Identity is the New Perimeter: 4 Lessons from the 2026 CrowdStrike Global Threat Report

Hackers used to break in. Now they just log in. That stark warning comes directly from CrowdStrike via the 2026 Global Threat Report, which details a fundamental shift in adversary tradecraft: the defenses most organizations spent the last decade building are becoming obsolete in real time.

For years, the cybersecurity conversation centered on malware: ransomware, trojan horses, and viruses. In response, we built formidable walls:

  • Advanced antivirus software
  • Endpoint Detection and Response (EDR)
  • Robust email filtering

While these tools remain essential, adversaries have pivoted. Today, 82% of detected security threats are malware-free. Rather than deploying malicious code that’s detected and blocked by modern endpoint protection tools, attackers are using your own employees’ credentials. Valid credentials, trusted authentication methods and approved SaaS integrations allow adversaries to breach and move laterally across your network.

The CISO’s Reality: From the perspective of your monitoring tools, an attacker with a legitimate set of credentials isn’t a threat — they’re just a user finishing their Tuesday to-do list.

These attack methods provide staggering results. The average breakout time — the window between initial access and first lateral movement — has plummeted:

  • 2023: 98 minutes
  • 2024: 48 minutes
  • 2025: 29 minutes

In one example, the adversary began exfiltrating data within four minutes of obtaining initial access. Most security teams can’t even open a ticket in four minutes, let alone contain a live intrusion.

The Evasive Adversary’s Playbook

The speed with which attackers are moving is headline-grabbing, but it is a distraction from the more important story: the method. The fundamental way adversaries enter your network has changed, and it has everything to do with identity.

CrowdStrike refers to 2025 as “the year of the evasive adversary,” where the defining characteristic of an attack is the exploitation of trust. By pivoting away from malware, cybercriminals now move through authorized pathways and trusted systems using valid employee credentials.

This activity blends in perfectly with normal network traffic, which is why modern identity attacks are so difficult to stop:

  • No malware to flag: Attackers don’t need to use malware when they’re able to log directly into your systems.
  • Authorized pathways: Attackers use the same SaaS integrations and VPNs your employees use daily.
  • The “User” Illusion: From the vantage point of your security tools, an attacker with a legitimate set of credentials isn’t a threat — they are the user.

This is the core of the modern identity crisis. When an attack looks identical to a standard login, the traditional security posture of detecting malicious code fails by design. We aren’t just fighting a faster enemy; we’re fighting one that is wearing our own uniform. This shift fundamentally changes the nature of the security mechanisms necessary to identify adversarial activity. We’re no longer relying on our endpoint detection systems to identify malicious software. Instead, we need behavioral analytics capable of identifying anomalous behavior performed by seemingly authorized users.

AI Is Changing the Game — For Attackers

While organizations leverage AI for productivity, cybercriminals are using it to become more efficient and create more sophisticated attack patterns. The number of adversaries utilizing AI in 2025 grew by 89% year-over-year, creating a shift in the threat landscape.

This evolution manifests in three primary ways:

  • The End of the “Obvious” Phish: Social engineering — the phishing emails, vishing calls, and fake IT help desk scenarios used to harvest credentials — is now more personalized and far easier to scale. AI has lowered the skill level necessary to commit cybercrime and provides less sophisticated actors with the tools necessary to execute more convincing campaigns that previously could only be performed by elite attackers.
  • Prompt Injection as an Entry Vector: In 2025, at least 90 organizations were compromised when adversaries injected malicious prompts into legitimate GenAI tools. These “jailbroken” prompts forced corporate AI to generate commands for stealing credentials and cryptocurrency.
  • Infrastructure as an Attack Surface: Beyond just using AI, attackers are targeting the AI development platforms themselves. By exploiting vulnerabilities in these environments, they establish persistent footholds and deploy ransomware, turning the tools your employees use daily into a new, unmonitored attack surface.

The Identity Sprawl Problem

The technology and identity footprint of the modern enterprise continues to sprawl. And given the ease with which an employee can procure a SaaS subscription with a corporate credit card, there is no end in sight.

This sprawl creates massive visibility gaps, turning what should be a unified defense into a fragmented collection of access controls that are easily exploitable. Identity no longer lives in one place; it lives in Active Directory, Entra ID, Okta, and dozens of additional SaaS platforms simultaneously.

As credentials get cached, reused, and shared across these systems, each connection point becomes a seam. In a world of identity-based attacks, these seams are the primary targets. Attackers are experts at finding them, pulling at the threads where one system ends and another begins until the entire fabric of your security posture unravels.

The Core Problem: Credentials Are Not Identity

We’ve now reached the point where the 2026 report provides something deeper than a tactical threat update: it challenges the entire way we think about authentication.

Traditional authentication factors verify credentials, not people.

  • A password proves that someone knew the password.
  • A time-based one-time password (TOTP) proves that someone possessed the device.

But neither proves that the person doing the authenticating is actually the authorized employee — and that distinction is where the entire modern identity attack pattern lives.

An account is not a person. You need to know that the person behind the action is the right person. That principle becomes even more urgent as Agentic AI is introduced into enterprise workflows. The acceleration of these “digital workers” creates additional opportunities for threat actors to exploit poorly managed Agent credentials and over-privileged Agent identities.

When AI Agents can autonomously act on behalf of users, the identity question is further compounded. Who is providing the authorization that is actually driving that action? If we cannot distinguish between a person, a legitimate agent, and an adversary, our security model effectively collapses.

What This Means for Your Organization’s Cyber Defense

The implications of CrowdStrike’s findings are disastrous for many organizations’ existing security strategies. Most identity security strategies rely on SIEM alerts, anomaly detection, and behavioral analytics to detect compromised identities. The problem is that these are all reactive capabilities. Static signatures and isolated endpoint detection systems cannot keep pace with adversaries whose actions mirror normal user activity.

While some are difficult to put into practice, the takeaways from the report are straightforward:

  • Treat account recovery as a primary attack surface. Password resets, helpdesk verification, and backup MFA methods often represent the weakest links in an otherwise strong identity posture. Review these activities with the same rigor as your primary authentication paths.
  • Stop assuming your detections work. Only cross-domain detection controls can identify the attack chains that move from identity providers to SaaS logs to cloud infrastructure. Because most organizations silo their detection capabilities, adversaries easily operate unnoticed across systems.
  • Start assuming adversaries will use AI against you. Phishing, vishing, and credential harvesting attempts have become more convincing with the assistance of AI. Yesterday’s security awareness training fails to address today’s threats.
  • Get ahead of Agentic AI risk now. Organizations must design authorization models that match the specific risks of AI Agents rather than allowing them to inherit the permissions of the human accounts that provisioned them.
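The second takeaway (cross-domain detection from identity provider to SaaS to cloud) and the behavioral analytics called for earlier can be illustrated with a small correlation routine. This is an added example, not code from CrowdStrike or the report; the log events, the field names of each source and the baseline of known IPs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BREAKOUT_WINDOW = timedelta(minutes=29)  # 2025 average breakout time cited in the report

# Constructed sample logs. Field names are assumptions, not any vendor's real schema.
IDP_EVENTS = [  # identity provider: logins
    {"ts": "2025-06-03T09:00:10Z", "actor": "jdoe@example.com", "ip": "203.0.113.7", "event": "session.start"},
    {"ts": "2025-06-03T09:02:00Z", "actor": "asmith@example.com", "ip": "198.51.100.4", "event": "session.start"},
]
SAAS_EVENTS = [  # file-sharing app: user activity
    {"ts": "2025-06-03T09:06:30Z", "user": "jdoe@example.com", "ip": "203.0.113.7", "action": "files.bulk_download"},
    {"ts": "2025-06-03T09:40:00Z", "user": "asmith@example.com", "ip": "198.51.100.4", "action": "document.view"},
]
CLOUD_EVENTS = [  # cloud control plane: API calls
    {"ts": "2025-06-03T09:11:05Z", "principal": "jdoe@example.com", "ip": "203.0.113.7", "api": "iam:CreateAccessKey"},
]
# IPs the identity provider has previously seen for each user (constructed baseline).
KNOWN_IPS = {"jdoe@example.com": {"192.0.2.10"}, "asmith@example.com": {"198.51.100.4"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(idp, saas, cloud):
    """Map three different schemas onto one shape keyed by the person, not the account."""
    out = [{"user": e["actor"], "domain": "idp", "ts": _ts(e["ts"]), "ip": e["ip"], "action": e["event"]} for e in idp]
    out += [{"user": e["user"], "domain": "saas", "ts": _ts(e["ts"]), "ip": e["ip"], "action": e["action"]} for e in saas]
    out += [{"user": e["principal"], "domain": "cloud", "ts": _ts(e["ts"]), "ip": e["ip"], "action": e["api"]} for e in cloud]
    return sorted(out, key=lambda e: e["ts"])


def detect_cross_domain_chains(events, known_ips, window=BREAKOUT_WINDOW):
    """Flag a login from an IP never seen for that user that is followed, inside the breakout
    window, by activity in all three domains. Each event alone looks like a normal user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():  # evs keep global time order
        for i, login in enumerate(evs):
            if login["domain"] != "idp" or login["ip"] in known_ips.get(user, set()):
                continue
            chain = [e for e in evs[i:] if e["ts"] - login["ts"] <= window]
            domains = {e["domain"] for e in chain}
            if len(domains) >= 3:  # idp -> saas -> cloud: the full chain the report describes
                span = int((chain[-1]["ts"] - login["ts"]).total_seconds() // 60)
                findings.append({"user": user, "ip": login["ip"], "minutes": span,
                                 "actions": [e["action"] for e in chain]})
    return findings
```

Run against the constructed events, only jdoe is flagged: a login from an unseen IP followed by a SaaS bulk download and a cloud key creation within ten minutes, while asmith's SaaS activity from a known IP produces nothing.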

Conclusion

While I strongly urge all cybersecurity professionals to read the full 2026 CrowdStrike Global Threat Report, the most important message is this:

Intrusions now move through trusted identities, SaaS applications, and cloud infrastructure, bypassing traditional detection capabilities by blending in with normal user activity, and thereby reducing an organization’s time to respond.

The window to act is shrinking. The methods being used against you are increasingly invisible. And the assumption that you’ll catch your attackers’ actions after they happen is the one that adversaries are counting on the most.


The CrowdStrike 2026 Global Threat Report is available for download at crowdstrike.com. The report covers threat intelligence and adversary tradecraft observed across CrowdStrike’s global customer base throughout 2025.