Introduction
Cybersecurity teams today face an overwhelming volume of potential threats, alerts, and hypothetical scenarios. The digital landscape is vast, dynamic, and ever-shifting, especially as organizations increasingly operate across complex cloud infrastructures. When every signal is treated with equal weight, security practitioners risk drowning in noise, losing sight of what truly matters: the most urgent, externally sourced threats poised to leave a meaningful impact.
Our goal is simple: reduce risk. That is why we focus on the core problem: not just listing misconfigurations, but showing how an attacker could actually chain and exploit them. Over the past year we have evolved our exposure management strategy so that security issues from Defender (https://learn.microsoft.com/en-us/defender) are no longer viewed in isolation but are connected through attack paths that tell a complete story.
It’s time to rethink how risk is defined and how defenses are prioritized, as this directly shapes the proactive security steps that follow.
We’re excited to share important updates to our platform that bring more clarity and focus on how organizations understand, respond to, and mitigate real-world risks. This post will walk you through the key changes to attack paths, including enhancements for cloud environments, and explain what this means for security teams.
What Is an Attack Path?
An attack path represents how an attacker could move through your environment: from an entry point, across misconfigurations or vulnerabilities, toward critical assets. It highlights exploitable sequences across your cloud and on-premises architecture and shows how individual risks connect into a single route.
Historically, attack paths also included many potential or low-probability scenarios, which, while thorough, sometimes distracted teams from urgent threats.
Cloud Attack Paths: Enhanced Visibility and Precision
The most significant changes in this release center on cloud environments, where the attack surface is vast and interconnected. Here’s what cloud security teams can expect: attack paths now surface only the most urgent, exploitable, and externally initiated threats, dramatically reducing informational noise and boosting operational efficiency.
This change means that security teams can focus their efforts where it matters, defending the cloud assets most likely to be targeted and exploited in real attacks. The streamlined interface ensures that critical risks rise to the top, enabling rapid response and reducing the cognitive load on analysts.
Under the Hood: How This New Model Exposes Real-World Cloud Risks
This change is more than attack path triage refinement. It is a structural shift in how cloud threats are discovered and prioritized. Behind the scenes, we have expanded our detection logic to analyze a broad spectrum of cloud resource exposures across storage accounts, containers, serverless environments, unprotected repositories, unmanaged APIs, and even AI agents. These components often fall outside traditional scanning scopes, which typically focus on virtual machines, known CVEs and perimeter services, yet they are high-value entry points for attackers. By anchoring each attack path to an externally observable signal (an exposed endpoint, a misconfigured access control, a leaked credential), we ensure that every surfaced path begins with a demonstrable, exploitable weakness that an attacker could realistically use as a foothold.
Passive analysis inspects resource metadata and configuration settings without sending any traffic to the asset. It is good at mapping potential misconfigurations across resources, but it cannot by itself tell whether an exposure is actually reachable from the internet. To complement it, we have launched an active scanning mechanism that validates the real reachability of identified exposures from an external attacker's perspective. An exposure counts as an entry point only when both checks agree: the configuration flags it and the active scan confirms it. A resource whose configuration looks public but that an upstream network control actually blocks is flagged by passive analysis alone and is not surfaced as a path origin. This dual-layered approach reduces noise and false positives, ensuring that the attack paths we surface reflect real-world, actionable threats rather than theoretical risks.
On-Premises Attack Path Update: End Game Asset Termination
While our main update is cloud-centric, we have also made a significant change to on-premises attack paths. A path now terminates automatically when it reaches any of the following asset types:
- Domain Admins
- Enterprise Admins
- Domain Controllers
These assets are classified as "End Game": an adversary who compromises any of them effectively holds full control of the domain (and, for Enterprise Admins, of the entire forest), so extending the path beyond that point adds no information. Terminating there keeps paths consistent and readable, and helps defenders visualize high-impact scenarios and prioritize accordingly.
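The two mechanics described in the preceding sections, validating cloud entry points with passive configuration analysis plus an active reachability check, and stopping on-premises paths at End Game assets, can be modelled in a small graph walk. The following is an added example written for this page in Python; it is not code from Microsoft Security Exposure Management or Defender. The inventory (`EDGES`), the passive exposure set, the active probe results, and the `is_end_game` naming convention are all constructed assumptions for illustration.

```python
"""Added example (not Microsoft Security Exposure Management code): a toy
attack-path model with passive/active entry-point validation and End Game
termination. All data below is constructed for illustration."""

# Constructed inventory. Keys are assets or identities; values are the nodes an
# attacker who controls the key could reach next (credential reuse, admin
# rights, network access). These relationships are assumed, not discovered.
EDGES = {
    "blob:public-backup": ["cred:svc-deploy"],   # backup blob leaks a credential
    "cred:svc-deploy": ["vm:jump01"],            # credential logs on to a VM
    "vm:jump01": ["user:helpdesk"],              # VM holds a helpdesk session
    "user:helpdesk": ["group:Domain Admins"],    # helpdesk user is a Domain Admin
    "group:Domain Admins": ["dc:DC01"],          # DA reaches the DC, but DA is already End Game
    "api:legacy-orders": ["db:orders"],
    "db:orders": [],
    "func:image-resize": ["storage:internal"],
    "storage:internal": [],
}

# Passive analysis: resources whose configuration says they are internet-facing.
PASSIVE_EXPOSED = {"blob:public-backup", "api:legacy-orders", "func:image-resize"}

# Active validation: constructed outcome of an external reachability probe.
# In a real system this would be the result of actually connecting from outside.
ACTIVE_REACHABLE = {
    "blob:public-backup": True,
    "api:legacy-orders": False,   # config looks public, but a network rule blocks it
    "func:image-resize": True,
}

END_GAME_GROUPS = {"group:Domain Admins", "group:Enterprise Admins"}


def is_end_game(node: str) -> bool:
    """End Game assets as defined in the post: Domain Admins, Enterprise Admins,
    and Domain Controllers (modelled here with an assumed 'dc:' prefix)."""
    return node in END_GAME_GROUPS or node.startswith("dc:")


def validated_entry_points(passive_exposed, active_results):
    """Entry points that passive config analysis flagged AND an active probe confirmed."""
    return sorted(n for n in passive_exposed if active_results.get(n, False))


def enumerate_paths(graph, start, max_depth=8):
    """All simple paths from `start`. A path stops extending as soon as it reaches
    an End Game asset, runs out of unvisited neighbours, or hits the depth cap."""
    paths = []

    def dfs(node, path):
        if is_end_game(node) or len(path) >= max_depth:
            paths.append(path)
            return
        next_nodes = [n for n in graph.get(node, []) if n not in path]
        if not next_nodes:
            paths.append(path)
            return
        for n in next_nodes:
            dfs(n, path + [n])

    dfs(start, [start])
    return paths


def prioritized_attack_paths(graph, passive_exposed, active_results):
    """Paths from validated external entry points, End Game paths first,
    shorter paths ahead of longer ones."""
    paths = []
    for entry in validated_entry_points(passive_exposed, active_results):
        paths.extend(enumerate_paths(graph, entry))
    paths.sort(key=lambda p: (not is_end_game(p[-1]), len(p)))
    return paths


if __name__ == "__main__":
    for path in prioritized_attack_paths(EDGES, PASSIVE_EXPOSED, ACTIVE_REACHABLE):
        tag = "END GAME" if is_end_game(path[-1]) else "dead end"
        print(f"[{tag}] " + " -> ".join(path))
```

With the constructed data the legacy API is dropped because the active probe did not confirm it, the blob path is reported first because it ends at Domain Admins, and that path is cut at the group rather than continuing to the domain controller. Passing an active result set that marks every passive exposure as reachable shows the noise the validation step removes: one more path appears that no attacker could actually start.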
Why This Matters: Operational Impact
For security professionals, time and attention are precious resources. The difference between a theoretical risk and an actionable threat can mean the difference between prevention and breach. By sharpening the focus of attack paths, we empower defenders to:
- Respond more quickly to genuine risks.
- Allocate resources to the threats most likely to result in compromise.
- Reduce fatigue and cognitive overload.
This evolution isn’t just about filtering noise—it’s about enabling security teams to make strategic decisions with confidence, clarity, and speed.
Looking Ahead: Future Research and Exploratory Experiences
While this update narrows focus to urgent threats, we recognize the value of long-term planning. In future releases, we’ll introduce exploratory tools that allow teams to simulate scenarios like:
- What happens if this user is compromised?
- Which assets would be at risk if this service is breached?
These tools will support strategic planning while keeping the main interface focused on real-time risk.
Stay Focused, Stay Secure
The attack path experience has always been about empowering defenders with the context and clarity needed to protect what matters most. With this update—especially the sharpened focus on cloud attack paths—we’re taking a step forward in helping organizations cut through the noise, visualize real risk, and act with purpose.
Security teams can now stay focused on the most urgent, externally sourced threats—without losing sight of the broader strategic picture. As we move forward, research and community input will be vital in shaping the next generation of attack path intelligence, ensuring our solutions remain both actionable and adaptable.
Stay tuned for more updates, and as always, stay focused—stay secure.
To learn more: https://learn.microsoft.com/en-us/security-exposure-management/whats-new#refined-attack-path-experience