It seems that spring is the popular season for cyber threat reports, headlined by the Verizon Data Breach Investigations Report (which I consider the gold standard) but including similar insights from CrowdStrike, IBM and many more. While chock full of important insights, they are all derived by looking back at the year that was. That is not a criticism; as the saying goes, “those who don’t learn from history are doomed to repeat it.”
How Threat Actors Abuse Credentials

However, cyber security is often criticized as a reactive exercise. Threat actors do this, so cyber defenders counter with that. So threat actors respond with this and cyber defenders counter with that. Over and over again. While of course a necessary reality, most organizations these days look for proactive cyber security measures to complement the necessary reactive ones.
Here is a great example. The 2025 Verizon Data Breach Investigations Report calls out that credential abuse remains the most common method for gaining access to organizations. But it leaves us to wonder: how are threat actors abusing credentials? And more importantly, what can organizations do to shore up their identity security posture before a threat actor gains entry via stolen credentials? It is this last question that Orchid Security’s inaugural State of Identity Security report begins to answer.
Implementation of Controls Varies

From day one, we built our offering with a robust “backoffice” overlay infrastructure, specifically designed to aggregate, analyze and present insights across our customer and partner user base. Most relevant for this conversation, those insights include the most common identity security gaps we see across applications deployed across geographies and industries.
For example, did you know that while identity providers (IdPs) like Okta, Ping, Microsoft Entra and others are viewed as widely deployed among enterprises, data in fact shows that more than 40% of applications have authentication paths that don’t use these identity security mechanisms?

The reality is that there are corporate standards, regulatory requirements and even cyber security frameworks that all outline a pretty common set of identity controls, yet implementation of these controls varies greatly from application to application. I recently had a conversation with one CISO who was adamant that his organization's application did not use Kerberos tokens for authentication. However, analyzing the binary clearly showed their use, both in a visual authentication map and in a detailed snippet of code. And, indeed, when the application owner was asked to check, they confirmed this use of the token.

Our Report
To learn more about the most common identity security gaps we’ve uncovered, as well as some of the reasons we hear customers explain why they occur, you can read the report itself.
Or, if you are one of the people who watch videos at 1.5x speed or skip right to the summary and next step, we also provide a checklist of the top 5 gaps and how to (again proactively) assess, using common enterprise tools and practices, whether your organization has some of the same identity security exposures.