Why Attackers Are Skipping Exploits and Going Straight for Identity
Darktrace’s 2026 threat report suggests a more efficient playbook: use AI to abuse valid credentials, move faster, and avoid noisy exploit chains altogether. That shift forces defenders to ask whether their strongest control is still patching—or finally hardening identity workflows and session behavior.
CVE-2023-44487 was a rude reminder that attackers do not need a new bug when they can weaponize an old protocol assumption at scale. HTTP/2 Rapid Reset turned a legitimate protocol feature, stream cancellation, into a cheap denial-of-service vector, and the lesson was bigger than the traffic graphs: if the path of least resistance is to abuse something already trusted, attackers will take it. Darktrace’s 2026 threat report points to the same pattern in a different layer of the stack: identity is becoming the preferred control plane for compromise because it is faster, quieter, and does not require a noisy exploit chain.
That should make you uncomfortable if your defensive muscle memory still starts with patching. Patches matter. But the report’s core takeaway — summarized by Industrial Cyber as a shift from exploit-driven breaches to AI-enabled credential abuse — says attackers are optimizing for valid access, not technical elegance. That means tokens, sessions, MFA workflows, and support processes are now the front line. The exploit is often just the opening act; the show starts when the attacker logs in.
Exploits are losing to valid credentials
Darktrace says its 2026 threat data shows a move away from exploit-heavy intrusion toward faster credential abuse across the Americas, with nearly 70% of observed activity fitting that pattern. That matches what incident responders have been seeing for years: once an attacker has a working password, a stolen token, or a hijacked session, they can often skip the messy part entirely. No kernel zero-day. No weaponized document. No flashy crash. Just a login and a boring stream of legitimate-looking API calls.
That is why password spraying, session theft, and MFA fatigue attacks still work against environments that are otherwise “well patched.” You can run CrowdStrike, Microsoft Defender for Endpoint, and Palo Alto Networks gear all day and still lose if your identity stack treats a valid session as proof of trust forever. The uncomfortable truth is that many breaches now succeed because the attacker behaves like a user with an overdue expense report.
AI is scaling credential abuse, not inventing it
The report’s real warning is not that AI creates magic hackers. It is that AI lowers the cost of scale and iteration. A human operator can test a few phishing lures or login attempts; an AI-assisted operator can generate dozens of variants, tune them by response, and pivot quickly when a tenant blocks one path. That matters when you are defending Okta, Entra ID, Google Workspace, or any SSO layer where a single successful credential event can cascade into dozens of downstream systems.
This is where defenders still underestimate the threat. AI does not need to crack bcrypt to be useful. It can sort leaked credentials, tailor phishing to a user’s role, and automate the follow-up after a first foothold. If your detection logic only wakes up on exploit indicators, you are already behind. The better question is whether you can spot impossible travel, token reuse, anomalous consent grants, or a service account suddenly acting like a part-time sysadmin.
Your real breach surface is the identity workflow
The Okta support system breach in 2023 is the kind of incident people should remember more often than they do. Attackers accessed HAR files that customers had uploaded to Okta’s support case management system while troubleshooting. A HAR file is the browser’s full record of requests and responses, cookies and headers included, so unless the customer had scrubbed it first, it carried live session tokens, and a file attached to a ticket was as good as the sessions it captured. That was not a “break the app” story; it was a “break the trust boundary around identity artifacts” story. SolarWinds had a similar flavor: the compromise lived in the supply chain (a trojanized, legitimately signed update) and in the trust model around it, not in a garden-variety unpatched endpoint.
That is the non-obvious shift Darktrace is pointing at: the weakest link is often not authentication itself, but everything around it — support workflows, token handling, session duration, helpdesk resets, consent grants, and privileged access approvals. If your threat model does not include your own supply chain and your own identity operations, it is not a threat model. It is a wish list with audit screenshots.
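The concrete control for the HAR problem is to scrub the file before it ever reaches a ticket. The sanitizer below is an added example, not Okta’s tooling or anything from the Darktrace report. It walks the HAR 1.2 layout (log.entries[].request/response with headers, cookies and content), redacts credential-bearing headers and every cookie value, and blanks token fields in plain-text JSON response bodies (base64-encoded bodies are not handled). The header and JSON key lists are assumptions to extend for your vendors, and the embedded HAR is constructed, not a real capture.

```python
import copy
import json

# Header names whose values are credentials or session material. Assumption:
# this list covers the common cases; extend it for vendor-specific headers.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-csrf-token", "x-xsrf-token"}
# JSON keys in response bodies that carry tokens (OAuth/OIDC token endpoints). Assumed list.
TOKEN_KEYS = {"access_token", "id_token", "refresh_token", "session_token"}
REDACTED = "[REDACTED]"


def _redact_headers(headers):
    return [dict(h, value=REDACTED) if h.get("name", "").lower() in SENSITIVE_HEADERS else h
            for h in headers]


def _redact_cookies(cookies):
    # A cookie value is a session identifier more often than not: keep names, drop values.
    return [dict(c, value=REDACTED) for c in cookies]


def _redact_token_body(content):
    # Only plain-text JSON bodies are inspected; anything else is returned untouched.
    try:
        body = json.loads(content.get("text") or "null")
    except ValueError:
        return content
    if not isinstance(body, dict) or not (TOKEN_KEYS & body.keys()):
        return content
    body.update({k: REDACTED for k in TOKEN_KEYS & body.keys()})
    return dict(content, text=json.dumps(body))


def sanitize_har(har):
    """Return a deep copy of a HAR 1.2 document with session-bearing values redacted."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side)
            if msg:
                msg["headers"] = _redact_headers(msg.get("headers", []))
                msg["cookies"] = _redact_cookies(msg.get("cookies", []))
        resp = entry.get("response")
        if resp and "content" in resp:
            resp["content"] = _redact_token_body(resp["content"])
    return out


def leaked_values(har):
    """Secrets still sitting in sensitive positions; an empty list means the file is clean."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            found += [h.get("value") for h in msg.get("headers", [])
                      if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED]
            found += [c.get("value") for c in msg.get("cookies", []) if c.get("value") != REDACTED]
        content = (entry.get("response") or {}).get("content", {})
        try:
            body = json.loads(content.get("text") or "null")
        except ValueError:
            body = None
        if isinstance(body, dict):
            found += [v for k, v in body.items() if k in TOKEN_KEYS and v != REDACTED]
    return found


# Constructed sample: one token-endpoint call carrying a session cookie and a
# bearer header, answered with an OAuth token response. Not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://sso.example.test/oauth2/v1/token",
        "headers": [{"name": "Host", "value": "sso.example.test"},
                    {"name": "Authorization", "value": "Bearer eyJhbGciOi.example"},
                    {"name": "Cookie", "value": "sid=abc123; idx=def456"}],
        "cookies": [{"name": "sid", "value": "abc123"}, {"name": "idx", "value": "def456"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=newsession; HttpOnly; Secure"}],
        "cookies": [{"name": "sid", "value": "newsession"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"access_token": "tok-1", "refresh_token": "tok-2",
                                        "expires_in": 3600})},
    },
}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(f"leaked before: {len(leaked_values(SAMPLE_HAR))}, after: {len(leaked_values(clean))}")
```

Run `leaked_values` on the output as a gate in whatever uploads the file; if it is non-empty, refuse the upload rather than trusting the redaction. The allowlists are deliberately the weak point here: a header your IdP uses that is not in SENSITIVE_HEADERS goes through untouched, so review them against your own traffic.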
Defend sessions like they matter
The practical answer is not “buy more AI.” It is boring controls applied ruthlessly. Short-lived sessions, phishing-resistant MFA, least privilege, device posture checks, and aggressive log review still beat heroic detective work after the fact. If you are running Entra ID, Okta, or Google Workspace, instrument the identity plane like it is production traffic: alert on token replay, new device enrollment, privilege escalation, and unusual admin consent. If you use ServiceNow, Zendesk, or any support channel that can expose auth artifacts, treat it like a sensitive system, not a ticket bucket.
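The alerts named above, and the signals the earlier paragraph on AI-scaled credential abuse says defenders should be watching for (impossible travel, token reuse, consent grants, a service account acting like an admin), reduce to a handful of rules over the identity plane’s own logs. The following is an added example, not code from Darktrace or from any of the vendors named on this page. It runs over a constructed event list with an assumed generic schema (ts, user, ip, geo, device, session, result, op, target) rather than any vendor’s real sign-in or audit log format, and every threshold is an assumption to tune per tenant. It also covers password spraying and MFA push fatigue from the earlier section, since they fall out of the same data.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Thresholds are assumptions to tune per tenant, not values from the report.
MAX_SPEED_KMH = 900        # faster than an airliner between two sign-ins
MIN_JUMP_KM = 100          # ignore geo-IP jitter inside one metro area
SPRAY_MIN_USERS = 5        # distinct users failing a password from one IP
SPRAY_WINDOW_MIN = 15
MFA_FATIGUE_MIN = 3        # pushes rejected or ignored by one user
MFA_WINDOW_MIN = 10
ADMIN_OPS = {"role.assign", "consent.grant", "app.credential.add"}  # assumed op names
SERVICE_PREFIX = "svc-"    # assumed naming convention for service accounts


def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def _span_minutes(evs):
    return (_ts(evs[-1]) - _ts(evs[0])).total_seconds() / 60

def impossible_travel(events):
    """Consecutive successful sign-ins per user that imply an impossible speed."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["result"] == "success" and "geo" in e:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = max((_ts(cur) - _ts(prev)).total_seconds() / 3600, 1 / 60)
            dist = _km(prev["geo"], cur["geo"])
            if dist > MIN_JUMP_KM and dist / hours > MAX_SPEED_KMH:
                hits.append((user, prev["ip"], cur["ip"], round(dist)))
    return hits

def token_replay(events):
    """One session/token id presented from more than one (ip, device) pair."""
    seen = defaultdict(set)
    for e in events:
        if e.get("session"):
            seen[e["session"]].add((e["ip"], e.get("device")))
    return [(sid, sorted(pairs)) for sid, pairs in seen.items() if len(pairs) > 1]

def password_spray(events):
    """Many distinct users failing a password from one IP inside a short window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["result"] == "failed_password":
            by_ip[e["ip"]].append(e)
    return [(ip, len({e["user"] for e in evs})) for ip, evs in by_ip.items()
            if len({e["user"] for e in evs}) >= SPRAY_MIN_USERS
            and _span_minutes(evs) <= SPRAY_WINDOW_MIN]

def mfa_fatigue(events):
    """Repeated rejected or ignored MFA pushes: someone is hammering the prompt."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["result"] == "mfa_denied":
            by_user[e["user"]].append(e)
    return [(u, len(evs)) for u, evs in by_user.items()
            if len(evs) >= MFA_FATIGUE_MIN and _span_minutes(evs) <= MFA_WINDOW_MIN]

def risky_admin_ops(events):
    """Admin-plane operations by service accounts, plus every consent grant for review."""
    return [(e["user"], e["op"], e.get("target")) for e in events
            if e.get("op") in ADMIN_OPS
            and (e["user"].startswith(SERVICE_PREFIX) or e["op"] == "consent.grant")]

def run_detections(events):
    rules = (impossible_travel, token_replay, password_spray, mfa_fatigue, risky_admin_ops)
    return {f.__name__: f(events) for f in rules}


def ev(hhmm, user, ip, result="success", **extra):
    """Build a constructed event on a fixed date (fixture helper, not a log parser)."""
    return {"ts": f"2026-01-12T{hhmm}:00", "user": user, "ip": ip, "result": result, **extra}

# Constructed sign-in and audit events; not from any real tenant or vendor log.
EVENTS = [
    # alice signs in from London; 30 min later her session id appears from New York
    ev("08:00", "alice", "203.0.113.5", geo=(51.50, -0.12), device="laptop-1", session="S-1"),
    ev("08:30", "alice", "198.51.100.9", geo=(40.71, -74.00), device="unknown", session="S-1"),
    # bob: same office, same device, hours apart (benign)
    ev("09:00", "bob", "203.0.113.7", geo=(51.50, -0.12), device="laptop-2", session="S-2"),
    ev("12:00", "bob", "203.0.113.7", geo=(51.50, -0.12), device="laptop-2", session="S-2"),
    # one IP, five users, one failed password each within four minutes: a spray
    *[ev(f"03:0{i}", u, "192.0.2.44", "failed_password")
      for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])],
    # dave rejects four pushes in four minutes: MFA fatigue
    *[ev(f"04:1{i}", "dave", "192.0.2.44", "mfa_denied") for i in range(4)],
    # a service account grants app consent; an admin assigns a role (only the first is flagged)
    ev("10:00", "svc-backup", "203.0.113.50", op="consent.grant", target="mail-sync-app"),
    ev("10:05", "admin-hal", "203.0.113.51", op="role.assign", target="bob"),
]
```

`run_detections(EVENTS)` returns one finding per rule for the constructed data, and nothing for bob. Two design points carry over to production: the replay rule keys on the session or token id rather than the account, because a replayed token looks like a perfectly valid user otherwise, and the travel rule ignores short hops so that geo-IP noise inside one city does not page anyone.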
You should also red-team your own AI integrations before an attacker does it for you. LLM-connected copilots, internal chatbots, and agent workflows often inherit broad permissions and weak auditability. That is a lovely setup if your goal is “productivity.” It is less lovely if a stolen session can turn an assistant into a data exfiltration relay. The best security control here is still the old one: reduce what any one identity can do, and log everything it touches.
Bottom line
Darktrace’s 2026 report is not saying exploits are dead. It is saying attackers have found a cheaper route to the same outcome: valid identity, faster movement, less noise. That should force a hard reset in how you prioritize defense. Patching still matters, but if your highest-confidence control is still “we are current on CVEs,” you are defending yesterday’s breach model.
The next incident is more likely to start with a stolen token than a zero-day. If you want to get ahead of that, do three things now: shorten session lifetimes, require phishing-resistant MFA for privileged access, and alert on token replay, consent abuse, and unusual admin behavior. Stop treating identity as a login problem and start treating it as the primary attack surface it already is.