By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ColorTokensPublished November 11, 2025

TL;DR: A simple complement-rule probability model shows how lateral movement becomes easier to estimate when defenders treat each pivot path as a graph, then combine sequential hops and alternate routes mathematically, according to ColorTokens. The lesson is that microsegmentation decisions should focus on reducing the highest-probability pivot paths, not just shrinking the number of possible connections.


At a glance

What this is: This article uses a license-plate probability puzzle to explain a graph-based model for lateral movement, showing how sequential hops and alternate paths can be combined into a workable risk estimate.

Why it matters: It matters because IAM, PAM, and microsegmentation teams need to understand which access paths create the greatest blast radius, especially where service accounts, identity flows, and workload pivots define real attacker reach.

By the numbers:

👉 Read ColorTokens's analysis of probabilistic lateral movement modelling


Context

Lateral movement becomes difficult to reason about when defenders look at isolated connections instead of attack paths. In practice, the real question is not whether a port, protocol, or identity flow exists, but how those connections compose into reachability across workloads, servers, and databases. That is especially relevant where service accounts and identity flows create pivot options that are not obvious from a simple asset inventory.

The article frames this as a probability problem, but the governance issue is broader: security teams need a model that turns network adjacency into measurable blast radius. For identity and access programmes, that means treating RDP, SSH, WinRM, SMB, and service account paths as part of the same control problem, not separate operational silos. The starting position described here is typical of environments that have not yet mapped reachability with enough rigor.


Key questions

Q: How should security teams model lateral movement in complex environments?

A: Security teams should model lateral movement as a graph of reachable paths, not as isolated vulnerabilities or ports. Each edge should represent a plausible pivot, such as a remote protocol, trust relationship, or identity flow. That approach helps teams prioritise the routes that most increase blast radius and lets microsegmentation, PAM, and workload identity controls be measured against attacker reach.

Q: Why do service accounts increase lateral movement risk in enterprise environments?

A: Service accounts often connect multiple systems, so they sit at the center of trust relationships that humans never see directly. If those credentials are reused, over-scoped, or poorly rotated, they can provide a bridge across environments. The risk is not the account type alone, but the hidden connectivity it enables across production workflows.

Q: How do organisations know which segmentation controls matter most?

A: The best signal is whether a control change reduces the probability of reaching high-value systems through common pivot paths. If the environment still allows strong routes through RDP, SSH, or shared service identities, the segmentation design is not reducing blast radius enough. Teams should compare before-and-after reachability, not just policy coverage.

Q: How should teams balance network controls and identity controls against lateral movement?

A: They should treat them as complementary parts of the same exposure problem. Network controls reduce where an attacker can go, while identity controls reduce what they can do once they arrive. If identity trust still permits traversal through service accounts or delegated access, segmentation alone will not fully constrain lateral movement.


Technical breakdown

How the complement rule models lateral movement reachability

The complement rule is useful because it converts a hard counting problem into a simpler one. Instead of enumerating every possible way an attacker might succeed, you model the probability that no path succeeds, then subtract that from 1. In this article’s framing, a network is a directed graph, and each edge represents a plausible pivot. That makes the model practical for security work because it can represent multiple alternative routes without pretending the environment is deterministic. The result is not perfect certainty, but a usable approximation of reachability and exposure.

Practical implication: teams should model attack reachability as path probability, not just as exposed ports or permissions.

Sequential hops and alternate routes behave differently

The article distinguishes two operations that matter in graph-based lateral movement models. Sequence means every hop must succeed, so probabilities multiply. Alternatives mean one of several routes can work, so the combined probability grows through the complement of all routes failing. This matters because a weak single path may become more dangerous when paired with other viable pivots. In identity terms, that is often where service account privileges, protocol reachability, and workload trust relationships intersect. A high-probability route is usually a sign that the environment has multiple reinforcing control gaps, not just one misconfigured node.

Practical implication: prioritise the highest-probability pivot chains first, because they drive the largest reduction in attacker reach.

Why microsegmentation changes the math of lateral movement

Microsegmentation works in this model by reducing edge probability, not merely by reducing edge count. If a key protocol such as RDP becomes much less likely to succeed, the entire path probability collapses, and the combined reachability of the graph drops more sharply than when you constrain a low-probability path. That is a useful way to justify control prioritisation. It also connects directly to identity governance, because identity flow and service account trust often determine whether a pivot is even possible. The control objective is therefore to shrink the attacker’s reliable paths, not to chase every theoretical connection equally.

Practical implication: use segmentation and access controls to suppress the most probable privilege-bearing routes, not every route equally.


Threat narrative

Attacker objective: The attacker’s objective is to maximise reachable paths so that a single foothold can expand into broader access across the environment.

  1. Entry occurs when an attacker finds a plausible foothold in the environment, such as a service endpoint or identity flow that can initiate a pivot path.
  2. Escalation happens as the attacker chains sequential hops or alternative routes, with each successful pivot expanding reach across assets, workloads, or databases.
  3. Impact follows when the combined reachability of the graph gives the attacker access to high-value systems or lateral movement paths that increase blast radius.

NHI Mgmt Group analysis

Lateral movement is best understood as a reachability problem, not a tooling problem. The article’s graph-and-probability framing is valuable because it captures how attackers actually move through environments with multiple identity and protocol paths. In identity-heavy estates, service accounts, delegated flows, and remote administration channels all become edges in the same attack graph. Practitioners should therefore measure exposure by path quality, not just by the presence of controls.

Identity-flow reachability is the more useful concept than raw network adjacency. A network may look segmented on paper while identity relationships still preserve practical pivot routes through RDP, SSH, WinRM, SMB, or service account trust. That is where IAM, PAM, and microsegmentation intersect. Security teams need to treat privilege-bearing paths as first-class exposure, because the attacker only needs one reliable route. The conclusion for practitioners is to align identity governance with graph reachability analysis.

Microsegmentation only changes outcomes when it suppresses high-probability pivots. The article correctly shows that reducing a strong route has more effect than constraining a weak one. That supports a risk-prioritised control strategy rather than a blanket segmentation programme. In practice, this means combining least privilege, protocol restriction, and account-specific controls where the graph shows the greatest blast radius. The practitioner takeaway is to invest where probability and privilege reinforce each other.

The model also exposes a governance gap: many organisations still manage access as static entitlements rather than dynamic paths. Once you see lateral movement as composition across edges, it becomes obvious that access review alone cannot describe real attacker reach. This is where NHI governance matters, because service accounts and workload identities often create durable traversal paths that human-centric processes miss. Practitioners should fold machine identity paths into segmentation and privilege governance together.

Named concept: pivot-path probability. This article implicitly defines the idea that attacker reach is best measured by the probability of traversing a complete path, not by the existence of any single control gap. That concept is useful because it turns lateral movement into something teams can prioritise and communicate. The practitioner conclusion is to focus on path reduction, not isolated hardening.

What this signals

Identity-flow reachability is becoming a practical planning concept for security teams that need to connect microsegmentation with IAM and PAM. If an organisation cannot see which service accounts, delegated flows, and remote protocols preserve traversal rights, it will continue to overestimate its containment posture.

The programme-level implication is straightforward: segmentation work should be paired with identity discovery and account lifecycle governance. Hidden OAuth connections and stale tokens create the same kind of route persistence that makes graph-based lateral movement harder to reduce.

For teams building a control roadmap, the priority is to reduce reliable paths into crown-jewel systems, not to chase equal risk across every possible connection. That makes path analysis, account review, and access policy tuning a single governance exercise rather than separate operations.


For practitioners

  • Map pivot paths as probability chains Represent critical workloads, identity flows, and remote administration channels as directed paths, then score sequential hops and alternate routes separately to identify the most dangerous reachability patterns.
  • Reduce the highest-probability administrative routes Prioritise controls on protocols and flows that repeatedly appear in successful chains, especially RDP, SSH, WinRM, SMB, and service-account-mediated access.
  • Tie microsegmentation to identity governance Review whether service account trust, delegated access, and workload permissions preserve pivot options even where network controls exist, and remove unnecessary traversal rights.
  • Use blast-radius reduction as the success metric Measure whether a control change reduces the probability of reaching crown-jewel systems, not just whether it blocks one port or one host.

Key takeaways

  • Lateral movement is better treated as a graph reachability problem than as a list of open connections.
  • The article’s probability model shows that high-probability pivot chains matter more than low-value routes when reducing attacker reach.
  • Identity governance and microsegmentation need to work together, because service accounts and trust paths can preserve traversal even when network policy looks strong.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0004 , Privilege EscalationThe article models attacker pivot chains and privilege-bearing routes across assets.
NIST CSF 2.0PR.AC-4Path-based access control aligns with limiting and segmenting connectivity.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is directly relevant to limiting pivots between nodes.
CIS Controls v8CIS-12 , Network Infrastructure ManagementNetwork segmentation and controlled pathways are central to the article's model.
NIST Zero Trust (SP 800-207)The article’s focus on reachability and trust paths aligns with zero trust principles.

Map your most probable pivot paths to ATT&CK tactics and reduce the routes that enable lateral movement.


Key terms

  • Lateral Movement: Lateral movement is the phase of an attack where an adversary moves from one system to another after gaining an initial foothold. In practice, it depends on reachable paths, credential reuse, and trust relationships that let one compromise become broader access.
  • Pivot Path: A pivot path is a sequence of systems, services, or identities an attacker can traverse to reach a target. It is useful for security analysis because it makes blast radius measurable and shows where segmentation or privilege reduction will have the biggest effect.
  • Reachability Graph: A reachability graph is a directed model of which systems can plausibly be accessed from others. For security teams, it turns network and identity relationships into a structure that can be scored, compared, and reduced based on real attacker routes.

What's in the full article

ColorTokens's full article covers the mathematical details this post intentionally leaves at the modelling level:

  • The step-by-step derivation of the complement-rule operators used to combine alternate attack paths.
  • The full two-path numeric example showing how sequential hops and alternate routes are composed.
  • The deeper discussion of how reducing an RDP pivot probability changes overall reachability.
  • The article’s graph-theory framing for interpreting lateral movement as an attack path model.

👉 The full ColorTokens post walks through the probability math, graph model, and microsegmentation examples in detail.

Deepen your knowledge

NHI Mgmt Group's NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity control decisions to broader security architecture and operational risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org