TL;DR: Modern applications have become the primary battleground for attackers, with vulnerability exploits remaining one of Mandiant’s top initial access methods for five years and application-layer threats often escaping traditional controls, according to Oligo Security. The editorial point is that AppSec, cloud, and SecOps teams need a shared attack model for logic, APIs, pipelines, and runtime behaviour.
NHIMG editorial — based on content published by Oligo Security: The Application Attack Matrix, Mapping the Modern Cloud Application Threat Landscape
Questions worth separating out
Q: How should security teams map application attack paths in cloud environments?
A: Start with the application control surface, not the network perimeter.
Q: Why do modern application attacks often evade traditional security tools?
A: Traditional tools are strongest at spotting infrastructure-level anomalies, but many application attacks occur through valid requests, trusted services, and approved business logic.
Q: What breaks when organisations treat application security as separate from identity governance?
A: They miss the fact that application behaviour is driven by identities, tokens, scopes, and delegated trust.
Practitioner guidance
- Map application trust paths Inventory APIs, service accounts, delegated tokens, and cross-service permissions so you can see where legitimate calls create lateral movement opportunities.
- Model business-logic abuse scenarios Add attack paths that use valid application flows in unintended sequences, especially where approvals, transfers, or state changes can be abused without code execution.
- Tie supply-chain assurance to runtime monitoring Validate dependency provenance, build integrity, and deployment trust, then confirm those assumptions still hold after release by watching runtime behaviour.
What's in the full report
Oligo Security's full research covers the operational detail this post intentionally leaves for the source:
- The complete Application Attack Matrix structure with phase-by-phase technique coverage across pre-intrusion, intrusion, post-intrusion, and impact.
- Specific real-world technique mappings and example incidents that show how the matrix was built from observed attacker behaviour.
- Practical guidance for application security, detection engineering, and incident response teams using the matrix in day-to-day work.
- The community contribution model for extending the matrix as new application-layer attack methods appear.
👉 Read Oligo Security's application attack matrix research →
Application attack matrix: what it means for AppSec teams?
Explore further
The application layer is now an identity and trust problem, not just an AppSec problem. The article is right to treat applications as the primary battleground because modern attacks increasingly exploit legitimate flows rather than obvious perimeter breaks. That changes the governance question from "is the app secure?" to "which identities, tokens, and delegated actions can the app itself exercise?" Practitioners should treat application behaviour as part of identity governance.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- By comparison, systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems, showing how sharply outcome changes when access scope is constrained.
A question worth separating out:
Q: How can teams tell whether application attack coverage is actually improving?
A: Look for coverage across the full lifecycle, from pre-intrusion reconnaissance and supply chain risk through post-intrusion privilege expansion and impact. If your detections only fire on exploit signatures, you still have a blind spot. Better coverage means you can explain how a compromise moved from entry to business effect.
👉 Read our full editorial: Application attack matrix fills the blind spots in cloud security