Definition
An attack tree is a formal modeling framework that represents how an adversary might achieve a specific security breach, expressed as a hierarchy of goals and sub-goals. The root of the tree is the attacker’s ultimate objective, while intermediate and leaf nodes describe alternative strategies, conditions, and concrete actions that could lead to that objective. Logical relationships, such as AND and OR nodes, capture whether multiple conditions must be satisfied together or whether any one of several paths is sufficient. In blockchain and crypto systems, attack trees are used to reason about complex multi-step threats against consensus, keys, smart contracts, and supporting infrastructure.
As a process, building an attack tree involves systematically enumerating and structuring potential attacks that relate to a system’s attack surface and specific attack vectors. The resulting model provides a rigorous way to analyze how different components, trust assumptions, and dependencies contribute to overall risk. It also supports quantitative or qualitative assessment of likelihood and impact along different branches, without prescribing particular defensive measures. In security-focused audit work, attack trees serve as a conceptual backbone for understanding where and how a system is most vulnerable.
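The AND/OR structure and the per-branch assessment described above can be made concrete with a small model. The following is an added example, not taken from any particular audit or tool: the `Node` class, the tree labels, and every cost and probability are constructed for illustration, and the likelihood calculation assumes leaf events are independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    label: str
    gate: str = "LEAF"        # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    cost: float = 0.0         # leaf only: estimated attacker effort (arbitrary units)
    prob: float = 0.0         # leaf only: estimated chance the step succeeds

def min_cost(node):
    """Cheapest way to reach this goal: returns (cost, leaves on that path)."""
    if node.gate == "LEAF":
        return node.cost, [node.label]
    results = [min_cost(c) for c in node.children]
    if node.gate == "OR":     # any one child suffices: take the cheapest
        return min(results, key=lambda r: r[0])
    # AND: every child is required, so costs add and paths merge
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]

def likelihood(node):
    """Probability the goal is reached, treating leaves as independent events."""
    if node.gate == "LEAF":
        return node.prob
    ps = [likelihood(c) for c in node.children]
    if node.gate == "AND":    # all children must succeed
        return prod(ps)
    return 1 - prod(1 - p for p in ps)   # OR: at least one child succeeds

def build_sample_tree():
    # Constructed sample: all labels and numbers are illustrative assumptions.
    return Node("Unauthorized transfer from 2-of-3 multisig treasury", "OR", [
        Node("Obtain two signing keys", "AND", [
            Node("Compromise signer A key", cost=40, prob=0.10),
            Node("Compromise signer B key", cost=60, prob=0.05),
        ]),
        Node("Exploit flaw in treasury contract", cost=80, prob=0.02),
        Node("Trick signers into approving", "AND", [
            Node("Compromise transaction-building front end", cost=30, prob=0.20),
            Node("Two signers approve without verifying", cost=10, prob=0.30),
        ]),
    ])

if __name__ == "__main__":
    tree = build_sample_tree()
    print("cheapest path:", min_cost(tree))
    print("overall likelihood:", round(likelihood(tree), 4))
```

In this sample the cheapest branch is the one that bypasses key compromise entirely, which is the kind of result that tells a reviewer where a control (here, independent transaction verification by signers) reduces risk the most.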
Context and Usage
Within security analysis, an attack tree functions as a high-level abstraction that unifies disparate threats under a single, goal-oriented structure. It is technology-agnostic, so it can describe both on-chain and off-chain attack paths, including social, organizational, and infrastructure-level steps that support a technical compromise. For cryptographic protocols and decentralized networks, attack trees help clarify how assumptions about adversary capabilities, resource limits, and required preconditions shape the feasibility of different attacks.
Attack trees are closely related to the concepts of attack surface and attack vector, but they emphasize the logical composition of multiple steps rather than isolated entry points. They are often referenced in formal documentation, threat models, and security audit reports as evidence that a system’s risks have been examined in a structured and exhaustive way. In mature security programs, attack trees become living models that can be updated as the system evolves, new components are added, or new classes of attacks are discovered.