An attack vector is the path or method through which an attacker gains access to a target system. Examples include phishing emails, exposed network services, compromised supply chains, or physical access to devices.
Identifying attack vectors is a central step in risk identification under ISO 27005 and ISO 27001 Clause 6.1.2. Each attack vector links a threat to a vulnerability and the affected asset. In BSI IT-Grundschutz, this corresponds to the threat analysis. For prioritization, what matters is how exposed a vector is (e.g., reachable from the internet vs. internal only) and what preconditions an attacker must meet. A complete picture of attack vectors is the foundation for targeted protective measures.
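As an added example, not part of this glossary entry or any standard's text: a small Python risk register that records each attack vector with the threat, vulnerability and asset it links, and ranks the vectors by exposure and attacker preconditions as the prioritization above describes. The numeric weights and the sample vectors are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Exposure classes named on the page, ranked from most to least reachable.
# The numeric weights are an assumption of this example, not from the standard.
EXPOSURE_RANK = {"internet": 3, "internal": 2, "physical": 1}


@dataclass(frozen=True)
class AttackVector:
    """One register entry: the path plus the threat -> vulnerability -> asset chain."""
    name: str
    threat: str                 # who or what exploits the path
    vulnerability: str          # the weakness the path relies on
    asset: str                  # what is affected if the path succeeds
    exposure: str               # "internet", "internal" or "physical"
    preconditions: tuple = ()   # what the attacker must already have

    def chain(self) -> str:
        return f"{self.threat} -> {self.vulnerability} -> {self.asset}"

    def priority(self) -> int:
        # Exposure dominates (weight 10); each precondition the attacker must
        # meet lowers the score by one, so an unauthenticated internet-facing
        # vector always outranks one that needs credentials or building access.
        if self.exposure not in EXPOSURE_RANK:
            raise ValueError(f"unknown exposure class: {self.exposure!r}")
        return EXPOSURE_RANK[self.exposure] * 10 - len(self.preconditions)


def prioritize(vectors):
    """Sort the register for treatment, highest priority first; ties break by name."""
    return sorted(vectors, key=lambda v: (-v.priority(), v.name))


# Constructed sample register using the vector types named on the page.
SAMPLE_REGISTER = [
    AttackVector("Phishing email", "external attacker",
                 "user opens malicious attachment", "employee workstation",
                 "internet", ("user interaction",)),
    AttackVector("Exposed network service", "remote attacker",
                 "unpatched service on public port", "web server", "internet"),
    AttackVector("Compromised supply chain", "compromised vendor",
                 "unverified third-party update", "build pipeline", "internet",
                 ("vendor compromise", "update accepted without verification")),
    AttackVector("Physical access to device", "on-site intruder",
                 "unencrypted disk", "branch office laptop", "physical",
                 ("building access",)),
]
```

Calling `prioritize(SAMPLE_REGISTER)` puts the unauthenticated internet-facing service first and the physical-access path last, which is the ordering the exposure-plus-preconditions rule predicts.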