June 16, 2026
Attack Path Management in Peacetime and Wartime
One map, two cost functions
The Man Behind The Line
There is a version of attack path management that lives in slide decks and quarterly reviews, and there is a version that lives at 3am on day four of an incident when someone asks whether cutting the backdoor you can see will flush the adversary toward the one you cannot, and detonate. These are usually discussed as if they were different fields. They are not. They are the same map, read with two different cost functions.
Attack path management maps your environment exactly as an adversary sees it: a continuous graph connecting any initial foothold to your crown jewels. Every open path is a liability, and the objective in both scenarios is identical: eliminate it. An adversary does not need a million attack paths; they only need one. What changes between peacetime and wartime is how you close them.
In peacetime you close them in priority order, on your own schedule. In wartime, you kill what forensic data surfaces, guided entirely by the brutal urgency of an AD Takeback to contain and eradicate. The definition holds. Everything else about the work does not.
The paths here are identity paths: Active Directory and Entra, extended by ADCS, GPO links, and the OpenGraph community edges, the graph of accounts, groups, sessions, and the rights that bind them. That is where this discipline lives, because identity is how an attacker actually moves. In identity compromise, everything else they achieve, every implant on a server, every foothold that outlasts the first one, is reached by walking that graph.
The lens does not change between peacetime and wartime. The attacker's perspective is the only honest way to see your own environment, and it is honest whether or not anyone is currently inside it. The graph of how an identity reaches a domain controller exists on a quiet Tuesday exactly as it exists during a live intrusion. What changes is not the terrain and not the way you read it. What changes is how you price the edges, and therefore which ones you choose to cut and when.
To price an edge is to ask what cutting that path would cost you right now: the effort to make the change, the risk of breaking something that depends on it, and the room to document what was unknown and what broke while you still control the conditions. The same edge is cheap to cut on a quiet Tuesday and ruinous to cut mid-intrusion, when time has run out and the damage is already in avalanche.
The path did not change. The price did.
That distinction is the whole argument. Get it right and proactive work stops looking like insurance and starts looking like the only phase in which you hold every advantage at once. Get it wrong and you discover, at the worst possible moment, that the work did not disappear. It just moved.
The Map
Strip away the tooling and an identity environment is a directed graph. Nodes are principals, computers, and the objects that grant power over them. Edges are the rights and relationships that let one node act on another: group membership, an ACL granting GenericAll, a session a privileged account left behind on a workstation, a certificate template that issues on behalf of someone else, a trust that carries authority across a boundary.
The attacker does not see your org chart. The attacker sees this graph, and walks it.
Most of the graph is uninteresting. The part that matters is the small set of edges that collapse distance to Tier 0, the choke points through which a disproportionate number of paths run. Cut one of those and you do not remove a single attack. You remove the entire fan of attacks that depended on traversing it.
This is the map. It is the same map in both disciplines. Everything that follows is about what it costs to act on it.
Peacetime: Patrolling Outside the Fence
Peacetime is the proactive discipline. You stand outside your own perimeter, and then you walk the interior, with an attacker's eyes, and you enumerate the paths before anyone is standing on them. Nobody is reacting to you. The graph is yours to study and yours to change. This is an enormous and underappreciated luxury, and the cost function makes it clear why:
- The cost function is completeness. Because time is yours, the objective is to find every path that matters, rank them by choke-point value, and remediate systematically. You are not triaging. You are surveying. You can afford to ask the expensive question (which of these edges is load-bearing for the largest number of paths to crown jewels) and act on the answer in the right order.
- Tempo is yours. There is no adversary watching your moves, so you can sequence remediation properly: test a change, validate that nothing legitimate broke, document, roll back if it did, fix it again, document again. The graph holds still while you work on it.
- Mistakes are cheap. A misjudged remediation in peacetime is an inconvenience, a ticket, a short outage in a maintenance window. It is not a breach. You get to be wrong and recover for free.
And the work compounds, in two directions at once. Every path you cut in peacetime is a permanent contraction of the surface the next intruder inherits. You are not buying a feeling of safety. You are shrinking the graph itself, structurally, so that the version of it an attacker eventually loads is smaller, flatter, and poorer in choke points than the one you started with. This is investment in the literal sense: present effort that reduces future cost.
But there is a second return, and it accrues to you rather than the environment. The more you survey your own attack paths, the more you learn about the structural gaps in your walls and the precise ways an attacker would circumvent your alarms and tripwires. That knowledge is not abstract. You are developing your own capability in the act of uncovering, eliminating, and fixing the flaws that would otherwise lead to organisation-wide compromise. The surveyor who walks the graph a hundred times in peacetime is the person you want holding the map when it turns into wartime. The skill is built before it is needed, which is the only time it can be built cheaply.
And what makes all of this credible rather than aspirational is that the graph is forensic. It does not show you a bleak probability or a scenario that might unfold if a chain of unlikely things happens. It shows you what exists right now: the paths that are present in the environment this minute, walkable by anyone with the attacker's lens, whether or not anyone is walking them today. It deals in facts, not forecasts. That is what makes it priceless to both you and the business. You are not asking a board to fund a hypothetical. You are showing them a path that is already there, and telling them you intend to remove it before someone else finds it first.
Wartime: Taking Contested Ground
Wartime is the reactive discipline, and it begins the moment the graph stops being yours alone. The adversary is on it. They are moving along edges you may or may not have mapped, and crucially, they are watching what you do. Every property of the peacetime cost function has just inverted:
- The cost function is triage under observation. You cannot cut every path, because you do not have time and cutting takes effort you need to spend elsewhere. So you cut the paths the adversary is found on and the paths they will reach next, entering an arena where a direct showdown proves whether your Tiering holds, or was merely conceptually documented. Completeness is no longer the goal. Sequence and selection under fire are the goal.
- Tempo is contested. Every change you make is a signal. Sever the wrong piece of persistence and you have told a capable adversary that you can see them, and a capable adversary who knows they are seen does not slow down. They accelerate, or they vanish. The remediation that would be routine in peacetime becomes a move in a game where the other player responds, and your timing is dictated by theirs as much as your own.
- Mistakes are expensive and visible. A wrong cut in wartime burns hours you do not have, may reveal your hand, and can push an intruder from quiet persistence toward destruction. The free recovery of peacetime is gone. You are being graded live, and the adversary is one of the graders.
- The graph is mutating while you work. Their lateral movement creates new edges (fresh sessions, new footholds, freshly minted certificates). Your remediation closes others. You are both editing the same map simultaneously, and the version you enumerated an hour ago is already out of date. There is no holding still.
The Invisible Payload
There is a harder variant still. In a severe enough incident, the client cuts internet connectivity outright. For a moment, the clock seems to stop: the adversary's command channel goes dark, and you can work the graph quietly, as if peacetime had returned.
It has not. The persistence is still resident, and not all of it is on the graph in front of you.
Object-level footholds, a rogue ACL, or an injected group membership are things you can find and cut in that window. But the backdoor sitting on a member server does not appear on the identity map, even though identity is exactly how it got there.
The attacker reached that host by harvesting credentials and moving laterally, account to account, along paths that were walkable long before the internet line was cut. The implant is only where the path came to rest. And the one signal it emits, beaconing to a command server, is invisible precisely because you severed the line that would carry it. So you prepare before you restore: read the egress logs for what is trying to get out, stand up a DNS sinkhole to catch the callout. Then restoring connectivity becomes both how you finally hunt the implant and how you re-arm it.
The point remains inescapable: the host was reachable because an identity path let it be reached, and that path was cheapest to close before any of this began.
The Live Intrusion Dilemma
Consider how this plays out. A mid-sized organisation, day three of an intrusion. The team has confirmed the adversary holds a foothold in the standard user tier and has established persistence: a known command-and-control channel beaconing out of a compromised host, and at least one backdoor the team has positively identified.
The graph shows a path from that foothold, through a server admin group, across one misconfigured ACL, into Tier 0. In peacetime this is a tidy finding: cut the ACL, prune the group, done in a change window. In wartime it is a dilemma with a clock on it.
Cut the known backdoor now and you close the C2 path you can see. But a backdoor you have identified is rarely the only one a capable actor has planted, and severing it tells them their primary channel is burned. This is the dynamic that makes wartime different from any tabletop: an undetected intruder has every incentive to stay quiet, move slowly, and keep their options open, but one who watches their persistence die has just lost that incentive entirely. Eviction is coming, so the patient play is now the losing play.
What the actor does with that realisation depends on what they came for, and both answers hurt:
- The Thief Becomes an Arsonist: A financially motivated operator monetises destructively before they lose access. This is the dominant dynamic of the current extortion era: time-to-ransom collapses toward zero the moment an affiliate detects active eviction, and an actor who has staged ransomware and suddenly finds their foothold collapsing will fall back to a secondary channel you never found and fire it while they still have the access to do damage, rather than withdraw and forfeit the operation for nothing. They will burn the house down on the way out.
- The Ghost: A patient espionage actor does the opposite and the quieter thing: they go dormant, wipe their tracks, and surrender the current access to protect the option of returning in six months through a door you still have not found. One ends in encryption you cannot miss. The other ends in a clean-looking eviction that was never an eviction at all, which is the more dangerous of the two precisely because it feels like a win.
Either way, eliminating the path you can see does not slow a capable adversary down. It can flush them onto the path you cannot, and convert a thief into an arsonist or a ghost. Leave the persistence in place and watch it instead, and the adversary keeps moving along the graph toward a Tier 0 path that, once walked, ends the organisation anyway. There is no clean answer. Cut and you may detonate them or lose them; wait and they arrive regardless. Every option spends something the team cannot get back: surprise, time, or ground.
What determines the outcome is almost entirely what was done before the intrusion began. If that ACL had been found and cut in peacetime, the path never reaches Tier 0 and the worst case is a contained incident in the user tier, no matter what the adversary does with their backdoors. If the team had walked this graph a dozen times in quiet conditions, they would know which paths exist before the actor used them, and the decision to cut or to wait would be made against a map they already understood rather than one they are reconstructing under fire. The wartime decision is hard in direct proportion to how little peacetime work preceded it. The team is not failing in the moment. They are paying, at the worst exchange rate, for paths nobody priced while they were cheap.
None of this requires a programme of work to begin. The peacetime discipline starts the same way every time: enumerate the paths to your crown jewels as they exist right now, rank them by how many distinct routes each edge carries, and cut the highest-fan choke points first. The first pass will surface paths you did not know were there, and the highest-value cuts are almost always cheaper to make than they look once you can see them. You do not need the whole map perfect. You need the few edges that collapse the most distance to Tier 0, closed while closing them is still free.
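As an added illustration of the map described earlier and of the first peacetime pass just outlined (enumerate the paths to Tier 0, rank each edge by how many distinct routes it carries, cut the highest-fan choke point), here is a small Python walk over a constructed identity graph. It is example code written for this article, not the author's tooling; the principals, hosts and edge labels are hypothetical.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source node, right or relationship, target node)

# Constructed toy identity graph: hypothetical principals, hosts and rights,
# not data from any real environment; edge labels are plain descriptions.
GRAPH: List[Edge] = [
    ("alice@corp", "MemberOf", "Helpdesk@corp"),
    ("bob@corp", "MemberOf", "Helpdesk@corp"),
    ("Helpdesk@corp", "AdminTo", "WKS01.corp"),
    ("Helpdesk@corp", "AdminTo", "SRV02.corp"),
    ("WKS01.corp", "HasSession", "svc_backup@corp"),  # privileged account left logged on
    ("SRV02.corp", "HasSession", "carol@corp"),
    ("svc_backup@corp", "MemberOf", "ServerAdmins@corp"),
    ("carol@corp", "MemberOf", "ServerAdmins@corp"),
    ("ServerAdmins@corp", "GenericAll", "Domain Admins@corp"),  # the misconfigured ACL
    ("dave@corp", "Enroll", "WebTemplate@corp"),
    ("WebTemplate@corp", "IssuesOnBehalfOf", "Domain Admins@corp"),
]
FOOTHOLDS: Set[str] = {"alice@corp", "bob@corp", "carol@corp", "dave@corp"}  # user tier
TIER0: Set[str] = {"Domain Admins@corp"}  # crown jewels

def enumerate_paths(graph: List[Edge], footholds: Set[str], tier0: Set[str]) -> List[List[Edge]]:
    """Every simple path from any foothold to any Tier 0 node (depth-first search)."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, kind, dst in graph:
        adj.setdefault(src, []).append((kind, dst))
    paths: List[List[Edge]] = []

    def walk(node: str, visited: Set[str], path: List[Edge]) -> None:
        if node in tier0:  # reached the crown jewels: record the path and stop
            paths.append(path)
            return
        for kind, nxt in adj.get(node, []):
            if nxt not in visited:  # simple paths only, so the walk terminates
                walk(nxt, visited | {nxt}, path + [(node, kind, nxt)])

    for start in sorted(footholds):
        walk(start, {start}, [])
    return paths

def rank_choke_points(paths: List[List[Edge]]) -> List[Tuple[Edge, int]]:
    """Price every edge by its fan: how many distinct paths to Tier 0 traverse it."""
    return Counter(edge for path in paths for edge in path).most_common()

def cut(graph: List[Edge], edge: Edge) -> List[Edge]:
    """Remediate one edge; every path that depended on traversing it disappears."""
    return [e for e in graph if e != edge]
```

On this constructed graph there are six paths to Tier 0; the GenericAll ACL carries five of them, so cutting that single edge leaves one path, whereas cutting any of the two-path edges further down the fan leaves four.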
The Sharp Line
One map, read two ways. In peacetime you control tempo, completeness, and cost at the same time. You decide when to act, you act on everything that matters, and being wrong is cheap. Wartime takes all three away at once. Tempo belongs partly to the adversary, completeness is impossible, and every error is expensive and seen.
Which means the choice to underinvest in proactive attack path management is not a choice to avoid the work. The work is fixed by the shape of your environment. Every path you decline to cut in peacetime does not vanish. It waits. It becomes a decision you will make later, under observation, with worse information, on the adversary's clock, where being wrong costs a breach instead of a maintenance window. It is the exact same expenditure, just at two different exchange rates.
But the true return on proactive investment is not just about saving time or avoiding extortion. It is about taking the terrain back. The modern adversary's entire operational model relies on the assumption that you do not know your own graph as well as they do. They bank on the fact that your identity sprawl hides their lateral movement.
Proactive attack path management breaks that assumption entirely. It forces the attacker to operate in a constrained, hostile environment where the easiest paths to the crown jewels simply no longer exist, and where the remaining paths require noise, effort, and time they cannot afford to spend. You are not just fixing misconfigurations; you are bankrupting the attacker's playbook before they even load it.
You do not get to opt out of the map. You only get to choose who dictates the rules of the game.
Peacetime buys optionality. Wartime spends it, almost always at a loss.
The Man Behind The Line
For inquiries, or better still for peer discussion or forensic outreach, you can reach the author directly at the_man_behind_the_line@pm.me
This article reflects experience from identity security and incident response engagements across enterprise environments. The views expressed are my own.