Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.2

Network and device attack vectors — SY0-701

SY0-701 reference page teaching network and device attack vectors — how adversaries enter environments via network services, wireless, and physical hardware.

WHAT IT IS

Network and device attack vectors are the specific pathways adversaries use to gain initial access to, or move through, a target environment by exploiting the network infrastructure itself or by introducing or leveraging physical hardware. The term "attack vector" describes the route an adversary takes to reach a vulnerability; a network or device vector means that route runs through networked services, wireless connectivity, or hardware attached to systems — rather than through email or web content delivered to a user.

NIST defines a vulnerability as "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." Network and device vectors are the channels through which those weaknesses are reached.

Mental model

Think of a building with multiple entry points. The front door (the public internet) is the most visible; the loading dock (external remote services) is less watched; a side window (a wireless network reachable from the parking lot) requires physical proximity; and an intruder who walks in and plugs in a device (hardware addition) bypasses every network control entirely.

Each entry point is a vector. The building's vulnerabilities determine which entry points are exploitable — but the vector is the door itself, not the weakness behind it.

When to use it

The exam requires distinguishing network and device vectors from other vector categories. The table below maps each vector type to its defining characteristic and what separates it from adjacent categories.

Columns: Vector / What makes it a network/device vector / Not to confuse with

  • Exploit public-facing application
    What makes it a network/device vector: Adversary targets a weakness in an internet-exposed service — "software bug, a temporary glitch, or a misconfiguration" (MITRE ATT&CK T1190)
    Not to confuse with: Message-based vectors, which require a user to interact with content

  • External remote services
    What makes it a network/device vector: Adversary leverages legitimate remote-access gateways (VPN, RDP, SSH) to enter or persist (MITRE ATT&CK T1133)
    Not to confuse with: Valid-account abuse in isolation; here the vector is the service endpoint, not solely the credential

  • Drive-by compromise
    What makes it a network/device vector: Adversary exploits client software when a user visits a website; "techniques that adversaries use to exploit software on a client endpoint upon visiting a website" (MITRE ATT&CK T1189)
    Not to confuse with: Phishing (message-based), which delivers the malicious payload directly to the user rather than through a website the user navigates to

  • Wi-Fi networks
    What makes it a network/device vector: Adversary connects to wireless infrastructure, potentially from physical proximity, to reach internal resources (MITRE ATT&CK T1669)
    Not to confuse with: Wired network exploitation; proximity to physical space is the distinguishing constraint

  • Hardware additions
    What makes it a network/device vector: Adversary physically introduces devices — potentially enabling "passive network tapping, network traffic modification, keystroke injection, kernel memory reading via DMA, addition of new wireless access points" (MITRE ATT&CK T1200)
    Not to confuse with: Supply-chain vector, where hardware is tampered with before delivery rather than physically inserted on-site

  • Removable media
    What makes it a network/device vector: Adversary uses portable storage or connected mobile devices to propagate malware, including into air-gapped networks (MITRE ATT&CK T1091)
    Not to confuse with: Network-traversal lateral movement; removable media bypasses the network entirely

  • Content injection
    What makes it a network/device vector: Adversary inserts malicious content into network traffic between client and server (MITRE ATT&CK T1659)
    Not to confuse with: Drive-by compromise; here the channel itself is compromised, not just the destination website

COMMON MISCONCEPTION

The exam's sharpest trap is treating the vector and the vulnerability as interchangeable. A network attack vector is the path — the exposed service, the wireless segment, the hardware port. The vulnerability is the weakness that path leads to. An adversary-in-the-middle attack (CAPEC-94) is a network vector because the adversary positions itself within a communication channel; it becomes exploitable only when that channel lacks encryption or proper authentication. Candidates who memorize attack names without anchoring them to whether the path is network-based, message-based, or physical will misclassify them under time pressure.

A second common error: assuming "network attack" means remote-only. Hardware additions (T1200) and removable media (T1091) are documented as Initial Access techniques precisely because they reach network-connected systems through physical means — the device vector is still a network-and-device vector even when an adversary must walk into the building.

How it shows up on the exam

The cognitive target for this material is analysis: given a described scenario, identify which type of vector was used or which control addresses that vector.

Candidates are often asked to distinguish between:

  • A scenario where an attacker exploits an unpatched internet-facing service — a network vector (public-facing application exploitation) — versus one where an attacker sends a malicious link — a message-based vector.
  • A scenario describing a device plugged into a workstation versus one describing a compromised software update — hardware-addition vector versus supply-chain vector.
  • A scenario where an attacker connects to an open Wi-Fi segment to conduct further attacks — a network/device vector rooted in wireless access — versus one where proximity is not required.

Signal phrases to watch: "internet-facing," "exposed service," "remote access," "wireless network," "connected device," "USB," "network tap," "plugged in," "compromised channel," "client browser exploitation." These cue the network or device pathway.

Related concepts

  • Threat vectors — the broader category; network and device vectors are specific instances of how threats reach a target.
  • Message-based vectors — the adjacent category most frequently confused with network vectors; message-based delivery requires user interaction with content, not exploitation of a service or device.
  • Supply-chain vector — overlaps with hardware additions when hardware is tampered with before delivery, but is distinct when the compromise occurs post-deployment by physical insertion.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
