Your Coding Agents Have Admin Rights and Trust Issues

/in , /by

Here is an uncomfortable truth about modern software development. The most privileged identity in your engineering organization is no longer a person. It is an AI coding agent that reads your source code, runs commands in your terminal, holds your cloud credentials, and connects to whatever tools a developer wires up on a Tuesday afternoon.

Claude Code, Cursor, GitHub Copilot, OpenAI Codex, and Devin have quietly become production infrastructure. Most security programs are blind to their capability to run amok.

Banning the tools slows innovation. The productivity gains are real. Organizations must secure them the way we secure any other powerful, autonomous, internet-connected system: with a healthy dose of distrust.

The new attack surface is the coding agent, not just the app

Traditional application security asks whether the code you ship is safe. Coding agent security asks a different and newer question:

“Is the agent writing that code being manipulated while it works?”

Those are not the same problem, and the second one has major blind spots.

These exploits are not hypothetical. Security researchers have already documented and catalogued cases where a single piece of injected text, arriving through a connected tool or a repository file, rewrites an agent’s configuration and executes attacker-controlled commands on a developer’s machine. In controlled testing, getting these agents to run malicious instructions succeeds far more often than anyone will admit.

The pattern is consistent: feed the agent poisoned input, and its considerable privileges silently become the attacker’s windfall. Stolen credentials, supply chain injections, dead-man switches. All real, all a threat to your business.

The mechanism behind most of these is indirect prompt injection. A coding agent reads a GitHub readme file, an email or poisoned RAG document, a Teams or Slack message, and buried in that content are instructions the agent dutifully follows. It cannot reliably tell the difference between approved actions and novel attack patterns.

MCP is the connective tissue, and the soft underbelly

The Model Context Protocol, the open standard that lets agents plug into external tools and data, is what makes these agents genuinely useful. It is also where a lot of the risk lives. These connections get set up by developers, not security teams, which means most organizations have not built the practices to inventory, approve, and constantly retest for compromise. Supply chain attacks delivering credential-stealing malware through cloned connectors have already happened.

You cannot apply least privilege to a tool you did not know existed. Discovery and scanning of MCP servers, their privileges, and the systems they connect to is not a nice-to-have. It is a critical requirement for organizations embracing AI-assisted coding regardless of scale.

Zero Trust for AI Agents is the answer

Anthropic’s recent eBook, Zero Trust for AI Agents, makes the case better than any vendor pitch.

Its three principles will sound familiar to anyone who has done network zero trust: never trust and always verify, assume breach has already occurred, and enforce least privilege.

The paper adds a sharp new wrinkle it calls least agency: where least privilege limits what an agent can access, least agency limits what each agent tool can actually do, how often, and where.

Where AI runtime guardrails come in

AI runtime guardrails sit at the coding agent’s boundaries, integrated via hooks or a proxy, and inspect every tool call the agent makes before it executes. The controls that matter run two detection engines in parallel on each call. A rule-based engine matches commands, arguments, and file references against curated patterns to catch known attacks fast and deterministically. An LLM-based engine adds semantic analysis to catch what patterns miss: novel attack techniques, obfuscated payloads, and context-dependent threats where the same command is benign in one session and malicious in another. Together they evaluate every prompt, response, and tool call for injection, credential and data exfiltration, and tool abuse. Just as important, they constrain the overly privileged actions that turn a single compromised call into a breach, blocking the offending tool call rather than killing the session.

  • Granular enforcement that blocks or rewrites the offending tool call rather than killing the whole session, so a single flagged action does not halt legitimate work.
  • Continuous red teaming that attacks your agents the way a real adversary would, in CI/CD before they reach production, mapped to frameworks like the OWASP Top 10 for Agentic Applications.
  • MCP discovery and scanning that inventories every agent and connected server in your environment and flags the poisoned, abandoned, or over-permissioned ones.

Together these controls add up to a zero-trust posture for coding agents. Verify every call continuously with both engines, you assume the agent can be tricked, and you constrain what each tool is allowed to do and how far a single call can reach.

Guardrails supplement good DevSecOps

AI runtime guardrails secure the coding agent and AI Agent Actions. They do not secure the shipped code the agent helps you build. You still need good DevSecOps procedures for your DevOps pipelines, unit tests, code scanning, etc.

Static Application Security Testing (SAST) analyzes your source code and binaries without running them, catching flaws like injection and insecure cryptography early in the development lifecycle. Dynamic Application Security Testing (DAST) tests the running application from the outside, finding the issues that only appear under execution.

Neither one can see what your coding agent is doing in the IDE, and runtime guardrails cannot prove your shipped code is free of SQL injection. Defense in depth is never optional. The coding agents just added a layer.

Let us pressure-test your coding agents together

In Balance IT Solutions is co-presenting a Summer Security Series with Straiker focused on securing AI agents in the enterprise, and coding agent security is front and center. If your developers are running Claude Code, Cursor, Copilot, Codex, or Devin, and your security team does not yet have an inventory of the MCP servers attached to them, that gap is worth a conversation.

Schedule time with In Balance IT Solutions to walk through your current coding agent security plans, and register for the Summer Security Series to see runtime guardrails, agent red teaming, and MCP scanning in action. Reach out to your In Balance account team or visit our site to claim a seat. Bring your hardest questions. We will bring the red team.

Non-Human Identity Security: An Attack Surface You Can’t See

/in , /by

Eighty percent of breaches begin with identity. But most organizations are still treating identity as an access control problem — a gate to pass through — rather than an attack surface to monitor, baseline, and defend continuously.

When security practitioners talk about identity, they typically mean user authentication. MFA enforcement, password policy, privileged access management (PAM) — controls designed to keep the wrong person from logging in. That framing made sense when the identity surface was primarily human, but it no longer meets the challenge.

The modern enterprise identity fabric contains five distinct identity classes, most of which traditional IAM architectures were not designed to govern. Human accounts (the original target of identity controls) represent a shrinking fraction of the total identity population. Service accounts, machine identities, OAuth tokens, workload identities, and AI agent credentials collectively outnumber human accounts in most organizations, often by a ratio of 82 to 1. Most of them have elevated permissions. Almost none of them are behaviorally baselined. Many of them are never reviewed at all.

88%Of basic web application attacks used stolen credentials (Verizon DBIR 2025)
30%Of all incidents began with valid account abuse (IBM X-Force Threat Intelligence Index)
292 daysAverage to identify and contain a credential-based breach (IBM 2025)
82:1Machine-to-human identity ratio in typical enterprise environments (CyberArk 2025 Identity Security Landscape)

The five classes and why each is different

Human accounts carry the highest individual blast radius when compromised, particularly privileged accounts. But they also carry the most governance investment. MFA is widely deployed for human identities. Behavioral anomaly detection for humans exists in most mature security programs. While access over-provisioning is still a common occurrence, human identity management is not the biggest threat. The challenge is that human identity governance was built for a binary trust model (authenticate, then trust) rather than a continuous verification model.

Service accounts are the most commonly abused non-human identity class. They frequently carry far more permissions than their declared function requires, deployed against a broad permission set and rarely reviewed. In many organizations, many service accounts have never been audited after initial provisioning. Some are “owned” by systems, applications, or projects that no longer exist. These are orphan credentials with a blast radius that can include production environments.

OAuth tokens present a different problem. They are granted through consent flows that users rarely read carefully, often to third-party applications that acquire permissions far in excess of their stated function. Token scope right-sizing — auditing what each OAuth token is authorized to access versus what it actually needs — is not a standard organizational practice. It should be at least a weekly one.

Workload identities — the credentials used by cloud workloads, containers, and serverless functions — are particularly attractive targets because they often carry infrastructure-level permissions and are provisioned automatically at deploy time. The 2025 Salesloft Drift breach involved adversaries stealing OAuth tokens from a chatbot and using them to access hundreds of Salesforce instances (Google Threat Intelligence Group, 2025). A single compromised workload identity with over-privileged scope can become a cloudwide vulnerability and attack surface.

AI agent credentials are the newest class and the fastest growing. Every internal AI agent connected to production data or enterprise communication channels has an identity. That identity carries permissions. Those permissions are almost never JIT-scoped. As an example, an agent that has standing read access to the customer database for the purposes of feature testing that completed months ago is a standing attack surface. Those credentials are often never revoked because it is largely unmanaged.

The behavioral baseline is the prerequisite for everything

Every identity detection capability depends on an expected behavioral baseline, otherwise you can’t detect anomalous authentication behavior. You cannot detect a service account that is being abused for lateral movement if you have never mapped what that service account legitimately calls. Behavioral baselines are not just features of security tooling, they are data structures that must be deliberately built and continuously maintained.

For human identities, the baseline captures authentication timing patterns, device fingerprints, geographic access patterns, and the set of resources each identity normally accesses.

For machine identities, it captures which services each identity calls, at what frequency, and with what response patterns. Deviation from baseline can be the first indication of a malicious signature, and what enables detection of credential-based attacks that leave no malware behind.

“We have realized that AI Agents are synthetic identities. We have to identify them like we would a human. Authenticate them, scope what that agent can and should be able to do, and then maintain observability fine enough to detect anomalous behavior quickly.

— David Malcom, In Balance IT cybersecurity practice lead

JIT access and NHI lifecycle governance

Just-in-time access architecture eliminates standing privileges, which are the most exploitable condition in the enterprise identity fabric. Under JIT, credentials are issued per task, scoped to the minimum permissions required, and expire automatically on task completion. The standing attack surface is reduced to near zero because there are no standing permissions to compromise.

NHI lifecycle governance is the operational practice of tracking, rotating, right-sizing, and decommissioning non-human identities throughout their lifecycle. The target: All machine identities with active rotation, documented ownership, and current scope documentation. Given the increased attack surface and the machine speed threat actors, these tactics have become basic discipline, applied to a class of assets that most security teams have historically treated as invisible.

Identity as telemetry infrastructure

The identity fabric, when properly instrumented, is one of the most reliable sources of high-fidelity threat telemetry in the enterprise. Every authentication event, every privilege use, and every lateral movement attempt leaves a trace in identity logs.

The organizations that treat identity as a gate (validate credentials, grant access, stop watching) throw away this telemetry the moment the authentication succeeds. The organizations that treat identity as a battlefield collect and analyze that telemetry continuously because they understand that the authentication succeeding is not evidence that the session is safe.

ITDR — Identity Threat Detection and Response — is the operational program that turns identity telemetry into detection and containment capability. It is not a product category. It is a program that combines behavioral baselining, anomaly detection, and automated response across all five identity classes, continuously.

The identity question to ask this week

How many non-human identities does your organization currently have documented with active ownership, rotation schedules, and scope reviews? If the answer is a percentage below 90, the identity attack surface is larger than your security program currently addresses.

AI / Human Operating Model

Control Frameworks

Identity Protection

Data Protection (DLP) / Shadow AI

AI Agentic Controls

Cloud & Multi-cloud

Agentic SOC

API / AppSec

Continuous Compliance
Extended Controls & Metrics

About This Series

This post is the third in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape.

Post 1Why NIST, ISO 27001 & COBIT Can’t Keep Up With AI Threats

Post 2Agentic Adoption, the New Pattern for Cybersecurity

Agentic Adoption, the New Pattern for Cybersecurity

/in , /by

The question is not whether to automate security operations. The question is which decisions belong to machines, which belong to humans, and what happens when you get that boundary wrong in either direction.

There are two ways to get the human-machine boundary wrong in security operations. The first is keeping humans in every decision loop, ensuring that no action is taken without analyst review. Given the mean response times for detection and response within organizations is much longer than than the 29-minute adversary breakout times, these attacks can complete before containment begins. The second is removing humans from the decisions that require judgment and granting machines authority over ambiguous scenarios where the cost of a wrong decision is high. Both failures are common. Both should be considered cautionary tales.

The Adaptive Defense human-AI operating model is built around a single design principle: the right actor for each decision is determined by the speed at which that decision must be made and the degree of ambiguity it carries. Map every security operation onto those two axes, and four quadrants emerge, each with a different answer to the question of where the human sits.

The Four Quadrants

The first quadrant is machine autonomous. In this quadrant, the threat is high speed, low ambiguity. These decisions must be made in seconds and carry clear, well-bounded indicators. Examples include identity session revocation on confirmed anomaly breach, network micro-segmentation on high-confidence threat signals, and deception token triggers that lead to autonomous isolation. When the context is clear and the window is measured in seconds, human review is not a governance improvement, but rather a timing liability. The machine acts within approved thresholds; humans review outcomes, not decisions.

The second quadrant is human plus machine — high speed, high ambiguity. The machine surfaces context and generates a decision brief. The human decides, in under five minutes. Scenarios such as novel TTP alerts, insider threat signals, and lateral movement events carry genuine uncertainty that a confidence score cannot resolve. The analyst becomes a decision-maker, proactively informed by AI instrumentation. That is a fundamentally different role, and it requires a fundamentally different skill set. Over time, repeated responses to novel threats can be instrumented and moved into the autonomous quadrant as the threat becomes more defined.

The third quadrant is machine assisted, characterized by low speed and low ambiguity. Examples include vulnerability patch scheduling, AI-scored access certification reviews, and continuous compliance drift monitoring. The machine executes at scale; the human approves outcomes. This is where most practitioner bandwidth historically has been consumed and where automation returns the most working hours to higher-stakes work.

The fourth quadrant is solidly human. Low speed, high ambiguity. This is where operational posture is established. Security strategy and risk appetite. The governance of the autonomy boundary itself. The decisions about which actions machines are permitted to take. Board reporting and crisis decision-making. These cannot be delegated to a machine, not because the machine lacks capability, but because the accountability for these decisions cannot be delegated.

Quad 1 — Machine autonomousHigh speed • Low ambiguityReviews outcomes, not decisionsMTTC < 2 min
Quad 2 — Human + machineHigh speed • High ambiguityDecision-maker from machine briefAnalyst decision time < 5 min
Quad 3 — Machine assistedLow speed • Low ambiguityApproves outcomes at scaleNHI lifecycle compliance > 92%
Quad 4 — Human ledLow speed • High ambiguityOwns the decision and its accountabilityQuarterly boundary review

The Skill Gap the Industry is Not Talking About

The operating model requires three competency profiles that did not exist as distinct disciplines five years ago in the SOC landscape. Security AI Engineers build, train, and adversarially red-team the detection and response models. They own the confidence scoring model and threshold calibration. The critical question they must be able to answer is not “Does the model work?” but “Can this model be evaded? Is the training data poisoned? Do the false positive rates hold at 3 a.m. on a Sunday?”

Identity Security Architects treat the full identity fabric — human accounts, machine identities, service principals, OAuth tokens, AI agent credentials — as a living attack surface to be modeled, monitored, and minimized continuously. Not managed periodically. Not reviewed quarterly. Continuously.

Agentic SecOps Leads design the autonomous playbook library, define the thresholds for machine action, manage human escalation paths, and conduct tabletop exercises on human-machine handoff points. This role carries a specific authority that no previous security role has carried: the authority to adjust the autonomy boundary under operational pressure. That authority must be explicitly documented because the organization that grants machines the ability to take autonomous action must have a human who is accountable for where that line sits.

“Cybersecurity has become an agentic arena, and there is no shortage of technology and platforms to ‘fight fire with fire.’ But for many organizations, this is new muscle. The Human-AI operating model helps our customers rationalize where, how, and how much to instrument for autonomous operation, and how to evolve as the organization matures.”

— David Malcom, In Balance IT cybersecurity practice lead

The Override Rate as a Calibration Signal

One of the most underappreciated metrics in the operating model is the analyst override rate — the percentage of machine-recommended actions that analysts reverse or modify. The target is 5 to 15 percent. Below 5 percent, analysts are rubber-stamping machine decisions without genuine review; the human governance layer has become theater. Above 15 percent, the confidence model is mismatched — machines are making recommendations that trained practitioners routinely reject.

The override rate is not primarily a performance metric for the AI system. It is a calibration signal for the boundary between Quadrant 1 and 2. When override rates drift above the threshold, it is evidence that actions classified as machine-autonomous carry more ambiguity than the model accounts for — and the boundary needs to move.

The Governance Infrastructure That Makes Autonomy Safe

Every autonomous action must carry a reasoning chain, a confidence score, a timestamp, and a reference to the governance policy that authorized it. This is the evidentiary foundation that makes machine-speed defense auditable. When a machine revokes an identity session in 60 seconds, the organization must be able to show the regulator exactly why, under what authority, and with what evidence. If it cannot, it will face a choice between moving fast or staying compliant. With the right governance infrastructure, it does not have to choose.

The autonomy boundary review is a quarterly minimum, not an annual obligation. In a threat environment that evolves on a weekly cadence, a governance policy that has not been reviewed in six months is already stale. The Agentic SecOps Lead is accountable for triggering a review within 30 days of any material threat landscape change or any autonomous incident that produced an unexpected outcome.

The Velocity Gap is Not Optional

Organizations that maintain fully human-gated security operations in 2026 are not making a conservative choice. They are opting out of the fight. Adversary breakout timelines do not pause for analyst availability. Technology will always promise outcomes, but a bad actor only has to be right once to be successful. Adoption and maturity of agentic operations will determine how an organization prevents and responds over time to novel threats.

The question is not whether to adopt the operating model, but whether to adopt it before or after the incident that makes the case for change unmistakably clear.

AI / Human Operating Model

Control Frameworks

Identity Protection

Data Protection (DLP) / Shadow AI

AI Agentic Controls

Cloud & Multi-cloud

Agentic SOC

API / AppSec

Continuous Compliance
Extended Controls & Metrics

About This Series

This post is the second in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape.

Post 1Why NIST, ISO 27001 & COBIT Can’t Keep Up With AI Threats

Post 3Non-Human Identity Security: An Attack Surface You Can’t See

Why NIST, ISO 27001 & COBIT Can’t Keep Up With AI Threats

/in , /by

Every year, security teams across the world complete their NIST CSF assessments, renew their ISO 27001 certifications, and report green on their COBIT dashboards. Every year, the same teams get breached. The uncomfortable truth is that these two facts are not contradictory but reflect the disconnect between the systemic approach of traditional frameworks and the “controlled chaos” of real-world cybersecurity. The foundational frameworks upon which most governance and compliance systems are based were designed for a threat landscape that no longer exists.

NIST CSF was first published in 2014. ISO 27001 was substantially revised in 2013 and updated in 2022. COBIT 2019 reflects governance thinking from the same decade. All of them were designed, and supplemented through consortiums, around a set of assumptions about how adversaries operate. These assumptions were reasonable at the time, but are structurally lacking for today’s threat landscape.

Key Failings of Traditional Control Frameworks

Time Compression: The traditional frameworks assume human-speed adversaries. The 2014 threat model imagined attack cycles measured in days or weeks, long enough for human escalation chains, and quarterly assessments to reflect capability. In 2025, the average adversary breakout time (the interval between initial access and lateral movement) fell to 29 minutes, according to CrowdStrike’s 2026 Global Threat Report. The fastest recorded breakout was 27 seconds. The threat is happening before the time check.

Identity as an Attack Surface: The frameworks assume identity is a binary gate. Valid credential equals trusted session. MFA plus least-privilege forms the perimeter. The Verizon 2025 Data Breach Investigations Report found that 88% of basic web application attacks used stolen credentials. The IBM X-Force Threat Intelligence Index 2025 found that valid account abuse was the initial access vector in 30% of all incidents. The gate model fails when the attacker already has the key.

“As someone who has led an Audit practice, our expectation of access management controls were ensuring management performed a quarterly re-certification of user access and ensuring that the findings identified in the previous quarter had been actioned…this wasn’t a very effective control then, and it certainly isn’t an effective control now. The threats are using valid credentials and moving (if they choose) in minutes.”

— David Malcom, In Balance IT cybersecurity practice lead

Speed vs. Human Intervention: The frameworks assumed humans would be the actors, through SIEM correlation rules, analyst triage, and escalation chains, in time to intercept bad actors. That assumption fails against attackers who enter through valid credentials, lie in wait, move laterally and recon-to-exfiltration at machine speed before an analyst can respond.

29 minutes
Average adversary breakout time, 2025 (CrowdStrike, 2026)
27 seconds
Fastest recorded breakout time, 2025 (CrowdStrike, 2026)
82%
Of 2025 intrusions were malware-free — attackers log in, not break in (CrowdStrike)
241 days
Average breach lifecycle, 2025 (IBM Cost of a Data Breach Report)

The metrics are real, and so are the threats. You cannot document your way out of a timing gap. If your mean time to contain is four hours and an adversary’s kill chain completes in four minutes, no control framework revision closes that gap. It is a physics problem that requires operational solutions, and those solutions are (at least in part) the agentic capabilities required to detect and respond in the real world.

What Adaptive Defense Does Differently

Adaptive Defense recognizes that there is no “steady state” in cybersecurity. The investment organizations have made in traditional frameworks (NIST, ISO, COBIT) has value, but those control frameworks need to be extended and activated by mapping every framework control to real-time operational capabilities that operate at adversarial speeds rather than audit cadence.

The prime directive for any security leader should not be “are we compliant?”, but “at current mean time to contain, how many adversarial kill chains complete in our environment in a 24-hour window before we intercept them?” Most organizations have never answered that question. The answer, when measured, is the business case for everything that follows.

The rest of this series works through the specific attack surfaces and operating disciplines where the framework gap is widest, and what closing it looks like in practice.

AI / Human Operating Model

Control Frameworks

Identity Protection

Data Protection (DLP) / Shadow AI

AI Agentic Controls

Cloud & Multi-cloud

Agentic SOC

API / AppSec

Continuous Compliance
Extended Controls & Metrics

About This Series

This post is the first in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape.

Post 2Agentic Adoption, the New Pattern for Cybersecurity

Post 3Non-Human Identity Security: An Attack Surface You Can’t See

An image of shield with a lock demonstrating adaptive defense.

The Stryker Wakeup Call: Building an Adaptive Defense for the Age of Destructive Attacks

/in /by

On March 11, 2026, employees at Stryker Corporation arrived at work to find their laptops, phones, and desktops wiped clean. Login screens displayed the logo of Handala, an Iranian government-linked hacker group. Stryker is a Fortune 500 medical technology company with 56,000 employees, $25 billion in annual revenue, and operations across 61 countries.

This was not ransomware. It was a deliberate wiper attack designed for pure destruction.

According to reporting from KrebsOnSecurity and Cybersecurity Dive, attackers compromised Stryker’s Microsoft Intune environment and used global administrator privileges to issue a mass remote wipe command. At 3:30 a.m. EST, about 200,000 employee devices were factory-reset before anyone could respond. Offices in 79 countries went offline. Manufacturing, electronic ordering, and shipping systems went dark. Leaders in Ireland sent staff home and resorted to WhatsApp for basic coordination. Stryker filed an 8-K with the SEC, and CISA launched a formal investigation.

No traditional malware was deployed. The attackers used Stryker’s own enterprise management tools against it — a textbook living-off-the-land attack executed at devastating scale. As one security expert noted, when an attacker gains global administrator privileges, they can execute absolute destruction in minutes that takes months to repair.

Beyond Frameworks: Building an Adaptive Defense

We operate in an industry reliant on security frameworks like NIST and CIS that reflect traditional program maturity, but not the capability to defend against the shifting tactics of modern adversaries. In an era where nation-state actors move at machine speed, organizations need a defense strategy that adapts to the current threat landscape rather than checking boxes against historical standards. At In Balance IT Solutions, we call this Adaptive Defense.

Here are five tactical areas every organization should evaluate, and how In Balance can help:

1. Intune and Endpoint Management Health Checks. The Stryker attack effectively weaponized a device management platform. In this case, threat actors exploited global administrator roles, a practice Microsoft’s own documentation explicitly warns against for daily Intune management. Best practices — and Microsoft’s recommendations — advocate for least-privilege role assignments, Privileged Identity Management (PIM) for just-in-time elevation, phishing-resistant MFA, and Multi-Admin Approval for high-impact actions like bulk device wipes. These concepts are not new, but the frequently erode as organizations, workforces, and security policies evolve.

Action: In Balance offers Intune Health Check services that audit your configuration against these practices and ensure no single credential can trigger organization-wide destruction.

2. Identity Recovery Solutions. When a wiper attack takes out your environment, the first thing you need to rebuild is identity. Without Active Directory and Entra ID, nothing else comes back online. Users cannot authenticate, applications cannot authorize, and recovery stalls at the starting line. Understanding how long the threat actor has been active in the environment and being able to recover/restore cleanly from a point in time is a crucial but overlooked aspect of identity management and backup/recovery solutions.

Action: Solutions like Rubrik Identity Recovery and Semperis Active Directory Forest Recovery restore your identity infrastructure from known-good, validated backups independent of the compromised environment.

3. Data Resilience and Accelerated Recovery. Stryker’s employees were sent back to pen and paper. Having backups is a necessary component of a recovery strategy, but business continuity is much more nuanced. When you need to rehydrate terabytes or petabytes of data across a global footprint, recovery becomes a physics problem. Organizations need tiered, contingent, and orchestrated recovery and continuity strategies and solutions that accelerate the restoration process to minimize the window between incident and operational recovery.

Action: In Balance offers workshops to illustrate and derive recovery strategies that go beyond restoring technical systems, but address business continuity and contingencies. We then help our customers test, validate and improve these strategies through pen testing, tabletop exercises, and simulations that prepare our customers for various scenarios.

4. Agentic SOC and Integrated Threat Detection. The Stryker attackers used legitimate admin tools through authorized credentials, which means traditional endpoint detection would not have flagged the initial activity. Most organizations have a SIEM, an EDR platform, and an identity provider that operate in silos. With threat actors using modern “living-off-the-land” techniques, organizations need to integrate their detection capabilities to identify threats at the source rather than waiting for alerts to propagate through a pipeline.

Action: Agentic platforms like BlinkOps offer machine speed security automation that correlates signals across your entire stack and triggers response workflows in seconds.

5. Policies, Governance, and Tabletop Exercises. The least glamorous recommendation and arguably the most important. Is your organization prepared for a scenario where every corporate device is wiped simultaneously? Do your teams know who to call if Teams and email are both down and their phones have been wiped? Have you conducted a tabletop that simulates total endpoint loss, not just ransomware encryption? Stryker was reduced to WhatsApp and personal phones for basic coordination.

Action: In Balance helps organizations build, document, and pressure-test their incident response and business continuity plans so that when the worst comes, the response is rehearsed rather than improvised.

The Threat Landscape Has Changed. Has Your Defense?

The Stryker attack is a signal, not an anomaly. Compliance frameworks tell you where you have been. Adaptive Defense prepares you for where the threat is going and can extend and activate traditional control frameworks to achieve both compliance AND cybersecurity.

If your organization is ready to evaluate its readiness across endpoint management, identity recovery, data resilience, threat detection, and incident response, In Balance IT Solutions is ready to help. Reach out to us today.

Michael Caplan is the Chief Technology Officer for In Balance IT Solutions.

Image describing identity as the new perimeter of cybersecurity

Identity is the New Perimeter: 4 Lessons from the 2026 CrowdStrike Global Threat Report

/in /by

Hackers used to break in. Now they just log in. That stark warning comes directly from CrowdStrike via the 2026 Global Threat Report, which details a fundamental shift in adversary tradecraft: the defenses most organizations spent the last decade building are becoming obsolete in real-time.

For years, the cybersecurity conversation centered on malware: ransomware, trojan horses, and viruses. In response, we built formidable walls:

  • Advanced antivirus software
  • Endpoint Detection and Response (EDR)
  • Robust email filtering

While these tools remain essential, adversaries have pivoted. Today, 82% of detected security threats are malware-free. Rather than deploying malicious code that’s detected and blocked by modern endpoint protection tools, attackers are using your own employees’ credentials. Valid credentials, trusted authentication methods and approved SaaS integrations allow adversaries to breach and move laterally across your network.

The CISO’s Reality: From the perspective of your monitoring tools, an attacker with a legitimate set of credentials isn’t a threat — they’re just a user finishing their Tuesday to-do list.

These attack methods provide staggering results. The average breakout time — the window between initial access and first lateral movement — has plummeted:

  • 2023: 98 minutes
  • 2024: 48 minutes
  • 2025: 29 minutes

In one example, the adversary began exfiltrating data within four minutes of obtaining initial access. Most security teams can’t even open a ticket in four minutes, let alone contain a live intrusion.

The Evasive Adversary’s Playbook

The speed with which attackers are moving is headline-grabbing, but it is a distraction from the more important story: the method. The fundamental way adversaries enter your network has changed, and it has everything to do with identity.

CrowdStrike refers to 2025 as “the year of the evasive adversary,” where the defining characteristic of an attack is the exploitation of trust. By pivoting away from malware, cybercriminals now move through authorized pathways and trusted systems using valid employee credentials.

This activity blends in perfectly with normal network traffic, which is why modern identity attacks are so difficult to stop:

  • No malware to flag: Attackers don’t need to use malware when they’re able to log directly into your systems.
  • Authorized pathways: Attackers use the same SaaS integrations and VPNs your employees use daily.
  • The “User” Illusion: From the vantage point of your security tools, an attacker with a legitimate set of credentials isn’t a threat — they are the user.

This is the core of the modern identity crisis. When an attack looks identical to a standard login, the traditional security posture of detecting malicious code fails by design. We aren’t just fighting a faster enemy; we’re fighting one that is wearing our own uniform. This shift fundamentally changes the nature of the security mechanisms necessary to identify adversarial activity. We’re no longer relying on our endpoint detection systems to identify malicious software. Instead, we need behavioral analytics capable of identifying anomalous behavior performed by seemingly authorized users.

AI Is Changing the Game — For Attackers

While organizations leverage AI for productivity, cybercriminals are using it to become more efficient and create more sophisticated attack patterns. The number of adversaries utilizing AI in 2025 grew by 89% year-over-year, creating a shift in the threat landscape.

This evolution manifests in three primary ways:

  • The End of the “Obvious” Phish: Social engineering — the phishing emails, vishing calls, and fake IT help desk scenarios used to harvest credentials — is now more personalized and far easier to scale. AI has lowered the skill level necessary to commit cybercrime and provides less sophisticated actors with the tools necessary to execute more convincing campaigns that previously could only be performed by elite attackers.
  • Prompt Injection as an Entry Vector: In 2025, at least 90 organizations were compromised when adversaries injected malicious prompts into legitimate GenAI tools. These “jailbroken” prompts forced corporate AI to generate commands for stealing credentials and cryptocurrency.
  • Infrastructure as an Attack Surface: Beyond just using AI, attackers are targeting the AI development platforms themselves. By exploiting vulnerabilities in these environments, they establish persistent footholds and deploy ransomware, turning the tools your employees use daily into a new, unmonitored attack surface.

The Identity Sprawl Problem

The technology and identity footprint of the modern enterprise continues to sprawl. And given the ease with which an employee can procure a SaaS subscription with a corporate credit card, there is no end in sight.

This sprawl creates massive visibility gaps, turning what should be a unified defense into a fragmented collection of access controls that are easily exploitable. Identity no longer lives in one place; it lives in Active Directory, Entra ID, Okta, and dozens of additional SaaS platforms simultaneously.

As credentials get cached, reused, and shared across these systems, each connection point becomes a seam. In a world of identity-based attacks, these seams are the primary targets. Attackers are experts at finding them, pulling at the threads where one system ends and another begins until the entire fabric of your security posture unravels.

The Core Problem: Credentials Are Not Identity

We’ve now reached the point where the 2026 report provides something deeper than a tactical threat update – it challenges the entire way we think about authentication.

Traditional authentication factors verify credentials, not people.

  • A password proves that someone knew the password.
  • A time-based one-time password (TOTP) proves that someone possessed the device.

But neither proves that the person doing the authenticating is actually the authorized employee — and that distinction is where the entire modern identity attack pattern lives.

An account is not a person. You need to know that the person behind the action is the right person. That principle becomes even more urgent as Agentic AI is introduced into enterprise workflows. The acceleration of these “digital workers” creates additional opportunities for threat actors to exploit poorly managed Agent credentials and over-privileged Agent identities.

When AI Agents can autonomously act on behalf of users, the identity question is further compounded. Who is providing the authorization that is actually driving that action? If we cannot distinguish between a person, a legitimate agent, and an adversary, our security model effectively collapses.

What This Means for Your Organization’s Cyber Defense

The implications of CrowdStrike’s findings are disastrous for many organizations’ existing security strategies. Most identity security strategies rely on SIEM alerts, anomaly detection, and behavioral analytics to detect compromised identities. The problem is that these are all reactive capabilities. Static signatures and isolated endpoint detection systems cannot keep pace with adversaries whose actions mirror normal user activity.

While some are difficult to execute, the takeaways from the report are straightforward:

  • Treat account recovery as a primary attack surface. Password resets, helpdesk verification, and backup MFA methods often represent the weakest links in an otherwise strong identity posture. Review these activities with the same rigor as your primary authentication paths.
  • Stop assuming your detections work. Only cross-domain detection controls can identify the attack chains that move from identity providers to SaaS logs to cloud infrastructure. Because most organizations silo their detection capabilities, adversaries easily operate unnoticed across systems.
  • Start assuming adversaries will use AI against you. Phishing, vishing, and credential harvesting attempts have become more convincing with the assistance of AI. Yesterday’s security awareness training fails to address today’s threats.
  • Get ahead of Agentic AI risk now. Organizations must design authorization models that match the specific risks of AI Agents rather than allowing them to inherit the permissions of the human accounts that provisioned them.

Conclusion

While I strongly urge all cybersecurity professionals to read the full 2026 CrowdStrike Global Threat Report, the most important message is this:

Intrusions now move through trusted identities, SaaS applications, and cloud infrastructure, bypassing traditional detection capabilities by blending in with normal user activity, and thereby reducing an organization’s time to respond.

The window to act is shrinking. The methods being used against you are increasingly invisible. And the assumption that you’ll catch your attackers’ actions after they happen is the one that adversaries are counting on the most.

The CrowdStrike 2026 Global Threat Report is available for download at crowdstrike.com. The report covers threat intelligence and adversary tradecraft observed across CrowdStrike’s global customer base throughout 2025.