Some are misreading the 2026 DBIR, skimming the headlines, but missing the bigger picture.

4 Takeaways:

1) Credentials appear in 39% of breaches across the full attack chain

2) Detection stacks often fire on auth events, but attackers have moved post-auth.

3) 3rd-party identity risk up 60% YoY

4) AI agents flagged as the next target. Vulns get them in. Identity is how they move.

We can help.

#ITDR #IVIP #DBIR

The 95-day window between infostealer & ransomware is well-known now, but many programs still lose ground inside it.

3 failure modes:

1) Treating infostealer exposure as an account problem. Password resets don't invalidate cookies, tokens, or device fingerprints.

2) Not watching what the credential does in the window. Reconnaissance is detectable as a graph, not as log lines.

3) Running response on a ticket clock when identity degrades in real time.
#ITDR #IVIP #Ransomware

"If AI runs the investigation, what's left for the analyst?"

Fair concern. Here's our line:
AI does the mechanical work like pulling logs, correlating events, validating with users via Slack. The 10–15 min per alert no one signed up for.

The decision stays human. High-impact actions need approval. Every AI step is auditable.

Augment, don't replace.

gethumming.io/responsible-ai
#ITDR #IVIP #ResponsibleAI

In January 2026, a malicious actor accessed France's national bank account registry using a stolen civil servant credential.
1.2 million accounts. 3 weeks of undetected access & no vulnerability exploited.
Everything was permitted. Every control saw what it expected.
The anomaly was the behavior - query volume and scope inconsistent with any normal workflow.
Authentication monitoring couldn't catch it. Only behavioral monitoring could.
gethumming.io
#ITDR #IVIP #IdentitySecurity #SecurityOps

The AI agent security conversation focuses on individual agents.
The more interesting threat is one layer up at the communication layer between agents.

Inject into the message-passing layer, and a sub-agent executes instructions the orchestrator never issued. Valid credentials. Authorized calls. No obvious anomaly.

The agent that appears responsible may be entirely innocent - used as a relay.

That's the detection frontier. We can help.

gethumming.io
#ITDR #IVIP #IdentitySecurity #AIAgents

Enterprise Strategy Group says the average enterprise spends 11 person-hours investigating a single critical identity alert.

Not 11 minutes. 11 hours.

Attackers move laterally in minutes, and the gap between those two speeds is where system damage accumulates.

Auth Sentry's AI Analysis performs every investigation automatically & delivers real, actionable results.
Average time: under 2 minutes.

Try it free for 7 days:

gethumming.io/how-it-works
#ITDR #IVIP #IdentitySecurity #SecurityOps

How many identities does your organization actually have?
Not your IdP headcount - identities across every provider, OAuth grants, every account that can authenticate somewhere.

3 problem layers:

Multi-provider sprawl: no single IdP shows the full picture
OAuth grant accumulation: persistent, often forgotten, often broad
Unconnected apps: legacy systems with no IdP connection at all

Auth Sentry Monitor covers layers 1 & 2 free.

gethumming.io/monitor
#ITDR #IdentitySecurity #IVIP #SecurityOps

SaaS-to-SaaS lateral movement doesn't look like lateral movement.
App A is OAuth-connected to App B, which connects to App C.

Compromise a session in App A, and those trust relationships come with it.

No new login. No failed auth. No privilege escalation. Just authorized API calls because the OAuth grants already exist.

Most monitoring sees the IdP layer. This movement happens after it.

See the movement you're missing: gethumming.io
#ITDR #IdentitySecurity #SecurityOps #CyberSecurity #IVIP

Detection engineers aren't being displaced by autonomous SOC capabilities. They're being asked to shift perspective.
Not: does this rule fire correctly?
But: which signals are trustworthy enough for the system to act on without me? What confidence threshold separates automatic containment from escalation?

Same deep attacker expertise. Applied to a new layer of decisions.

gethumming.io
#ITDR #SecurityOps #DetectionEngineering #CyberSecurity

El lado del mal - What does it take to keep digital identities secure in the enterprise? https://www.elladodelmal.com/2026/04/que-se-necesita-para-tener-seguras-las.html #Identidad #2FA #ZSP #PAM #CIAM #ISPM #ITDR #Passkeys #MFA #IDP
What does it take to keep digital identities secure in the enterprise?

Personal blog of Chema Alonso ( https://MyPublicInbox.com/ChemaAlonso ): Cybersecurity, AI, Innovation, Technology, Comics & Personal Things.