Paths to Privilege | Insights

What are Paths to Privilege? How are they useful?

A Path to Privilege shows some of the identities, accounts, entitlements, and configurations an identity can access via a particular set of steps. The collection of all paths describes the account's True Privilege.

Identifying and visualizing these Paths to Privilege allows you to understand and control the relationships that enable both vertical and lateral privilege escalation.


Understanding privilege escalation

Privilege escalation occurs when a lower-privileged account gains access to higher privileges, either vertically (to a more privileged role) or laterally (to a role with equivalent privileges that enables further escalation). This often happens due to misconfigurations or abuse of trust relationships.

Even low-privilege accounts in test or legacy systems can create paths to high-value targets if trust relationships or misconfigurations exist.

How attackers exploit paths

Threat actors think in graphs, not lists. They look for cross-domain connections and hidden routes that connect accounts, systems, and cloud resources. Common tactics include:

  • Compromising human or service accounts: Using phishing, malware, or credential theft to access privileges directly or indirectly.
  • Exploiting non-human accounts: Service or application accounts with high privileges, often lacking MFA or stored insecurely.
  • Harvesting exposed secrets: Plain-text credentials, API keys, and certificates in scripts, repos, or cloud services.
  • Abusing identity infrastructure: Misconfigured AD groups, certificate templates, sync accounts, or privileged cloud accounts.
  • Leveraging remote access: VPNs and RDP that provide broad network access, increasing lateral movement opportunities.
  • Privilege creep: Dormant or excessive privileges in on-prem and cloud environments, creating unnecessary attack vectors.

These techniques allow attackers to move laterally, escalate privileges, and pivot across domains, potentially compromising entire environments.

How Insights visualizes paths

Insights maps identities, systems, and permissions as interconnected nodes and edges, creating a graph-based view of privilege across your environment.

The Paths to Privilege graph in Insights:

  • Visualizes cross-domain paths between accounts, apps, and infrastructure.
  • Highlights hidden or indirect paths to high-value privileges.
  • Identifies dormant or over-privileged accounts and risky configurations.
  • Provides risk context, helping you prioritize high-impact remediation.

By thinking in graphs like an attacker, Insights allows security teams to see the full attack surface, including paths traditional tools might miss.
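
The node-and-edge model described above, as an added example (not Insights code and not part of the original page): it computes an identity's reachable entitlements and the shortest path to each, so indirect paths can be reviewed. All identity, group, relationship, and function names are constructed assumptions.

```python
from collections import deque

# Constructed sample data; every identity, group and relationship name is hypothetical.
EDGES = [
    ("user:test-svc", "member_of", "group:legacy-ops"),
    ("user:test-svc", "grants", "entitlement:read-logs"),
    ("group:legacy-ops", "can_reset_password", "user:sync-account"),
    ("user:sync-account", "member_of", "group:cloud-admins"),
    ("group:cloud-admins", "grants", "entitlement:tenant-admin"),
    ("group:cloud-admins", "member_of", "group:legacy-ops"),  # cycle on purpose
    ("user:helpdesk", "member_of", "group:helpdesk"),
    ("group:helpdesk", "grants", "entitlement:read-logs"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def paths_to_privilege(graph, identity):
    """Breadth-first search from identity; map each reachable entitlement
    to its shortest path, given as a list of (source, relationship, target) hops."""
    parent = {identity: None}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:  # visited check keeps cycles from looping
                parent[nxt] = (node, rel)
                queue.append(nxt)
    paths = {}
    for node in parent:
        if node.startswith("entitlement:"):
            hops, cur = [], node
            while parent[cur] is not None:
                prev, rel = parent[cur]
                hops.append((prev, rel, cur))
                cur = prev
            paths[node] = hops[::-1]
    return paths

def indirect_paths(paths):
    """Entitlements reached only through intermediate nodes (more than one hop)."""
    return sorted(e for e, hops in paths.items() if len(hops) > 1)

if __name__ == "__main__":
    found = paths_to_privilege(build_graph(EDGES), "user:test-svc")
    for entitlement, hops in found.items():
        print(entitlement, "<-", " -> ".join(f"{s} [{r}]" for s, r, _ in hops))
```

In this constructed data the test service account holds only a log-reading entitlement directly, yet reaches the tenant-admin entitlement in four hops through a legacy group and a sync account.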

Use Paths to Privilege to secure your environment

Use the graph to prioritize remediation by business context, focusing on the paths that would cause the highest impact if exploited.

Proactively manage paths to privilege to create a hardened identity security posture, reduce the blast radius of potential compromises, and align defence strategies with how attackers actually operate.

Open the graph

  1. Navigate to the Entitlements page to open the Entitlements grid.
  2. Use the tabs and filters to locate the Entitlement name.
  3. Select from the Actions column. The Paths to Privilege node graph opens.

Paths to Privilege show on the True Privilege graph if there is an escalation path.

To open the True Privilege graph:

  1. Navigate to the Identity Details page.
  2. Click View True Privilege graph or the icon under the Actions column on the Identities grid to open the graph.
  3. Drag the nodes to manipulate the graph. Click any node to open a side panel with detailed information.

For reports relating to Paths to Privilege, see Reporting.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.