The Real Pen Test Isn't Your Firewall. It's Your Identity

You've locked down your network. Patched your firewalls. Deployed next-gen detection. And attackers walked in through the front door anyway - because they had valid credentials.

Unit 42's 2026 Global Incident Response Report just confirmed what we're seeing in every pen test: identity weaknesses played a material role in almost 90% of their investigations. Nearly 9 out of 10 intrusions started with stolen or compromised credentials. Not exploits. Not zero-days. Stolen keys.

This is the gap that changes everything about how you think about red teaming.

Why Identity Is The New Perimeter

The old playbook was simple: find a vulnerability, chain exploits, escalate privileges. That still happens. But adversaries have gotten smarter about the math. Compromising an identity is faster, cheaper, and more reliable than hunting for a zero-day.

Consider what happened this week. SimpleHelp - a remote monitoring and management tool trusted by thousands of IT teams - shipped an authentication bypass vulnerability (CVE-2026-48558, CVSS 10.0). Attackers immediately weaponized it. But the real damage wasn't from the RCE. It was from the accounts they compromised and the lateral movement that followed using those valid credentials.

Then there's PAN-OS CVE-2026-0257. An authentication bypass in GlobalProtect that lets attackers establish legitimate VPN sessions. Unit 42 observed unidentified actors using this to probe devices. Most probes failed - but the ones that worked? They established sessions that looked exactly like legitimate remote workers.

From a defender's perspective, these are indistinguishable from actual access.

The Device Code Phishing Explosion

If you haven't heard of device code phishing yet, you will. Microsoft and CISA are tracking a 37x spike in detections since early 2026.

Here's how it works: An attacker generates a device code and tricks a user into authorizing it via email, chat, or SMS. The user sees a legitimate-looking Microsoft/Google/AWS login screen and approves access. The attacker now has a valid OAuth token - and can bypass MFA entirely.

It's elegant because it's human-centered. No malware. No exploits. Just social engineering and a compromised account that survives even MFA.

What This Means For Your Pen Tests

Most traditional pen tests measure success in shell access: "We got into the domain controller, game over." That's still valid. But if your pen testers aren't spending 70% of their time on identity-based vectors - credential harvesting, phishing simulation, MFA bypass techniques, lateral movement using valid accounts - they're testing the wrong thing.

The 2026 threat landscape doesn't care about your firewall rules if attackers can log in as a real user.

Effective red teaming now means simulating the full identity attack chain: how hard is it to harvest credentials? Can you detect when an account is being used from an impossible location? Do your employees know device code phishing when they see it? What's your mean-time-to-respond when a valid account starts accessing sensitive data at 3 AM?

These questions require systematic testing at scale - not one-off vulnerability hunts.

The Compressed Timeline Problem

Here's the scariest stat from Unit 42: attack lifecycles have compressed from 5 hours to just 72 minutes. Once attackers have valid credentials, the window for detection and response shrinks fast.

That means your identity-focused pen tests need to measure detection speed as much as they measure access. Can your SIEM catch a compromised account? Can your PAM systems detect suspicious token usage? How quickly can you revoke a session once it's flagged?

Automated identity-based pen testing can run these scenarios repeatedly - simulating compromised accounts, token theft, lateral movement through valid credentials, and privilege escalation. Human-led pen tests are valuable, but they're one snapshot. Continuous identity testing gives you a baseline you can track.

The Vendor Reality Check

SimpleHelp. PAN-OS. These aren't edge cases. They're trusted infrastructure software. Neither vendor shipped a product intended to be exploited - but both became vectors for identity compromise because authentication layers failed.

This is a reminder: your pen test should assume vendor software is compromised at some point. How does an attacker escalate from a foothold in a single device to controlling entire zones? Almost always through identity - cached credentials, token theft, or stolen session files.

A good identity-focused pen test will:

- Simulate credential harvesting from common locations (browser caches, PowerShell history, temp files)

- Test lateral movement patterns using valid accounts

- Measure detection time for impossible logins, bulk data exports, or privilege escalation via credentials

- Verify that old tokens and sessions are revoked when users reset passwords

- Check whether your PAM system catches when service accounts are accessed from unexpected locations

How To Know You're Testing Identity Right

If your pen test report says "We got admin," but doesn't answer "How fast did you detect us?" or "Did we need malware to do it?" - you're missing the point.

The best identity-focused tests simulate what adversaries actually do: steal credentials, log in, escalate, move laterally, persist through valid accounts. Then measure how long it takes your SOC, your SIEM, your PAM, and your identity governance tools to catch it.

Unit 42 found that 65% of initial access comes through identity-based techniques. Attackers don't waste time on exploits when logging in works.

The question isn't whether identity-driven attacks will hit your organization - they will. The question is: how fast will you know? And can you respond before the attacker escalates to the data they came for?

That's the pen test that matters in 2026.

SOURCES

Unit 42 2026 Global Incident Response Report - Palo Alto Networks
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 - Unit 42 / Palo Alto Networks
CVE-2026-48558: SimpleHelp Authentication Bypass - CISA Known Exploited Vulnerabilities Catalog
Device Code Phishing Analysis - Microsoft Security Blog & Push Security
Industry reports on identity-driven attack chains and attack lifecycle compression.