All field notes

Attack paths are stories, not spreadsheets

A useful finding connects the technical weakness to the decisions an attacker can make next.

A vulnerability can be technically correct and still fail to explain the risk. A version number, severity score, and screenshot tell us that a weakness exists. They do not tell us what the weakness makes possible.

That second question is where a penetration test becomes useful. The point is not to collect the longest list of findings. It is to understand how a person with limited access could turn one opening into meaningful control.

A finding is a fact. An attack path is a sequence.

Attackers work through choices: gain an initial foothold, learn what the environment trusts, acquire a stronger identity, move toward a valuable system, and establish a way back. Each step changes the options available at the next one.

A clear attack path therefore has four parts:

  1. Entry condition: what access or knowledge the attacker needs at the beginning.
  2. Enabling weakness: the control gap that creates a new capability.
  3. Next decision: the systems, identities, or data now within reach.
  4. Operational consequence: what the organization could lose or what the attacker could control.

If a finding cannot explain what changes for the attacker, it probably is not ready for the report.

Follow trust, not just hosts

Host-by-host testing is tidy, but modern environments rarely fail along neat infrastructure boundaries. Identity links cloud consoles to CI/CD, service accounts link applications to data, and administrative tooling links operator workstations to production.

Mapping those relationships reveals the real terrain. Ask which identity can assume another role, where credentials are materialized, which automation can change production, and what trusts traffic simply because it came from an internal network. The interesting route may cross a laptop, a repository, and a cloud role without exploiting a traditional server vulnerability.

Write for the remediation decision

The report should preserve the chain without forcing the reader to reverse-engineer it. Show the evidence for each transition, state the assumptions, and distinguish demonstrated impact from plausible impact. Then sequence the fixes by leverage.

Breaking an attack path early is usually more valuable than treating every node equally. A narrowly scoped identity, an eliminated secret, or a corrected trust policy may close several findings at once. That is a stronger outcome than seven isolated tickets with seven unrelated severity labels.

The test ends with a clearer model

A good penetration test leaves more than a list. It gives defenders a sharper picture of how their environment can be traversed, which controls carry the most weight, and where one change can remove several attacker options. The story is what turns evidence into action.

Next note: Cloud guardrails teams will actually use