Token Blog: Phishing and Ransomware Articles

The Cybersecurity Industry Has a Terrifying Problem — and Most CISOs Are Not Scared Enough

Written by Kevin Surace | Mar 17, 2026 4:00:45 PM

A new summary of the MITRE ATT&CK Enterprise Round 7 evaluation reveals that the highest protection score any tested vendor achieved was a mere 31 percent — meaning that 69% of attacks went entirely undetected by even the best-performing vendor in the field.

But the more significant finding was buried beneath that number. Across every identity-specific attack scenario in the evaluation, all vendors scored zero blocking — not partial detection, not near misses, but zero. The tools enterprises invest in to stop modern attacks did not intercept a single identity attack, which is precisely the class of threat that now defines the modern threat landscape.

Network hacks flagged: 31%
Identity hacks flagged: 0%

Consider what that means in practice: we have spent fortunes on security stacks that illuminate dashboards, generate cascading alerts, and produce polished forensic reports after an attacker is already inside the network, moving laterally, and extracting value. When the attack begins with stolen credentials, a convincing social engineering call, a fraudulent login page, a hijacked session token, or a relayed MFA prompt, the most trusted and widely deployed products in the industry are largely spectators. They watch. They log. They build timelines. But they do not stop the login.

This is not a theoretical gap. It is the precise vector through which the real world is being compromised right now, at scale, with costs that are no longer theoretical either.

The Evidence Is No Longer Ambiguous

Microsoft reported that the Tycoon2FA adversary-in-the-middle phishing kit was linked to more than 96,000 phishing victims globally since 2023, including more than 55,000 Microsoft customers specifically. Read that number carefully: more than 96,000 successful identity compromises — not attempts, not near-misses, but confirmed successful breaches. That figure alone should close any remaining debate about whether authenticator apps, SMS one-time codes, and legacy MFA implementations remain sufficient defenses in the current threat environment. They are not. They are being defeated at industrial scale, systematically, by toolkits that any moderately capable threat actor can now access.

Stryker disclosed to the SEC that it cannot predict its recovery timeline following a cyberattack that disrupted orders, manufacturing operations, and shipping. Reuters reported on the disruption, and additional reporting suggests that more than 200,000 systems may have been wiped or rendered inoperable. If the attack path proves to be identity-led — and all publicly available indicators suggest it is highly plausible in a Microsoft-centric environment where attackers reportedly abused internal access privileges — this is not a nuisance event that security teams can absorb and move on from. This is the kind of incident that can plausibly cost $150 million or more and require six months or longer to fully remediate, a cost estimate grounded in the documented outcomes of comparable identity-led breaches at major enterprises.

The pattern extends across industries and geographies without exception. Clorox absorbed $380 million in damages following a social-engineering-led breach. MGM disclosed that its breach would reduce quarterly results by approximately $100 million. Marks and Spencer reported that its 2025 cyberattack — attributed to social engineering executed through a third party — would cost approximately £300 million, or roughly $400 million. Co-op disclosed that the same wave of attacks reduced its profits by £80 million in the first half of the year, with the potential to reach £120 million for the full year. Caesars fell victim to the same social engineering campaign that struck MGM. Qantas reported that approximately six million customer accounts were exposed after a contact center platform was breached. Hawaiian Airlines, WestJet, Aflac, Erie Insurance, Philadelphia Insurance Companies, Ingram Micro, and Harrods all occupy space on the same growing roster of organizations publicly connected to the same underlying pattern: identity-first compromise, help desk manipulation, session theft, and social-engineering-driven access.

When the cumulative cost of identity-led attacks is assessed against the full weight of public evidence, it becomes difficult to avoid the conclusion that this class of breach is already costing the world $20 billion or more annually. That is not a figure drawn from a single industry report — it is a conservative directional estimate derived from the documented public evidence. IBM's 2025 global cost of a data breach report placed the average cost at $4.4 million per incident, with phishing-related breaches averaging meaningfully higher across most analyses. Apply that against tens of thousands of confirmed successful identity compromises, and the economic damage compounds to a figure that is very large, very real, and, importantly, entirely preventable.

This Is Not a Detection Problem. It Is an Authentication Problem.

The cybersecurity industry has spent a decade refining its detection capabilities — building more sophisticated threat intelligence platforms, more granular behavioral analytics, faster incident response playbooks — while the foundational problem has remained intact and unaddressed. The problem is not that organizations fail to detect breaches quickly enough. The problem is that the authentication layer at the front of every enterprise system remains exploitable, and no amount of detection sophistication changes that structural fact.

Token’s Biometric Assured Identity is designed to stop this entire class of attack before it reaches the threshold where detection becomes relevant. Token requires a live biometric match, meaning the person authenticating must be the registered individual — not a device, not a code, not a synced credential, not a shared secret. It cryptographically binds authentication to the verified, registered domain, so that a convincing counterfeit login page cannot succeed regardless of how precisely it replicates the legitimate origin. It requires physical proximity to the device being used, removing the attack surface on which remote session hijacking and relay attacks depend. The private key never leaves the hardware under any circumstances. There is no one-time code to intercept in transit, no push notification to approve under social pressure, no relay that can succeed against a domain the attacker does not control, and no fake login page that can pass cryptographic verification.

If the site is wrong, authentication fails. If the biometric does not match, authentication fails. If the user is not physically present at their registered device and connecting to the correct verified domain, authentication fails. These are not conditional outcomes that depend on configuration, policy enforcement, or user behavior — they are structural properties of how Token works, by design, without exceptions.
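To make the origin-binding property concrete, here is an added example (not Token's code, and not a description of its product internals): a minimal WebAuthn-style challenge-response login in Go. The relying party issues a single-use random challenge; the user agent, not the web page, records the origin it is actually talking to inside the signed client data; the server accepts only if the challenge is outstanding, the origin is its own, the rpIdHash matches, and the signature verifies under the registered key. The origins, relying-party id, user name and the use of Ed25519 from Go's standard library are assumptions made for the example. The authenticator type keeps its private key unexported to mirror the "key never leaves the hardware" property in software.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed names for this example; they are not from the article.
const (
	rpID        = "example.com"
	legitOrigin = "https://login.example.com"
	phishOrigin = "https://login.example.com.attacker.test" // look-alike page relaying the real challenge
)

var (
	ErrChallengeMismatch = errors.New("challenge is not an outstanding login for this user")
	ErrOriginMismatch    = errors.New("clientData origin is not the relying party's verified origin")
	ErrBadSignature      = errors.New("signature does not verify under the registered public key")
)

// clientData is what the user agent binds into every assertion: the challenge it
// received and the origin it was actually talking to when the request was made.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed login response returned to the relying party.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) || flags byte (bit 0 = user present)
	Signature      []byte // over AuthData || sha256(ClientDataJSON)
}

// Authenticator models a hardware token: the private key is unexported and no
// method returns it, so a page can ask it to sign but never copy it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// BrowserAssert models the user agent: it, not the web page, fills in the origin
// the page is served from, so a look-alike page cannot claim to be the real one.
func BrowserAssert(a *Authenticator, challenge []byte, actualOrigin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: actualOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // user-present flag set by the touch/biometric step
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: ed25519.Sign(a.priv, msg)}, nil
}

// RelyingParty is the server: it issues single-use challenges and verifies assertions.
type RelyingParty struct {
	origin     string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// FinishLogin holds the checks that make the login origin-bound.
func (rp *RelyingParty) FinishLogin(user string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientData")
	}
	want, ok := rp.challenges[user]
	delete(rp.challenges, user) // single use: a replayed assertion fails here
	if !ok || cd.Challenge != base64.RawURLEncoding.EncodeToString(want) {
		return ErrChallengeMismatch
	}
	if cd.Origin != rp.origin { // an assertion relayed from a look-alike page stops here
		return ErrOriginMismatch
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data: wrong rpIdHash or user not present")
	}
	pub, ok := rp.keys[user]
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	if !ok || !ed25519.Verify(pub, msg, as.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunScenario registers one token, then tries a genuine login, the same token
// answering the same kind of challenge through a look-alike page, and a replay.
func RunScenario() (genuine, relayed, replayed error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return err, err, err
	}
	rp := NewRelyingParty(legitOrigin)
	rp.Register("alice", auth.PublicKey())
	c, _ := rp.BeginLogin("alice")
	as, _ := BrowserAssert(auth, c, legitOrigin)
	genuine = rp.FinishLogin("alice", as)
	c, _ = rp.BeginLogin("alice")
	as, _ = BrowserAssert(auth, c, phishOrigin) // real challenge, real token, wrong origin
	relayed = rp.FinishLogin("alice", as)
	replayed = rp.FinishLogin("alice", as) // challenge already consumed
	return genuine, relayed, replayed
}

func main() {
	g, r, p := RunScenario()
	fmt.Println("genuine login:", g, "| relayed login:", r, "| replayed assertion:", p)
}
```

Real browsers additionally refuse to invoke the authenticator at all when the page's domain is not within the relying-party id, so in practice the relayed case never produces a signature; the server-side origin check shown here is the defence-in-depth layer that every relying party should still perform, and the single-use challenge is what turns a captured assertion into a useless replay.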

Not better alerting. Not faster forensics. Not more comprehensive dashboards.

No login. No breach.

The cybersecurity industry now has public, documented, independently evaluated proof that legacy MFA and authenticator applications have failed at the scale and sophistication of modern identity attacks. The body count of breached organizations is visible. The financial costs are visible and auditable. The recovery timelines are visible and sobering. Every security leader carrying personal accountability for their organization’s security posture should be asking a single, direct question: why is the authentication layer that underlies every system we operate still exploitable by methods that were documented years ago?

The solution already exists. The architecture is proven. The evidence that the alternative is unacceptable is no longer ambiguous or contested.

Every day that organizations continue to operate on an authentication model the attackers have already learned to reliably defeat, they are placing the full weight of that decision on a single, fragile assumption: that this time, the login flow will hold.