
    Why your SOC playbook should include ID-centric detection? 

By Nikhil, December 17, 2025

The number of incidents involving stolen credentials in 2025 is, to quote an ancient meme, “too damn high.” A Check Point report cites a 160% increase in compromised credentials between 2024 and 2025. In addition, Verizon’s Data Breach Investigations Report finds that a staggering 22% of breaches involved credential abuse. Here is another list of major incidents in 2025, many involving credentials. A bombastic sentence worthy of an AI, complete with the em dash, explains the situation perfectly: the real blast radius is no longer just a compromised endpoint or a vulnerable server – it’s a compromised identity. And this is why SOC playbooks, which have revolved around endpoints, networks, and malware families for years, are now also incorporating identity-centric detections.

    This move has been needed for a long time. Identity-led incidents are more insidious, as attackers can simply log in with stolen or abused credentials, or exploit weaknesses in federated identity, session tokens, and OAuth permissions. They blend seamlessly with normal user behavior, performing actions that look legitimate on the surface, such as modifying authentication methods, granting permissions to new SaaS apps, or adjusting privilege levels inside Active Directory or cloud identity providers. 

This insidious nature is particularly dangerous in today’s environments. The perimeter has vanished, and a lot of business-critical activity, security included, is performed through third-party tools. This is where user behavior analytics and identity security posture signals come in. They provide continuous insight into how identities operate, what normal activity looks like, and when deviations indicate emerging risk. While they are not the only sources of security telemetry, they are the most consistently accurate for detecting identity-driven anomalies before those anomalies escalate into something far more damaging.

Another angle we must consider is that of the attack methods themselves. We have already described how identity theft allows a much easier intrusion than the time and money spent scanning for vulnerabilities and developing malicious software. You don’t have to intrude, move laterally, and then pounce. In addition, there is much less chance of an early warning in the infrastructure layer: there is no way to detect the threat until detonation.

    Another key change is the shift towards exploiting processes over vulnerabilities.  Attackers now leverage forgotten automation scripts, misconfigured service principals, shadow IT SaaS apps, and residual admin privileges granted years ago for migration projects that nobody remembers, instead of developing malicious software. These are not security bugs; they are business artifacts. SOCs historically ignored identity anomalies because they looked operational, not malicious. Today, those “operational anomalies” are the new intrusion paths. The most efficient way to compromise a modern enterprise is not to breach a server but to impersonate a process. Identity logs are the only place where this impersonation is visible. 

Another factor is, yes, the most obvious one: AI. AI is a double-edged weapon. It helps SOCs detect possible attacks in progress, and it also gives bad actors a tool that lets them launch attacks at machine speed, with self-correcting and increasingly sophisticated capabilities. Bad actors can now perform MFA bombing, token replay, OAuth consent phishing, and API-based privilege escalation with precision and speed far beyond human reaction times. These attacks blend into the background noise of identity activity: failed logins that look like typing errors, silent enrolment of new authentication factors that looks like a legitimate recovery event, and seemingly benign service-to-service OAuth grants. Infrastructure tools were not built to distinguish these micro-signals because they never occurred at such micro-levels.

    Another problem is connected with governance. Many enterprises have accumulated years of identity sprawl, which include inactive accounts, over-privileged service identities, unmonitored third-party integrations, and loosely governed entitlements. Attackers look for and exploit this governance debt first over any technical flaw. 

Another point heavily in favor of identity is that, unlike infrastructure telemetry, identity analysis is uniform across different types of systems. Endpoint telemetry, network telemetry, and cloud telemetry all produce incompatible data types. Identity, however, touches all systems uniformly. Every action, whether it involves a Kubernetes cluster, a CRM system, or a SaaS HR platform, ultimately resolves to an identity making a request. This universality allows SOCs to correlate activity across environments that previously required specialized tooling.
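One way the identity-keyed correlation described here can look in practice, covering both the micro-signals above (MFA bombing, silent factor enrolment, OAuth grants) and the point that every source resolves to an identity. This is an added example, not code from the post or from any vendor listed below: events from Okta, Entra ID and Kubernetes audit are reduced to a constructed common shape, grouped by identity, and two rules fire on push fatigue followed by an approval and on persistence-style changes from any source shortly after. The event schema, sample data, thresholds and rule names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from Okta, Entra ID and Kubernetes audit, normalised to one
# assumed shape: (timestamp, identity, source, action, detail). Schema, data and
# thresholds are assumptions for this example, not any vendor's format.
EVENTS = [
    ("2025-12-17T08:00:05", "a.lee@corp.example", "okta", "mfa_push_denied", "push-1"),
    ("2025-12-17T08:00:40", "a.lee@corp.example", "okta", "mfa_push_denied", "push-2"),
    ("2025-12-17T08:01:10", "a.lee@corp.example", "okta", "mfa_push_denied", "push-3"),
    ("2025-12-17T08:01:55", "a.lee@corp.example", "okta", "mfa_push_approved", "push-4"),
    ("2025-12-17T08:02:30", "a.lee@corp.example", "entra", "auth_method_added", "authenticator-app"),
    ("2025-12-17T08:05:00", "a.lee@corp.example", "entra", "oauth_consent", "app=mail-helper scopes=Mail.Read,offline_access"),
    ("2025-12-17T08:20:00", "a.lee@corp.example", "k8s", "rolebinding_created", "cluster-admin"),
    ("2025-12-17T09:15:00", "svc-migrate", "k8s", "rolebinding_created", "cluster-admin"),
    ("2025-12-17T09:30:00", "b.chan@corp.example", "okta", "mfa_push_denied", "push-9"),
    ("2025-12-17T09:31:00", "b.chan@corp.example", "okta", "mfa_push_approved", "push-10"),
]
# Changes that hand an attacker persistence or privilege once a session is obtained.
PERSISTENCE_ACTIONS = {"auth_method_added", "oauth_consent", "rolebinding_created"}

def detect(events, min_denials=3, fatigue_window=timedelta(minutes=10),
           followup_window=timedelta(hours=1)):
    """Return (identity, rule, evidence) findings, correlated purely on identity.
    mfa_fatigue_approval: approved push after >= min_denials denials in fatigue_window.
    persistence_after_suspicious_signin: any PERSISTENCE_ACTIONS event, from any source,
    within followup_window of that identity's fatigue hit."""
    by_identity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_identity[ev[1]].append(ev)
    findings = []
    for identity, evs in by_identity.items():
        fatigue_at = None
        for i, (ts, _, source, action, detail) in enumerate(evs):
            t = datetime.fromisoformat(ts)
            if action == "mfa_push_approved":
                denials = [e for e in evs[:i] if e[3] == "mfa_push_denied"
                           and t - datetime.fromisoformat(e[0]) <= fatigue_window]
                if len(denials) >= min_denials:
                    fatigue_at = t
                    findings.append((identity, "mfa_fatigue_approval",
                                     f"{len(denials)} denied pushes, then approval at {ts}"))
            elif (action in PERSISTENCE_ACTIONS and fatigue_at is not None
                    and t - fatigue_at <= followup_window):
                findings.append((identity, "persistence_after_suspicious_signin",
                                 f"{source}:{action} {detail}"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding, sep=" | ")
```

On the sample data only a.lee is flagged: the single denial for b.chan stays under the threshold, and the lone role binding for svc-migrate has no preceding suspicious sign-in to correlate with, which is the gap a dormant-privilege or governance-debt rule would have to cover separately.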

Sanket Kadam, Senior Security Analyst at QKS Group, explains the need: “Identity has quietly become the most dependable signal in detection work. Attackers aren’t breaking down doors anymore; they’re walking in with stolen credentials, abused tokens, and unnoticed privilege paths. That’s why SOC teams can’t afford to treat identity telemetry as an afterthought. Shifting from purely infrastructure alerts to identity-aware analytics isn’t a trend; it’s a reflection of how attacks actually happen today. When organizations build identity signals into their SOC playbooks, they start spotting trouble earlier, responding with more clarity, and keeping incidents from spreading further than they should.”

To conclude, in the WYSINWYAG (What You See Is Not What You Always Get) world, every other detection surface has lost strategic relevance. Identity is, so far, the most trustworthy aspect left. Hence, identity-centric detections are being integrated into SOC playbooks. The following is a short table of vendors currently leading the way.

| Company | Product | How it uses identity-centric detections in SOC/XDR workflows |
|---|---|---|
| Microsoft | Microsoft Defender for Identity (part of Microsoft Entra & Microsoft Defender XDR) | Monitors on-prem Active Directory and Azure AD for credential theft, lateral movement, and privilege escalation, then feeds correlated identity alerts into Microsoft Defender XDR so SOC teams can investigate and respond to identity-driven attacks alongside endpoint and email telemetry. |
| Okta | Identity Threat Protection with Okta AI | Continuously evaluates user risk using sign-in behavior, device and location context, and shared signals; raises identity risk events and triggers adaptive policies (step-up MFA, access revocation) that can be consumed by XDR/SIEM and integrated with tools like Cortex XSIAM/XDR to automate SOC playbooks. |
| CrowdStrike | Falcon Identity Protection / Falcon Identity Threat Protection | Uses AI-driven behavioral analytics to baseline user behavior and detect suspicious identity activity in real time (risky logins, privilege abuse, lateral movement), then enforces risk-based conditional access, session revocation, and policy changes directly from the Falcon XDR platform. |
| Vectra AI | Vectra AI ITDR | Focuses on the idea that “attackers don’t hack in, they log in,” continuously analyzing identity signals across Active Directory, Entra ID (Azure AD), and cloud identity sources to surface stealthy account compromise and insider threats that can be operationalized in SOC playbooks. |
| Silverfort | Silverfort Identity Threat Detection and Response | Monitors authentication flows across AD, cloud, SaaS, and federation paths for credential-based attacks, privilege escalation, and lateral movement, then blocks malicious access in real time and supports identity-first incident response for SOC teams. |
| SentinelOne | Singularity Identity (ITDR component of Singularity Platform) | Deploys agents on endpoints and domain controllers to sense identity misuse and reconnaissance targeting AD; detects credential theft and lateral movement in real time and automates remediation (disabling compromised identities, enforcing password changes) as part of the broader Singularity XDR stack. |
| CyberArk | CyberArk Identity Security Platform with Threat Detection & Response | Applies AI-powered identity security intelligence and behavioral analytics to privileged and non-privileged identities, detecting risky sessions and anomalous access; its Threat Detection and Response capability integrates with SIEM, XDR, and SOAR to rotate credentials, isolate sessions, and orchestrate identity-centric response from within the SOC. |
| Palo Alto Networks | Cortex XDR / Cortex XSIAM with Identity Threat Module | Uses an Identity Threat module to classify user and host roles and detect compromised accounts and insider threats, and integrates with Okta Identity Threat Protection so that Okta’s real-time identity risk signals drive Cortex-based automated actions like session termination and endpoint quarantine in SecOps playbooks. |
| IBM | IBM QRadar SIEM + IBM Security Verify | Collects JSON events from IBM Security Verify into QRadar via REST APIs and DSMs so identity and access events (suspicious logins, access anomalies, risky app access) appear as correlated offenses in the SIEM, giving SOC analysts identity context alongside traditional network and endpoint alerts. |