Attackers Aren't Breaking Into Your Network Anymore. Are You Protecting the Right Thing?

Rene Garcia
May 28, 2026

Most organizations think of a cyberattack as a forced entry. Someone exploits a vulnerability, bypasses a firewall, or finds a gap in the perimeter, and from there the damage begins. That mental model shapes security budgets, security tooling decisions, and the questions executives ask when they review their risk posture. It also explains why so many organizations are defending the wrong thing.

The data from 2025 and the conversations dominating RSAC 2026 tell a different story. In most cases attackers aren't forcing their way in; they are logging in. Organizations that have not recalibrated their security plans may be exposed to higher risk than their current security measures suggest.

The Numbers Have Shifted the Conversation

The 2026 Sophos Active Adversary Report, which analyzed over 661 incident response cases across organizations in 70 countries, found that 67% of all investigated incidents were rooted in identity-related attacks. Separately, Verizon's 2025 Data Breach Investigations Report identified stolen or compromised credentials as the single largest initial access vector, accounting for 22% of confirmed breaches, the highest of any individual method. Phishing came in third, at roughly 15 to 16 percent.

These are not theoretical risks. Recorded Future indexed nearly two billion credentials from info stealer malware and dark web markets in 2025 alone. This points to a volume that reflects an industrialized ecosystem of credential theft operating continuously against every industry. More troubling still, 276 million of those credentials included active session cookies, meaning an attacker possessing them does not need a password, does not need to defeat multi-factor authentication, and does not need to wait. They authenticate as a valid user and begin moving through the environment immediately.

Why Traditional Defenses Do Not Solve This Problem

The tools most organizations have invested in over the past decade were designed for a different threat model. Firewalls, intrusion detection systems, endpoint detection, and perimeter segmentation are all valuable, but none of them stops a valid credential from authenticating to your environment.

When an attacker uses a stolen username and password, or a harvested session token, to access Microsoft 365, your VPN, or a cloud-hosted application, that activity looks legitimate to most perimeter controls. The connection is authorized. The identity is recognized. The session is valid. The tools that were built to detect anomalous network traffic or known malicious signatures are not designed to distinguish between a legitimate user and an attacker who has acquired that user's credentials.

This is the core of the problem. Security investments that focus primarily on what enters the network are no longer sufficient when the threat has shifted to who is authenticating to your systems. The perimeter is not gone, but identity has become the more consequential control point, and most organizations have not invested in it at the same level.

What Protecting the Right Thing Actually Looks Like

Shifting from a perimeter-first to an identity-first security posture does not mean abandoning existing investments. It means adding a layer of rigor to the identity infrastructure that most organizations have been running at the surface level for years.

The foundational elements are well established. Phishing-resistant multi-factor authentication or certificate-based authentication eliminates the class of attacks that session cookie theft is specifically designed to defeat. Organizations that have deployed standard push-notification Multi-Factor Authentication (MFA) have meaningfully reduced risk, but they remain vulnerable to adversary-in-the-middle phishing and MFA fatigue attacks that harvest valid session tokens in real time. The authentication method matters, not just the presence of MFA.

Conditional Access policies that evaluate device compliance, user risk, and sign-in context before granting access represent the next layer. These policies create a dynamic enforcement point that standard credentials alone cannot satisfy. A valid username and password, even with an intercepted MFA code, does not automatically satisfy a policy requiring a known, compliant device in a recognized network context.
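To make the layering concrete, here is an added example (not code from the article or from Microsoft) that models a Conditional Access style decision: a sign-in must clear an authentication-strength floor, a known-and-compliant device check, a network check and a user-risk check, and every failing control is reported. The sign-in records and the policy defaults are constructed for illustration; real tenants evaluate these controls at token issuance, which this simplified model does not attempt to reproduce.

```python
from dataclasses import dataclass

# Authentication strengths, weakest to strongest. A replayed session cookie carries no fresh
# authentication; push MFA can be relayed by an adversary-in-the-middle proxy; only FIDO2 or
# certificate-based sign-in counts as phishing-resistant here.
STRENGTH = {"session_cookie_replay": 0, "password_only": 1, "push_mfa": 2, "phishing_resistant": 3}

@dataclass
class SignIn:
    user: str
    auth_method: str        # one of the STRENGTH keys
    device_known: bool      # device is registered or joined in the tenant
    device_compliant: bool  # device management (Intune-style) reports it compliant
    known_network: bool     # request comes from a named / trusted location
    user_risk: str          # "low", "medium" or "high"

@dataclass
class Policy:
    min_auth_strength: str = "phishing_resistant"
    require_compliant_device: bool = True
    require_known_network: bool = True
    blocked_user_risk: tuple = ("high",)

def evaluate(policy: Policy, signin: SignIn) -> tuple[bool, list[str]]:
    """Return (granted, failed_controls). Every failing control is listed, not just the
    first, to show how many independent layers a stolen credential still has to clear."""
    failed = []
    if STRENGTH[signin.auth_method] < STRENGTH[policy.min_auth_strength]:
        failed.append(f"authentication strength '{signin.auth_method}' below required")
    if policy.require_compliant_device and not (signin.device_known and signin.device_compliant):
        failed.append("device is not both known and compliant")
    if policy.require_known_network and not signin.known_network:
        failed.append("sign-in from an unrecognized network")
    if signin.user_risk in policy.blocked_user_risk:
        failed.append(f"user risk level '{signin.user_risk}' is blocked")
    return not failed, failed

# Constructed sample sign-ins (not real telemetry).
EMPLOYEE = SignIn("alice", "phishing_resistant", True, True, True, "low")
# Adversary-in-the-middle relay: the real user approved a push prompt, but the session is
# being established from the attacker's unmanaged machine on an unknown network.
AITM_RELAY = SignIn("alice", "push_mfa", False, False, False, "medium")
# Infostealer session cookie replayed from a different, unknown device.
COOKIE_REPLAY = SignIn("alice", "session_cookie_replay", False, False, False, "low")

if __name__ == "__main__":
    for label, s in [("employee", EMPLOYEE), ("aitm", AITM_RELAY), ("cookie", COOKIE_REPLAY)]:
        granted, why = evaluate(Policy(), s)
        print(label, "GRANTED" if granted else "DENIED", why)
```

Note that a policy requiring only push MFA with no device or network condition grants the relayed sign-in, which is the "presence of MFA is not enough" point in concrete form.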

Privileged identity management is the area where most organizations have the widest gap. Standing administrative access, service accounts with excessive permissions, and legacy authentication paths that bypass modern controls are consistently the highest-value targets for attackers who are already inside an environment. Closing those gaps requires an inventory of privileged accounts, a governance model for standing versus just-in-time access, and monitoring that surfaces anomalous behavior from accounts that should not be active outside defined windows.
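The monitoring piece of that paragraph, as an added example that is not part of the article: given approved just-in-time activation windows and a privileged-account sign-in export, flag successful sign-ins that no approved window covers, and separately flag accounts that have no activation on record at all (standing access, or an account nobody approved). The activation records, account names, IPs and log format are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): approved just-in-time role activations
# and privileged-account sign-in events in the shape an audit export might take. All UTC.
ACTIVATIONS = [
    # (account, role, activation start, approved hours)
    ("adm-alice", "Global Administrator", "2026-05-12T09:00:00", 4),
    ("adm-bob", "Exchange Administrator", "2026-05-12T13:00:00", 2),
]
SIGNINS = [
    "2026-05-12T10:15:00 adm-alice 203.0.113.10 success",  # inside approved window
    "2026-05-12T15:30:00 adm-bob 198.51.100.7 success",    # window ended at 15:00
    "2026-05-13T02:05:00 adm-carol 192.0.2.44 success",    # no activation on record
    "2026-05-13T02:06:00 adm-carol 192.0.2.44 failure",    # failed attempts are not counted here
]

def activation_windows(activations):
    """Map each account to its list of (start, end) approved windows."""
    windows = {}
    for account, _role, start, hours in activations:
        begin = datetime.fromisoformat(start)
        windows.setdefault(account, []).append((begin, begin + timedelta(hours=hours)))
    return windows

def out_of_window_signins(activations, signins):
    """Return (account, timestamp, source_ip, reason) for every successful privileged
    sign-in that falls outside all approved windows for that account."""
    windows = activation_windows(activations)
    alerts = []
    for line in signins:
        ts, account, source_ip, result = line.split()
        if result != "success":
            continue
        when = datetime.fromisoformat(ts)
        if any(begin <= when <= end for begin, end in windows.get(account, [])):
            continue
        reason = "outside approved window" if account in windows else "no activation on record"
        alerts.append((account, ts, source_ip, reason))
    return alerts

if __name__ == "__main__":
    for alert in out_of_window_signins(ACTIVATIONS, SIGNINS):
        print(*alert)
```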

None of this requires new tools in most Microsoft environments. Entra ID, Intune, and the Microsoft security stack already contain the capabilities necessary to implement all of it. The gap is not licensing. It is configuration maturity.

The Question Worth Asking Now

The organizations taking identity security seriously in 2026 are not waiting for a breach to make the case. They are auditing their authentication methods, reviewing standing privileges, and stress-testing their Conditional Access policies before an attacker does it for them.

Those questions are uncomfortable to answer when the answers are unknown, and they are often more uncomfortable when the answers are known. But they are the right questions, and the cost of deferring them is measured in dwell time, breach cost, and the kind of board-level conversation no IT leader wants to have after the fact.

Collective Insights works with organizations at every stage of identity maturity, from initial posture assessments to full identity architecture modernization. If your organization is not confident in the answers to those questions, that is exactly where we start.