Field Lessons April 2026

Attackers Don't Hack In, They Log In

Most breaches don't involve exotic exploits. They involve stolen credentials, unmanaged privilege, and accounts that should not have existed in the first place.

There is a persistent myth in cybersecurity that breaches happen because attackers are technically brilliant. That somewhere out there a genius is writing novel exploit code, finding zero-days in your firewall, and tunneling through your network like a ghost.

Sometimes that happens. Most of the time it doesn't.

Most of the time, the attacker just logs in.

Why It Matters

The credential is the weapon

The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in the majority of breaches analyzed that year. Not malware. Not zero-days. Credentials. Someone got a username and password that worked, and they used it.

This matters because it fundamentally changes where your defensive energy should go. You cannot patch your way out of a credential problem. You cannot firewall your way out of it either. If the attacker has valid credentials for a legitimate account, most of your perimeter controls wave them through without a second thought.

The question is not whether your walls are high enough. The question is who has the keys, how many copies exist, and whether you would know if one went missing.

The PAM Lesson

How the attack actually unfolds

Credential-based attacks follow a predictable pattern. Understanding it is the first step to interrupting it.

Initial access. The attacker gets a credential. It might come from phishing, from a data breach dump, from a compromised endpoint, or from a disgruntled insider. It is often a low-privilege account — a regular user, a helpdesk technician, a contractor.
Privilege escalation. Low privilege is rarely enough. The attacker looks for a path upward. Maybe there is a service account with excessive rights running on a box they can reach. Maybe a local admin account shares a password with every workstation in the building. Maybe a domain admin left a session open on a server that got compromised. They find a rung and they climb it.
Lateral movement. With elevated credentials, the attacker moves across the environment. They are not breaking in anymore — they are walking through doors that are supposed to be open, using credentials that look legitimate to every system they touch.
Objective. Ransomware deployment. Data exfiltration. Persistence. Whatever they came for.

PAM controls interrupt this pattern at multiple points. Vaulting credentials removes them from the places attackers commonly find them — configuration files, scripts, shared drives, memory. Least privilege limits what a compromised account can actually reach. Just-in-time access means standing privilege isn't sitting there waiting to be stolen. Session monitoring means that even when someone does get in, what they do is recorded.

None of these controls make a breach impossible. Together, they make the attacker's job significantly harder and make your detection and response significantly faster.

The Account Nobody Is Watching

Orphaned accounts and why attackers love them

There is a specific account type that shows up repeatedly in post-breach forensics: the orphaned account.

A former employee. A contractor who finished a project. A service account tied to a system that was decommissioned. An integration that was replaced but never cleaned up. The account still exists. In some cases it still has significant privilege. Nobody is actively using it, which means nobody is actively watching it.

Attackers love orphaned accounts. An account that nobody owns is an account that nobody will notice being used.

A PAM program that includes regular access reviews — not annual checkbox reviews, but genuine periodic audits of who has what and whether they still need it — closes this gap. It is not glamorous work. It is some of the most important work in your security program.

What to Check This Week

Four things worth looking at right now

Pull a list of accounts in your environment that have not authenticated in 90 days. Those are candidates for immediate review and likely for disablement. If any of them carry elevated privilege, treat that as urgent.
Ask your IT team how shared credentials are handled in your environment. Shared accounts — where multiple people know the same password — mean that when something goes wrong, you cannot attribute the action to a specific person. That is an audit failure and a forensics failure at the same time.
Find out whether your organization has a formal process for disabling accounts when someone leaves or a contractor engagement ends. If the answer is "it depends on the manager remembering to submit a ticket," that is a process gap with real security consequences.
Check where your privileged credentials actually live. If any admin passwords exist in a spreadsheet, a shared drive, a sticky note, a chat message, or a configuration file, those are not credentials under management. Those are credentials waiting to be stolen.

The attacker does not need to be smart. They need you to leave the door unlocked. PAM is how you start locking it.