
As Identity Becomes the Target, MSSPs Inherit the Risk – SpecterOps Extends BloodHound Enterprise Reach

Quick Wins

Palo Alto Networks made a big statement when it announced it was spending $25 billion to buy CyberArk, the identity security provider. It was a major investment, with the deal’s size trailing only Google’s $32 billion acquisition of Wiz, which closed last month, and Cisco Systems’ $28 billion purchase of Splunk in 2024.

Identity is now a key focus of threat actors looking for access into corporate IT systems, and security teams are determined to stop them. In Palo Alto’s Unit 42 2026 Global Incident Response Report, released in February, researchers found that attackers used social engineering, credential abuse, and other identity-based methods in 65% of initial access.

Given that, along with the explosion of identities – not only those connected to people but also non-human identities (NHIs) for service accounts, bots, and AI agents – it’s not surprising Palo Alto was willing to spend so much money to add identity security capabilities to its growing platform.

“The acquisition underscores the notion that identity is clearly the new endpoint, both for users and machines,” wrote Michael Versace, digital asset risk, governance, and cyber markets lead for Chartis Research. “The line between identity and endpoint is not just blurring, as CrowdStrike, Microsoft, and others suggest. CISOs need to acknowledge that the line has completely disappeared. Identity security is the cornerstone of defense against modern threats, especially with the accelerating adoption of AI and agents (many of which operate at elevated privileges by default).”

Threat of AI-Powered Attacks

AI-powered attacks also make it more difficult to protect against identity attacks, Jack Gold, principal analyst with J.Gold Associates, told MSSP Alert. It’s something that both enterprise security teams and security services providers need to understand.

For MSSPs and MSPs, “If they are managing the security of companies, then they need to make sure both the identities of the company, as well as those of the MSP employees and systems who have access to managed company systems are protected,” Gold said. “Several large attacks were a result of an MSP being compromised, and that led to a larger company compromise that cost the enterprise a very large amount of money to remediate.”

Identity at RSAC

Identity security was also a key topic at the recent RSAC 2026 conference, with companies like Microsoft, Armis, and Resecurity making key announcements, including ones emphasizing the need for external attack surface management (EASM) tools.

SpecterOps was another company that made identity-related news at the major cybersecurity conference in San Francisco. The Alexandria, Virginia-based firm specializes in identity attack path management (APM), focusing on helping organizations and MSSPs proactively close the avenues that bad actors can take through enterprises’ highly distributed IT systems.

Identity in modern environments is no longer confined to a single system, SpecterOps CTO Jared Atkinson wrote in a blog post. It stretches across a range of platforms, such as Microsoft’s Active Directory (AD), Entra, and GitHub, as well as Okta, that are connected via federation, synchronization, and single sign-on (SSO).

“Each connection serves a legitimate purpose, enabling organizations to manage identity centrally while extending access across platforms,” Atkinson wrote. “But these connections also introduce something else. They create relationships between systems that are seldom evaluated as a whole. These relationships are implicit, distributed across teams, and not well understood in aggregate. They don’t exist cleanly within any one platform; they emerge in the gaps between them. Those gaps are where attackers can operate with the least visibility, and where risk is least understood.”

Touching More Bases

It’s a key reason why SpecterOps at RSAC 2026 said it is adding new OpenGraph extensions to its BloodHound Enterprise, a SaaS-based identity APM solution for eliminating risks in such platforms. BloodHound Enterprise already covered Microsoft AD and Azure AD. Adding OpenGraph – which was introduced with the release last year of the vendor’s BloodHound v8.0 solution – to BloodHound Enterprise means security teams can extend identity APM to Okta, GitHub, and Apple Mac systems.

SpecterOps said it was also integrating BloodHound Enterprise capabilities with Palo Alto’s Cortex XSOAR, Microsoft’s Sentinel, and ServiceNow’s Vendor Risk Management (VRM) solutions, which will translate BloodHound Enterprise attack path finding into incidents.

Connecting to Okta

Adding Okta and its cloud-based identity and access management (IAM) platform to BloodHound Enterprise coverage was an important step, according to Atkinson. Okta is central to many modern identity architectures, he wrote, but it can be misunderstood.

“It is typically treated as a control plane, an identity provider responsible for authentication and policy enforcement,” he wrote. “And while that is true, it is only part of the picture. In reality, Okta functions as a translation layer for identity, taking identity from one environment and projecting it into another. Through federation, directory synchronization, and SSO, Okta connects upstream identity sources to downstream applications. It rarely creates identity; it propagates it.”

This creates what he called a “form of nested dependency,” where the security of a downstream platform is not only determined by its own configuration but also by that of the system that supplies and mediates its identity.

“The security of a platform cannot be understood in isolation; it must be understood in the context of the platforms on which it depends,” Atkinson wrote.
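
The nested dependency described above can be made concrete with a small graph walk that lists every upstream system a platform's security depends on. This is an added example, not SpecterOps code or BloodHound's data model; the edge list, the "HR app" node and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: (upstream, downstream, mechanism).
# An edge means the upstream system supplies or mediates identity
# for the downstream one. These relationships are assumptions.
TRUST_EDGES = [
    ("Active Directory", "Entra", "directory synchronization"),
    ("Active Directory", "Okta", "directory synchronization"),
    ("Entra", "Okta", "federation"),
    ("Okta", "GitHub", "SSO"),
    ("Okta", "Entra", "federation"),  # constructed cycle: mutual federation
    ("Okta", "HR app", "SSO"),        # hypothetical downstream application
]

def upstream_dependencies(edges, platform):
    """Return {upstream: chain} for every system `platform` depends on.

    chain is the shortest list of (upstream, mechanism, downstream) hops
    leading from that upstream system to `platform`.
    """
    incoming = {}
    for src, dst, mech in edges:
        incoming.setdefault(dst, []).append((src, mech))
    chains = {}
    seen = {platform}              # guards against cycles such as Okta <-> Entra
    queue = deque([(platform, [])])
    while queue:
        node, chain = queue.popleft()
        for src, mech in incoming.get(node, []):
            if src in seen:
                continue
            seen.add(src)
            chains[src] = [(src, mech, node)] + chain
            queue.append((src, chains[src]))
    return chains

def review_scope(edges, platform):
    """Systems to include when assessing `platform`, nearest dependency first."""
    deps = upstream_dependencies(edges, platform)
    return sorted(deps, key=lambda s: (len(deps[s]), s))

if __name__ == "__main__":
    for system in review_scope(TRUST_EDGES, "GitHub"):
        hops = upstream_dependencies(TRUST_EDGES, "GitHub")[system]
        print(system, "->", " -> ".join(f"[{m}] {d}" for _, m, d in hops))
```

With this sample data, assessing GitHub pulls Okta, Active Directory and Entra into scope even though GitHub is directly connected only to Okta.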

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
