Cyber Posture

Identity exposure

Identity is an exposure class you can analyze with the same rigor as CVEs — here is who attacks identity, which weaknesses admit them, and which controls actually cover it.

18 of the 243 victim-carrying actors we track used an identity technique — that is 18 of the 21 whose ATT&CK TTPs are mapped.

11,395 identity-weakness CVEs · 127 identity-using actors · 2,004 IA/AC control mappings (896 IA, 1,108 AC).

Last updated: 04 July 2026 04:24 UTC. This is identity exposure analysis from public data — not an identity posture product; we never see your IdP.

Who attacks identity

Of the 127 tracked actors with at least 10 mapped ATT&CK techniques and at least one identity technique, these lean hardest on the identity layer — ranked by the share of their toolkit that is credential access or identity abuse.

| Actor | Type | Identity techniques | Share of toolkit |
|---|---|---|---|
| ShinyHunters | criminal | 2 of 5 | 40% |
| Leafminer | unknown | 5 of 26 | 19% |
| 2016 Ukraine Electric Power Attack | state | 4 of 28 | 14% |
| Salt Typhoon | state | 3 of 23 | 13% |
| LAPSUS$ | hacktivist | 8 of 62 | 13% |
| Indrik Spider | state | 6 of 47 | 13% |
| Leviathan Australian Intrusions | state | 4 of 32 | 12% |
| FIN5 | unknown | 2 of 16 | 12% |
| Storm-0501 | unknown | 7 of 62 | 11% |
| Fox Kitten | state | 6 of 54 | 11% |
| Scattered Spider | unknown | 9 of 83 | 11% |
| APT33 | state | 5 of 47 | 11% |

Identity techniques = ATT&CK Credential Access (TA0006) plus Valid Accounts, Account Manipulation, and Create Account. How actor data is built.

Which weaknesses admit them

11,395 CVEs cite an identity-weakness CWE (broken/missing authentication, unprotected or hard-coded credentials, session flaws, weak recovery) — 2,303 published in the last year, and 107 confirmed exploited in CISA KEV. The highest composite-risk entries:

| CVE | Identity CWE | CVSS | Peak EPSS | Risk |
|---|---|---|---|---|
| CVE-2023-35078 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2023-35082 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2017-7921 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2017-10271 (KEV, High EPSS) | CWE-306 | 7.5 | 0.9999 | 100 |
| CVE-2024-7593 (KEV, High EPSS) | CWE-287 | 9.8 | 0.9999 | 100 |
| CVE-2023-46805 (KEV, High EPSS) | CWE-287 | 8.2 | 0.9999 | 100 |
| CVE-2022-40684 (KEV, High EPSS) | CWE-287 | 9.8 | 0.9998 | 100 |
| CVE-2023-42793 (KEV, High EPSS) | CWE-306 | 9.8 | 0.9998 | 100 |
| CVE-2025-3248 (KEV, High EPSS) | CWE-306 | 9.8 | 0.9997 | 100 |
| CVE-2020-0688 (KEV, High EPSS) | CWE-287 | 8.8 | 0.9997 | 100 |

Cohort = CVEs whose NVD weaknesses include CWE-287, CWE-306, CWE-522, CWE-798, CWE-384, CWE-613, CWE-640, CWE-1390, CWE-1391, CWE-259, CWE-521. Risk is the site-wide composite — how it works.

Which controls cover it

How the cross-walk corpus grades the two NIST 800-53 families that own the identity layer. Graded mappings carry a human-QA'd extent verdict; "none" means the pair was assessed and found not to cover — reported, not hidden. STIG-derived rows come from DISA's CCI mapping and carry no grade.

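| Family | Full | Mostly | Partial | None | STIG-derived | Total |
|---|---|---|---|---|---|---|
| IA — Identification & Authentication (29 controls mapped) | 20 | 26 | 237 | 141 | 472 | 896 |
| AC — Access Control (39 controls mapped) | 19 | 13 | 165 | 89 | 822 | 1,108 |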

Browse the controls at /controls/ and every graded mapping at /xwalks/.

What it costs when it fails

Identity-vector disclosures — SEC 8-K filings: 1 of 77 tracked

Classification is precision-over-recall: a filing is flagged only when its stored text matches a credential/identity keyword (0 today) or its attributed actor's ATT&CK toolkit includes an identity technique (1 today). Most 8-K filings disclose no vector at all, so identity-vector breaches are undercounted here — never overcounted. All tracked filings: /breaches.html.