Initial Access
Definition
Initial access is the point in an attack when an adversary first succeeds in getting into a target environment. It is the moment where the attacker goes from being completely outside the network to having some level of foothold inside. After initial access, they can begin to explore, steal data, or prepare for more damaging actions.

In the MITRE ATT&CK framework, Initial Access is its own tactic. It covers the techniques attackers use to break in, such as:

* Phishing emails that trick users into opening malicious links or attachments
* Exploiting vulnerabilities on public-facing websites or VPNs
* Using valid accounts with stolen or guessed passwords
* Abuse of remote access services like RDP or SSH
* Supply chain compromises that deliver malicious software through trusted updates

Example: An employee receives a phishing email that looks like a shared document notification. They click the link and enter their password on a fake login page. The attacker now has the user’s valid credentials and can sign in to the company’s systems. That stolen login creates initial access.

Initial access is critical because it sets the stage for everything that follows: execution of malware, persistence, privilege escalation, lateral movement, and impact. Defenders focus heavily on reducing initial access opportunities through phishing defenses, patching, strong authentication, and careful exposure of internet-facing services. Detecting and blocking attackers at this stage is one of the most effective ways to prevent serious incidents.
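To make the detection point concrete for the "guessed passwords" and SSH cases above, here is an added example (not part of the original glossary entry) that flags a successful SSH password login arriving right after a burst of failures from the same source IP. It assumes OpenSSH-style syslog lines; the host, users, IPs, the function name find_guessed_logins and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, hypothetical host and users).
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 02:14:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:14:06 gw sshd[812]: Failed password for alice from 203.0.113.7 port 50130 ssh2
Mar 10 02:14:09 gw sshd[813]: Accepted password for alice from 203.0.113.7 port 50138 ssh2
Mar 10 08:30:12 gw sshd[901]: Failed password for bob from 198.51.100.20 port 41000 ssh2
Mar 10 08:30:20 gw sshd[902]: Accepted password for bob from 198.51.100.20 port 41002 ssh2
"""

ASSUMED_YEAR = "2024"  # classic syslog timestamps carry no year; assumed here
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, source_ip, prior_failures) for every accepted password
    login preceded by >= threshold failures from that IP inside the window."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        fails = recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if m["result"] == "Failed":
            fails.append(ts)
            continue
        # Accepted login: failures are counted per IP across all usernames,
        # so single-account guessing and multi-account spraying both count.
        if len(fails) >= threshold:
            alerts.append((m["user"], m["ip"], len(fails)))
        fails.clear()
    return alerts

if __name__ == "__main__":
    for user, ip, n in find_guessed_logins(SAMPLE_LOG):
        print(f"possible guessed-password login: {user} from {ip} after {n} failures")
```

A single mistyped password followed by a success, like the bob lines in the sample, stays below the default threshold and is not reported.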