TL;DR: Attackers turned Stryker’s Microsoft Intune plane into a non-encrypting wiper, factory-resetting about 200,000 endpoints across 79 offices after an AiTM session-theft chain and privilege escalation, according to SlashID. The breach shows endpoint management platforms can become destructive control planes when privileged identity is not tightly bounded.
NHIMG editorial — based on content published by SlashID: Analysis of the 2026 Stryker Breach and cloud endpoint management abuse
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.
Questions worth separating out
Q: What breaks when a cloud endpoint-management identity is stolen?
A: A stolen endpoint-management identity can turn legitimate administrative access into destructive fleet action if it carries standing privileges.
Q: Why do privileged device-management sessions create such a large blast radius?
A: Privileged device-management sessions create a large blast radius because a single identity often reaches every enrolled endpoint.
Q: What do security teams get wrong about endpoint-management compromise?
A: Security teams often treat endpoint-management compromise as an administrative nuisance instead of a high-impact identity event.
Practitioner guidance
- Map device-management blast radius: Inventory every identity that can issue Intune, MDM, or cloud-management commands, then document the exact actions each one can trigger across the fleet.
- Require phishing-resistant authentication for privileged consoles: Move high-impact admin and control-plane access to phishing-resistant methods and bind sessions to device or context where possible.
- Add just-in-time elevation for destructive actions: Separate read-only administration from write-capable management, then gate fleet-wide actions behind just-in-time privilege and explicit approval.
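As an added illustration of the three guidance points above (not code from SlashID, NHIMG, or Microsoft), the block below gates management commands on phishing-resistant auth plus an approved just-in-time grant, and runs a blast-radius detection pass over constructed audit events. Action names, auth-method labels, the actor identities and the audit records are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Management actions treated as destructive or fleet-wide. Action and
# auth-method names are illustrative placeholders, not Intune identifiers.
DESTRUCTIVE_ACTIONS = {"wipe", "factory_reset", "retire", "bulk_policy_change"}
PHISHING_RESISTANT = {"fido2", "certificate"}

def authorize(event, jit_grants):
    """Gate one management command. Read-only actions pass; destructive
    actions need a phishing-resistant session and an approved, unexpired
    just-in-time grant for the acting identity. Returns (allowed, reason)."""
    if event["action"] not in DESTRUCTIVE_ACTIONS:
        return True, "read-only"
    if event["auth_method"] not in PHISHING_RESISTANT:
        return False, "destructive action without phishing-resistant auth"
    grant = jit_grants.get(event["actor"])
    if grant is None or not grant["approved"] or grant["expires"] < event["ts"]:
        return False, "destructive action without approved JIT grant"
    return True, "jit-approved"

def blast_radius_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Detection pass over audit events: flag the first moment an actor's
    destructive actions reach more than `threshold` distinct devices inside
    `window`. Returns a list of (actor, device_count) tuples."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in per_actor.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window
                start += 1
            devices = {x["device"] for x in evs[start:end + 1]}
            if len(devices) > threshold:
                alerts.append((actor, len(devices)))
                break
    return alerts

# Constructed audit records: one read by a helpdesk identity, then eight
# wipes issued by a single password-authenticated admin within three minutes.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [{"ts": T0, "actor": "helpdesk1", "action": "get_device",
                  "device": "d0", "auth_method": "password"}]
SAMPLE_EVENTS += [{"ts": T0 + timedelta(seconds=20 * i), "actor": "admin7",
                   "action": "wipe", "device": f"d{i}", "auth_method": "password"}
                  for i in range(8)]
```

On the sample data every wipe is denied at the gate, and the detection pass independently flags `admin7` once its wipes span more than five devices, which is the kind of fleet-wide reset pattern the guidance wants caught even if the gate is bypassed.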
What's in the full article
SlashID's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step reconstruction of the Stryker attack chain from infostealer logs to Intune control-plane abuse.
- Detailed discussion of SlashID’s MITM and AiTM detection approach for identifying compromised sessions.
- Operational guidance on phishing-resistant authentication and just-in-time privileged access for management planes.
- Behavioral anomaly detection patterns that can flag suspicious device reset or policy activity.
👉 Read SlashID’s analysis of the 2026 Stryker breach and Intune control-plane abuse →
Cloud endpoint management as a wiper path: what did IAM teams miss?
Explore further
Identity compromise is now a control-plane risk, not just an account-takeover risk. The Stryker breach shows that once an attacker controls the identity that administers a fleet, the platform itself becomes the weapon. This is especially relevant where endpoint management, cloud administration, and NHI-style privileged access converge. Practitioners should treat admin planes as executable infrastructure with blast radius, not as neutral configuration layers.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when a cloud management plane is used to wipe devices?
A: Accountability sits with the teams that govern privileged identity, endpoint management, and operational resilience together. If destructive actions were available through a compromised admin session, then IAM, PAM, and endpoint operations all share responsibility for the exposure. NIST CSF and OWASP NHI both support treating this as a governance failure, not only an incident response issue.
👉 Read our full editorial: Stryker breach shows cloud endpoint management can become a wiper