressing identity risk: Attack Path Management (APM).

The growth in identity risk can be attributed to the fact that organizations constantly evolve, and the identity fabric continues to move with this motion. This includes the provisioning and removal of human identities and known and unknown service accounts, and contending with an interconnected web of software-as-a-service (SaaS) applications, the adoption of hybrid environments, and an impending growth of Non-Human Identities (NHI). This results in more identities, more privileged relationships, and more attack paths for attackers to abuse.

While security teams focus on preventing initial compromise, the combination of hidden privilege chains and user behavior that create attack paths remain invisible to traditional security tools.

Our BloodHound Enterprise (BHE) data shows that organizations with 10,000 identities face 22 million potential attack paths, highlighting the sheer scale of the problem.

As the number of identities in an organization grows, so does the number of attack paths. In fact, attack paths multiply exponentially. BHE data reveals that organizations with approximately 1,000 employees are typically exposed to more than 5 million attack paths—scaling the risk to out of control levels if not properly addressed.

This challenge is further accelerated by the adoption of Artificial Intelligence (AI) and NHIs. According to industry predictions², this will significantly push the current ratio from five identities per employee towards a 1:20, or in some cases even 1:40 ratio. This imminent surge of identities, with an expected 20% growth in the next year, makes today a critical moment to start addressing identity risk systematically.

¹ https://specterops.io/state-of-APM

² https://www.appviewx.com/blogs/key-takeaways-from-the-2024-esg-report-on-non-human-identity-nhi-management/

While historically Security and Identity and Access Management teams could address the matter by hardening authentication, the threat is also evolving. Adversaries steal active sessions such as browser cookies, tokens, and cached credentials. By focusing on these identities in transit, rather than identities at rest, adversaries can bypass every deployed login control. We detail how these attacks work in case studies and our experiences from Red Team operations in the report.

To further complicate the matter, the most devastating attack paths often traverse multiple identity systems and exploit the seams where they connect.

A New Approach Privileged Access Management (PAM) and Identity Threat Detection and Response (ITDR) solutions provide valuable security layers, but they are difficult to implement correctly and primarily address individual components rather than the interconnected attack paths that span multiple systems. There is a clear need for an improved and continuous approach to addressing Identity Risk, addressing not just individual vulnerabilities or misconfigurations but rather the chained identity attack paths they create.

This is where identity APM becomes a practice, not a point-in-time project. It is where identity graphs and privilege maps evolve from helpful visuals to functional inputs across detection, response, remediation, and governance. Organizations implementing an APM program report significant reductions in critical attack paths soon after deployment.

A recent APM adopter showed an 85% reduction in findings within the first month by implementing an APM practice and focusing on remediating critical attack paths.

To learn all about the State of Attack Path Management, read our full report and discover how to eliminate these attack paths before an attacker exploits them. Get the technical playbooks, real-world case studies, and implementation roadmap that leading organizations use to reduce their attack surface by 60-80% within the first quarter of adoption.