
Lateral movement

Lateral movement is the phase where an attacker, after gaining an initial foothold, progresses through the network to reach higher-value systems and data. It is often the step that turns an isolated intrusion into a major compromise.

Updated on July 2, 2026

What is lateral movement?

Lateral movement covers the techniques by which an attacker moves from one system to another inside an already-breached network. The first foothold is rarely on the final target, so once it is established the attacker seeks to expand their grip: harvesting credentials, compromising new accounts, and reaching more sensitive servers.

This phase often relies on legitimate tools (living-off-the-land techniques) and stolen credentials, which makes it hard to distinguish from normal administrative activity.

Why it matters for your organization

The severity of an intrusion is largely decided during lateral movement. Limited initial access may seem harmless, but if it allows free pivoting, it leads to a large-scale compromise, up to domain control or access to the most critical data.

Slowing and detecting lateral movement means containing the incident: you turn a potentially total compromise into a localized, manageable problem.

How to limit it

  • Network segmentation: compartmentalize to prevent free movement.
  • Least privilege: reduce what a compromised account can reach.
  • Privileged access management: protect and monitor administrator accounts.
  • Strong authentication: limit the use of stolen credentials.
  • Behavioral detection: spot abnormal propagation patterns.
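
The behavioral detection item above can be illustrated with a small fan-out check. This is an added example, not part of the original page or of any FortaRisks product. It flags an account that authenticates to several hosts it has never reached before within a short window. The log format, field names, host names, window and threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs).
SAMPLE_LOG = """\
2026-07-01T09:00:05 user=alice src=ws-12 dst=fs-01
2026-07-01T09:30:00 user=alice src=ws-12 dst=mail-01
2026-07-01T10:00:00 user=svc_backup src=bk-01 dst=fs-01
2026-07-01T10:00:20 user=svc_backup src=bk-01 dst=db-01
2026-07-01T10:00:40 user=svc_backup src=bk-01 dst=app-01
2026-07-02T02:10:00 user=alice src=ws-12 dst=fs-01
2026-07-02T02:11:00 user=alice src=ws-12 dst=db-01
2026-07-02T02:12:30 user=alice src=ws-12 dst=app-01
2026-07-02T02:14:00 user=alice src=ws-12 dst=dc-01
2026-07-02T03:00:00 user=svc_backup src=bk-01 dst=fs-01
2026-07-02T03:00:20 user=svc_backup src=bk-01 dst=db-01
2026-07-02T03:00:40 user=svc_backup src=bk-01 dst=app-01
"""

def parse_events(text):
    """Turn each log line into (timestamp, user, src, dst), sorted by time."""
    events = []
    for line in text.splitlines():
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(stamp), fields["user"], fields["src"], fields["dst"]))
    return sorted(events)

def find_fanout(events, baseline_end, window=timedelta(minutes=10), threshold=3):
    """Flag accounts reaching >= threshold never-before-seen hosts within one window."""
    known = defaultdict(set)      # account -> destinations seen during the baseline
    recent = defaultdict(list)    # (account, src) -> [(time, new destination)]
    alerts = {}
    for ts, user, src, dst in events:
        if ts < baseline_end:
            known[user].add(dst)  # learning period: record habitual destinations
            continue
        if dst in known[user]:
            continue              # habitual destination, e.g. the nightly backup run
        hits = [(t, d) for t, d in recent[(user, src)] if ts - t <= window] + [(ts, dst)]
        recent[(user, src)] = hits
        new_hosts = sorted({d for _, d in hits})
        if len(new_hosts) >= threshold:
            alerts[(user, src)] = new_hosts
    return alerts

if __name__ == "__main__":
    print(find_fanout(parse_events(SAMPLE_LOG), baseline_end=datetime(2026, 7, 2)))
```

The backup service account touches three hosts in under a minute but is not flagged, because those hosts are in its baseline. The user account is flagged for three hosts it had never reached before.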

Where organizations most often fall short

The most widespread mistake is the "flat" network, with no segmentation, where access gained anywhere opens the door to everything else. The other pitfall is concentrating all defense on the outer perimeter while neglecting the interior: once that barrier is crossed, nothing slows the attacker.

Frequently asked questions

Why is lateral movement so dangerous?

Because the initial entry point is rarely the final target. An attacker who compromises a low-value endpoint will seek to pivot toward privileged accounts, critical servers or sensitive data. It is during this often quiet progression that the incident changes scale.

How do you slow lateral movement?

Through network segmentation, least privilege and rigorous management of privileged accounts. The idea is that one compromised access does not automatically grant access to everything else. Behavioral detection also helps spot propagation attempts before they succeed.
