SC-200 | Chapter 94 of 101 | Objective 3.2

Defender CSPM Attack Path Simulation

This chapter covers Defender CSPM Attack Path Simulation, a critical feature for identifying how an attacker could move through your cloud environment from an initial compromise to high-value assets. On the SC-200 exam, this topic appears in approximately 5-8% of questions, typically as part of Cloud Security Posture Management (CSPM) scenarios. Understanding how attack path simulation works, its configuration, and how to interpret results is essential for the Security Operations Analyst role, as it directly informs remediation priorities and proactive threat hunting.

25 min read
Intermediate
Updated May 31, 2026

Simulating Attack Paths Like a Fire Drill

Defender CSPM Attack Path Simulation is like a fire department running a controlled fire drill in a building. The fire department (simulation engine) first maps the building's floor plan, exits, and fire hazards (cloud resources and configurations). Then they intentionally start a small, contained fire (simulated attack) in a specific room (a vulnerable resource) and observe how the fire spreads through hallways, open doors, and flammable materials (attack paths via misconfigurations, permissions, and network routes). They note which doors were left open (unrestricted inbound rules), which fire extinguishers were missing (missing security controls), and how quickly the fire reached the server room (high-value assets). After the drill, they provide a report detailing the exact path the fire took, the vulnerabilities exploited, and recommendations to prevent real fires. In the same way, Defender CSPM simulates an attacker's path from an initial entry point to critical assets, identifying the sequence of misconfigurations and permissions that an attacker would exploit. The simulation does not actually compromise resources; it uses read-only techniques to model attack paths based on existing configurations and relationships.

How It Actually Works

What is Defender CSPM Attack Path Simulation?

Defender CSPM (Cloud Security Posture Management) Attack Path Simulation is a feature within Microsoft Defender for Cloud that models potential attack paths an adversary could use to compromise critical assets in your cloud environment. It does not execute real attacks; instead, it uses graph-based analysis of your cloud resources, configurations, permissions, and network rules to identify sequences of exposures that could be exploited.

Why It Exists

Traditional vulnerability scanning identifies individual weaknesses but does not show how an attacker could chain them together. Attack path simulation addresses this by providing a holistic view of risk, showing the exact steps from an initial entry point (e.g., a publicly exposed VM with a known vulnerability) to a high-value target (e.g., a database containing sensitive data). This enables security teams to prioritize remediation based on actual exploitability rather than just severity scores.

How It Works Internally

The simulation engine operates in three phases:

1. Graph Construction: Defender for Cloud builds a graph of all cloud resources in the subscription, including VMs, storage accounts, databases, network security groups (NSGs), Azure RBAC roles, managed identities, and more. Edges represent relationships such as network connectivity, IAM permissions, or resource dependencies.

2. Path Enumeration: Using the graph, the engine simulates an attacker's perspective. It starts from nodes that are publicly exposed or have known vulnerabilities (e.g., a VM with a high-severity CVE). Then it traverses edges to find paths to critical assets, considering:

   Network paths: NSG rules, Azure Firewall rules, virtual network peering, VPN gateways.

   Identity paths: RBAC role assignments, managed identity permissions, service principal capabilities.

   Data paths: Storage account network access settings, database firewall rules.

3. Risk Scoring: Each attack path is assigned a risk score based on the likelihood of exploitation and potential impact. The score considers factors like the number of steps, the difficulty of each step, and the sensitivity of the target asset.

Key Components

Cloud Security Graph: The underlying graph database that maps all resources and their relationships. It is updated continuously as resources change.

Attack Paths: Directed sequences of nodes and edges from an initial exposure to a critical asset. Each path is displayed in the Defender for Cloud portal with a visual map.

Critical Assets: Assets defined as high-value by the user or automatically identified (e.g., resources with sensitive data, domain controllers, key vaults).

Initial Exposure: Entry points such as public IP addresses, open management ports (RDP/SSH), or unpatched vulnerabilities.

Permissions: Azure RBAC roles and Azure AD roles that grant an attacker lateral movement capabilities.

Configuration and Verification

Attack path simulation is enabled by default once the Defender Cloud Security Posture Management (CSPM) plan is activated on the subscription; no additional configuration is needed. However, you must ensure that the following are in place:

Defender for Cloud is enabled on the subscription.

The Defender CSPM plan is turned on. Foundational CSPM is free, but attack path simulation is a feature of the enhanced Defender Cloud Security Posture Management plan.

Critical asset identification: You can define critical assets manually in Defender for Cloud via the 'Workload protections' > 'Attack path analysis' blade. If not defined, Defender automatically marks assets like storage accounts with sensitive data, key vaults, and SQL databases.

To view attack paths:

1. Navigate to Microsoft Defender for Cloud > Attack path analysis.

2. The dashboard shows a list of attack paths, their risk scores, and affected resources.

3. Click on any path to see the visual graph and details.

Using Azure CLI, you can query attack paths with the following command (requires az and the defender extension):

az security attack-path list --subscription <subscription-id>

Interaction with Related Technologies

Microsoft Sentinel: Attack path results can be ingested into Sentinel for correlation with other security events. Use the SecurityAttackPath table in Log Analytics.

Defender for Cloud Recommendations: Attack path simulation often triggers recommendations to close specific exposures (e.g., 'Virtual machines should be migrated to new Azure Resource Manager resources' or 'Network Security Groups should restrict access to critical ports').

Azure Policy: You can create custom policies to automatically remediate common attack path components, such as blocking public access to storage accounts.

Defaults and Timers

Attack path simulation runs continuously, with results updated within 24 hours of resource changes.

The graph is rebuilt every 24 hours or when significant configuration changes are detected.

Risk scores are recalculated on each update.

Step-by-Step Walkthrough of a Typical Attack Path

Consider a scenario: A VM (VM-A) has a public IP and an NSG allowing RDP from the internet. VM-A has a managed identity with Contributor role on a storage account (Storage-B) that contains sensitive data.

1. Initial Exposure: NSG rule allows RDP from 0.0.0.0/0 on port 3389.

2. Compromise: An attacker exploits a vulnerability in VM-A (e.g., unpatched OS) to gain access.

3. Lateral Movement: Using the managed identity, the attacker authenticates to Azure and uses the Contributor role to list and read blobs in Storage-B.

4. Target: Storage-B contains sensitive customer data.

The attack path simulation will identify this path and display it as a graph. It will also suggest remediations like restricting RDP access, patching the VM, or removing the managed identity's excessive permissions.
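The three phases described under "How It Works Internally" and the VM-A / Storage-B walkthrough above, as an added toy model written for this chapter (not code from the course or Microsoft's simulation engine). All resource names, node fields, the management-subnet CIDR and the scoring thresholds are constructed assumptions; the point is to see how an exposure plus a permission edge becomes a path, and how closing the exposure removes it.

```python
"""Toy model of the three simulation phases (graph construction, path
enumeration, risk scoring) over constructed data; not Microsoft's engine."""
MGMT_PORTS = {22, 3389}
CRITICAL_TYPES = {"key_vault", "sql_database"}  # auto-identified critical assets
INTERNET_SOURCES = {"0.0.0.0/0", "*", "Internet"}

def make_sample_graph():
    """Phase 1 (constructed): VM-A is internet-exposed on RDP and carries a
    managed identity holding Contributor on Storage-B, as in the walkthrough."""
    nodes = {
        "VM-A": {"type": "vm", "public_ip": True, "nsg": "NSG-A"},
        "NSG-A": {"type": "nsg", "rules": [{"direction": "Inbound", "access": "Allow",
                                           "port": 3389, "source": "0.0.0.0/0"}]},
        "MI-A": {"type": "managed_identity"},
        "Storage-B": {"type": "storage_account", "sensitive_data": True},
        "VM-C": {"type": "vm", "public_ip": False, "nsg": None},  # not exposed
        "KV-D": {"type": "key_vault"},  # critical but reachable only from VM-C
    }
    edges = {  # source -> [(target, relationship)]
        "VM-A": [("MI-A", "has identity")],
        "MI-A": [("Storage-B", "Contributor")],
        "VM-C": [("KV-D", "Key Vault Secrets User")],
    }
    return nodes, edges

def open_to_internet(rule):
    """NSG rule admitting management-port traffic from anywhere."""
    return (rule["direction"] == "Inbound" and rule["access"] == "Allow"
            and rule["source"] in INTERNET_SOURCES and rule["port"] in MGMT_PORTS)

def initial_exposures(nodes):
    """Entry points: public-IP VMs whose NSG has an internet-open management rule."""
    return [name for name, n in nodes.items()
            if n["type"] == "vm" and n.get("public_ip") and n.get("nsg")
            and any(open_to_internet(r) for r in nodes[n["nsg"]]["rules"])]

def is_critical(node):
    return node.get("sensitive_data", False) or node["type"] in CRITICAL_TYPES

def enumerate_paths(nodes, edges):
    """Phase 2: depth-first walk from each exposure, recording a path whenever a
    critical asset is reached. Each path is a list of (src, relationship, dst)."""
    paths = []
    for start in initial_exposures(nodes):
        stack = [(start, {start}, [])]
        while stack:
            cur, seen, steps = stack.pop()
            for dst, rel in edges.get(cur, []):
                if dst in seen:
                    continue
                hop = steps + [(cur, rel, dst)]
                if is_critical(nodes[dst]):
                    paths.append(hop)
                stack.append((dst, seen | {dst}, hop))
    return paths

def risk_score(path, nodes):
    """Phase 3 (assumed thresholds): a short path to sensitive data scores High."""
    sensitive = nodes[path[-1][2]].get("sensitive_data", False)
    if sensitive and len(path) <= 3:
        return "High"
    return "Medium" if len(path) <= 3 else "Low"

def restrict_management_rules(nodes, nsg, mgmt_cidr="10.0.100.0/24"):
    """Walkthrough remediation: narrow internet-open rules to a management subnet
    (constructed CIDR); the exposure, and with it the path, disappears."""
    for rule in nodes[nsg]["rules"]:
        if open_to_internet(rule):
            rule["source"] = mgmt_cidr
```

Note that KV-D is a critical asset but never appears in a path, because nothing internet-exposed can reach it; the dashboard shows reachable chains, not every critical resource.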

Walk-Through

1. Enable Defender CSPM Plan

To use Attack Path Simulation, you must have the Defender Cloud Security Posture Management (CSPM) plan enabled on your subscription. This is an enhanced plan beyond the free foundational CSPM. In the Azure portal, navigate to Microsoft Defender for Cloud > Environment settings > Select your subscription > Defender plans. Ensure the 'Cloud Security Posture Management' plan is set to 'On'. This plan includes attack path analysis, cloud security graph, and other advanced features. Without it, the attack path analysis blade will not show any data.

2. Identify Critical Assets

Defender automatically identifies critical assets based on data classification (e.g., storage accounts with 'Confidential' or 'Highly Restricted' labels) and resource type (e.g., key vaults, SQL databases). You can also manually define critical assets. In Defender for Cloud, go to 'Attack path analysis' and click 'Define critical assets'. You can select specific resources or use tags. This step is optional but improves the relevance of attack paths by focusing them on high-value targets.

3. Review Attack Path Dashboard

After enabling the plan and allowing time for the graph to build (up to 24 hours), navigate to Defender for Cloud > Attack path analysis. The dashboard shows a list of discovered attack paths, each with a risk score (High, Medium, Low), the number of steps, and the affected resources. You can filter by subscription, resource group, severity, or specific resource. Click any path to see the visual representation.

4. Analyze Attack Path Details

Clicking on an attack path opens a detailed view with a graph showing nodes (resources) and edges (relationships). Each node displays the resource type and any vulnerabilities or misconfigurations. Edges show the type of relationship (e.g., 'has permission', 'can connect to'). The details pane lists the exact steps an attacker would take, along with the specific misconfigurations at each step. You can also see recommended actions to break the path.

5. Remediate and Re-evaluate

Based on the analysis, apply the recommended remediations. For example, if an NSG allows all inbound RDP, modify the NSG to restrict source IPs. After remediation, the attack path simulation will automatically update (within 24 hours) to reflect the changes. You can also manually trigger a refresh by clicking 'Refresh' on the dashboard. Verify that the path is no longer listed or its risk score has decreased.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank uses Azure to host a customer-facing web application and a backend database containing personally identifiable information (PII). The security team needs to demonstrate compliance with regulations like PCI DSS and GDPR by showing that attack paths to sensitive data are minimized. They deploy Defender CSPM Attack Path Simulation to continuously monitor for paths from the internet to the database. In production, they define the database as a critical asset. The simulation identifies a path where a web server VM has a public IP and an NSG allowing SSH from the internet, and the VM's managed identity has read access to the database. The team remediates by removing the public IP, restricting SSH to a management subnet, and using a service endpoint instead of a managed identity for database access. The simulation then shows no high-risk paths.

Performance considerations: The simulation runs continuously without impacting application performance. However, the graph update can take up to 24 hours, so immediate verification after changes is not possible.

Common misconfiguration: Failing to define critical assets leads to many low-value paths cluttering the dashboard.

Enterprise Scenario 2: Multi-Tenant SaaS Provider

A SaaS company runs multiple customer environments in separate Azure subscriptions. They use Defender CSPM to monitor all subscriptions centrally. Attack path simulation helps them identify cross-subscription attack paths, such as a compromised VM in one subscription using Azure AD permissions to access resources in another subscription. They configure the simulation to include all subscriptions under a management group. The simulation reveals a path where a service principal in a development subscription has Contributor role on a production subscription's storage account due to a misconfigured RBAC assignment. The security team immediately revokes the excessive permissions.

Scale considerations: With hundreds of subscriptions, the cloud security graph can become large, but Defender handles it at scale. The main challenge is managing the volume of attack paths; they prioritize by risk score and critical asset tags.

What Goes Wrong When Misconfigured

Common misconfigurations include: not enabling the CSPM plan (attack path analysis shows no data), not defining critical assets (paths to non-critical assets are shown, causing noise), and ignoring the 24-hour update delay (making changes and expecting immediate results). Another issue is over-reliance on the simulation for real-time detection; it is not an intrusion detection system but a posture management tool. Finally, some organizations fail to integrate attack path findings into their remediation workflows, leaving high-risk paths open despite being identified.

How SC-200 Actually Tests This

What SC-200 Tests on This Topic

SC-200 objective 3.2 specifically covers 'Configure and manage Microsoft Defender for Cloud' with a sub-objective on attack path analysis. The exam expects you to:

Understand the purpose of attack path simulation (identifying chains of exposures).

Know the prerequisites: Defender CSPM plan enabled, not the free tier.

Be able to interpret attack path graphs and risk scores.

Know how to define critical assets.

Understand the difference between attack path simulation and other Defender for Cloud features like vulnerability scanning or security recommendations.

Common Wrong Answers and Why

1. 'Attack path simulation executes real attacks to test defenses.' This is wrong because it is a read-only simulation that does not actually compromise resources. Candidates confuse it with penetration testing.

2. 'Attack path simulation is available in the free foundational CSPM.' This is incorrect; it requires the enhanced Defender CSPM plan (paid). The free tier only provides basic security score and recommendations.

3. 'Attack path simulation can be used to detect active attacks in real time.' It is not a detection tool; it models potential paths based on configuration, not real-time activity.

4. 'Defining critical assets is mandatory.' It is optional but recommended. Without it, Defender automatically identifies critical assets, but manually defining them improves relevance.

Specific Numbers and Terms

The cloud security graph updates every 24 hours.

Risk scores are High, Medium, Low.

The feature is part of the Defender Cloud Security Posture Management plan (not the free CSPM).

Attack paths are displayed as directed graphs with nodes and edges.

Initial exposures include public IPs, open management ports, and unpatched vulnerabilities.

Edge Cases and Exceptions

Attack path simulation does not cover on-premises resources unless they are connected via Azure Arc.

It only models Azure resources; AWS and GCP resources are not included (though Defender for Cloud supports multi-cloud, attack path simulation is Azure-only as of the exam scope).

If a resource is deleted, its associated attack paths disappear after the next graph update.

The simulation does not consider time-based factors like temporary access or scheduled tasks.

How to Eliminate Wrong Answers

When you see a question about attack path simulation, first check if the answer mentions 'real attack' or 'active detection' — those are likely wrong. Look for keywords like 'graph-based', 'modeling', 'configuration analysis', and 'CSPM plan'. If the question asks about prerequisites, remember that it requires the enhanced plan, not the free tier. For remediation questions, focus on breaking the chain of exposures rather than fixing individual vulnerabilities in isolation.

Key Takeaways

Attack path simulation models potential attacker paths from initial exposure to critical assets using the cloud security graph.

It requires the enhanced Defender Cloud Security Posture Management plan (paid), not the free tier.

The simulation is read-only and does not execute real attacks.

Critical assets can be defined manually or are automatically identified based on data classification and resource type.

The cloud security graph updates every 24 hours; changes take up to a day to reflect.

Risk scores are High, Medium, or Low based on likelihood and impact.

Attack path simulation is Azure-only as of the SC-200 exam scope.

Remediation focuses on breaking the chain of exposures, e.g., restricting network access or removing excessive permissions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Attack Path Simulation

Models chained exposures from entry point to critical asset.

Uses graph-based analysis of configurations and permissions.

Provides a visual path with risk score.

Requires Defender CSPM plan (enhanced).

Focuses on attack sequences, not individual CVEs.

Vulnerability Assessment

Scans for individual vulnerabilities (CVEs) on VMs and containers.

Uses agent-based or agentless scanning.

Provides a list of vulnerabilities with severity scores.

Available in free CSPM tier (basic) and enhanced plans.

Does not show how vulnerabilities can be chained.

Watch Out for These

Mistake

Attack path simulation actually performs a real attack to test defenses.

Correct

It is a read-only simulation that models potential attack paths based on configuration data. It does not execute any code or attempt to compromise resources. It uses the cloud security graph to analyze relationships and permissions.

Mistake

Attack path simulation is available in the free foundational CSPM tier.

Correct

Attack path simulation requires the enhanced Defender Cloud Security Posture Management plan, which is a paid add-on. The free tier only provides basic security score and recommendations.

Mistake

Attack path simulation can detect active attacks in real time.

Correct

It is a posture management tool that identifies potential paths an attacker could use, not a detection tool. It does not monitor real-time events or alerts. For active attack detection, use Defender for Cloud's workload protections or Microsoft Sentinel.

Mistake

Defining critical assets is mandatory for attack path simulation to work.

Correct

It is optional. Defender automatically identifies critical assets based on data classification and resource type. However, manually defining critical assets improves the relevance of attack paths shown.

Mistake

Attack path simulation covers all cloud providers including AWS and GCP.

Correct

As of the SC-200 exam scope, attack path simulation is only available for Azure resources. Defender for Cloud supports multi-cloud for other features, but attack path analysis is Azure-only.


Frequently Asked Questions

What is the difference between Attack Path Simulation and Vulnerability Assessment in Defender for Cloud?

Attack Path Simulation models potential attack sequences from an initial exposure to a critical asset by analyzing configurations, permissions, and network paths. It shows how an attacker could chain multiple weaknesses. Vulnerability Assessment scans for individual CVEs on VMs and containers, providing a list of vulnerabilities with severity scores. The key difference is that Attack Path Simulation focuses on the chain of exposures, while Vulnerability Assessment identifies isolated weaknesses. On the exam, remember that Attack Path Simulation requires the enhanced CSPM plan.

Do I need to install any agents for Attack Path Simulation to work?

No, Attack Path Simulation is agentless. It uses the cloud security graph built from Azure Resource Manager and configuration data. No agents are required on VMs or other resources. This is different from Vulnerability Assessment, which may use an agent for OS-level scanning.

How often does Attack Path Simulation update?

The cloud security graph is rebuilt every 24 hours or when significant configuration changes are detected. Therefore, attack paths are updated at most every 24 hours. You can manually refresh the view in the portal, but the underlying data may still be up to 24 hours old. This is a common exam point: do not expect real-time updates.

Can Attack Path Simulation help me detect an ongoing attack?

No, it is not a detection tool. It models potential attack paths based on current configurations. It does not analyze real-time events or logs. For detection of active attacks, use Defender for Cloud's workload protections (e.g., adaptive application controls, file integrity monitoring) or Microsoft Sentinel.

What are common initial exposures in Attack Path Simulation?

Common initial exposures include: virtual machines with public IP addresses and open management ports (RDP/SSH), storage accounts with public network access enabled, unpatched vulnerabilities on internet-facing resources, and overly permissive network security group rules. These are the entry points from which an attacker can start.

How do I define critical assets for Attack Path Simulation?

In Defender for Cloud, go to 'Attack path analysis' and click 'Define critical assets'. You can select specific resources from a list or use tags. For example, you can tag resources as 'Critical' and then filter by that tag. If you do not define any, Defender automatically identifies critical assets based on data classification labels (e.g., 'Confidential') and resource types (e.g., key vaults, SQL databases).

Does Attack Path Simulation work across multiple subscriptions?

Yes, it works across all subscriptions under a management group where Defender for Cloud is enabled. The cloud security graph includes resources from all those subscriptions, allowing identification of cross-subscription attack paths. This is important for enterprises with multiple subscriptions.

