1 minute read

In reviewing security firms’ 2022 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.


Rank MITRE ATT&CK Technique ID Vector Percentage
1 T1566 Phishing 45%
2 T1190 Exploit Public-Facing Application 26%
3 - Other 9%
4 T1189 Drive-By Compromise 6%
4 T1133 External Remote Services 6%
4 T1078 Valid Accounts 6%
5 T1195 Supply Chain Compromise 2%


To determine the most prevalent initial access techniques leveraged by adversaries in 2022, I relied on data from the following reports:

Because not all of these reports use a standard taxonomy, reported vectors were mapped to the corresponding MITRE ATT&CK Initial Access parent technique.

As with all threat reports, the findings and prevalence are subject to each firms’ visibility and methodology.

How to use this information

From my earlier thoughts on this matter:

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.