By NHI Mgmt Group Editorial Team | Published 2026-03-23 | Domain: Governance & Risk | Source: Unosecur

TL;DR: Stryker’s March 2026 cyberattack disrupted Microsoft-based identity and device management systems, locked out employees, and affected manufacturing, logistics, and order processing, according to Unosecur. The incident shows that privileged identities and trusted admin tools can be abused for large-scale disruption without traditional malware, making identity governance the decisive control plane.


At a glance

What this is: An analysis of the Stryker cyberattack and of its lesson that compromised privileged identities can turn legitimate management tools into weapons.

Why it matters: For IAM and NHI practitioners, it underscores that the security boundary has shifted from endpoints to administrative identities, management platforms, and blast-radius control.

👉 Read Unosecur's analysis of the Stryker identity-driven cyberattack


Context

Identity-driven intrusion is the practical risk here: attackers do not need malware if they can take over the administrative identities that govern device management and internal access. In that model, the management plane becomes the attack surface, and the resulting disruption maps directly to NHI governance because service accounts, admin tokens, and privileged sessions can all function as non-human identities.

The Stryker incident is being read as a case of legitimate enterprise tools being used for destructive ends rather than a conventional endpoint compromise. That is not a one-off pattern anymore. It fits a broader shift in which adversaries pursue privilege over payload, then use trusted platforms to create enterprise-wide operational disruption.


Key questions

Q: How should security teams reduce the blast radius of privileged identities?

A: Security teams should define a small set of tightly governed admin identities, give them the minimum authority needed, and make elevation time bound. The goal is to prevent one compromise from cascading across identity, device, and SaaS control planes. Continuous review of who can administer what is more important than periodic access cleanup.

Q: Why do legitimate admin tools make identity attacks harder to detect?

A: Legitimate admin tools are already trusted by monitoring systems and users, so attacker activity can look like routine administration. The right defence is to focus on behaviour, such as unusual session timing, bulk actions, and policy changes outside change windows. Detection must follow the identity, not just the tool.

Q: What is the difference between endpoint compromise and management-plane compromise?

A: Endpoint compromise affects a device or workload directly, while management-plane compromise gives the attacker control over the systems that administer many endpoints at once. The second is more dangerous because it can create organisation-wide disruption through trusted commands. For IAM teams, that means admin identities deserve PAM-level scrutiny.

Q: When should organisations treat an identity incident as an operational crisis?

A: Organisations should escalate when a privileged identity can change device state, revoke sessions, or alter access policy at scale. At that point the issue is not only account security, it is business continuity. If the compromised identity can affect manufacturing, logistics, or core user access, incident response should shift into crisis management.


Technical breakdown

Why management planes are high-value targets

Identity and device management systems concentrate the ability to control thousands of endpoints, applications, and policy decisions. If an attacker compromises the admin identity behind those systems, they inherit trusted execution paths that can disable devices, alter access, and suppress normal operations without dropping malware. That makes the management plane a force multiplier: a single credential or session can produce organization-wide effects. For NHI governance, this is the same problem seen with over-privileged service accounts. The access path is legitimate, but the authority behind it is too broad and too persistent.

Practical implication: Limit the number of identities that can administer core platforms and treat those identities as high-risk NHIs.

How living-off-the-land attacks change detection

Living-off-the-land means using approved tools already present in the environment, such as identity consoles, device management systems, and SaaS admin portals, instead of malware. That reduces classic indicators of compromise and shifts detection to behaviour: unusual admin actions, impossible travel, abnormal policy changes, and bulk session invalidation. In identity-driven operations, the question is not whether the tool is trusted, but whether the identity using it is behaving as expected. That is why identity telemetry must be correlated with admin actions and control-plane logs.

Practical implication: Build detections around privileged behaviour patterns, not just endpoint malware alerts.
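The behavioural detections described above (bulk actions, policy changes outside a change window, impossible travel) in runnable form. This is an added example, not code from the original article or from Unosecur; the audit-event schema, the action names, the 22:00 to 02:00 UTC change window and the sample events are all constructed stand-ins for an Entra ID / Intune-style audit export, not vendor identifiers or real incident telemetry.

```python
"""Behavioural detection over control-plane audit events.

Added example: not code from the original article or from Unosecur.
The event schema is a constructed, simplified stand-in for an Entra ID /
Intune-style audit record; real exports carry different field names, and
the action names below are assumed, not vendor identifiers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime        # timezone-aware timestamp
    actor: str          # human or non-human identity that issued the action
    action: str
    target: str         # device, policy, user, or "all-users"
    country: str        # geolocation of the admin session (assumed field)


# Routine one at a time, dangerous in bulk (assumed action names).
BULK_ACTIONS = {"DeviceRemoteWipe", "DeviceRetire", "RevokeSignInSessions", "DisableAccount"}
# Should only happen inside an approved change window (assumed action names).
POLICY_ACTIONS = {"UpdateConditionalAccessPolicy", "UpdateCompliancePolicy", "AddRoleMember"}
# Approved change window for this example: 22:00 to 02:00 UTC (assumption).
CHANGE_WINDOW_START, CHANGE_WINDOW_END = time(22, 0), time(2, 0)


def in_change_window(ts):
    """True if ts falls inside the approved window; handles a window crossing midnight."""
    t = ts.astimezone(timezone.utc).time()
    if CHANGE_WINDOW_START <= CHANGE_WINDOW_END:
        return CHANGE_WINDOW_START <= t < CHANGE_WINDOW_END
    return t >= CHANGE_WINDOW_START or t < CHANGE_WINDOW_END


def detect(events, bulk_threshold=20, bulk_window=timedelta(minutes=10),
           travel_window=timedelta(hours=1)):
    """Return (alert_type, actor, detail) tuples from one pass over time-ordered events."""
    alerts = []
    recent = defaultdict(deque)    # actor -> deque of (ts, target) for bulk actions
    bulk_alerted = set()           # alert once per actor, not once per event
    last_seen = {}                 # actor -> (ts, country) of the previous event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action in BULK_ACTIONS:
            q = recent[ev.actor]
            q.append((ev.ts, ev.target))
            while q and ev.ts - q[0][0] > bulk_window:
                q.popleft()                      # drop events older than the sliding window
            distinct = {target for _, target in q}
            if len(distinct) >= bulk_threshold and ev.actor not in bulk_alerted:
                alerts.append(("BULK_ACTION", ev.actor,
                               f"{len(distinct)} distinct targets within {bulk_window}"))
                bulk_alerted.add(ev.actor)
        if ev.action in POLICY_ACTIONS and not in_change_window(ev.ts):
            alerts.append(("POLICY_OUTSIDE_WINDOW", ev.actor,
                           f"{ev.action} on {ev.target} at {ev.ts.isoformat()}"))
        prev = last_seen.get(ev.actor)
        if prev and prev[1] != ev.country and ev.ts - prev[0] <= travel_window:
            alerts.append(("IMPOSSIBLE_TRAVEL", ev.actor,
                           f"{prev[1]} -> {ev.country} within {ev.ts - prev[0]}"))
        last_seen[ev.actor] = (ev.ts, ev.country)
    return alerts


def _ev(minute, actor, action, target, country="US"):
    # 14:00 UTC base time: outside the assumed change window.
    base = datetime(2026, 3, 10, 14, 0, tzinfo=timezone.utc)
    return AuditEvent(base + timedelta(minutes=minute), actor, action, target, country)


# Constructed sample events; not real telemetry from any incident.
SAMPLE_EVENTS = (
    # Routine: helpdesk retires three devices over an hour -> no alert.
    [_ev(0, "helpdesk@corp.example", "DeviceRetire", "dev-001"),
     _ev(30, "helpdesk@corp.example", "DeviceRetire", "dev-002"),
     _ev(55, "helpdesk@corp.example", "DeviceRetire", "dev-003")]
    # Suspicious: one admin identity wipes 25 devices in four minutes.
    + [_ev(10 + i // 7, "svc-intune-admin@corp.example", "DeviceRemoteWipe", f"dev-{100 + i}")
       for i in range(25)]
    # Suspicious: Conditional Access policy edited mid-afternoon, outside the window.
    + [_ev(20, "svc-intune-admin@corp.example", "UpdateConditionalAccessPolicy",
           "CA-Require-MFA-Admins")]
    # Suspicious: the same identity reappears from another country 20 minutes later.
    + [_ev(40, "svc-intune-admin@corp.example", "RevokeSignInSessions", "all-users", country="RU")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The three helpdesk retirements never trip the bulk rule because the sliding window keeps only what happened in the last ten minutes, while the service identity's 25 wipes do. The bulk detector counts distinct targets rather than raw events so that retries against one device do not inflate the count, and the impossible-travel check keys on the actor rather than the tool, which is the point of following the identity rather than the console.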

Why destructive operations differ from ransomware

Destructive operations aim to disable services, wipe configurations, or deny access rather than encrypt data for payment. This matters because the attacker objective is disruption, sometimes as retaliation or geopolitical signalling, and recovery depends on restoring identity trust and control-plane integrity, not just decrypting files. In this kind of incident, even clean endpoints can remain unusable if identity infrastructure is compromised. The recovery challenge is therefore both operational and governance-related: you have to know which identities can reissue trust and which ones must be cut off first.

Practical implication: Prepare recovery playbooks that include identity reset, admin revocation, and management-plane rebuild steps.


Threat narrative

Attacker objective: The attacker objective was to disrupt core enterprise operations by weaponizing trusted administrative control of the management plane.

  1. Entry likely occurred through compromise of Microsoft identity and device management administration rather than endpoint malware.
  2. Escalation followed once privileged administrative access was used to issue trusted commands across internal systems.
  3. Impact was operational disruption, including employee lockouts and interruption of manufacturing, logistics, and order processing.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-driven disruption is now a core NHI governance problem, not just a cyber incident pattern. The important shift is that privileged non-human identities can now control the same systems defenders rely on for scale and resilience. When those identities are compromised, the enterprise’s own management stack becomes the attacker’s execution layer. Practitioners should classify administrative identities as operational assets with blast-radius potential, not just access records.

Management-plane compromise creates an identity blast radius that conventional endpoint thinking misses. The security question is no longer only how an attacker got in, but how much authority the compromised identity carried across devices, policies, and sessions. That means entitlement scope, session duration, and administrative segregation matter more than perimeter assumptions. Teams should map where a single identity can fan out into multiple control domains.

Legitimate tooling is becoming the preferred attack surface because it is quieter than malware. Abuse of trusted administration consoles blends into normal operations and can delay detection until services fail. That raises the value of behavioural monitoring, control-plane logging, and just-in-time administrative access. The practitioner conclusion is straightforward: assume admin tools will be targeted and design governance around that assumption.

Destructive identity operations force a different recovery model than ransomware. If attackers can revoke access, alter policies, or disable devices through legitimate control channels, restoration requires more than cleaning endpoints. Recovery must include identity reset, privileged session review, and validation of administrative trust chains. Teams should rehearse identity-centric incident response before an outage proves the gap.

From our research:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
  • For a control framework lens, review OWASP NHI Top 10 for the access, privilege, and trust assumptions that agentic systems inherit.

What this signals

Identity blast radius is the right planning concept for incidents like this. If a single administrative identity can disrupt device trust, policy enforcement, and user access across the enterprise, then the control question is no longer only prevention. It becomes how fast the organisation can detect, isolate, and rebuild those trust paths without compounding the outage.

With 69% of security leaders already saying identity management must fundamentally shift for agentic systems, the governance model for privileged access is moving toward tighter separation, shorter sessions, and stronger control-plane observability.

Teams should map their highest-impact administrative identities now, before a geopolitical or criminal actor does it for them. That mapping should include non-human identities, device-management roles, SaaS super-admins, and any session that can alter trust at scale.


For practitioners

  • Inventory every identity with management-plane authority: catalogue accounts that can manage endpoints, identity systems, SaaS admin consoles, and policy engines. Prioritise service accounts, automation tokens, and super-admin roles that can affect thousands of assets in one action.
  • Shrink privileged session duration: apply just-in-time access and short-lived elevation for administrative work. Long-lived sessions make it easier for attackers to reuse legitimate access after initial compromise, especially in centralized device management.
  • Separate device control from identity administration: do not let the same principals both issue device commands and manage identity policy. Segregation reduces the chance that one compromised account can control authentication, enrollment, and remediation at the same time.
  • Alert on bulk administrative actions: detect mass device lockouts, policy pushes, token revocations, and remote wipe activity as high-severity events. Those actions are normal in small numbers but dangerous when they occur outside approved change windows.
  • Rehearse identity-led recovery: build incident runbooks that start with admin revocation, session invalidation, and control-plane rebuilds. Recovery speed depends on how quickly the team can re-establish trusted identity paths.
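A worked version of the inventory, fan-out mapping and separation-of-duties checks from the list above and from the blast-radius discussion in the analysis section. This is an added example, not the article's or Unosecur's code; the role-to-domain map and the assignments are constructed for illustration and only loosely modelled on Entra ID / Intune built-in role names, so treat both as assumptions to replace with an export from your own tenant.

```python
"""Identity blast-radius mapping over an entitlement inventory.

Added example; not the article's or Unosecur's code. The role-to-domain map
and the assignments are constructed for illustration, loosely modelled on
Entra ID / Intune built-in role names; both are assumptions to replace with
an export from your own tenant.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str     # user, service principal, or automation identity
    kind: str          # "human" or "nhi"
    role: str
    standing: bool     # True = permanently active; False = eligible only (JIT)


# Assumed reach of each role into the control domains the article names.
ROLE_DOMAINS = {
    "Global Administrator": {"identity", "device", "policy", "saas"},
    "Privileged Role Administrator": {"identity"},
    "Intune Administrator": {"device"},
    "Conditional Access Administrator": {"policy"},
    "Exchange Administrator": {"saas"},
    "Helpdesk Administrator": set(),   # modelled as low impact: no tenant-wide control
}

# Pairs one principal should not hold together (separation of duties).
SEPARATION_RULES = (
    ("device", "identity"),   # issue device commands and administer identities
    ("device", "policy"),     # issue device commands and author access policy
)


def domains_for(assignments):
    """principal -> set of control domains reachable through any of its assignments."""
    reach = defaultdict(set)
    for a in assignments:
        reach[a.principal] |= ROLE_DOMAINS.get(a.role, set())
    return reach


def admins_per_domain(reach):
    """How many distinct principals can administer each domain (smaller is better)."""
    counts = defaultdict(int)
    for doms in reach.values():
        for d in doms:
            counts[d] += 1
    return dict(counts)


def assess(assignments):
    """Rank principals by blast radius; flag standing access and SoD violations."""
    reach = domains_for(assignments)
    standing, kind = defaultdict(set), {}
    for a in assignments:
        kind[a.principal] = a.kind
        if a.standing:
            standing[a.principal] |= ROLE_DOMAINS.get(a.role, set())
    report = []
    for principal, doms in reach.items():
        report.append({
            "principal": principal,
            "kind": kind[principal],
            "domains": sorted(doms),
            "fan_out": len(doms),
            "standing_domains": sorted(standing[principal]),
            "sod_violations": [f"{x}+{y}" for x, y in SEPARATION_RULES
                               if x in doms and y in doms],
        })
    # Widest fan-out first, then most standing access, then name for a stable order.
    report.sort(key=lambda r: (-r["fan_out"], -len(r["standing_domains"]), r["principal"]))
    return report


# Constructed inventory; not real assignments from any organisation.
SAMPLE_ASSIGNMENTS = [
    Assignment("ca-admin@corp.example", "human", "Conditional Access Administrator", False),
    Assignment("intune-ops@corp.example", "human", "Intune Administrator", True),
    Assignment("svc-provisioning", "nhi", "Intune Administrator", True),
    Assignment("svc-provisioning", "nhi", "Privileged Role Administrator", True),
    Assignment("break-glass-01@corp.example", "human", "Global Administrator", True),
    Assignment("helpdesk-l1@corp.example", "human", "Helpdesk Administrator", True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSIGNMENTS):
        print(row)
    print(admins_per_domain(domains_for(SAMPLE_ASSIGNMENTS)))
```

On the constructed inventory the report puts the break-glass Global Administrator first (expected, and normally an approved exception that should be excluded by policy rather than by code) and the provisioning service account second: a non-human identity with standing device control and identity administration in one principal, which is exactly the device-plus-identity combination the separation rule flags. The `admins_per_domain` count is the number to drive down when limiting how many identities can administer core platforms.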

Key takeaways

  • Identity-driven attacks turn trusted management tools into high-impact execution paths, which is why privileged identities now require incident-level scrutiny.
  • The breach pattern matters because disruption came from control-plane abuse, not from conventional malware or endpoint exploitation.
  • Security teams should reduce administrative blast radius now by shortening sessions, separating duties, and rehearsing identity-led recovery.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Over-privileged, long-lived admin identities and weak rotation amplify management-plane compromise.
NIST CSF 2.0 | PR.AA-05 | Least privilege and separation of duties are central when admin identities control device and identity platforms.
NIST Zero Trust (SP 800-207) | Section 2.1, tenets 3 and 6 | Per-session access with dynamic, strictly enforced authentication and authorization before administrative actions are allowed.

Apply continuous verification to admin sessions and enforce step-up checks for high-risk control actions.


Key terms

  • Identity Blast Radius: The amount of enterprise damage a single identity can cause if it is compromised. In NHI contexts, blast radius is shaped by privilege scope, session duration, and what systems that identity can administer across identity, device, and SaaS control planes.
  • Management Plane: The layer of tools and consoles used to administer devices, identities, policies, and access at scale. If attackers gain control of this plane, they can issue trusted commands that affect many systems without deploying malware to each one.
  • Living-Off-the-Land: An attack pattern where adversaries use legitimate tools already present in the environment instead of dropping obvious malware. In identity-led incidents, this usually means abusing admin consoles, policy engines, or remote management systems to hide in normal operations.
  • Identity Threat Detection and Response: A security approach that monitors identities, sessions, and privilege use for signs of compromise and then automates containment. It is especially useful when the attacker’s path runs through trusted administrative access rather than endpoint malware.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames Identity Threat Detection and Response for identity-first attack paths.
  • The specific alerting, correlation, and automated containment workflows used to spot suspicious identity behaviour.
  • The article's breakdown of identity posture risks such as over-privilege, dormant admin accounts, and unsafe third-party integrations.
  • The implementation framing for revoking sessions and isolating suspicious identities during response.

👉 Unosecur's full post covers the identity-first detection and response details behind the Stryker disruption.

Deepen your knowledge

Identity blast radius, privileged session control, and management-plane recovery are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation relies on centralized admin tooling, the course provides a practical baseline for governing those identities.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org