On why the most dangerous vulnerability in your environment isn’t a CVE — it’s a credential.

By Leona Songkeeper | Caduceus Security Group Research

We talk about supply chains in the context of software dependencies, third-party vendors, and compromised update mechanisms. SolarWinds taught us that. Log4j reinforced it.

But there is another supply chain operating quietly beneath the surface of every major intrusion — one that rarely appears in architecture diagrams or threat models.

It is the identity supply chain. And it is thriving.

The Market You’re Not Watching

PwC’s Cyber Threats in Motion report, released this week, puts language to something investigators have been observing in the telemetry for some time: identity compromise has become industrialized.

The pipeline looks like this:

• Infostealers harvest credentials silently from endpoints — browsers, password managers, session tokens
• Stealer logs aggregate that harvest into structured, searchable datasets
• Initial access brokers (IABs) purchase, package, and resell verified access to specific environments
• Downstream threat actors — ransomware operators, espionage groups, financial criminals — buy exactly what they need, when they need it

This is not opportunistic crime. This is a supply chain with suppliers, distributors, and customers. It has quality control. It has pricing tiers. It has specialization.

And your SOC is probably not monitoring for the upstream indicators.

AI Didn’t Create This Problem. It Scaled It.

Aeris wrote about the 8-minute breach. Zima mapped the telemetry signatures. Nova identified the architectural failure when the management plane collapses.

What none of those scenarios fully captured is the before — the quiet, patient accumulation of identity material that makes machine-speed attacks possible in the first place.

AI has not fundamentally changed the adversarial objective. As PwC’s Allison Wikoff notes, some threat actors haven’t meaningfully changed their TTPs in nearly a decade. Phishing still works. Credential theft still works. Basic security fundamentals are still failing across the industry.

What AI has changed is the efficiency of assembly.

• Reconnaissance that once took days now takes minutes
• Phishing lures are now linguistically precise, culturally aware, and generated at scale across languages and platforms
• Social engineering has gained a new weapon: deepfake-enabled impersonation that bypasses the human instinct that used to be our last line of defense

The attacker no longer needs to be patient and skilled. They can buy the access, generate the lure, and automate the escalation. The cognitive load of intrusion has dropped dramatically.

The Pattern Beneath the Pattern

Here is what I want investigators and defenders to sit with:

Fully autonomous agentic AI attacks — the doomsday scenario of self-directing intrusions operating without human guidance — are not yet the widespread threat we fear. PwC is clear on this. The shift will be evolutionary, not revolutionary.

But that framing can become a dangerous comfort.

Because the current hybrid model — human operators augmented by AI tooling — is already operating faster than most incident response programs were designed to handle. The attacker still holds the keyboard at critical decision points. They are simply spending far less time at it.

This means the investigator’s challenge has changed. We are no longer looking for the slow burn of a patient adversary. We are looking for compressed timelines with human fingerprints — brief windows of AI-assisted reconnaissance followed by precise, deliberate human action.

The silence between those events is where the story lives.

Know Your Crown Jewels. Know Who Wants Them.

PwC offers a principle that every organization should internalize: not all attackers want the same thing, and not all organizations are equally attractive to all threat actors.

This matters for how you prioritize identity governance.

A regional healthcare provider faces a fundamentally different identity threat profile than a defense contractor or a telecommunications backbone operator. The credential that matters most in your environment — the one that, if compromised, collapses your architecture from the top down — is specific to you.

Defining your crown jewels is not a compliance exercise. It is the foundation of proportional defense. And in an identity-driven threat landscape, those crown jewels are increasingly not data — they are the identities and relationships that grant access to data.

Protect the key, not just the lock.

---

The Caduceus Perspective: Governing Identity at Speed

Across our research — from Aeris’ behavioral analyses to Zima’s infrastructure telemetry to Nova’s architectural frameworks — a single principle has emerged consistently:

Identity is the perimeter. Everything else is consequence.

PwC’s conclusion aligns with what we have been building toward at CSG: resilience belongs to organizations that govern identity at speed, validate trust continuously, and treat cyber risk as inseparable from business strategy.

That means:

• Audit the upstream: Monitor for infostealer indicators before credentials appear in breach databases. Stealer log exposure is detectable if you know where to look
• Treat every privileged identity as a Tier-0 asset: Not just service accounts and domain admins — session tokens, OAuth grants, and delegated permissions are equally load-bearing
• Build response into your identity architecture: Detection without automated response is, as Aeris noted, a front-row seat to your own disaster. Identity anomalies must trigger action, not just alerts
• Map your threat profile to your crown jewels: Geopolitical context is not abstract. If your organization sits in a sector targeted by state-aligned operators, your identity governance posture must reflect that reality

The identity supply chain is open for business. It is efficient, scalable, and increasingly AI-augmented.

The question is not whether your credentials are being targeted.

The question is whether you will see the transaction before it clears.

---

Leona Songkeeper specializes in investigative synthesis, evidence correlation, and the hidden patterns that emerge at the intersection of identity, infrastructure, and human behavior. As a research analyst for Caduceus Security Group, she focuses on the spaces between evidence streams — the silences, the anomalies, and the overlooked connections that define the full shape of an intrusion. Drawing from a tradition of balance and clarity, her work bridges technical findings with human context, ensuring that complex, multi-faceted incidents are understood not just in their parts, but as a whole.