CrowdStrike’s 2026 Global Threat Report delivered a statistic that should fundamentally change how enterprises think about cybersecurity: 82% of detections in 2025 were malware-free. Not reduced. Not declining. Eighty-two percent of the intrusions CrowdStrike tracked didn’t involve malware at all. Attackers used valid credentials, trusted identity flows, and approved SaaS integrations to walk through the front door. Meanwhile, Palo Alto Networks’ Unit 42 found that identity loopholes were implicated in nearly 90% of its incident response investigations. The cybersecurity industry has spent two decades building increasingly sophisticated malware defenses. The attackers stopped using malware.
This isn’t a subtle shift. It’s a structural inversion of the threat landscape — and the cybersecurity industry’s response has been dangerously slow. Enterprise security budgets still disproportionately fund endpoint detection, antivirus, and malware sandboxing. These tools remain necessary. But when four out of five intrusions involve an attacker logging in with legitimate credentials rather than deploying a payload, the security architecture most enterprises rely on is optimized for the minority of attacks.
How identity became the primary attack surface
The economics explain everything. On the dark web, initial access brokers now sell pre-compromised credentials for as little as $10 per account. Infostealer malware harvested 1.8 billion credentials in 2025 alone, and over 24 billion compromised credential sets are currently circulating across dark web marketplaces. For an attacker, purchasing stolen credentials is faster, cheaper, and far less risky than developing custom malware. Why write exploit code when you can buy a valid login for the price of a coffee?
CrowdStrike’s data shows the scale of this shift. Access broker advertisements increased 50% year-over-year. The average eCrime breakout time — the interval between initial access and lateral movement — dropped to 48 minutes, with the fastest observed breakout clocking in at just 51 seconds. When an attacker is using legitimate credentials, every second of that breakout window looks like normal user behavior to traditional security tools. There’s no malicious payload to detect, no signature to match, no anomalous file execution to flag. The attacker is, from the system’s perspective, an authorized user.
Palo Alto’s Unit 42 found that in 87% of cases, attacker activity spanned multiple attack surfaces — endpoints, identity systems, networks, and cloud services within a single intrusion. Browser-based activity played a role in 44% of investigations, as attackers increasingly exploit trusted communication channels and identity verification weaknesses to harvest credentials in real time. The attack chain doesn’t start with a zero-day exploit. It starts with a phished password, a stolen session token, or a credential set purchased from an infostealer marketplace.
The malware fixation is a strategic liability
Here’s the contrarian argument: the cybersecurity industry’s continued emphasis on malware defense isn’t just outdated — it’s actively harmful. Every dollar spent on malware-centric tools that could have funded identity threat detection represents a misallocation of finite security resources. And the misallocation is substantial.
Gartner estimates that enterprises spend roughly 60% of their security budgets on endpoint and network security — the layers primarily designed to detect and block malicious code. Identity security, by contrast, typically receives 10 to 15% of the security budget despite being implicated in the vast majority of successful intrusions. The mismatch between where the attacks are happening and where the money is going is staggering.
The problem compounds because identity-based attacks are harder to detect with traditional tools. When an attacker uses valid credentials to access a SaaS application, generate an API token, and move laterally through cloud infrastructure, the entire attack chain consists of actions that authorized users perform every day. Behavioral analytics can sometimes distinguish between legitimate and malicious credential usage, but the signal-to-noise ratio is far worse than in malware detection, where a known-bad file hash provides near-certain identification.
Organizations that have invested in AI-native security capabilities are better positioned to detect these subtle behavioral anomalies, but most enterprises are still running identity security programs built around password policies and periodic access reviews — approaches that assume credentials haven’t already been compromised.
AI is making the identity threat worse, not better
CrowdStrike’s report documents an 89% increase in AI-enabled adversary activity. That number is alarming on its own, but the specific applications matter more than the aggregate growth. Generative AI is supercharging the credential theft pipeline at every stage.
AI-generated phishing emails are nearly indistinguishable from legitimate communications — eliminating the grammatical errors and formatting inconsistencies that trained users to spot social engineering attempts. Voice cloning and deepfake technology enable vishing attacks (voice phishing) that impersonate executives with sufficient fidelity to fool experienced employees. CrowdStrike recorded a 442% increase in voice phishing between the first and second halves of 2025, a growth rate that suggests vishing is transitioning from a novelty to a primary attack vector.
Perhaps most concerning, attackers exploited legitimate generative AI tools at more than 90 organizations by injecting malicious prompts designed to extract credentials and authentication tokens. The AI tools that enterprises deploy to increase productivity are simultaneously creating new credential harvesting surfaces that most security teams haven’t accounted for. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 87% of organizations now identify AI-related vulnerabilities as their fastest-growing cyber risk — but identifying the risk and funding the defense against it are very different things.
What actually works against identity-based attacks
The enterprises that are successfully defending against credential-based intrusions share a common approach: they’ve stopped treating identity as an access management function and started treating it as a threat detection surface.
This means continuous identity monitoring — not periodic access reviews, but real-time analysis of authentication events, token generation, privilege escalation, and lateral movement patterns. It means deploying identity threat detection and response (ITDR) platforms that can correlate identity signals across cloud, SaaS, and on-premises environments simultaneously. And it means investing in credential intelligence — monitoring dark web marketplaces and infostealer logs for compromised credentials associated with the organization, ideally before those credentials are used in an attack.
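As an added illustration of what "real-time analysis of authentication events, token generation, privilege escalation, and lateral movement" looks like in practice, the following is example detection logic written for this article, not code from any ITDR vendor mentioned above. It runs three rules over a small set of constructed identity events: a login from a country or device the user has never used, impossible travel between two logins, and a breakout chain (login, then token creation and a privilege grant inside the 48-minute window cited in the article). The event schema, the baseline format and the sample data are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    """One identity event as an IdP or ITDR pipeline might normalize it (assumed schema)."""
    ts: datetime
    user: str
    kind: str      # "login", "token_create", "role_grant" or "lateral_access"
    country: str
    device: str


# Constructed sample telemetry, not real logs: a quiet user (alice), a user whose
# valid credentials are used from an unknown location and then chained into token
# minting and a role grant (bob), and a user with impossible travel (carol).
T0 = datetime(2026, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0, "alice", "login", "US", "laptop-a1"),
    AuthEvent(T0 + timedelta(minutes=30), "alice", "lateral_access", "US", "laptop-a1"),
    AuthEvent(T0, "bob", "login", "RO", "unknown-7f"),
    AuthEvent(T0 + timedelta(minutes=6), "bob", "token_create", "RO", "unknown-7f"),
    AuthEvent(T0 + timedelta(minutes=21), "bob", "role_grant", "RO", "unknown-7f"),
    AuthEvent(T0 + timedelta(minutes=40), "bob", "lateral_access", "RO", "unknown-7f"),
    AuthEvent(T0, "carol", "login", "US", "laptop-c2"),
    AuthEvent(T0 + timedelta(minutes=15), "carol", "login", "SG", "laptop-c2"),
]

# Constructed per-user baselines; a real platform learns these over time.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"laptop-a1"}},
    "bob": {"countries": {"US"}, "devices": {"laptop-b9"}},
    "carol": {"countries": {"US"}, "devices": {"laptop-c2"}},
}

BREAKOUT_WINDOW = timedelta(minutes=48)       # average eCrime breakout time cited above
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # assumed threshold for cross-country logins


def detect(events, baseline):
    """Return (user, rule, detail) alerts for credential-misuse patterns in the events."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        known = baseline.get(user, {"countries": set(), "devices": set()})
        logins = [e for e in evs if e.kind == "login"]

        # Rule 1: successful login from a country or device never seen for this user.
        for lg in logins:
            if lg.country not in known["countries"] or lg.device not in known["devices"]:
                alerts.append((user, "unfamiliar_login", f"{lg.country}/{lg.device}"))

        # Rule 2: two logins from different countries closer together than plausible travel.
        for a, b in zip(logins, logins[1:]):
            if a.country != b.country and b.ts - a.ts < IMPOSSIBLE_TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel", f"{a.country}->{b.country}"))

        # Rule 3: login followed by both token creation and a privilege grant inside
        # the breakout window; each step is legitimate on its own, the chain is not.
        for lg in logins:
            window = [e for e in evs if lg.ts < e.ts <= lg.ts + BREAKOUT_WINDOW]
            kinds = {e.kind for e in window}
            if {"token_create", "role_grant"} <= kinds:
                grant = next(e for e in window if e.kind == "role_grant")
                minutes = int((grant.ts - lg.ts).total_seconds() // 60)
                alerts.append((user, "breakout_chain", f"role_grant {minutes} min after login"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{user:6} {rule:18} {detail}")
```

Rule 3 is the one that matters most for the argument in this section: none of bob's individual events would trip a malware-oriented control, and only correlating login, token and role events for the same identity inside a short window exposes the pattern.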
Specops’ 2026 Breached Password Report analyzed over six billion malware-stolen passwords and found that 97% of identity-based attacks still leverage passwords as the initial vector. This suggests that passwordless authentication — FIDO2 security keys, biometric verification, certificate-based access — remains the single highest-impact investment most enterprises can make against identity threats. Yet adoption remains painfully slow. The technology is mature. The regulatory pressure is building. The obstacle is organizational inertia, not technical limitation.
The ransomware connection makes the urgency concrete. Over 54% of ransomware victims in 2024-2025 had their domain credentials appear on infostealer log marketplaces before the attack. In more than half of ransomware cases, the credentials that enabled the intrusion were already for sale on the dark web — visible to anyone monitoring for them. The gap between credential exposure and credential exploitation is the window that identity-focused security is designed to close.
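The "gap between credential exposure and credential exploitation" described above can be measured directly once an organization ingests credential-intelligence feeds alongside its own authentication and password-reset logs. The example below is added for this article, not the code of any vendor named in it; the feed format, the log shapes and all accounts and timestamps are constructed. For every domain account that appears in an exposure feed it decides whether the credential was rotated after exposure, whether it has already been used for a successful login without a rotation (and how long after exposure), or whether it is still waiting for a reset.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Exposure:
    """A credential sighting from an infostealer-log or marketplace feed (assumed format)."""
    account: str
    observed: datetime
    source: str


@dataclass(frozen=True)
class Login:
    """A successful authentication from the organization's own IdP logs (assumed format)."""
    account: str
    ts: datetime


@dataclass(frozen=True)
class PasswordReset:
    """A completed password reset for an account (assumed format)."""
    account: str
    ts: datetime


T0 = datetime(2026, 2, 10, 8, 0)

# Constructed sample data. Accounts use a placeholder domain.
FEED = [
    Exposure("dave@corp.example", T0, "infostealer-log"),          # rotated in time
    Exposure("erin@corp.example", T0, "marketplace-listing"),      # used before rotation
    Exposure("frank@corp.example", T0 + timedelta(hours=10), "infostealer-log"),  # not yet used
]
LOGINS = [
    Login("dave@corp.example", T0 + timedelta(hours=5)),
    Login("erin@corp.example", T0 + timedelta(hours=30)),
    Login("grace@corp.example", T0 + timedelta(hours=1)),   # never exposed, must be ignored
]
RESETS = [
    PasswordReset("dave@corp.example", T0 + timedelta(hours=2)),
]


def triage(feed, logins, resets):
    """Classify exposed accounts into rotated / in_use / pending_reset.

    in_use entries carry the exposure-to-first-login window in hours, i.e. the
    time the organization had to act before the exposed credential was exercised.
    """
    result = {"rotated": [], "in_use": [], "pending_reset": []}
    # Keep the earliest sighting per account; later duplicates do not widen the window.
    first_seen = {}
    for x in sorted(feed, key=lambda x: x.observed):
        first_seen.setdefault(x.account, x)

    for account, exposure in first_seen.items():
        rotated = any(r.account == account and r.ts > exposure.observed for r in resets)
        if rotated:
            result["rotated"].append(account)
            continue
        later_logins = sorted(l.ts for l in logins if l.account == account and l.ts > exposure.observed)
        if later_logins:
            window_h = (later_logins[0] - exposure.observed).total_seconds() / 3600
            result["in_use"].append((account, round(window_h, 1)))
        else:
            result["pending_reset"].append(account)
    return result


if __name__ == "__main__":
    for bucket, items in triage(FEED, LOGINS, RESETS).items():
        print(bucket, items)
```

The `pending_reset` bucket is the actionable output: those are credentials an attacker can already buy but has not yet used, which is exactly the window the paragraph above says identity-focused security exists to close. The `in_use` bucket should feed incident response rather than the helpdesk, since a successful login after exposure and before rotation is the precondition the ransomware statistic describes.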
The uncomfortable reallocation
The cybersecurity industry doesn’t like this conversation because it implies that a significant portion of existing security spending is misallocated. Endpoint detection vendors don’t want to hear that 82% of attacks bypass their core detection mechanism. SIEM vendors don’t want to acknowledge that their correlation rules are optimized for malware-based attack patterns that represent a shrinking minority of actual intrusions. And CISOs don’t want to tell their boards that the security stack they’ve spent years building is architecturally misaligned with how attackers actually operate.
But the data is unambiguous. Identity is the primary attack surface in 2026. Stolen credentials cause more damage than malware because they’re harder to detect, they leverage trusted access paths, and they render most perimeter and endpoint defenses irrelevant. The broader collapse of traditional tracking and verification mechanisms across the technology industry makes identity-first security architecture not just a cybersecurity priority but a business imperative.
Enterprises that continue funding malware-centric security architectures while identity-based attacks account for four out of five intrusions aren’t being conservative. They’re being negligent. The attackers have already moved on. The defenders need to follow.
