In plain English
Once an attacker is inside one device, they don't stop there. Lateral movement describes how they hop from machine to machine — using stolen credentials, exploiting vulnerabilities, or abusing trusted network relationships — until they reach the systems or data they're after. Network segmentation and the principle of least privilege limit how far an attacker can travel.
Full definition
Getting into one machine is rarely the goal. The data an attacker wants is usually on a different server, in a different account, or behind a different set of permissions. Lateral movement is how they close that gap.
After an initial compromise, attackers move through a network using whatever they can find: , pass-the-hash attacks that reuse authentication tokens without needing the actual password, exploitation of trust relationships between systems. In a flat network with no segmentation, a single compromised laptop can become the starting point for access to a domain controller, a file server, or a cloud admin account within hours.
Two controls limit how far an attacker can travel once they are inside. splits the environment into zones so that a compromised endpoint in the sales team cannot directly reach payroll systems or backup infrastructure. Least privilege access means that even if an attacker takes over a user account, that account can only reach what the legitimate user needed. In the framework, both restricting administrative privileges and patching applications directly address the techniques used for lateral movement. A penetration test that stops at initial access misses the question that matters most: once we are in, how far can we get?
