ORLANDO, Fla. — Credential-based attacks are reshaping the cybersecurity landscape. In many modern breaches, attackers are no longer breaking through the front door with obvious malware or brute-force activity. They are logging in with valid credentials, moving through cloud and SaaS environments while appearing, at least initially, like legitimate users.
That shift has changed the way enterprises need to think about security. As companies rely more heavily on SaaS platforms, federated access, remote teams and third-party integrations, identity has become one of the most important layers of business infrastructure. It is also becoming one of the most attractive targets for attackers.
Ajai Paul, a senior cybersecurity leader at Affirm and a member of the Forbes Technology Council, has seen that shift play out across highly regulated industries. In his view, authentication is no longer just a front-line control. It is now a critical area of risk because attackers increasingly operate inside trusted environments after gaining access through compromised accounts, exposed tokens or abused permissions.
When Logins Become the Attack Surface
A growing number of cyber incidents begin with valid credentials rather than malicious code. A user account may authenticate successfully, access cloud systems and move between applications without triggering the same alerts that traditional intrusion attempts might create.
In SaaS-first environments, every employee, contractor, partner account, service account and connected application can become part of the attack surface. Threat actors can exploit stolen passwords, compromised API tokens, misconfigured permissions or low-privilege accounts, then gradually escalate access while blending into normal activity.
Industry research reinforces the concern. IBM’s 2024 X-Force Threat Intelligence Index found that the use of stolen credentials to access valid accounts surged 71% year over year and represented 30% of all incidents X-Force responded to in 2023, tying phishing as a leading infection vector.
For security teams, the challenge is no longer just collecting more logs. It is understanding which activity is meaningful. High volumes of low-fidelity alerts can make it difficult to distinguish routine access from early-stage compromise. That makes behavior, context and identity intelligence increasingly important.
What ITDR Adds to SaaS Security
Identity Threat Detection and Response, or ITDR, is designed to address this gap. Rather than replacing tools such as SIEM, endpoint detection or cloud security platforms, ITDR focuses specifically on threats that exploit identity systems, access privileges, trust relationships and SaaS configurations.
Effective ITDR programs look beyond whether a login was technically successful. They examine whether the behavior makes sense. Signals such as unusual session duration, impossible travel, unexpected privilege escalation, abnormal time-of-day access, new device patterns or suspicious application consent can help identify risk before an attacker causes broader damage.
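As an added illustration of the "does the behavior make sense" check described above (example code written for this article, not from Affirm or any ITDR product), the script below scores constructed sign-in events for impossible travel, previously unseen devices and off-hours access; the speed threshold, working-hours window, coordinates and device identifiers are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:  # one successful authentication event, as an IdP or SaaS audit log would record it
    user: str
    ts: datetime      # UTC
    lat: float
    lon: float
    device: str

MAX_KMH = 900.0        # assumed: faster than an airliner between two logins counts as impossible travel
WORK_HOURS = (7, 20)   # assumed normal access window (UTC hours) for this constructed tenant

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two coordinates, in kilometres
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def review_signins(events, known_devices):
    """Return (user, iso_timestamp, reasons) for logins that succeeded but whose context is suspicious."""
    findings = []
    last_seen = {}  # user -> previous sign-in, for the impossible-travel comparison
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > MAX_KMH:
                reasons.append("impossible_travel")
        if ev.device not in known_devices.get(ev.user, set()):
            reasons.append("new_device")
        if not (WORK_HOURS[0] <= ev.ts.hour < WORK_HOURS[1]):
            reasons.append("off_hours")
        if reasons:
            findings.append((ev.user, ev.ts.isoformat(), tuple(reasons)))
        last_seen[ev.user] = ev
    return findings

# Constructed sample data: alice signs in from New York on a known laptop, then 40 minutes
# later from Frankfurt on an unknown device, and again late at night; bob looks routine.
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2024, 5, 6, 14, 0), 40.71, -74.01, "laptop-a1"),
    SignIn("alice", datetime(2024, 5, 6, 14, 40), 50.11, 8.68, "unknown-x9"),
    SignIn("alice", datetime(2024, 5, 6, 23, 0), 50.11, 8.68, "unknown-x9"),
    SignIn("bob", datetime(2024, 5, 6, 9, 30), 51.51, -0.13, "laptop-b2"),
]
KNOWN_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b2"}}

if __name__ == "__main__":
    for user, ts, reasons in review_signins(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(user, ts, ", ".join(reasons))
```

Each finding carries the reasons that fired, so a responder sees why a technically valid login was surfaced rather than just that it was.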
Paul has emphasized the need to move from basic access monitoring to identity-aware interpretation.
In a published case study about Affirm’s MDR implementation, Paul also discussed the importance of detection pipelines that can ingest, interpret and act across identity-centric signals.
“Detection only works when it understands not just what happened, but whether it should have,” Paul said in previously published comments.
That distinction is especially important in SaaS environments, where sensitive data and business-critical workflows often sit outside traditional network boundaries. If the identity layer is compromised, attackers may be able to access financial systems, customer records, internal communications or operational platforms without deploying malware at all.
Why Identity Defense Is a Business Issue
The rise of identity-based attacks is not only a technical concern. It has direct implications for compliance, customer trust, operational resilience and executive risk management.
In regulated industries, identity telemetry can support audit trails, access reviews and incident investigations. Stronger monitoring of user behavior and permissions can also help organizations demonstrate control over sensitive systems, especially when working under frameworks such as SOC 2, PCI DSS or other industry-specific requirements.
Faster detection also matters financially. The longer an attacker remains inside an environment, the more opportunity there is for data theft, fraud, service disruption and reputational harm. For executives, identity security is increasingly tied to business continuity and stakeholder confidence.
That is why ITDR is gaining attention as more than another cybersecurity acronym. It represents a practical response to the reality that identity has become a core part of enterprise infrastructure.
Identity Is the New Perimeter
For years, companies built security programs around the idea of defending the perimeter. But in a SaaS-driven business environment, the perimeter is no longer a fixed boundary. It is distributed across users, devices, applications, permissions and cloud services.
That makes identity one of the most important control points in modern cybersecurity.
“Threat detection needs to move where the threat surface lives,” Paul said. “Today, that is inside identity systems. And detection only matters if it leads to response.”
As businesses continue to adopt SaaS platforms and federated access models, security teams will need to prioritize visibility into how identities behave across systems. The organizations best positioned for the next phase of cybersecurity will be those that treat identity not as a background IT function, but as a central layer of risk management, compliance and enterprise defense.
©2026 Cox Media Group