Cryptographic Biometric Identity Closes the Authentication Layer

Identity Is the Primary Attack Surface. The Data Confirms It

A new incident response report from Palo Alto Networks Unit 42 — drawn from 750 real-world cases — finds that identity-based techniques drove 65 percent of initial intrusions. Identity played a role in nearly 90 percent of all breaches, from initial access through lateral movement and data exfiltration. This is not a technology failure. It is an architecture failure. And it has a precise solution.

Kevin Surace
3 minute read

AI Can Harden Your Code. It Cannot Verify Your Identity.

Anthropic’s Claude Code Security addresses a real risk. The larger one remains unaddressed. Anthropic recently announced Claude Code Security—an AI system designed to identify vulnerabilities in code, surface potential zero-day exposures, and accelerate remediation before attackers can exploit them. It is a meaningful technical advance. If it performs as described, it will reduce the exploitable software attack surface across the enterprise. That matters. But it does not address the attack surface that is driving the majority of breaches in 2026. Stronger code does not stop an attacker who authenticates with stolen credentials. And that is the primary breach path enterprises face today.

Kevin Surace
3 minute read

The Red Queen Is Real: Identity Has Become the Only Perimeter That Matters

Attackers are accelerating. AI tooling has lowered the cost of sophisticated campaigns to near zero, while the scale of attacks has expanded across every phase of the attack chain — reconnaissance, initial access, lateral movement. The 2025 Tidal Cyber Threat Led Defense Report confirms what security leaders already understand: defenders no longer hold an inherent speed advantage. This is the Red Queen dynamic. Running harder sustains position. It does not advance it. But there is a more precise problem underneath the noise. Phishing and social engineering have changed structurally. Training-based defenses, however disciplined, are now insufficient by design. The architecture of the threat has shifted. The architecture of the response must follow.

Kevin Surace
3 minute read

Wynn Resorts Breach: The Authentication Architecture Problem

Cybercriminals claiming affiliation with the ShinyHunters group have reportedly breached Wynn Resorts, demanding $1.5 million to prevent the release of stolen data. If accurate, the intrusion follows a pattern that has now repeated itself across hospitality, retail, insurance, and aviation. (Read the full article on Casino.org) The method is consistent. The attackers did not defeat network defenses. They authenticated.

Kevin Surace
2 minute read

Tycoon 2FA Is Down. The Attack Model Is Not

Microsoft, Europol, Trend Micro, and a global coalition just disrupted Tycoon 2FA — one of the most prolific phishing-as-a-service platforms ever documented. That is a meaningful outcome. It is not safety. Tycoon 2FA is offline. The attack model that made it successful is not.

Kevin Surace
2 minute read

They Didn't Hack Stryker. They Became Stryker's Admin

What happened at Stryker today isn't a malware story. It's an identity story. And it's one the industry has seen before — the Sony hack, twelve years ago, followed a similar path. A dozen years later, the attack surface has changed. The fundamental failure hasn't.

Kevin Surace
2 minute read

The Cybersecurity Industry Has a Terrifying Problem — and Most CISOs Are Not Scared Enough

A new summary of the MITRE ATT&CK Enterprise Round 7 evaluation reveals that the highest protection score any tested vendor achieved was a mere 31 percent — meaning that 69% of attacks went entirely undetected by even the best-performing vendor in the field. But the more significant finding was buried beneath that number. Across every identity-specific attack scenario in the evaluation, all vendors scored zero blocking — not partial detection, not near misses, but zero. The tools enterprises invest in to stop modern attacks did not intercept a single identity attack, which is precisely the class of threat that now defines the modern threat landscape.

Kevin Surace
4 minute read

The FBI Just Said the Quiet Part Out Loud: Phishing-Resistant Authentication Is Job One

For years, security leaders have debated frameworks, tools, awareness programs, and incremental improvements to authentication workflows, while attackers continued to succeed through the same predictable path: logging in with stolen or relayed credentials rather than breaking through hardened infrastructure.

Kevin Surace
2 minute read

The Betterment Breach Should Have Ended the Debate. It Didn’t.

The Betterment breach should not have surprised anyone paying attention, and it certainly should have ended the long-running argument about whether modern MFA is sufficient against today’s attacks. Instead, it became just another entry in a growing list of incidents that organizations explain away as bad luck, poor training, or unfortunate human error.

Kevin Surace
3 minute read

Are Passwords Putting Your Business at Risk?

Attackers Are Not Hacking In. They Are Logging In. Ransomware, phishing, and credential-based attacks are hitting small and midsize businesses every day because attackers have learned the easiest trick in the book. They do not need to hack in. They simply log in with stolen credentials. The moment an employee enters a password or approves a code, the attacker has everything.

Kevin Surace
2 minute read

Your MFA Is Costing You Millions. It Doesn't Have To.

Most organizations still think of authentication as a cost of doing business.

Kevin Surace
1 minute read

AI Deepfakes Are Breaking Trust.

Device Based Biometrics Are the Only Way to Restore It.

Kevin Surace
2 minute read