
INFO News SC Media

How identity became the new security battleground

  • What: Commentary on identity as a new security battleground is published
  • Impact: Highlights the importance of identity management in modern security

May 21, 2026
By Craig Birch

COMMENTARY: The 2026 Verizon Data Breach Investigations Report (DBIR) landed this week with a number every security leader should remember: organizations take a median of 43 days to fully remediate critical vulnerabilities, and only 26% get fixed end-to-end. At the same time, vulnerability exploitation now accounts for 31% of breaches. That’s not just a patching issue. It’s a structural speed advantage for the attacker.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Security programs used to assume defenders had time to detect, triage, and patch before exposure became compromise. That assumption has been broken. Even before AI accelerated the threat, many teams were already losing patch window arguments to uptime, dependencies, and change control. I have seen that firsthand.

AI collapsed the exploit window

Projects like Mother of All KEVs (MOAK) make the point painfully clear. MOAK is a research workflow built to show how AI agents can take a newly disclosed vulnerability, analyze the code changes, build a test environment, and produce a working exploit with minimal human help. Its published results claim autonomous exploitation of 98% of open-source known exploited vulnerabilities, including React2Shell in 21 minutes.

Anthropic Mythos Preview had different results, but points in the same direction: a restricted frontier model that Anthropic says showed unusually strong capability at finding and exploiting software vulnerabilities. Together, they make this feel immediate, not theoretical.

The tactics did not change. The clock did. Vulnerabilities still get exploited, credentials still get stolen, and privileges still get escalated. But steps that once took hours or days now take minutes. Defenders still face change control, dependencies, and business continuity constraints. Attackers do not. It's become a durable speed asymmetry.

The breach lands in identity

The story does not end at initial access. That’s where it starts. Attackers pivot to identity fast because vulnerabilities offer access, but identity gives control. Once they reach credentials, roles, service accounts, delegation rights, or trust relationships in Active Directory or Entra ID, they stop looking like intruders and start looking like valid activity.

Access starts in the infrastructure. And the blast radius grows in identity. When exploitation happens in minutes and analysts cannot respond in time, the controls that matter most are the ones that limit what identity can do next. Recent campaigns keep reinforcing the same lesson: once attackers control identity and the management plane behind it, expansion gets fast and containment gets harder.

What leaders must do now

It’s a speed problem, and right now the attacker owns the clock. Keep patching, but stop treating it as the primary control layer for a minute-scale threat. Higher-value controls are the ones that limit what identity can do after initial access lands: continuous identity monitoring, least privilege, just-in-time access, and automated containment that triggers at machine speed.

We can’t depend on containment alone. Organizations also need a tested way to recover trusted identity fast after compromise, restoring trusted privileges and administrative control before the business feels the full impact. We have to make recovery part of the identity security model, not a separate disaster scenario.

Every security leader must answer these three questions right now:

  • How fast can we detect identity-layer compromise?
  • How fast can we contain it?
  • How quickly can we recover trusted identity before the business feels the full impact?

Those answers will define who absorbs the next breach and who contains it. Organizations that cannot answer them today are misaligned with the threat environment – and that gap will not close on its own.

Craig Birch, technology evangelist, principal security engineer, Cayosoft
