Attack Surface Mapper
Given an organization profile, identify valid attack surfaces, categorize each by threat vector type, and rank them by risk level. Reject distractors that don’t apply to the scenario.
What You’ll Practice
- Mapping attack surfaces across message-based, file-based, network, supply chain, human/physical, and other vector categories
- Distinguishing real attack surfaces from plausible-sounding distractors based on organizational context
- Ranking risk by considering exploitability, impact, and exposure for each entry point
- Thinking through how an attacker would approach different organization types (SaaS, healthcare, manufacturing)
How the Exam Tests This
Objective 2.2 covers threat vectors and attack surfaces — expect questions that describe an organization or scenario and ask you to identify which vectors apply, which entry points are most exposed, and how to categorize them. This lab builds that muscle by forcing you to evaluate each potential surface against the actual org profile rather than just recognizing keywords.
Scoring
Each attack surface entry is scored across three dimensions: identification (did you correctly accept or reject it?), categorization (did you assign the right vector type?), and risk ranking (how close were you to the expected level?). Risk rankings within one level of expected earn partial credit. Final score is a weighted percentage across all entries in the scenario.
HOW IT WORKS
- 1. Read the organization profile — understand what they are, what they run, how they operate
- 2. For each potential attack surface entry, decide if it applies to this org
- 3. For valid entries, categorize the threat vector type and assign a risk level
- 4. Submit and review your analysis against the expected mapping