TL;DR: Dark Reading’s 2025 Incident Response Survey found that organisations are treating data breaches as increasingly inevitable, pushing many security programmes toward faster response and resilience across more than 20 industry sectors. The shift matters because identity governance, access containment, and recovery playbooks now have to work under breach assumptions rather than prevention-only models.
NHIMG editorial — based on content published by Cyera: The State of Enterprise Incident Response Report
By the numbers:
- Dark Reading’s 2025 Incident Response Survey queried respondents from organizations across more than 20 industry sectors.
Questions worth separating out
Q: How should security teams prepare incident response for non-human identities?
A: Security teams should prepare incident response for non-human identities by grouping secrets, tokens, certificates, and service accounts into explicit containment tiers.
Q: Why do non-human identities make incident response harder?
A: Non-human identities make incident response harder because they often outlive sessions, bypass human review cycles, and can be reused across systems.
Q: What breaks when incident response does not include NHI governance?
A: When incident response does not include NHI governance, teams lose control over the credentials that attackers can replay after initial access.
Practitioner guidance
- Classify identities by containment priority: Group human accounts, service accounts, API keys, and certificates into separate IR revocation tiers so responders know which access paths to disable first.
- Pre-stage identity revocation playbooks: Document the exact sequence for disabling high-risk credentials, rotating secrets, and invalidating delegated access before the incident has fully propagated.
- Test recovery with access revalidation: Require every restoration step to confirm that the identity being brought back is still trusted, still scoped, and still needed.
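One way to encode the three guidance items above as a pre-staged playbook, added here as an example and not taken from the Cyera report or this editorial. The tiering rule, the field names and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

STEPS = ("disable", "rotate_secret", "invalidate_delegations")  # sequence from the guidance

@dataclass
class Identity:
    name: str
    kind: str                 # "human", "service_account", "api_key", "certificate"
    privileged: bool
    systems: set              # systems that accept this credential
    scopes: set               # scopes currently granted
    approved_scopes: set      # scopes the owner has signed off on
    owner: str = ""           # team accountable for revocation and recovery
    rotated_after_incident: bool = False
    still_needed: bool = False

def containment_tier(i):
    """Tier 1 is disabled first. This scoring rule is an assumption, not from the report."""
    if i.privileged and len(i.systems) > 1:
        return 1
    if i.privileged or len(i.systems) > 1 or i.kind != "human":
        return 2
    return 3

def revocation_plan(inventory):
    """Ordered (tier, identity, step) tuples, highest-priority tier first."""
    ordered = sorted(inventory, key=lambda i: (containment_tier(i), i.name))
    return [(containment_tier(i), i.name, s) for i in ordered for s in STEPS]

def revalidate(i):
    """Reasons a restoration must be blocked; an empty list means it may proceed."""
    reasons = []
    if not i.rotated_after_incident:
        reasons.append("not trusted: credential not rotated since incident")
    if not i.scopes <= i.approved_scopes:
        reasons.append("over-scoped: " + ", ".join(sorted(i.scopes - i.approved_scopes)))
    if not i.still_needed or not i.owner:
        reasons.append("not needed or no accountable owner")
    return reasons

# Constructed sample inventory; every name here is hypothetical.
INVENTORY = [
    Identity("alice", "human", False, {"vpn"}, {"read"}, {"read"}, "it", True, True),
    Identity("ci-deployer", "service_account", True, {"ci", "prod-k8s"},
             {"deploy", "admin"}, {"deploy"}, "platform", True, True),
    Identity("billing-api-key", "api_key", False, {"billing"}, {"read"}, {"read"}),
]

if __name__ == "__main__":
    for step in revocation_plan(INVENTORY):
        print(step)
    for ident in INVENTORY:
        print(ident.name, revalidate(ident) or "restore allowed")
```

An identity with no owner fails revalidation even when its scopes are clean, which mirrors the accountability point: a credential nobody owns cannot be confirmed as still needed.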
What's in the full report
Cyera's full report covers the operational detail this post intentionally leaves for the source:
- The survey methodology behind Dark Reading’s incident response findings, including the respondent mix across senior security roles.
- The detailed breakdown of current IR tools and processes that organisations say they rely on during material incidents.
- The specific concerns, obstacles, and capability plans respondents reported for the coming year.
- The full set of questions used to gauge how teams are balancing prevention, response, and resilience.
Incident response in 2025: what IAM teams need to prepare for?
Explore further
Enterprise incident response is now an identity governance problem as much as a SOC problem. The survey’s core message is that organisations are designing for breach inevitability, which means response success depends on knowing which identities can still act when controls fail. That includes human accounts, service identities, secrets, and any delegated access path that can widen the blast radius. Practitioners should treat identity containment as a first-class IR capability.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when a compromised service account expands a breach?
A: Accountability sits across security operations, IAM, and the application or platform owner that depends on the service account. If no team owns revocation, rotation, and recovery validation, the credential becomes a persistent breach pathway. Frameworks such as NIST CSF and zero-trust models both expect clear access responsibility, especially when compromise affects business-critical systems.