Hypothetically speaking, where would you launch your attack as a cybercriminal? Definitely where the effort is low and the impact is high. Most attacks do not result from highly specialized individual operations, but from opportunities. Cyber criminals look for scalable entry points, automate the search and further exploit successful access points. This turns a compromised company access point into an exploitable entry point.
Cybercriminals try to phish other users through compromised email accounts. With LLMs, phishing scenarios can be scaled with little effort. Most phishing attacks are less targeted than opportunistic: the decisive factor is the quantity of emails sent.
Attackers systematically test exposed login prompts with brute force or password spraying. They use known username/password combinations, leaked passwords, typical variants and recognizable patterns in employees' password choices. Accordingly, brute force and password spraying are among the most common attack vectors identified as true positives in the InfoGuard Security Operations Center (SOC) in 2025.
According to Zerodayclock, vulnerabilities will be exploited after just 2.1 days on average in 2026, compared to 21.5 days in the previous year. This acceleration is putting classic patch processes under massive pressure. A key driver is AI tools, which facilitate both the detection of vulnerabilities and the development of exploits.
Partners and suppliers provide software, services and hardware, maintain systems via remote access or support business-critical processes. This is precisely why a company's own security is increasingly dependent on the security of third parties. Supply chain risks arise where trust, technical dependencies and external access come together.
The most common entry points show: Initial access to a corporate environment is no longer just a technical problem, but part of a criminal market. Initial access brokers procure, check and resell such accesses. What used to be the prelude to a single cyberattack is now part of the cybercriminal value chain.
Scalability counts. Cyber criminals collect as many access points as possible, evaluate their damage potential and resell particularly worthwhile access points. A compromised VPN account, valid remote access, a hijacked cloud account or access to an internal system can be enough - for ransomware, data theft, blackmail or espionage, for example.
For companies, this means that the actual attack often begins long before ransomware is executed or data is stolen - namely when access is compromised unnoticed and passed on in criminal supply chains.
"It is not just logins that are traded, but access opportunities and thus the possibility of making a company usable for blackmail, fraud or espionage."
Which accesses are leaked and how they are misused depends on the compromise method and the role affected.
The following examples show how the damage potential varies depending on the role:
Email accounts: Business email compromise, internal phishing, access to confidential communications, password resets
M365/Google Workspace account: SharePoint, OneDrive, teams/chat, calendar, internal documents
Session cookies and browser tokens: Access without a password and without a renewed MFA prompt
VPN accounts: Access to the internal network
Password manager content: access to other internal and external services
CRM access: customer data, pipeline, contracts, contact lists
Email accounts: Invoice fraud
Signing solutions: Manipulation or misuse of contract processes
Customer portal access: customer data, service cases, orders
Helpdesk accounts: password resets, account recovery, user information
Ticketing system: internal problems, system names, ongoing projects
Remote support access: direct access to end devices and servers
MDM and endpoint management access: device management, software distribution, policy changes
MFA reset or MFA registration rights: takeover of third-party accounts
VPN and Jumphost access: access to internal administration zones
SSH keys: Access to Linux servers, network devices, appliances
Domain admin: Complete compromise of the Windows environment
Cloud admin access: Access to virtual devices, storage, IAM, databases, backup
Kubernetes admin access: access to clusters, secrets, workloads, containers
GitHub/GitLab/Bitbucket access: source code theft, search for secrets, code manipulation
CI/CD secrets: manipulation of builds and deployments
Deployment tokens: release of manipulated software in production
Container registry accesses: infiltration of malicious images
Package registry accesses: Supply chain attacks via manipulated packages
Signing certificates: Signing manipulated software
Secrets on local developer machines: Access to build, test and production environments
Webhook secrets: Manipulation of integrations and automations
Identities are among the most important targets today. Attackers often do not need malware or a complex vulnerability. A valid password, a stolen session cookie or a manipulated MFA process is enough. Identity protection must therefore be seen as a security discipline in its own right, not purely as an IT administration task.
The following seven measures show how organizations can effectively secure identities, access and sessions:
"Not every login is trustworthy just because the password is correct."
A strong identity security strategy only works in combination: robust authentication, context-based access, minimal rights, secure admin processes, session protection, ongoing monitoring and a rapid response to suspicious logins.
The whitepaper "InfoGuard Threat Intelligence Insights 2025" shows just how much identities have become the focus of real cyber incidents in 2025. It classifies current attack patterns and shows which measures organizations should prioritize in order to detect account takeovers earlier and prevent them more effectively. It is currently available in German only; an English version follows in a few weeks.
Even strong identity security does not close every gap. Attackers can gain access to an environment via vulnerabilities, stolen sessions, compromised suppliers or existing access points. From this moment onwards, visibility determines whether an attack is detected early or whether attackers can continue undisturbed.
Systems with access to company data or internal infrastructures need the most complete EDR coverage possible: workstations, notebooks, servers, virtual machines, terminal servers, admin systems and critical application servers. Systems on which privileged users work or which are used to access business-critical data are particularly important.
EDR is not just another tool, but the sensor technology on the system itself. It detects suspicious process chains, unusual script execution, credential dumping, lateral movement, ransomware behavior or tampering with security tools. Without this visibility, a company often only recognizes the consequences - but not the actual course of the attack.
Not every system can be equipped with an EDR agent. Legacy systems, production facilities, appliances, network devices, mainframes, OT systems or highly critical platforms with stability requirements need compensating controls. Where EDR is not possible, administrative access must at least be controlled, logged and monitored - for example via hardened jump hosts or admin workstations with EDR coverage.
Network visibility through Network Detection and Response (NDR) and central logs in the SIEM are also required. NDR helps to detect lateral movement, unusual connections, command-and-control communication, scans or data leakage, especially where no endpoint agent can be installed.
The monitoring of high-priority servers is particularly critical: domain controllers, identity systems, backup servers, virtualization platforms, file servers, databases, application servers, CI/CD systems, management servers, EDR/SIEM components and cloud connectors. If you only monitor user end devices but neglect servers, Linux systems, virtual environments or admin infrastructure, you may recognize the entry point - but miss the escalation.
The crucial point: every exception needs transparency. Companies need to know which systems exist, which of them have EDR, which exceptions exist and which compensating controls are in place. "Almost everywhere" is not enough if critical systems remain blind.
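To make the transparency requirement above concrete, here is an added example (not code from the article or InfoGuard) of an inventory check that separates covered systems, documented exceptions with compensating controls, and blind systems, listing the critical blind ones first. The asset model, role labels and inventory are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Asset:
    name: str
    role: str                      # e.g. "domain-controller", "workstation", "plc"
    edr_agent: bool
    privileged_use: bool = False   # admins or privileged users work on this system
    exception: Optional[str] = None          # documented reason why no EDR agent is possible
    compensating: List[str] = field(default_factory=list)  # e.g. "jump-host-only"

# Server roles the article lists as high-priority (constructed role labels).
HIGH_PRIORITY = {"domain-controller", "identity", "backup", "hypervisor", "file-server",
                 "database", "app-server", "ci-cd", "management", "edr-siem", "cloud-connector"}

def is_critical(a: Asset) -> bool:
    return a.role in HIGH_PRIORITY or a.privileged_use

def coverage_report(assets):
    """Return (covered, accepted_exceptions, blind) asset names.  'blind' means no EDR
    agent and no documented exception backed by at least one compensating control;
    critical blind systems are sorted first because they are the real gap."""
    covered, accepted, blind = [], [], []
    for a in assets:
        if a.edr_agent:
            covered.append(a.name)
        elif a.exception and a.compensating:
            accepted.append(a.name)
        else:
            blind.append(a)
    blind.sort(key=lambda a: (not is_critical(a), a.name))
    return covered, accepted, [a.name for a in blind]

def critical_blind(assets):
    """Names of critical systems that are blind: the 'almost everywhere' problem."""
    return [a.name for a in assets
            if not a.edr_agent and not (a.exception and a.compensating) and is_critical(a)]

# Constructed inventory (not a real customer environment).
SAMPLE_INVENTORY = [
    Asset("dc01", "domain-controller", edr_agent=True),
    Asset("backup01", "backup", edr_agent=False),                   # forgotten: no exception at all
    Asset("plc-line3", "plc", edr_agent=False, exception="vendor forbids agents",
          compensating=["jump-host-only", "ndr-span-port"]),        # accepted exception
    Asset("admin-ws07", "workstation", edr_agent=False, privileged_use=True,
          exception="legacy OS"),                                   # exception without any control
    Asset("ws-0421", "workstation", edr_agent=True),
]
```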
In addition to identity protection and endpoint and server monitoring, a third key capability is needed: the ability to continuously check your own attack surface. This is because many attacks do not start with highly complex exploits, but with what is visible to the outside world, incorrectly configured, forgotten or not properly accounted for.
This includes unmanaged assets, exposed systems, shadow IT, misconfigurations, unpatched vulnerabilities and technical attack paths that attackers find faster than the organization itself. This is precisely where a dangerous blind spot arises: organizations often protect what they know - they are compromised by what no one had on their radar.
Managed Risk Exposure adds the crucial context to traditional vulnerability management: it's not just about scanning CVEs and creating tickets. The actual attack surface is crucial: Which systems are accessible from the outside? Which identities have critical rights? Which cloud resources are incorrectly configured? Which supplier or remote accesses exist? Which vulnerabilities can realistically be combined into an attack path?
The most important point: not everything can be fixed at the same time. This is why risk-based prioritization is needed. A critical vulnerability on an isolated test system is not automatically more important than a medium vulnerability on an exposed system with access to productive data. The decisive factors are accessibility, criticality, existing controls, potential impact and probability of exploitation.
Identified risks should therefore be prioritized on an ongoing basis. This list is not a static reporting artifact, but an operational management tool. It shows which risks need to be reduced first with the available resources and which measures will bring the greatest security gains.
The typical areas are:
Unmanaged assets: Systems without an owner, EDR, patch process or inventory
Exposed assets: Internet-accessible servers, VPN portals, remote access, admin interfaces, cloud services
Shadow IT: Unapproved SaaS services, private cloud resources, forgotten subdomains, unofficial tools
Misconfigurations: Open storage buckets, overly broad firewall rules, weak IAM roles, insecure default configurations
Vulnerabilities: Unpatched systems, outdated software, known exploit paths, lack of hardening
Attack paths: Combinations of exposure, identities, authorizations, network access and vulnerabilities
This approach is particularly valuable when technical findings are not viewed in isolation. In plain terms, an open port by itself is not yet a risk. An exposed admin interface without MFA on a business-critical system is. It is precisely this translation that is crucial: technical findings become prioritized risks that management and technology can understand and deal with together.
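The prioritization factors named earlier (accessibility, criticality, existing controls, impact, probability of exploitation) and the open-port versus exposed-admin-interface comparison above can be carried through in code. This is an added example, not InfoGuard's scoring model; the weights and findings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    title: str
    severity: float           # technical severity, e.g. CVSS base score (1.0 = informational)
    internet_exposed: bool    # accessibility
    business_critical: bool   # criticality of the system or the data behind it
    exploited_in_wild: bool   # probability of exploitation
    controls: tuple = ()      # existing controls in the attack path: "mfa", "edr", "segmented"

# Constructed weights for illustration; they are not a standard and not the article's numbers.
EXPOSURE = {True: 2.0, False: 0.5}
CRITICALITY = {True: 1.5, False: 0.7}
EXPLOITED = {True: 1.5, False: 1.0}
CONTROL_REDUCTION = {"mfa": 0.4, "edr": 0.8, "segmented": 0.6}

def risk_score(f: Finding) -> float:
    """Contextual risk: technical severity scaled by accessibility, criticality and
    exploitation likelihood, then reduced by each control that actually sits in the path."""
    score = f.severity * EXPOSURE[f.internet_exposed] * CRITICALITY[f.business_critical]
    score *= EXPLOITED[f.exploited_in_wild]
    for c in f.controls:
        score *= CONTROL_REDUCTION.get(c, 1.0)
    return round(score, 1)

def prioritize(findings):
    """Findings ordered by contextual risk, highest first: the working list the article describes."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed findings mirroring the article's comparison.
SAMPLE_FINDINGS = [
    Finding("test-vm-17", "Critical RCE in isolated test app", 9.8,
            internet_exposed=False, business_critical=False, exploited_in_wild=False,
            controls=("segmented",)),
    Finding("erp-web-01", "Medium: admin interface exposed without MFA", 5.3,
            internet_exposed=True, business_critical=True, exploited_in_wild=True),
    Finding("erp-web-01", "Same admin interface, but behind MFA", 5.3,
            internet_exposed=True, business_critical=True, exploited_in_wild=True,
            controls=("mfa",)),
    Finding("www-01", "Open port 443 on a patched web server", 1.0,
            internet_exposed=True, business_critical=False, exploited_in_wild=False),
]
```

With these weights the medium finding on the exposed, business-critical system ranks above the critical finding on the isolated test system, and adding MFA alone moves the same interface well down the list.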
An annual look at the attack surface is not enough. New systems, cloud projects, suppliers, software releases, authorizations, acquisitions or shadow IT are constantly changing the security situation. Anyone who only checks their attack surface once a year is practically always too late. A recurring process is crucial: identify, assess and prioritize risks, implement measures and check their effectiveness.
The InfoGuard white paper "Threat Intelligence Insights 2025" deepens this perspective based on over 350 real cyber incidents that we processed in 2025. It shows which attack paths are particularly relevant and why identities, visibility and responsiveness will become even more important in 2026. The focus is on concrete findings from real attack patterns. This creates a picture of the situation that does not stop at analysis, but helps to expand monitoring in a targeted manner, test processes and make more informed decisions.
Use the white paper "InfoGuard Threat Intelligence Insights 2025" as a reality check: see which attack patterns are particularly relevant now - and which measures have priority for your organization. It is currently available in German only; an English version follows in a few weeks.
Sandro Bachmann, Principal Threat Intelligence Analyst, knows from daily practice that an attack rarely happens the way you expect it to.
In the "Cyber Threat Intelligence Webinar" on 27 May 2026, he will show how modern threats really work and how organizations can identify risk exposures at an early stage.
Will you be there? Simply register and take part. We look forward to seeing you!