Identity exposure
Identity is an exposure class you can analyze with the same rigor as CVEs — here is who attacks identity, which weaknesses admit them, and which controls actually cover it.
18 of the 243 victim-carrying actors we track used an identity technique — that is 18 of the 21 whose ATT&CK TTPs are mapped.
11,395 identity-weakness CVEs · 127 identity-using actors · 2,004 IA/AC control mappings (896 IA, 1,108 AC).
Last updated: 04 July 2026 04:24 UTC. This is identity exposure analysis from public data — not an identity posture product; we never see your IdP.
Who attacks identity
Of the 127 tracked actors with at least 10 mapped ATT&CK techniques and at least one identity technique, these lean hardest on the identity layer — ranked by the share of their toolkit that is credential access or identity abuse.
| Actor | Identity techniques | Share of toolkit |
|---|---|---|
| ShinyHunters (criminal) | 2 of 5 | 40% |
| Leafminer (unknown) | 5 of 26 | 19% |
| 2016 Ukraine Electric Power Attack (state) | 4 of 28 | 14% |
| Salt Typhoon (state) | 3 of 23 | 13% |
| LAPSUS$ (hacktivist) | 8 of 62 | 13% |
| Indrik Spider (state) | 6 of 47 | 13% |
| Leviathan Australian Intrusions (state) | 4 of 32 | 12% |
| FIN5 (unknown) | 2 of 16 | 12% |
| Storm-0501 (unknown) | 7 of 62 | 11% |
| Fox Kitten (state) | 6 of 54 | 11% |
| Scattered Spider (unknown) | 9 of 83 | 11% |
| APT33 (state) | 5 of 47 | 11% |
Identity techniques = ATT&CK Credential Access (TA0006) plus Valid Accounts, Account Manipulation, and Create Account.
Which weaknesses admit them
11,395 CVEs cite an identity-weakness CWE (broken/missing authentication, unprotected or hard-coded credentials, session flaws, weak recovery) — 2,303 published in the last year, and 107 confirmed exploited in CISA KEV. The highest composite-risk entries:
| CVE | Identity CWE | CVSS | Peak EPSS | Risk |
|---|---|---|---|---|
| CVE-2023-35078 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2023-35082 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2017-7921 (KEV, High EPSS) | CWE-287 | 9.8 | 1.0000 | 100 |
| CVE-2017-10271 (KEV, High EPSS) | CWE-306 | 7.5 | 0.9999 | 100 |
| CVE-2024-7593 (KEV, High EPSS) | CWE-287 | 9.8 | 0.9999 | 100 |
| CVE-2023-46805 (KEV, High EPSS) | CWE-287 | 8.2 | 0.9999 | 100 |
| CVE-2022-40684 (KEV, High EPSS) | CWE-287 | 9.8 | 0.9998 | 100 |
| CVE-2023-42793 (KEV, High EPSS) | CWE-306 | 9.8 | 0.9998 | 100 |
| CVE-2025-3248 (KEV, High EPSS) | CWE-306 | 9.8 | 0.9997 | 100 |
| CVE-2020-0688 (KEV, High EPSS) | CWE-287 | 8.8 | 0.9997 | 100 |
Cohort = CVEs whose NVD weaknesses include CWE-287, CWE-306, CWE-522, CWE-798, CWE-384, CWE-613, CWE-640, CWE-1390, CWE-1391, CWE-259, CWE-521. Risk is the site-wide composite score.
Which controls cover it
How the cross-walk corpus grades the two NIST 800-53 families that own the identity layer. Graded mappings carry a human-QA'd extent verdict; "none" means the pair was assessed and found not to cover — reported, not hidden. STIG-derived rows come from DISA's CCI mapping and carry no grade.
| Family | Full | Mostly | Partial | None | STIG-derived | Total |
|---|---|---|---|---|---|---|
| IA — Identification & Authentication (29 controls mapped) | 20 | 26 | 237 | 141 | 472 | 896 |
| AC — Access Control (39 controls mapped) | 19 | 13 | 165 | 89 | 822 | 1,108 |
Browse the controls at /controls/ and every graded mapping at /xwalks/.
What it costs when it fails
- SEC 8-K · STRYKER CORP — material cybersecurity incident · G1055 · Apr 2026
Classification is precision-over-recall: a filing is flagged only when its stored text matches a credential/identity keyword (0 today) or its attributed actor's ATT&CK toolkit includes an identity technique (1 today). Most 8-K filings disclose no vector at all, so identity-vector breaches are undercounted here — never overcounted. All tracked filings: /breaches.html.