Identity Attacks Jump 850%, Overtaking Endpoints as the Biggest Threat in Enterprise Security

Red Canary 2026 Threat Detection Report reveals identity attacks now account for more than half of all detected threats, signaling a major shift in enterprise security priorities.

Published on Mar 23, 2026

Identity-based attacks surged 850% in 2025, accounting for 53% of all detected threats. Red Canary's researchers noted that this spike reflects both increased identity-focused attacker activity and expanded visibility, including broader adoption of identity products, better coverage for risky logins, and more automation-based detection.

The new data is based on analysis of more than 110,000 confirmed threats across endpoints, cloud infrastructure, identities, and SaaS applications during 2025. According to the report, identity threats represented just 20% of detections in 2024, making the jump to 53% in one year a significant change in the threat landscape.

Red Canary said the figures reflect how enterprise environments have moved toward cloud services and SaaS applications, as well as hybrid-work scenarios, where identity systems have largely replaced traditional network perimeters as the primary control point.

In the report, the security researchers said that attackers are increasingly targeting valid user accounts instead of relying on software flaws because account compromise usually allows immediate access to several systems and services at once.

Identity is Now the Primary Security Boundary

The report also outlined several common identity attack techniques documented in 2025, including device code phishing, Adversary-in-the-Middle (AitM) phishing, credential harvesting through infostealer malware, and MFA bypass techniques.

Credential theft remains a major driver of identity attacks, particularly via infostealer malware that collects session tokens, passwords, and API keys.

Attackers also frequently exploited exposed credentials in source code repositories, environment variables, and cloud workloads, especially those belonging to non-human identities, which are often not protected by MFA.

The report concluded that identity-based systems are now the most critical security boundary for most organizations, particularly as companies continue moving applications, infrastructure, and data into cloud environments.

For security teams, the priority is clear: treat identity infrastructure with the same rigor as the network perimeter. That means MFA enforcement on both human and non-human accounts, monitoring for risky logins, and auditing exposed credentials in source code and cloud environments.
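As an added illustration of the credential-audit step recommended above (example code, not from Red Canary or the report), the following Python scan flags secret-like values in constructed source lines and secret-bearing environment variable names. Only the AWS access key ID prefix is a documented public format; the other patterns are generic heuristics and will need tuning for a real code base.

```python
import re

# Credential formats commonly leaked into source and config files.
# "AKIA" + 16 uppercase/digit characters is the documented AWS access key ID
# format; the remaining patterns are heuristics, not vendor-exact formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?[A-Za-z0-9/+_\-]{16,}"
    ),
}

# Environment variable names that usually carry secrets (heuristic).
SECRET_ENV_NAME = re.compile(r"(?i)(secret|token|password|api[_-]?key)")


def scan_source(text, origin="<inline>"):
    """Return (origin, line number, pattern name) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((origin, lineno, name))
    return findings


def scan_environment(env):
    """Return sorted names of non-empty variables whose name looks secret-bearing."""
    return sorted(k for k, v in env.items() if v and SECRET_ENV_NAME.search(k))


# Constructed sample input: a config file as it might be committed by mistake.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
api_key = "abcdefghijklmnopqrstuvwxyz012345"
LOG_LEVEL = "info"
"""

# Constructed environment, e.g. a CI runner's variables.
SAMPLE_ENV = {"PATH": "/usr/bin", "CI_DEPLOY_TOKEN": "x" * 20, "HOME": "/root"}

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE, "config.py"):
        print("source finding:", finding)
    print("secret-bearing env vars:", scan_environment(SAMPLE_ENV))
```

Findings here point at where a credential sits, not whether it is valid; the follow-up is rotation and moving the value into a secrets manager rather than just deleting the line.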