Multi-factor authentication (MFA) remains a cornerstone of cybersecurity, but attackers have learned find workarounds.

As identity-driven attacks continue to rise, organizations must go beyond MFA to build resilience. Sophos experts and recent Gartner research agree: It’s time for an identity-first security strategy backed by continuous detection and response. For many organizations, keeping pace with identity threats feels overwhelming, especially as hybrid environments expand. But there’s a clear path forward.

Identity is now the primary attack surface

Chris Yule, director of threat intelligence for the Sophos X-Ops Counter Threat Unit, notes that more than 60% of incidents his team investigates stem from identity-related weaknesses. Phishing, stolen credentials, and social engineering are common entry points — methods that allow attackers to infiltrate without deploying traditional malware.

“The number one threat facing our customers today continues to be ransomware, both in terms of the number of incidents that we see and the impact that it can have when it hits,” Yule explained during a recent webinar. “Classic ransomware cases consistently show identity compromise as the critical first step.”

As organizations expand across hybrid and cloud environments, each new integration, from software-as-a-service (SaaS) apps to service accounts, becomes another entry point. Yet, as Yule noted, there will often be cyberattacks where there’s “very little malicious code in use.” Rather, they mainly use “privilege and trust to gain access to the environment and cause as much damage with that trust as possible.”

Why MFA alone isn’t enough

MFA is essential, but it’s not enough. Attackers have evolved, and identity-based threats now bypass even strong authentication. Organizations need continuous detection and response to stay ahead. In multiple business email compromise (BEC) cases, adversaries bypassed MFA using adversary-in-the-middle (AiTM) phishing kits.

An AiTM attack goes beyond traditional phishing. Instead of simply stealing credentials, the attacker intercepts and relays the victim’s login session in real time. When a user clicks a phishing link and enters their credentials on a fake site, the attacker forwards those details to the legitimate service and captures the entire authentication flow, including MFA responses, allowing them to hijack the session.

This reality aligns with findings that Gartner outlines in their report “CISOs Must Integrate IAM to Strengthen Cybersecurity Strategy .” This report notes that credential compromise remains the leading cause of breaches and that “sophisticated attackers are now targeting the [identity access management] IAM infrastructure itself.”

Gartner further cautions that while prevention is essential, “there is no such thing as fail-proof prevention.” Security teams must be prepared to detect and respond when identity defenses are bypassed.

Identity-first security: The next evolution

According to Gartner, cybersecurity leaders should “embrace identity threat detection and response (ITDR) and adopt identity-first security to enable zero trust and optimize the organization’s cybersecurity posture.”

Identity-first security reframes protection around who and what is connecting, rather than where they’re connecting from. Instead of static perimeter controls, it focuses on continuous trust assessment and adaptive access. In practice, this means:

• Monitoring identity posture continuously, not just enforcing login controls.
• Detecting and responding to abnormal behaviors like privilege escalation or lateral movement.
• Reducing the attack surface by addressing misconfigurations and overprivileged accounts.

Detection for the identity layer

Yule emphasized that Sophos built our Identity Threat Detection and Response (ITDR) service precisely to fill this gap.

“Historically, identity and access management and security operations have always been largely separate things,” Yule said. “And so, what we’ve tried to do with ITDR is look at the overlap of those.”

By continuously assessing identity posture, Sophos ITDR monitors for:

• Stolen or exposed credentials on the dark web.
• Accounts with excessive or unusual permissions.
• Application misconfigurations that enable privilege abuse.

This proactive approach complements Sophos Managed Detection and Response (MDR) and Extended Detection and Response (XDR), ensuring organizations can detect threats in action while also reducing the risk of identity exploitation before attacks begin.

Identity has become the cornerstone of modern cybersecurity, and building resilience starts with treating it as a core discipline. Together, ITDR, MDR, and XDR create a security fabric that is continuous, adaptive, and resilient.

“As we increase trust in different things, things become more complicated, things become more opaque, and it becomes harder to know and identify these micro vulnerabilities that could be exploited by somebody who is smart enough to figure it out,” Yule said.

Organizations that adopt identity-first security strategies gain the agility to detect and neutralize threats before they escalate.

*Explore how *Sophos Identity Threat Detection and Response (ITDR) helps organizations preempt and neutralize identity-based threats before they become breaches.