ATLAN TEAM
Identity as the new attack surface. Identity has become the primary attack surface in 2026. Attackers have shifted focus from exploiting software flaws on endpoints to hijacking the very fabric of trust - user and machine identities. A 2025 Verizon breach report noted that more than 80% of compromises involve stolen credentials, and industry analysts stress that identity misuse has overtaken other methods as the preferred mode of intrusion. Red teams still need a foothold, but what constitutes a foothold has changed. Rather than planting malware on a PC or abusing a network vulnerability, adversaries increasingly gain entry by stealing, forging, or abusing trust relationships such as OAuth tokens, API keys, federated logins, and orphaned service accounts.
Key takeaway: Identity is no longer just an authentication issue. It is the new attack surface. Enterprises must evolve from perimeter-first defenses to identity-first strategies. Traditional patch-and-prevent models are already proving obsolete against these threats.
Legacy footholds vs identity footholds
Red teams have always needed a beachhead. In the old model, that often meant exploiting an endpoint vulnerability or delivering a backdoor payload. The adversary's initial access vector was typically malware (via phishing or drive-by), an unpatched server, or a stolen password. Once inside, they pivoted across the network to reach high-value systems. Endpoint compromise equaled foothold.
In 2026, the story still holds in form, but the mechanisms have changed. The new foothold is frequently an identity artifact rather than a binary on disk. Examples include:
- Credential and token theft: Phishing or malware harvests valid credentials, OAuth tokens, or API keys. Attackers have intercepted long-lived OAuth tokens tied to SaaS integrations and moved freely through customer instances without triggering alerts.
- Misconfigured identity trust: Misconfigured AD or Entra ID, weak MFA, or orphaned service accounts can let an attacker sign in as legitimate users or roles. Cisco Talos found that 44% of identity-based attacks in 2024 exploited Active Directory misconfigurations.
- Federation and consent phishing: Attackers trick users into granting permissions via OAuth or SAML flows. Consent phishing can let criminals take over accounts without capturing passwords or MFA codes, creating delegated access tokens that behave like privileged identities.
- API keys and service secrets: Cloud environments and CI/CD pipelines rely on long-lived secrets. Exposed AWS keys or GitHub tokens can be used to log in as trusted machines. Attackers have used stolen OAuth and API keys to reset admin passwords without writing malware.
Identity-native attack paradigm
Old model: Break into a device or server, run code, and escalate via network trusts. Attack surface was endpoints and networks; visibility was through EDR and network monitoring.
Modern model: Exploit trusted relationships and credentials. Attack surface is federated identity systems, APIs, and SaaS ecosystems; visibility gaps emerge.
Many identity-native attacks are not about breaking encryption or hacking code. They are about appropriating trust. When a user clicks "Yes" to approve an OAuth consent, they hand over a set of keys that grant permissions to act on their behalf. A malicious OAuth app becomes a persistent backdoor. The network is untouched; the attacker simply walks through the front door as a trusted principal. Other examples include abusing SAML trusts, forging SSO assertions, or misusing privileged Azure and M365 tokens. Deepfake attacks capitalize on identity trust as well, allowing social engineers to operate with credibility.
Insight: Identity-based intrusions often leave no new malware signatures or exploit traces. All actions look legitimate to conventional monitoring. Token-based trust can be just as fragile as password-based trust, and far harder to monitor. The attacker is not breaking the system; they are bending its trust until it snaps.
Implications for attackers and red teams
The rise of identity-native methods changes tradecraft. Campaigns are being designed around identity reconnaissance and abuse, including:
- Identity discovery: Map the identity landscape first. Enumerate Azure AD or SAML federation endpoints, look for stale accounts, and search public repos for service credentials.
- Social engineering and phishing 2.0: Target identity flows such as device-code auth phishing instead of just credential dumps. OAuth consent phishing is now part of red team simulations.
- Non-human exploitation: Attack machine identities and CI/CD pipelines. Hunt for GitHub secrets, service principals, container registries, and cloud roles with excessive permissions.
- Token and session theft: Steal session tokens or SAML tokens from browsers or endpoints instead of dumping hashes.
- Supply chain pivoting: Exploit third-party trust. A compromised vendor account or SaaS application can provide implicit access to many customers.
Implications for defenders
This evolution upends many defender assumptions. Legacy defenses were built to catch executable malware and network anomalies. Identity-native attacks often evade those controls:
- Visibility gaps: OAuth and SAML transactions flow through APIs or browsers, unseen by endpoint logs or SIEM unless explicitly tracked.
- Broken assumptions: MFA or SSO can be bypassed by consent flows and token abuse. Even passkeys do not stop attacks that never require a login.
- Detection gaps: Most SIEM and XDR solutions lack built-in identity analytics. An MFA bypass or token abuse can look like normal user traffic.
- Alert fatigue and blind spots: Teams see login alerts without context for suspicious permission changes or anomalous token usage.
Defensive gaps: XDR, correlation, and visibility
Most enterprises are not set up to detect identity-first attacks. True XDR with integrated telemetry from identity, endpoint, network, and cloud is the exception. Many organizations still run fragmented stacks where identity providers, SIEM, endpoint tools, and cloud monitoring are siloed. The result is limited correlation and weak visibility into identity abuse.
Key gaps include:
- No holistic view: Point solutions fail to provide unified, real-time awareness across identity, endpoint, and cloud telemetry.
- Missing ITDR: Identity Threat Detection and Response adoption remains limited, leaving non-human identity anomalies unnoticed.
- Reactive posture: Many teams only become aware of attacks after a breach or vendor alert instead of continuous identity monitoring and anomaly hunting.
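As an added illustration (not code from the original article), here is the kind of correlation that closes the context gap described in the two lists above: a small Python detector that joins OAuth consent-grant events with the token usage that follows them and with the user's interactive-login history, so a high-privilege consent used from an address the user has never signed in from surfaces as one alert instead of three unrelated log lines. The event records, field names and the list of high-privilege scopes are constructed assumptions, not any identity provider's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not from any real tenant).
# Field names are assumptions modelled loosely on IdP/SaaS audit logs.
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "type": "login", "user": "alice", "src": "203.0.113.10"},
    {"ts": "2026-03-01T09:02:00", "type": "consent_grant", "user": "alice",
     "app": "quick-sync-helper",
     "scopes": ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"ts": "2026-03-01T09:05:00", "type": "token_use", "user": "alice",
     "app": "quick-sync-helper", "src": "198.51.100.77", "api": "/me/messages"},
    {"ts": "2026-03-01T09:06:00", "type": "token_use", "user": "alice",
     "app": "quick-sync-helper", "src": "198.51.100.77", "api": "/me/drive/root/children"},
    {"ts": "2026-03-01T10:00:00", "type": "consent_grant", "user": "bob",
     "app": "calendar-widget", "scopes": ["User.Read"]},
    {"ts": "2026-03-01T10:01:00", "type": "token_use", "user": "bob",
     "app": "calendar-widget", "src": "203.0.113.10", "api": "/me"},
]

# Delegated scopes that let an app act broadly on the user's behalf (assumed list).
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}
WINDOW = timedelta(hours=1)  # how long after consent we look for token use

def find_risky_consents(events):
    """Alert on consents granting high-privilege scopes whose tokens are then
    used from a source address the user has never interactively logged in from."""
    events = sorted(events, key=lambda e: e["ts"])
    known_src = defaultdict(set)  # user -> addresses seen in interactive logins
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "login":
            known_src[e["user"]].add(e["src"])
        elif e["type"] == "consent_grant":
            risky = HIGH_PRIVILEGE & set(e["scopes"])
            if not risky:
                continue
            # Correlate: same user and app, within the window, from an unknown source.
            uses = [u for u in events if u["type"] == "token_use"
                    and u["user"] == e["user"] and u["app"] == e["app"]
                    and ts <= datetime.fromisoformat(u["ts"]) <= ts + WINDOW
                    and u["src"] not in known_src[e["user"]]]
            if uses:
                alerts.append({"user": e["user"], "app": e["app"], "scopes": sorted(risky),
                               "foreign_src": sorted({u["src"] for u in uses}),
                               "apis": [u["api"] for u in uses]})
    return alerts

if __name__ == "__main__":
    for alert in find_risky_consents(EVENTS):
        print(alert)
```

Bob's low-privilege consent used from his usual address produces nothing; Alice's broad consent followed by mailbox and drive reads from a never-seen address is the single alert.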
Conclusion: red teams and the identity-first reality
The offense-defense gap is growing. Attackers already have the tools and tactics for identity-first intrusion, and red teams are incorporating them. But most clients still cannot detect purely identity-driven attacks. Modern engagements remain pragmatic: simulate advanced identity attacks to the extent customers can benefit, then help them build the telemetry and detection required for the next frontier.
The message to CISOs and defenders is clear. Review IAM configurations, expand logging into federated and cloud systems, and consider dedicated identity monitoring. The safety of modern enterprises depends on managing all identities, human or not, as real liabilities. The core battle is no longer the endpoint. It is the realm of digital identities and trust.
Key takeaways
- Identity now anchors attack strategies. Initial footholds increasingly come from stolen credentials, tokens, and trusted app consents.
- Attackers appropriate existing trust relationships rather than deploying malware.
- Defenders must upgrade from endpoint-centric monitoring to holistic identity threat detection.
- Red teams are adapting, but most enterprises are not yet ready to see the full identity-first threat landscape.