Identity attacks succeed because the credentials are already compromised.
Identity has become the new security perimeter, but according to the latest SANS research, that shift hasn’t eliminated identity-related compromise.
If anything, the data shows the opposite.
The 2026 SANS Identity Threats & Defenses Survey highlights a reality most security teams are already experiencing: identity tools are widely deployed, yet identity-related breaches remain stubbornly common. In fact, 55% of organizations experienced an identity-related compromise in the past year, despite 85% deploying identity security solutions.
So what’s going wrong?
The issue isn’t a lack of investment. It’s a mismatch between how identity defenses are built and how identity attacks actually work today.
One of the most telling insights in the SANS Identity Threats report is the gap between detection and containment.
Organizations are getting better at identifying identity attacks. 68% detect them within 24 hours, but only 55% can contain them in that same window.
That delay matters.
Because by the time an alert fires, the attacker is rarely at the door—they’re already inside. They’ve authenticated, established a foothold, and often begun moving laterally across systems. The report puts it plainly: organizations have built the sensors, but not the operational muscle to respond fast enough.
It’s easy to interpret this as a detection problem. It’s not.
It’s a timing problem—and more specifically, a credential exposure problem.
The SANS Identity Threats data reinforces a shift that’s been building for years: identity attacks no longer depend on breaking authentication—they depend on using legitimate login flows. While credential phishing still accounts for a portion of attacks (35%), the report highlights a broader mix of techniques, including compromised browsers (27%), MFA fatigue (26%), and token-based access methods (23%).
What makes these techniques effective is that they rely on legitimate access. There’s no failed login, no obvious anomaly, and often nothing that looks suspicious in isolation. These techniques matter—but they all depend on one thing: access to credentials that are already trusted.
This aligns with the report’s broader finding that modern identity attacks increasingly rely on valid credentials and trusted access paths. And that’s the real issue: identity defenses are still largely built on the assumption that credentials are trustworthy.
Attackers know they’re not.
The SANS Identity Threats report does a strong job outlining how identity attacks unfold. But it also points to something deeper, something many organizations still don’t fully account for.
Identity attacks don’t start when someone logs in.
They start when credentials are exposed.
That exposure can happen in a number of ways, including infostealer malware on the endpoint, phishing, and passwords leaked in prior breaches.
By the time those credentials are used in an attack, they’re not “stolen” in real time—they’ve often been circulating for weeks or months.
From the defender’s perspective, the attack looks sudden.
From the attacker’s perspective, it’s just execution.
This is the disconnect.
Security teams are focused on what happens at authentication: monitoring logins, enforcing MFA, and looking for suspicious activity.
Meanwhile, the real issue often exists upstream. The credential itself has already been exposed—sometimes long before any alert is ever triggered.
The SANS report points to techniques like compromised browsers and token-based access, but these don’t happen in isolation.
In many cases, they begin at the endpoint.
Infostealer malware is one example of how credentials and authentication data can be extracted from endpoints. Once collected, that information can be reused or sold, often long before any attack is detected.
This helps explain why attackers are increasingly able to operate inside trusted environments without triggering alerts.
From a security team’s perspective, the activity appears legitimate.
But in reality, the credential was already compromised.
This is one of the clearest examples of how identity risk originates outside traditional identity systems.
This also explains why identity attacks continue to slip through, even in environments with modern controls.
When attackers use valid credentials, everything looks normal. MFA prompts can be approved, login behavior appears expected, and access aligns with what the system allows.
There’s no obvious signal to trigger a response.
The SANS report reinforces this through its analysis of modern attack chains, where initial access, privilege escalation, and lateral movement can all occur using trusted identities and approved access paths.
In other words, nothing looks broken.
And that’s exactly the problem.
Another important finding in the SANS Identity Threats report is the complexity of modern identity environments.
Most organizations are not operating in a single system. Instead, identities span on-premises systems, cloud platforms, and SaaS applications, and a single authentication flow may traverse all three.
This creates an environment where identity risk is distributed and harder to track. This reflects the hybrid identity environments described in the SANS report, where identities span on-premises, cloud, and SaaS systems.
An exposed credential in one system can often be reused across others. Access granted in one environment can extend into multiple systems, and visibility is often fragmented across tools.
This hybrid reality is a defining characteristic of modern identity attacks—and a key reason they are so difficult to contain.
Another theme that shows up clearly in the SANS data is persistence—but not in the way most organizations think about it.
The issue isn’t how often credentials are rotated. It’s that exposed credentials often remain valid long after they’ve been compromised.
Once a password is exposed—whether through malware, phishing, or prior breaches—it doesn’t lose its value. It can be tested, reused, and leveraged across systems over time, often without triggering any alerts.
This is exactly what makes modern identity attacks so effective.
Attackers aren’t racing against expiration windows. They’re taking advantage of the fact that most systems still accept credentials that have already been exposed elsewhere.
This is also why traditional approaches like forced password rotation fall short. Changing passwords on a schedule doesn’t address whether those credentials have already been compromised.
What matters is not how often credentials change, but whether they are safe to use in the first place.
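As an added example (not from the SANS report or from Enzoic), the following Python shows the check the preceding paragraphs argue for: screening a credential against a corpus of known-exposed passwords both at login and at password change, using a k-anonymity style prefix lookup so the full hash never leaves the client. The corpus, breach counts and policy strings are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed corpus of exposed passwords with breach occurrence counts.
# Hypothetical sample values, not figures from the SANS report.
EXPOSED_PASSWORDS: Dict[str, int] = {
    "Password123": 40213,
    "Spring2026!": 117,
    "letmein": 1_000_000,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(plaintexts: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket exposed hashes by 5-char prefix, as a range-query service does."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in plaintexts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index

def range_query(index, prefix: str) -> List[Tuple[str, int]]:
    """Service side: return the whole bucket; it never sees the full hash."""
    return index.get(prefix.upper(), [])

def exposure_count(password: str, index) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return next((c for s, c in range_query(index, h[:5]) if s == h[5:]), 0)

def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login_decision(password: str, verifier: Tuple[bytes, bytes], index) -> str:
    """A correct but known-exposed password is not accepted as-is: require a
    reset now instead of waiting for the next scheduled rotation."""
    salt, expected = verifier
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(derived, expected):
        return "deny"
    return "reset-required" if exposure_count(password, index) else "allow"

def accept_new_password(candidate: str, index) -> bool:
    """At set or rotate time, refuse a replacement that is itself already exposed."""
    return exposure_count(candidate, index) == 0
```

The decision logic is deliberately separate from the verifier check: a password can be correct and still unsafe to accept, which is the gap scheduled rotation alone does not close.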
Taken together, the SANS Identity Threats findings point to a clear conclusion:
Identity defenses are heavily focused on authentication, but identity risk starts earlier.
Organizations have invested in stronger login controls, MFA enforcement, and detection capabilities. But those investments are concentrated at the point of access.
Attackers, on the other hand, are operating upstream, at the point of credential exposure.
Until that gap is addressed, the same pattern will continue: valid credentials used for access, legitimate activity that appears normal, and detection triggered after the fact.
The takeaway from the SANS Identity Threats report isn’t that identity security is failing; it’s that it’s incomplete.
Detection is improving. Visibility is improving. But neither solves the problem if compromised credentials are still allowed to authenticate in the first place.
Reducing identity risk requires a shift in focus: from the point of authentication to the point of credential exposure, and from rotating credentials on a schedule to verifying that they are safe to use before they are allowed to authenticate.
Because in today’s threat landscape, identity risk doesn’t begin at login.
It begins the moment a credential is exposed.
For a deeper look at how identity attacks are evolving and where defenses are falling short, download the full report: 2026 SANS State of Identity Threats & Defenses Survey.
This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/2026-sans-identity-threats-report-why-attacks-still-work/