TL;DR: SMB, RDP, WinRM, and RPC accounted for 71% of detected threat activity, according to Zero Networks, which analyzed about 3.4 trillion activities across 400 enterprise environments and found that a single compromised host could reach a median 85% of internal systems in one hop. The real control problem is not detection volume, but limiting reachable access paths before attackers move.
At a glance
What this is: This is an analysis of how routine abuse of trusted internal access paths, not novel exploits, drives breach expansion once an attacker gets in.
Why it matters: It matters because IAM, PAM, and NHI programmes are judged by how much access remains reachable after initial compromise, not by how many alerts fire.
By the numbers:
- A single compromised host could reach a median of 85% of internal systems in the first hop and effectively 100% in the second hop.
- SMB, RDP, WinRM, and RPC dominated activity, accounting for 71% of the 3.4 million detected threat activities.
👉 Read Zero Networks' analysis of blast radius and lateral movement after compromise
Context
Blast radius is the amount of damage an attacker can cause after initial access. In this case, the problem is not whether defenders can spot suspicious activity, but whether normal enterprise access paths remain open long enough for an intruder to spread.
That is an identity governance problem as much as a network problem. Standing access, overbroad administrative reach, and always-on management protocols turn a single foothold into enterprise-wide exposure, even when the original entry point is limited.
Key questions
Q: What breaks when a single compromised host can move through trusted internal protocols?
A: Blast radius becomes the failure mode. If a compromised host can reuse valid credentials and move across SMB, RDP, WinRM, or RPC paths, the attack no longer depends on exotic exploitation. The organisation loses containment, and the incident becomes a spread problem instead of a single-system compromise.
Q: Why do trusted management protocols increase lateral movement risk in enterprise networks?
A: They are built for routine administration, so they are usually reachable, trusted, and always available. That makes them ideal for attackers who already have a foothold and want to move quietly. When these channels are left open by default, identity trust is effectively inherited by the attacker.
Q: How do security teams know whether blast radius control is actually working?
A: Look at reachable systems from a single compromised host, not just at alert counts. If the attacker can only touch a tightly bounded set of assets, containment is improving. If one foothold can still reach most of the environment, the access model is still too permissive.
Q: What should organisations do first when internal reachability is too broad?
A: Start by removing always-on access paths and separating administrative channels from general user connectivity. Then apply task-scoped access, segment high-value systems, and verify that compromised identities cannot traverse the environment freely. Containment has to be designed into the access model before detection can help.
Technical breakdown
Why trusted management protocols become breach highways
The article shows that a small set of high-trust protocols carries most of the internal movement risk. RDP, SMB, WinRM, and RPC exist to support routine administration, but once a host is compromised they become the same paths attackers use to extend reach. This is why lateral movement often looks like ordinary IT activity: it uses valid credentials, standard tooling, and expected transport patterns. The technical issue is reachability, not exotic exploitation. When those paths are open by default, compromise of one system gives the attacker a prebuilt route into adjacent assets.
Practical implication: reduce default reachability across privileged protocols and treat management-plane exposure as a containment control, not just an operations choice.
How valid credentials turn one compromise into expansion
Attackers do not need to steal every secret in the environment to create impact. If they can reuse a valid credential set, they can move through systems that already trust that identity. The article’s core finding is that expansion is driven by the legitimacy of the access path, not by the sophistication of the intrusion. That makes credential scope, session duration, and administrative segmentation more important than detection fidelity alone. In identity terms, the breach path is often a chain of trusted decisions, each one widening access because the earlier one was never constrained enough.
Practical implication: tighten credential scope and shorten the usable lifetime of privileged access so a single compromise cannot fan out across the estate.
Why blast radius is a better control metric than alert volume
Traditional security programmes often reward alerts, detections, and time-to-notice. This analysis argues that those metrics can miss the real business risk. A quiet environment may still have extreme exposure if one system can reach most of the estate, while a noisy environment may have much lower actual spread potential. Blast radius measures how much of the environment is reachable from a compromised point, and that is a more direct indicator of resilience. It aligns the security model with containment, which is the only meaningful measure once adversaries are using legitimate paths.
Practical implication: measure reachable systems, not only detections, and use that metric to prioritise containment engineering and access redesign.
Threat narrative
Attacker objective: The attacker aims to expand from one foothold into wide internal reach, increasing the chance of disruption, persistence, and operational control.
- Entry occurs when an attacker gains a foothold through a normal initial access path, then begins using legitimate enterprise connectivity instead of noisy exploit activity.
- Escalation happens when the intruder reuses valid credentials and trusted management protocols such as SMB, RDP, WinRM, and RPC to move from one host to the next.
- Impact follows when that movement reaches a large share of the internal environment, turning one compromised system into broad operational exposure.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Blast radius is the real identity security metric: This article shows that breach impact is determined by how much an attacker can reach after entry, not by how loudly an intrusion is detected. That shifts the governance question from incident response speed to reachable-access design. For IAM, PAM, and NHI programmes, the practitioner conclusion is simple: if a compromised identity can traverse most of the environment, the control model has already failed.
Standing administrative reach is a structural weakness, not a tuning problem: The article’s concentration around SMB, RDP, WinRM, and RPC demonstrates that trusted management channels become attack highways when they stay open all the time. This is exactly where least privilege breaks down in practice, because the access exists for convenience long before an incident occurs. The implication is that enterprise access architecture, not alerting, defines containment.
Runtime containment should be treated as identity governance: The same controls that govern human privilege creep also govern NHI and machine-to-machine reach, because all of them can create persistent internal paths. The difference is that non-human access often scales faster and is harder to notice in normal operations. Practitioners should read this as a governance failure of overexposed trust paths, not a security tooling failure alone.
Identity blast radius: the named concept this article sharpens: A single compromised system can inherit the blast radius created by every always-on path that was left available to it. That makes blast radius a property of identity and access design, not just of network topology. The practitioner conclusion is to govern access by possible reach, because reachability is what attackers monetize after they get in.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, leaving a large share of external identity reach partially or completely unmanaged.
- This blast-radius problem connects directly to the patterns in 52 NHI Breaches Analysis, which shows how access pathways outlive the governance assumptions behind them.
What this signals
Identity teams should expect blast-radius reduction to become a primary board metric. The article’s core message is that containment matters more than raw detection volume once attackers are inside. For programmes that already manage human, machine, and workload identities, that means reachability should sit alongside privilege reviews and access recertification as a measurable security outcome.
Standing administrative access will keep failing in environments that still privilege convenience over containment. Organisations that have not already moved to task-scoped access and closed-by-default internal pathways will continue to see disproportionate spread from single footholds. The governance gap is not theoretical, because attacker movement is still being enabled by the same internal paths operations teams rely on.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the same trust-extension problem is now visible outside the core estate as well. Access architecture is becoming a supply-chain issue, and programmes that do not govern outbound trust paths will keep underestimating exposure.
For practitioners
- Map privileged reachability by protocol Inventory where SMB, RDP, WinRM, and RPC are reachable by default, then remove unnecessary exposure between user, server, and admin zones. Use that map to identify the systems that create the widest internal reach after compromise.
- Replace always-on admin paths with task-scoped access Require just-in-time access for administrative workflows so that privileged channels exist only when a specific task needs them, then revoke them immediately after use. This reduces the window for lateral movement from a single compromised host.
- Measure containment by reachable systems Track how many systems a single compromised host can touch before containment, and use that number as a board-level resilience metric alongside detection time. If one foothold can reach most of the estate, the architecture is too permissive.
- Segment identity infrastructure more aggressively Treat Active Directory Web Services, SQL Server, and endpoint management paths as high-value blast-radius amplifiers. Restrict which identities can reach them, and separate operational admin access from routine user networks.
Key takeaways
- One compromised host can become an enterprise-wide problem when trusted internal access paths remain open by default.
- Blast radius is a better measure of security resilience than alert volume because it reflects what an attacker can actually reach.
- Reducing always-on privileged access is the control that most directly shrinks spread after initial compromise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article centers on valid credential reuse and internal movement. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management are central to blast-radius reduction. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control family directly implicated by always-on administrative reach. |
| NIST Zero Trust (SP 800-207) | The article argues for closed-by-default access and continuous verification. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article’s risk pattern overlaps with over-privileged non-human access and standing trust paths. |
Map exposure to credential access and lateral movement tactics, then reduce reachable paths from a single foothold.
Key terms
- Blast Radius: Blast radius is the amount of damage a compromised identity or system can cause after initial access. In identity programmes, it reflects reachable systems, usable privileges, and how far an attacker can spread before containment takes effect.
- Standing Privilege: Standing privilege is access that remains continuously available rather than being granted only when needed. It is convenient for operations, but it expands the window for abuse because a compromised identity inherits open pathways before defenders can intervene.
- Lateral Movement: Lateral movement is the act of moving from one system to another after initial compromise. In enterprise environments, it usually depends on trusted credentials and normal administrative protocols, which is why it often looks legitimate until the impact becomes visible.
- Closed-By-Default Access: Closed-by-default access means systems are not reachable unless access is explicitly required and approved for a task. It reduces attacker options by making internal pathways invisible or unavailable until they are intentionally opened.
What's in the full article
Zero Networks' full analysis covers the operational detail this post intentionally leaves for the source:
- Protocol-by-protocol findings on how SMB, RDP, WinRM, and RPC contributed to internal spread.
- Environment-level breakdowns that show how much of the estate remained reachable after first compromise.
- Mitigation guidance on closed-by-default access, identity-based controls, and automatic revocation.
- The underlying measurement approach behind the 3.4 trillion activity analysis.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org