preloader
Resources

The Ever-Changing Moods Of Cybersecurity: Why Mapping Attack Paths Is Vital, But Problematic

RANT Edinburgh Roundtable May 2026

In Partnership With

The typical RANT roundtable is, in the best possible way, something of a free-for-all when it comes to cybersecurity leaders sharing their experiences and expressing their opinions. But one of the best things about these high-level conclaves of network defence excellence is that, once in a while, the assembled experts can surprise you.

So it was in Edinburgh recently, when a room full of senior cybersecurity practitioners gathered – alongside members of staff from event sponsors SpecterOps – to discuss attack-path mapping. Credit for the orderly way the ensuing discussion proceeded must go, in the main, to RANT’s guest host for the evening – Harry McLaren, head of cyber defence at Tesco – who had clearly mapped out his own path through the discussion beforehand, ensuring each and every expert at the table had an opportunity to contribute. But in part, too, the topic seemed to demand a well-planned and logically structured approach: not least because, with attendees coming from a wide range of industries and representing companies of differing sizes, structures and marketplaces, it was only by creating space within which subtle differences could be explored that each person present could learn something from their peers.

Money-Go-Round

After introductory remarks from SpecterOps’ director for Europe, the Middle East and Africa, Tony Sheldrake – who outlined the firm’s concept of identifying and neutralising “choke points”, the nodes within the digital estate where the majority of attacks need to pass through in order to succeed – and the company’s solution architect, Kay Daskalakis – who noted that attackers “don’t have to go down the noisy roads; they don’t have to compromise anything, use any exploits. There is no perimeter – that’s a misconception” – McLaren kicked the discussion off with a thoughtful outline of the point and the purpose of attack-path mapping. Anyone wondering why they should bother with what might, at first glance, look like a somewhat academic or self-sustaining exercise should consider how closely aligned it is with so many other parts of the security professional’s remit, he argued.

“What is the ultimate purpose of many of our roles? To help businesses manage risk,” he said. “Fundamentally, that’s about taking action to bring risk into tolerance. Being threat-led helps us do that. And to be threat-led you have to understand the adversary, and how they understand you. Then you need to understand yourself, your attack surface – all the things that make up your business in the digital world, and in OT and IT. And then the state of your controls: the things that are there to interact with your adversaries.

“This is all theoretical, and none of this is easy,” he continued, “It’s not a new concept, but it matters now more then ever because of prioritisation. As professionals, the one thing we can do is sort our to-do list. We can’t flood dev teams with hundreds of vulnerabilities; we can’t check for compliance across every endpoint. So understanding the reality of our environments becomes the means by which we can prioritise. Attack path mapping is all about prioritisation: Where can I make the smallest investment that has the biggest impact? Choke points are the same concept. You want to stop them early, but not at high cost or with high friction. When we’re talking about choke points and attack paths, it’s identifying the biggest bang for the buck – which baskets to put your eggs in. Nine out of 10 Red Teams would take this path, 10 out of 10 adversaries use it, and we just took it off the board.”

McLaren ended his round-up by posing a question to those around the table: does attack mapping matter to you, and if not, how do you prioritise?

Walls Come Tumbling Down!

“It feels, from my perspective, that it’s a good time to bring in solutions like this,” one CISO said, referring both to attack-path mapping in general and SpecterOps’ Bloodhound Enterprise system in particular. This was the case, they said, given conceptual changes such as the very welcome “push from the NCSC to describe this as ‘cyber resilience’, not ‘cyber security’ – that we need to use ‘resilience’ because we’re talking about constant attacks.”

As the discussion progressed, the consensus that mapping attack paths was a sensible and useful thing to do was never questioned. However, not every business is necessarily ready – or able – to take what can feel like quite so significant a step. Sheldrake had explained that Bloodhound Enterprise can carry out its initial mapping exercise and identify potential attack pathways within as little as 30 minutes, often flagging up hundreds of thousands of pathways. McLaren had pointed out that this can be a huge help when it comes to prioritising security work within the business, but even so, the sheer scale of the likely results poses problems to security teams who are already finding it impossible to deal with the incidents the enterprise is currently facing.

“Attack-mapping is on the to-do list perennially – but it either means bringing someone in, at a cost; or getting people to do it who are already doing other things,” one security leader said. “Sometimes we know where the big weaknesses are. The buzz phrase is ‘identity is the new perimeter’, and it’s kind of true: we know that’s a priority, so we’re working on it.

“I’d love to drill the Blue Team every month, but they’re always on incidents,” this leader continued. “We had more incidents in March than in the whole of last year. AI has helped attacks explode, but the agents on the defensive side aren’t there yet. Defence is always behind, but what do we do when we know [attackers] have access to tools we don’t know about yet? That’s the world that’s coming. We expected to have vulnerability scanning at scale, and it’s about to happen – but we’re not ready for it.”

Shout To The Top

Despite the appreciation of the huge help attack-path mapping can deliver, some other attendees flagged up problems that carrying it out could cause.

One CISO – their organisation’s sole cybersecurity practitioner – was finding that the board were being of great help, and had responded to mapping already done with great willingness and a ready supply of resources: “They know what the crown jewels are, but they’ve never known what paths can get there,” they said. “It’s a terrifying place to be! But it’s in the forefront of my organisation’s thinking.” Others argued that it would be difficult, perhaps impossible, to map when, where and how data may be being moved around inside the business through processes and tools that security teams didn’t have detailed insight into. Another leader argued that “traditional attack paths don’t apply” in their business, because of the nature of the business, and that their primary present concern was third-party and software supply-chain attacks.

Another concern was raised over the effect an attack-path mapping exercise may have on people inside the business, and their attitudes to risk going forward – particularly the board.

“We did attack-path identification six months ago with a vendor,” one leader recalled, “and the downside is the false sense of assurance. For a week or two, the Red Team tried to get in, and they couldn’t – so the CEO took huge assurance from that. But a persistent attacker wouldn’t give up after two weeks. So it’s not a really relevant metric to judge yourself by.”

This leader also raised a second concern, which spoke to the point raised earlier by one of the other attendees.

“In terms of our crown jewels, we don’t really know where they are,” they said. “We’ve got data here, a system there – we know they’re important, but are they that important? It’s difficult to arrange your defences appropriately.”

Another concern was raised by a CISO whose board have fully bought in to the security mission. In a way, it seemed related to the questions posed around the scale of discoveries uncovered by a mapping exercise: what if all that they reveal is a problem too vast to tackle?

“Our c-suite have been really supportive of Red Teams and tabletops, to the extent that they’re happy to be targeted by social engineering,” they said. “When you see the level that the Red Team goes to… in one case, they identified a particular executive was into support for the armed forces, they found an event in that space, got in touch with the executive and asked them to speak at the event. It’s so targeted. Being realistic means saying that they’re going to get in. And when you get to that level of targeting, and it becomes automatable, then that human line of defence has gone.”

The Whole Point Of No Return

As the discussion circled the table, these questions of scale kept bubbling back to the surface. It was clear that, while everyone agreed that it’s better to know where the potential problem may lie – and everyone in the room fully understood the choke-point concept, and how identifying a key node through which an attacker has to pass, and denying them the ability to do that, would dramatically reduce the number of pathways left open to them – surfacing a huge number of what the board would surely view as new security risks would be problematic given the personalities and the interpersonal dynamics at play inside their companies. This was an argument SpecterOps had heard before, and they have found instances where businesses have been able to adopt a different mindset which can help reframe the discussions at board level.

“Getting visibility into the sheer amount of attack pathways generally helps to prioritise attack path mapping as a project,” Sheldrake said. “And that then helps you sell that up the chain, and build it into a business case. Generally it’s hundreds of thousands, and sometimes we’ve found billions. At the end of the trial you’ve then got that ‘Oh shit’ realisation: ‘We’ve found all this, we’ve got to get other teams in; who’s going to own it and who’s going to do the remediation?’ But it certainly helps you to build an internal business case around the risk.”

As if implicitly using the same methodology to flag up a related challenge, another senior security leader identified a different pathway by which a similarly daunting amount of work could be surfaced in the enterprise – and noted the difficulties that come with that.

“We had a new CISO join at the beginning of last year,” they said, “and the first thing they wanted to do was a Red Team exercise. We’re still remediating! It gave us a massive list, which we prioritised, and then followed that with a risk assessment. But we’re still flooded with requests. A lot’s been done, but there’s a lot still to be done. Many of the records were very vague – we didn’t get the detail that we’d hoped to see. It’s going to be next year, realistically, before we can re-test.”

“It’s about appropriate defence in depth as well,” another CISO argued. “Assuming something is going to happen, how do you contain it and respond? You’ve got network segmentation; you can remove privileges; you can have just-in-time access – but it’s getting visibility of what’s the biggest risk, and knowing what you have to tackle first. That’s probably where the focus has to be.”

“Nothing’s new here,” said one of the other attendees. “We were having these discussions 20 years ago. All that’s changed is the pace. I really like the idea of the tool – it could make my life easier. But it isn’t going to fix anything. It’ll show you what needs to be done, which will help. But you’ve got to be doing the basics to reap the rewards of using tools like this.”

“I agree,” McLaren said. “Fundamental security best practices have always been the thing to solve first.”

The World Must Come Together

A RANT roundtable always ends with a summing-up from the host, and from the sponsor – but, just as this evening had proceeded rather differently to the norm, so the final contribution from Daskalakis stepped beyond what RANT’s “frequent flyer” attendees might have expected. After explaining that he’d had to rein himself in for the duration to make sure he was able to listen to, absorb and fully understand all the points being raised, Daskalakis opened with an admission.

“This has, honestly, been like therapy,” he said. “For far too long we’ve focused on protecting the attack surface outside the organisation, and the outcome is the conversation we’ve had tonight – which is problems, problems, problems, rather than solutions. But then the conversation shifts naturally.

“In different environments of different organisations in different verticals, in any industry – it doesn’t matter: it’s the same story,” he continued. “If you have AD [active directory], you are pre-compromised. Let me explain what I mean. There are structural and defensive impositions of AD that made it a fantastic solution for the ’90s. But attackers don’t care about the entry point – they care about the reach of the account. There are unlimited options. ‘One attack path is all that I need – then I’m moving from the perimeter to the calendar of the CEO’.”

And, he noted, when attackers are willing to buy credentials from disgruntled or cash-strapped employees – and when they are then able to identify and use pathways to move inside the business which weren’t envisaged by network defenders – the challenges only multiply. And while defence in depth can be helped by prioritisation, even that doesn’t go far enough. The challenge, ultimately, he argued, is to try to think like an attacker.

“I’m sure you all play around, you’re curious; you see things, you sign up for a subscription,” he said. “Attackers are not different. That’s the problem we’re facing. We’re facing people who look like everyone around this table. We need to be safe. Increasing difficulty doesn’t work – if it worked, we’d have solved the problem. Ninety percent of attacks are identity related. Why are we focused so much on networks, on assets? Every attack I’ve seen was identity based. If we focus there then we may not end this problem, but we can at least be more resilient.”