All Blogs
Why Attack Chains Matter More Than Individual Security Alerts

Quick Overview: Scanners rate flaws in isolation; attackers chain them. Vulnerability chaining links a low-severity leak, a medium access-control gap, and a request-forgery bug into one attack path to the crown jewels, how the Capital One breach hit 100M+ records with no zero-day. This article shows why low-severity vulnerabilities combined create critical risk, how attack graphs and reachability analysis expose chained vulnerabilities attack paths, and why fixing only critical leaves the links intact.
Every security team runs on the list. The vulnerability scanner produces one, the pentest tool report produces another, the ticketing system turns both into a backlog sorted by severity, critical at the top, low at the bottom, an implicit instruction to work downward. It feels rigorous. It feels like risk, ranked. But that list is built on an assumption that no attacker has ever honored: that a vulnerability's danger can be measured one finding at a time, in isolation from everything around it.
Attackers don't exploit findings. They exploit chains. They take a low-severity information leak, a medium access-control gap, and a request-forgery bug that each looked harmless on their own report line, and they stitch them into a single route that runs from the public internet straight to your customer data. This is attack chaining, also called vulnerability chaining or exploit chaining, and it's the reason a queue of three "mediums" can carry more real risk than the lone "critical" sitting untouched at the top of your triage list. The 2019 Capital One breach exposed more than 100 million records this way, with no zero-day at all: just four ordinary weaknesses linked in the right order.
The data now says out loud what red teamers have always known. The 2026 Verizon DBIR ranked vulnerability exploitation the number-one initial access vector for the first time, and its attack-graph analysis found that most organizations give a low-privileged attacker a high-probability path all the way to an administrative account, a path, not a single flaw. This article makes the case for changing the unit of analysis from the alert to the attack chain: what vulnerability chaining actually is, why low-severity vulnerabilities combined create critical risk, how attack graphs and reachability analysis expose the routes hiding in your findings, and why fixing only critical and highs leaves the links attackers depend on fully intact.
Stop letting disconnected alerts hide your biggest security risks. Turn every finding into meaningful context. Get Started
ON THIS PAGE
- What Is Vulnerability Chaining? (And Why One Bug Is Never the Story)
- Why Pentest Reports Rate Vulnerabilities Individually Instead of as Chains
- How Low-severity Vulnerabilities Combine into Critical Risk
- Anatomy of a Real Chain: The Capital One Breach
- Toxic Combinations, Choke Points, And the Domino Effect
- Vulnerability Scan Vs Attack Chain: The Core Difference
- Attack Graphs and Reachability Analysis, Explained
- How To Find Exploitable Attack Paths in a Web Application
- How Zerothreat Chains and Validates Real Attack Paths
- Conclusion
What Is Vulnerability Chaining?
Vulnerability chaining, used interchangeably with exploit chaining and attack chaining, is the technique of combining two or more individual vulnerabilities into a single, multi-step exploit that reaches a target no single flaw could reach alone. It's the difference between a locked house with three unlocked windows and an actual break-in: the windows are the findings, the burglar's route through them is the chain.
Here's the mental shift. A scanner reports a state, "this input is not sanitized," "this object reference is not authorized," "this endpoint is reachable." An attacker reasons about a sequence, "if I use finding A to learn X, I can use finding B to reach Y, which lets me trigger finding C to obtain Z." The findings are static. The chain is a plan. Severity scoring describes the former and is blind to the latter, which is exactly why attack chain vs individual vulnerabilities is the framing that matters.
Adversaries have always thought this way. The Lockheed Martin Cyber Kill Chain and MITRE ATT&CK both model intrusion as ordered stages, reconnaissance, initial access, privilege escalation, lateral movement, exfiltration, precisely because that's how compromise unfolds. Kill chain vulnerability management is simply the idea of mapping your findings onto those stages: which flaw provides the foothold, which provides escalation, which provides the reach. When you do that, the "medium" that grants an unauthenticated foothold is suddenly far scarier than the "critical" that requires domain-admin access no external attacker has yet.
ZeroThreat POV
A vulnerability's severity is a property of the bug. A vulnerability's risk is a property of its position in a chain. Two identical CVSS 6.5 findings can carry wildly different real-world risk depending on what sits upstream and downstream of them. We built ZeroThreat's engine to score the second thing, because that's the thing that breaches you.
Why Pentest Reports Rate Vulnerabilities Individually Instead of as Chains
If chains are what matter, why does almost every scanner and a lot of pentest reports still hand you a flat, severity-sorted list? Three structural reasons.
First, CVSS is designed to score one thing at a time. The Common Vulnerability Scoring System evaluates a single vulnerability's intrinsic characteristics, attack vector, complexity, privileges required, impact, with no notion of what else exists in the environment. It's a per-finding metric by construction. Useful, but it literally cannot express "this 5.3 becomes a 9.8 when combined with the 4.3 two endpoints over." We covered this limitation in depth in why CVSS scores aren't enough.
Second, most tooling detects; it doesn't correlate. A traditional vulnerability scanner is very good at pattern-matching known weaknesses on individual requests and responses. It is not built to hold a model of the whole application and ask, "does finding A make finding B reachable?" Correlation across findings requires understanding relationships, state, and reachability, which most scanners simply don't track.
Third, the deliverable format rewards volume, not synthesis. A report with 200-line items looks thorough. Synthesizing those 200 items into "here are the four attack paths that actually reach your customer data" takes expert human effort, the kind of manual correlation that makes traditional pentests slow and expensive. So, the default output is pentest findings in isolation vs context: a comprehensive inventory with the one thing that matters left as an exercise for the reader.
The consequence is a firehose. Security operations centers already receive an average of nearly 3,000 alerts a day with the majority going unaddressed, and application security teams face the same overload in a different queue. When every finding arrives context-free and equally urgent-looking, the chain hiding among them is invisible.
How Low-severity Vulnerabilities Combine into Critical Risk
The question people ask most about chaining is the simplest: can low-risk vulnerabilities become critical when combined? The answer is an emphatic yes, and understanding why is the whole game.
Severity scores are, roughly, multiplicative in impact but additive in your queue. On the list, a medium plus a medium plus a low reads as "some cleanup work." Along an attack path, the same three findings can compound: each one lowers the cost of the next, so the effective difficulty of the whole chain collapses toward the difficulty of its easiest step. This is why low-severity vulnerabilities combined create critical risk, not because the math of the scores says so, but because the geometry of the path does.
Consider a concrete, common web-app example. None of these findings would earn a "critical" on its own:
| FINDING | SEVERITY ALONE | ROLE IN THE CHAIN |
|---|---|---|
| Verbose stack trace on error | LOW | Leaks an internal service hostname and framework version |
| Broken object-level authorization (BOLA) | MEDIUM | Lets a low-priv user enumerate other users' records |
| Server-side request forgery (SSRF) in a URL-preview feature | MEDIUM | Forces the server to fetch an attacker-chosen internal URL |
| Over-permissioned service role reachable from that host | MEDIUM | Turns "read an internal URL" into "read cloud credentials" |
| Chained together → | CRITICAL Unauthenticated attacker to full data exfiltration |
Walk the path: the stack trace tells the attacker where to point the SSRF; the IDOR proves the authorization model is soft and hints where else it's soft; the SSRF reaches an internal endpoint that should never have been reachable; and the over-permissioned role converts that reach into credentials. Four mediums-and-a-low on the report. One chained vulnerabilities attack path in reality. If you triaged by severity and "got to the mediums next quarter," you left every link intact.
Replace fragmented security alerts with complete attack narratives powered by AI reasoning. Experience AI Security
Anatomy of a Real Chain: The Capital One breach
If you want the textbook example of how attackers combine multiple vulnerabilities into one exploit, look at the 2019 Capital One breach. It exposed the personal data of more than 100 million people and ultimately cost roughly $270M in litigation plus an $80M regulatory penalty, and it contained, notably, zero exotic zero-days. It was a clean, four-link exploit chain built from individually unremarkable weaknesses.

Score those links individually and none screams "catastrophe." A WAF misconfiguration is a hygiene issue. SSRF is a common, often medium-rated web flaw. A reachable metadata endpoint is a configuration finding. An over-broad IAM role is a best-practice violation your cloud posture tool flags in the hundreds. On four separate reports, four separate teams could each reasonably deprioritize their item. The breach lived entirely in the space between the findings, in the chain no single tool was looking at.
And the pattern is not historical. Security researchers documented a coordinated 2025 campaign where 400+ IPs exploited multiple SSRF CVEs simultaneously, and SSRF-to-metadata credential theft continues to surface in newly deployed applications. The entry points change; the chain shape stays the same. That's the definition of a durable attack pattern, and the reason chain-level thinking outlasts any single CVE.
ZeroThreat POV
We treat the Capital One chain as a template, not a war story. Our engine actively probes for the same shape, an injection or forgery primitive that can reach an internal service, a service that discloses secrets, an identity that over-delivers on those secrets, across web apps and APIs, and validates whether the full path actually executes. Finding the SSRF is easy. Proving it reaches your credentials is the part that changes a remediation decision.
Toxic Combinations, Choke Points, And the Domino Effect
The industry has coined useful vocabulary for chain-level risk, and it's worth knowing because these terms increasingly appear in tooling and board reporting.
Toxic combination vulnerabilities are the security-posture version of chaining: two or more conditions that are tolerable alone but dangerous together. Wiz describes the classic cloud case as public exposure, excessive permissions, and proximity to sensitive data coexisting, no single one is a crisis, but their intersection is. The word "toxic" captures the key property: the danger is emergent, invisible if you inspect each ingredient separately.
The domino effect describes the temporal dimension, domino effect vulnerabilities fall in sequence, where compromising one node hands the attacker what they need to compromise the next. Lateral movement vulnerability is the specific case where a flaw lets an attacker pivot sideways, from a low-value compromised host or account to higher-value neighbors, which is how a single foothold becomes an environment-wide incident.
Choke points are the flip side, and they're where the good news lives. In an attack graph, a choke point is a node where many different attack paths converge on their way to critical assets. XM Cyber's research found that only about 2% of exposures sit on these choke points, while roughly 75% of exposures lead to dead ends that can't reach anything valuable. Remediate a choke point and you break every chain that runs through it at once. This is the single most important operational implication of thinking in chains: most of your queue is noise, and a tiny fraction is leverage. You cannot tell which is from a severity-sorted list.

Vulnerability Scan vs Attack Chain: The Core Difference
It's worth stating the distinction plainly, because it's the crux of the whole argument. What's the difference between a vulnerability scan and an attack chain?
- A vulnerability scan is an inventory. It answers "what weaknesses exist?" and returns a flat, unordered set, each item scored on its own. It's a snapshot of state.
- An attack chain is a route. It answers "what sequence of these weaknesses gets an attacker from outside to the asset?" It's ordered, conditional, and defined by reachability rather than severity.
A scan gives you a pile of unlocked doors. An attack chain gives you the specific walk through those doors into the vault, including the crucial detail that some doors only unlock after you've walked through others. This is why two organizations with identical scan results can carry completely different real risk: risk lives in the connectivity between findings, and a scan doesn't measure connectivity.
Moving from the first model to the second is the shift from vulnerability management to attack path management, from "how many findings do we have and how severe are they?" to "which paths reach our critical assets, and what's the cheapest way to cut them?".
Attack Graphs and Reachability Analysis, Explained
To operationalize chain thinking, you need a way to represent every possible route through your environment. That representation is an attack graph.
What is an attack graph in cybersecurity? It's a model where nodes represent states an attacker can occupy (an exposed endpoint, a set of stolen credentials, a compromised host, a privilege level) and edges represent the vulnerabilities or misconfigurations that let an attacker transition from one state to the next. Trace a path from an entry node to a critical-asset node and you have an attack chain, expressed formally. The graph is what makes attack path analysis systematic instead of intuitive: rather than a human red-teamer imagining routes, you can compute them.
The engine that makes an attack graph honest is reachability analysis: the determination of whether a given node is actually reachable from a given starting point under real conditions. Reachability is what separates a theoretical finding from an exploitable one.
An SSRF that can only reach the public internet is a very different risk from an SSRF that can reach an internal metadata service, same bug class, opposite reachability, opposite severity-in-context. Without reachability analysis, an attack graph is just a diagram of everything that could theoretically go wrong. With it, the graph tells you what can go wrong from here.
This is also where vulnerability correlation becomes concrete. Correlation is the process of linking findings by their graph relationships, "this information-disclosure finding reveals the target that this SSRF finding can reach, which returns the credential this IAM finding over-permissions." Correlation is what turns a scan's flat list into a graph's connected paths. It's the missing operation in most tooling, and it's the operation attackers perform in their heads for free.
Every hour spent triaging isolated alerts is time attackers spend advancing their next move. Compare Plans
How to Find Exploitable Attack Paths in a Web Application
So how do you find exploitable attack paths in a web application in practice? The work breaks into four capabilities, and the reason it's historically been so hard is that most tools only do the first one.
Discover Full Surface
You can't chain through what you can't see. This means mapping every route, parameter, and, critically, every API endpoint, including shadow and undocumented ones. Modern single-page apps and API-first architectures hide most of their surface behind JavaScript and authenticated flows, which is why thorough API security testing and deep web application security testing are prerequisites for any honest attack path analysis.
Test Authenticated and Workflow States
Most chains pass through authentication and authorization boundaries, IDOR, broken access control, and privilege escalation through business logic. A tool that only tests the unauthenticated surface sees a tiny slice of the graph. Authenticated, stateful testing is non-negotiable for finding real paths.
Correlate, Don't Just Enumerate
Once you have findings, you have to link them to see which combine. This is the step traditional scanners skip entirely, and manual pentesters do slowly and expensively.
Validate the Whole Path
A theoretical chain isn't a risk until you prove it executes end to end. Validation is what separates a real attack path from a hypothesis, and it's what eliminates the false positives that make chain hypotheses untrustworthy.
Doing all four by hand is exactly why comprehensive automated penetration testing exists. The value isn't just speed, it's that a machine can hold the entire application's state in view and test combinations a human would never have time to enumerate, then validate them without fatigue.
How ZeroThreat Chains and Validates Real Attack Paths

ZeroThreat is built around a single conviction: the unit of application risk is the attack path, not the finding. Everything in the engine is organized to discover, correlate, and validate chains, then hand you the short list of paths that actually reach something, instead of a long list of findings that mostly don't.
Rather than scanning isolated CVEs and stopping, ZeroThreat's agentic AI reasons the way an attacker does. It builds a working model of the application, routes, parameters, APIs, auth state, and the relationships between them, and then walks that model looking for sequences: an entry primitive that reaches an internal service, a service that leaks a secret, an identity that over-delivers.
When it finds a candidate chain, it doesn't just report the hypothesis. It validates the path in a controlled way, proving exploitability end to end. That validation is a hard architectural gate, not a probability score, which is why it produces zero false positives on confirmed paths.
The result is delivered to two audiences at once. Security teams get the full attack path, its business impact, and a priority ranked by what the chain actually reaches. Application teams get the per-step detail, endpoints, parameters, reproduction steps, evidence, and remediation, for each link. One validated path, two views, no re-translation between them.
Your security dashboard already has the clues. Let's show you how to connect them before attackers do. Book a Live Demo
Conclusion
The most expensive mistake in application security isn't missing a vulnerability, but it's seeing all the vulnerabilities and still missing the breach, because the breach lived in the connections between findings that no severity score describes. Attackers have always thought in chains: entry, foothold, escalation, movement, impact, each step lowering the cost of the next.
When defenders think in isolated alerts, they're playing a different game on a different board, sorting a queue while the adversary walks a path straight through it. Thinking in attack chains realigns the two. It reframes the "medium" that grants a foothold as the priority it actually is, exposes the toxic combinations that severity hides, and, through attack path analysis, reachability, and validation, collapses an overwhelming list into the short set of routes that genuinely reach your crown jewels.
That's not just a more accurate picture of risk; it's a more actionable one, because breaking a single choke point can sever dozens of chains at once. Stop triaging alerts. Start managing attack paths. The attackers already are.
Frequently Asked Questions
Can low-risk vulnerabilities become critical when combined?
Yes. Severity scores add up on your backlog but compound along an attack path: each flaw lowers the cost of the next, so a chain's difficulty collapses toward its easiest step. Three mediums that would each take a quarter to fix can form a path an attacker walks in an afternoon.
Can automated tools really find attack chains, or do I still need a manual pentester?
Does thinking in attack chains mean I can ignore critical vulnerabilities?
How is ZeroThreat different from a scanner that just lists vulnerabilities?
Does ZeroThreat prove an attack chain is real, or just flag possible ones?
Explore ZeroThreat
Automate security testing, save time, and avoid the pitfalls of manual work with ZeroThreat.


