Attack Vectors in Cybersecurity: 12 Most Common Types & How to Defend Against Them

What an attack vector is, attack vector vs attack surface, active vs passive vectors, the 12 most common types, and how to protect against each.

June 12, 2023
9 min read
Attack Vectors

An attack vector is the specific path a threat actor uses to gain unauthorized access to your systems, network, or data. Phishing emails, stolen credentials, unpatched software, a careless insider — each is a different door into the organisation. Security teams that can name their most likely attack vectors can defend them; those that can’t are defending everything vaguely and nothing well.

This guide explains what an attack vector is (and how it differs from an attack surface and a threat vector), walks through the 12 most common attack vectors we see used against organisations, and gives concrete security measures to close each one.

What is an attack vector?

An attack vector is the method or pathway an attacker uses to breach a system — the route from outside your defences to inside them. Every cyber attack starts with one. The attacker’s goal might be to steal data, deploy ransomware, hijack computing resources, or establish long-term access, but the first step is always an entry point: a phishing email that harvests a credential, a vulnerability the attacker can exploit, a misconfigured cloud bucket, a USB drive in a car park.

Attack vector vs attack surface vs threat vector

These three terms get mixed up constantly, and the difference matters:

  • Attack vector — the method of entry. Phishing, brute force, SQL injection.
  • Attack surface — the sum of all possible entry points: every exposed server, web application, account, API, device, and human. You reduce your attack surface; you defend against attack vectors.
  • Threat vector — used interchangeably with attack vector in most contexts; some teams use it more broadly to include the threat actor and motive.

Rule of thumb: the attack surface is every door and window in the building; an attack vector is the specific way the burglar gets in.

Active vs passive attack vectors

Attack vectors fall into two broad categories:

  • Active attack vectors alter or disrupt systems directly — malware, ransomware, denial-of-service attacks, exploiting an unpatched vulnerability, brute force attacks on passwords. They’re noisy but fast.
  • Passive attack vectors gather information without changing anything — eavesdropping on unencrypted traffic, session sniffing, reconnaissance of your attack surface, social engineering that quietly extracts sensitive information. They’re the quiet setup work that makes the active attack succeed.

Most real breaches chain the two: passive reconnaissance and credential harvesting first, then active exploitation.

The 12 most common attack vectors

1. Phishing and social engineering

Phishing remains the most common attack vector, full stop. A convincing email, text (smishing), or phone call (vishing) manipulates an employee into clicking a malicious link, opening an infected attachment, or handing over credentials on a spoofed login page. Modern phishing attacks are AI-written, personalised, and increasingly hard to spot. Business email compromise — a social engineering attack with no malware at all, just a fraudulent payment request — costs organisations billions per year. Defence: security awareness training paired with regular phishing simulation, MFA everywhere, and a one-click way for staff to report suspicious emails.

2. Compromised and stolen credentials

A valid username and password is the attacker’s favourite key: log in, don’t break in. Credentials leak through phishing, infostealer malware, and third-party data breaches, then get sold and replayed. Defence: multi-factor authentication, a password manager to eliminate reuse, and monitoring for your domains in credential dumps.

3. Weak passwords and brute force attacks

A brute force attack simply tries passwords until one works — trivially effective against short, common, or reused passwords, and against logins with no rate limiting. Credential stuffing does the same with previously breached password lists. Defence: strong password policy, MFA, account lockout and rate limiting, and blocking known-breached passwords.

4. Malware

Malicious software — trojans, infostealers, loaders, spyware — arrives via phishing attachments, malicious downloads, and compromised websites, then gives the attacker a foothold to escalate. Defence: endpoint detection and response (EDR), application allow-listing, and blocking macro-enabled documents from the internet.

5. Ransomware

Ransomware deserves its own entry because it’s the highest-impact payload: it encrypts systems and data, then extorts payment, increasingly with data theft and leak threats layered on. The ransomware itself usually enters through another vector on this list — phishing, exposed RDP, or an unpatched vulnerability. Defence: offline, tested backups; network segmentation; EDR; and closing the entry vectors above.

6. Unpatched software vulnerabilities

Attackers scan the internet for known vulnerabilities within hours of disclosure and exploit them before organisations patch. Edge devices — VPNs, firewalls, file-transfer appliances — have been the headline example for several years. Defence: risk-based patch management with SLAs for internet-facing systems, and a vulnerability management program that actually tracks closure.

7. Zero-day exploits

A zero-day is a vulnerability exploited before any patch exists. You can’t patch what has no patch, but you can limit the blast radius. Defence: defence in depth — segmentation, least privilege, EDR behavioural detection, and virtual patching via WAF/IPS rules.

8. Insider threats

An insider threat is a current or former employee, contractor, or partner who misuses legitimate access — maliciously (data theft, sabotage) or negligently (mishandling sensitive data, falling for social engineering). Insiders bypass perimeter defences entirely because they’re already inside. Defence: least-privilege access, prompt deprovisioning, data loss prevention, and user behaviour monitoring for anomalous access.

9. Misconfiguration and exposed services

Public cloud buckets, default admin passwords, open RDP ports, permissive firewall rules — misconfiguration is the attack vector that requires no skill at all to exploit, only a scanner. Defence: hardened baseline configurations, cloud security posture management, and regular external attack surface scanning to see what an attacker sees.

10. Web application attacks (SQL injection and XSS)

Web applications that fail to validate input let attackers inject their own commands: SQL injection reads or modifies your database directly, and cross-site scripting (XSS) runs malicious scripts in your users’ browsers to hijack sessions. Injection flaws are most dangerous where applications process untrusted input into queries or pages. Defence: parameterised queries, input validation and output encoding, a web application firewall, and regular application penetration testing.

11. Man-in-the-middle and session hijacking

On unencrypted or poorly configured connections, an attacker can silently intercept traffic — capturing credentials and session tokens or altering data in transit. Public Wi-Fi and rogue access points are classic settings. Defence: TLS everywhere (HSTS), secure cookie flags, VPN or zero-trust access for remote work, and certificate monitoring.

12. Supply chain and third-party compromise

Attackers increasingly breach one supplier to reach many victims: a poisoned software update, a compromised managed service provider, or a vendor with excessive network access. Your attack surface includes every third party you trust. Defence: vendor security assessment, least-privilege third-party access, software bill of materials (SBOM) awareness, and treating vendor connections as untrusted networks and monitoring them accordingly.

What are the 4 types of attacks?

A common framing groups cyber attacks into four types: passive attacks (interception and eavesdropping), active attacks (modification, malware, denial-of-service), insider attacks (misuse of legitimate access), and close-in / physical attacks (direct device or facility access). Similarly, the four most exploited categories of vulnerability are unpatched software, misconfiguration, weak or stolen credentials, and human error — which is why the vectors above keep recurring.

How attackers actually exploit attack vectors

A realistic breach rarely uses a single vector in isolation. A typical chain: the attacker maps your attack surface (passive), sends a targeted phishing email to five finance employees (social engineering), harvests one credential on a fake Microsoft 365 login page, logs in through a legacy protocol that skips MFA (misconfiguration), moves laterally using an unpatched internal server (vulnerability exploit), and stages ransomware (active payload). Defending any one link weakens the whole chain — defending several breaks it.

How to protect against common attack vectors

  • Train the humans. Phishing and social engineering open most breaches. Continuous security awareness training with phishing simulation measurably cuts click rates and builds a reporting culture — employees become sensors, not just targets.
  • Kill the credential vector. MFA on every account, password manager, breached-password blocking.
  • Patch by risk. Internet-facing and known-exploited vulnerabilities first, on strict SLAs.
  • Shrink the attack surface. Inventory exposed assets, close unused services, fix misconfigurations, monitor continuously.
  • Assume breach. Segmentation, least privilege, EDR, and tested backups so a successful entry doesn’t become a successful attack.
  • Test yourself. Penetration testing and red teaming find your real attack vectors before threat actors do.

Frequently asked questions

What is an attack vector in cyber security?

An attack vector is the specific method or pathway a threat actor uses to gain unauthorized access to a system or network — such as phishing, stolen credentials, malware, or exploiting an unpatched vulnerability. It answers the question “how did the attacker get in?”

What are the most common attack vectors?

The most common attack vectors are phishing and social engineering, compromised credentials, weak passwords and brute force attacks, malware and ransomware, unpatched vulnerabilities, misconfiguration, insider threats, web application attacks like SQL injection, and supply chain compromise.

What is the difference between an attack vector and an attack surface?

The attack vector is the method of entry (the “how”); the attack surface is the total set of points an attacker could target (the “where”). Reducing your attack surface removes doors; defending attack vectors locks the ones that remain.

What are the 12 most common types of cyber attacks?

Phishing, ransomware, malware, credential theft and stuffing, brute force attacks, denial-of-service, SQL injection, cross-site scripting, man-in-the-middle, insider threats, zero-day exploits, and supply chain attacks — each maps to one of the attack vectors covered above.

How does security awareness training reduce attack vectors?

It hardens the vector attackers use most: people. Trained employees click fewer phishing lures, choose stronger passwords, and report suspicious activity quickly — closing the human attack vector that no technical control fully covers.

Reviewed by the PhishGrid security team, 2026.
