It is tempting to think of attackers as relentless and unbounded — as if, given enough time, any system falls. In practice, almost every adversary that matters is working within constraints: time, money, skill, and the risk of exposure. Treating an attack as an economic decision is one of the most useful lenses a defender can adopt, because it tells you which controls actually change behavior and which just look reassuring.
Every attack path has a cost
An attack path is a sequence of steps from an attacker's starting position to their goal. Each step carries a cost — effort to develop or buy a capability, time to execute, and risk of detection. The attacker is not trying to overcome your single strongest control. They are looking for the cheapest viable path to their objective.
This is why a hardened front door means little if there is an unlocked window. The total cost of the path is what governs the decision, and attackers optimize the whole route, not any individual segment.
Defenders tend to maximize the strength of individual controls. Attackers minimize the cost of the cheapest complete path. Those are not the same optimization.
Raising cost vs. eliminating risk
You will rarely make a determined adversary's task impossible. What you can do is make the cheapest path more expensive than the objective is worth, or more expensive than an easier target elsewhere.
Consider what each defensive investment does to the attacker's cost model:
- Multi-factor authentication turns a cheap, scalable attack (credential stuffing with millions of leaked passwords at near-zero marginal cost per attempt) into one that needs per-target effort such as a real-time phishing proxy or a push-fatigue campaign. The cost per account rises by orders of magnitude, and how far depends on the factor: one-time codes and push prompts can still be phished in real time, while FIDO2/WebAuthn keys cannot, so they remove the cheapest remaining path as well.
- Network segmentation raises the cost of every lateral movement step. On a flat network one compromised host is a single hop from the crown jewels; with segmentation the attacker must cross each boundary in turn, and every crossing needs a fresh foothold, credential, or exploit, so one cheap hop becomes several expensive ones.
- Good detection does something subtler: it raises the risk term, not just the effort term. An attacker who might be caught has to move slowly and carefully, and slow, careful attacks cost more.
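To make the cheapest-path argument concrete, here is an added example written for this page, not code or data from the original article: a small attack graph with invented nodes and per-step costs, a Dijkstra search for the cheapest complete path (the path a rational attacker actually takes), and a `with_control` helper that makes the named steps more expensive so you can see which of the controls above moves the attacker's decision and by how much. Every node name, edge cost and delta is an assumption chosen for illustration.

```python
import heapq
from copy import deepcopy

# Constructed attack graph for a hypothetical environment; the nodes, edges and
# numbers are illustrative assumptions, not data from the article. Nodes are
# attacker positions, edges are single steps costed as (effort, risk): effort in
# rough attacker-days, risk as the extra tradecraft and slowness the attacker
# pays where a step might be seen. Total path cost is the sum over its steps.
BASELINE = {
    "internet": {
        "leaked_vpn_creds": (1, 0),   # credential stuffing a VPN portal without MFA
        "phished_user": (3, 1),       # targeted phish of one employee
        "webapp_rce": (15, 2),        # exploit the hardened public web app
    },
    "leaked_vpn_creds": {"workstation": (1, 0)},
    "phished_user": {"workstation": (1, 1)},
    "webapp_rce": {"dmz_host": (2, 2)},
    "dmz_host": {"fileserver": (4, 1)},
    "workstation": {"fileserver": (2, 1)},
    "fileserver": {"domain_admin": (3, 1)},
    "domain_admin": {},
}

# Steps a segmentation control would touch, and every step inside the perimeter
# (where detection, rather than prevention, adds to the risk term).
LATERAL = [("dmz_host", "fileserver"), ("workstation", "fileserver"),
           ("fileserver", "domain_admin")]
INTERNAL = LATERAL + [("leaked_vpn_creds", "workstation"),
                      ("phished_user", "workstation"), ("webapp_rce", "dmz_host")]


def cheapest_path(graph, start="internet", goal="domain_admin"):
    """Dijkstra over the attack graph. Returns (total_cost, [nodes]) for the
    cheapest complete path, or (inf, []) when no path exists."""
    best = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            path = [goal]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[node]:
            continue  # stale heap entry
        for nxt, (effort, risk) in graph[node].items():
            c = cost + effort + risk
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                prev[nxt] = node
                heapq.heappush(heap, (c, nxt))
    return float("inf"), []


def with_control(graph, edges, effort_delta=0, risk_delta=0):
    """Copy of the graph with the named steps made more expensive. Prevention
    raises effort, detection raises risk; a control that touches no step on the
    cheapest path changes the attacker's decision by exactly nothing."""
    g = deepcopy(graph)
    for src, dst in edges:
        effort, risk = g[src][dst]
        g[src][dst] = (effort + effort_delta, risk + risk_delta)
    return g


def scenarios():
    """Cheapest path under the baseline and after each control is layered on."""
    harden_webapp = with_control(BASELINE, [("internet", "webapp_rce")], effort_delta=40)
    mfa = with_control(BASELINE, [("internet", "leaked_vpn_creds")], effort_delta=30)
    mfa_seg = with_control(mfa, LATERAL, effort_delta=5)
    mfa_seg_detect = with_control(mfa_seg, INTERNAL, risk_delta=3)
    return {
        "baseline": cheapest_path(BASELINE),
        "harden_webapp": cheapest_path(harden_webapp),
        "mfa_on_vpn": cheapest_path(mfa),
        "mfa_plus_segmentation": cheapest_path(mfa_seg),
        "mfa_seg_plus_detection": cheapest_path(mfa_seg_detect),
    }


if __name__ == "__main__":
    base_cost, _ = cheapest_path(BASELINE)
    for name, (cost, path) in scenarios().items():
        print(f"{name:24s} cost={cost:3d} (+{cost - base_cost:2d})  {' -> '.join(path)}")
```

Running it shows the pattern the text describes: spending heavily on the already expensive web app leaves the cheapest path (the unlocked window, here a VPN portal without MFA) untouched at the same cost; MFA on that portal is the control that actually forces the attacker onto a pricier route; segmentation then taxes every lateral step on that new route; and detection adds to the risk term of each interior step, which compounds because the total is a sum over the whole path. Recomputing the cheapest path after each candidate control is one concrete way to answer "which paths does this make more expensive, and by how much?" rather than "does this make us more secure?".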
Why detection is an economic weapon
Prevention raises the effort cost. Detection raises the risk cost, and risk is often the constraint that matters most to a professional adversary. An attacker who can operate without fear of detection can afford to be noisy: off-the-shelf tooling, failed attempts and retries all come free. One who knows they might be seen has to invest in evasion at every step, and that investment compounds over the length of the path.
This is the economic argument for red teaming and threat hunting. They do not just find gaps; they measure and increase the cost of operating inside your environment undetected. A path that an attacker could once walk for free becomes one they have to pay for in tradecraft and time.
Putting the lens to work
When you evaluate a control, stop asking "does this make us more secure?" and ask instead "which attack paths does this make more expensive, and by how much?" That reframing has consequences:
- It exposes controls that are strong in isolation but irrelevant to any realistic path.
- It surfaces the cheap paths you have been ignoring because the assets on them seemed unimportant.
- It explains why an attacker bypassed your best defense entirely — they were never going to pay for the expensive path when a cheap one existed.
Security is not about being impregnable. It is about being expensive enough, in the specific ways that matter, that a rational adversary spends their budget somewhere else.