Threat actors exploit identity at “industrial scale” as trust becomes the attack surface

Adversaries are pushing beyond the perimeter to exploit the trusted infrastructure that keeps global businesses running.

The trust infrastructure underpinning modern enterprises is now a prime target for threat actors who are “industrialising” the exploitation of identity and automation systems.

That’s the warning from SentinelOne in its annual threat report, which describes “a clear shift in adversaries’ strategic focus”.

Rather than concentrating on initial breaches, attackers are increasingly abusing legitimate credentials and operating beyond the perimeter in spaces that traditional security telemetry tools often struggle to monitor, researchers found.

"While targeting core systems such as identity, infrastructure, and automation is not new, we observed these tactics executed at an industrial scale in 2025," SentinelOne wrote.

"As traditional perimeters have softened, much of the meaningful activity now takes place inside the systems organizations rely on every day rather than at the initial point of entry."

In practice, this means attackers are no longer simply breaking in and stealing data before being detected. Instead, they are embedding themselves inside the machinery of modern enterprises - abusing credentials, manipulating software pipelines and exploiting ageing infrastructure to operate quietly at scale.

At the same time, defenders are grappling with an explosion of telemetry generated by cloud platforms, SaaS services and identity systems that were never designed to be monitored as a single environment. This fragmentation creates structural blind spots where malicious activity can blend into routine operational noise.

The result is a widening gap between attackers and defenders. Threat actors are becoming more systematic and more persistent, while many organisations are still attempting to secure highly interconnected digital estates using perimeter-era assumptions and manual investigation workflows.

Identity sits at the centre of this shift. A single compromised account can provide access to dozens of systems across cloud environments, developer tools and internal applications, allowing attackers to operate inside normal business processes while appearing to behave like legitimate users.

The pivot to identity has been particularly visible in state-linked campaigns. North Korean threat actors, for example, have gone beyond credential theft by constructing entirely false digital identities to get jobs inside Western technology firms. Once embedded as legitimate insiders, they can access development environments, cloud infrastructure and sensitive data without triggering traditional intrusion alarms.

"Living off the pipeline"

SentinelOne said that attackers are increasingly targeting software development pipelines, where security visibility is often weaker and trust assumptions are higher. By compromising build systems and automation workflows earlier in the lifecycle, attackers can introduce malicious code, extract secrets or manipulate releases before software ever reaches production.

Beyond human users, attackers are increasingly exploiting machine identities, including service accounts, API tokens, and automated integrations that quietly connect enterprise systems. This allows data to be moved between platforms without triggering traditional alerts tied to suspicious logins or malware execution.
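The point above is that machine-identity abuse rarely produces a "suspicious login" or a malware alert, so detection has to come from the behaviour of the identity itself. The script below is an added example (not code from the SentinelOne report) that profiles each service account from a constructed set of audit records and flags recent activity that departs from that profile: a new source network, a first-time target, an egress volume far above the account's history, or an identity with no history at all. The record fields (`principal`, `src_ip`, `action`, `target`, `bytes_out`) and the corporate address ranges are assumptions standing in for whatever a real cloud or SaaS audit log exposes.

```python
"""Baseline-and-deviation check for machine identities (added example).

The audit records below are constructed for illustration. The field names and
the corporate network ranges are assumptions about a generic audit log, not
any vendor's schema.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space; anything outside it is labelled "external".
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed "known good" history used to build per-identity profiles.
BASELINE = [
    {"principal": "svc-ci-deploy", "src_ip": "10.20.0.14", "action": "artifact.read",  "target": "build-bucket",        "bytes_out": 52_000_000},
    {"principal": "svc-ci-deploy", "src_ip": "10.20.0.15", "action": "artifact.write", "target": "release-bucket",      "bytes_out": 80_000_000},
    {"principal": "svc-crm-sync",  "src_ip": "10.40.1.9",  "action": "records.read",   "target": "crm-db",              "bytes_out": 5_000_000},
    {"principal": "svc-crm-sync",  "src_ip": "10.40.1.9",  "action": "records.write",  "target": "analytics-warehouse", "bytes_out": 5_000_000},
]

# Constructed recent activity to evaluate against those profiles.
RECENT = [
    {"principal": "svc-ci-deploy",     "src_ip": "10.20.0.14",  "action": "artifact.read", "target": "build-bucket",   "bytes_out": 48_000_000},
    {"principal": "svc-ci-deploy",     "src_ip": "203.0.113.7", "action": "artifact.read", "target": "build-bucket",   "bytes_out": 40_000_000},
    {"principal": "svc-crm-sync",      "src_ip": "10.40.1.9",   "action": "records.read",  "target": "crm-db",         "bytes_out": 900_000_000},
    {"principal": "svc-crm-sync",      "src_ip": "10.40.1.9",   "action": "records.write", "target": "ext-file-share", "bytes_out": 900_000_000},
    {"principal": "svc-unknown-token", "src_ip": "10.40.1.22",  "action": "records.read",  "target": "crm-db",         "bytes_out": 1_000},
]


def net_label(ip):
    """Collapse a source address to the corporate range containing it, or 'external'."""
    addr = ip_address(ip)
    for net in CORP_NETS:
        if addr in net:
            return str(net)
    return "external"


def build_baseline(records):
    """Per-identity profile: source networks seen, targets touched, largest single egress."""
    profiles = defaultdict(lambda: {"src_nets": set(), "targets": set(), "max_bytes": 0})
    for rec in records:
        prof = profiles[rec["principal"]]
        prof["src_nets"].add(net_label(rec["src_ip"]))
        prof["targets"].add(rec["target"])
        prof["max_bytes"] = max(prof["max_bytes"], rec["bytes_out"])
    return profiles


def detect(records, profiles, egress_factor=3):
    """Return one finding per record that deviates from its identity's profile.

    Flags are emitted in a fixed order so results are stable for review:
    new_source_network, new_target, egress_spike; or unknown_identity when the
    principal has no history at all.
    """
    findings = []
    for rec in records:
        prof = profiles.get(rec["principal"])
        flags = []
        if prof is None:
            flags.append("unknown_identity")
        else:
            if net_label(rec["src_ip"]) not in prof["src_nets"]:
                flags.append("new_source_network")
            if rec["target"] not in prof["targets"]:
                flags.append("new_target")
            if prof["max_bytes"] and rec["bytes_out"] > egress_factor * prof["max_bytes"]:
                flags.append("egress_spike")
        if flags:
            findings.append({"principal": rec["principal"], "action": rec["action"],
                             "target": rec["target"], "src_ip": rec["src_ip"], "flags": flags})
    return findings


def run_demo():
    """Build profiles from BASELINE and evaluate RECENT against them."""
    return detect(RECENT, build_baseline(BASELINE))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['principal']:<18} {f['action']:<15} {f['target']:<20} {f['src_ip']:<13} {', '.join(f['flags'])}")
```

None of the flagged records would fail authentication or carry malware; each token is valid and each action is one the account is permitted to perform. What changes is the context the account operates in, which is why the profile is keyed on the machine identity rather than on the login event. In production the baseline window, the egress multiplier and the network labelling would be tuned per identity class (CI runners legitimately burst, sync jobs usually do not).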

Security researchers have also observed intruders abusing legitimate remote management tools to blend into routine IT activity. By persuading employees to install trusted support utilities, attackers can establish persistent access that appears indistinguishable from authorised maintenance operations.

At the network edge, legacy infrastructure such as VPN gateways and firewalls is increasingly providing footholds for attackers as “edge decay” leaves ageing devices exposed. These systems are often difficult to patch or replace without operational disruption, creating persistent blind spots that intruders can use to move deeper into enterprise environments.

Meanwhile, the tempo of intrusions is accelerating as criminal groups adopt automation and AI-assisted tooling. Vulnerability scanning, credential harvesting and lateral movement can now be orchestrated at machine speed, shrinking the window defenders have to detect and contain attacks. In some cases, organisations have moved from initial compromise to widespread system impact in minutes rather than days.

"The threat landscape is always evolving, but the underlying lessons remain," said Steve Stone, Chief Customer Officer at SentinelOne. "Attackers are relying less on single exploits or malware families and more on the gaps between security and operations, on blind spots in trusted systems, and on defenders being slower to adopt the same machine multipliers that adversaries now use as standard.

"Closing the gap is not about chasing every new tool threat actors deploy, but about continuously testing whether the controls can withstand the kinds of pressure of modern attacks."