What Master OccupyTheWeb Taught Us About Identity as Target #1

What does your environment look like to someone whose job it is to break into it?
That was the question we set out to answer in the first episode of our new webinar series, Through the Eyes of the Adversary, where we sit down with offensive security practitioners and walk through how real attacks actually work — not the sanitized, assume-the-breach PowerPoint version, but the actual steps.
Our guest for the premiere was Master OccupyTheWeb — a well-known figure in the offensive security community, educator, author of Linux Basics for Hackers, and someone who has spent his career training U.S. military and intelligence personnel on attacking and defending systems. He has also played a significant role in cyber operations during the Russia-Ukraine conflict, targeting Russian industrial infrastructure in support of Western defense.
Here’s what we learned…
Identity Is the Front Door — and It’s Usually Unlocked
Before we even got into tradecraft, we set the stage with numbers that should make every security leader uncomfortable. Ninety percent of organizations experienced an identity-related breach in the past year. Non-human identities — service accounts, API keys, workload credentials — outnumber human identities by ratios ranging from 50-to-1 to 144-to-1. Forty percent of those non-human identities have no identifiable owner, and 42 percent carry sensitive privileges. They’re growing three to five times faster than human identities, year over year.
That is not an access management problem. That is an attack surface problem. And attackers know it.
We wanted to see how our own audience stacked up against those industry numbers, so we asked them directly: do you have a complete inventory of non-human identities across your environment? Out of 136 respondents, 62.5 percent said no. Nearly two-thirds of the security professionals in the room cannot account for the service accounts, API keys, and workload credentials that represent the fastest-growing — and least-governed — segment of the modern identity landscape. That number alone should reframe any conversation about identity security maturity.
62.5% (85 of 136 respondents) don’t have a complete inventory of non-human identities across their environment
Reconnaissance: You Can’t Attack What You Don’t Understand
OccupyTheWeb walked through how offensive operations begin: reconnaissance. Using OSINT (open-source intelligence) tools, social media platforms like LinkedIn and Facebook, and scanning services like Shodan and Censys, attackers build a detailed picture of an organization’s infrastructure, its people, and its vulnerabilities — often before a single packet is sent.
The takeaway for defenders is sobering. The amount of information people voluntarily publish about themselves and their organizations is a treasure trove for adversaries. Job titles, reporting structures, technology stacks, personal interests — all of it feeds the attacker’s playbook, from crafting spear-phishing emails to guessing password variations.
The Easiest Way In? Just Log In.
The most striking theme of the conversation was how consistently identity — not sophisticated exploits — provides the path of least resistance. OccupyTheWeb was blunt: the first thing he looks for is a username and password he can use to simply walk in through the front door.
The top one million passwords from the dark web get him into roughly 30 percent of all systems. If he can identify the person behind a target account, he checks the dark web for previously breached credentials — a pool of roughly three billion passwords. If the exact password doesn’t work, minor variations usually do, since people tend to make predictable, incremental changes when forced to rotate credentials.
He shared a story about compromising a major industrial system where the admin account still used “admin” as the username and the administrator’s birthdate — found on social media — as the password. No zero-day required. No advanced tooling. Just a login.
And from the defender’s perspective, that login looks like a perfectly normal authentication event.
Once Inside: Scan, Escalate, Move
After gaining initial access — even with a low-privilege account — the next step is network reconnaissance. Attackers scan the internal environment to map the topology, identify systems, and locate high-value targets like databases.
Then comes privilege escalation. OccupyTheWeb noted that the lateral movement potential from a single compromised low-level account is effectively unlimited, depending on the environment — especially once an attacker escalates to root or system admin privileges.
Particularly valuable targets include abandoned contractor accounts that were never deprovisioned, service accounts with excessive privileges and no identifiable owner, and database servers running on default ports.
His advice to defenders on that last point was practical and surprisingly simple: move your database to a non-standard port. It won’t stop a determined, targeted attacker, but it will frustrate 80 to 90 percent of opportunistic ones who are scanning for default ports.
Our second poll question cut to the heart of why lateral movement succeeds: can you correlate human, workload, and AI agent identities in a single system of record? Of 121 respondents, 64.5 percent said no — the weakest result across all three polls. Without a unified view that connects human operators to their automated workloads and emerging AI agents, defenders simply cannot see the relationships and trust chains that attackers traverse as they move laterally through an environment. It’s the identity equivalent of fighting in the dark.
64.5% (78 of 121 respondents) said they cannot correlate human, workload, and AI agent identities into a single system of record
The Emerging Threat: Agentic AI
The conversation turned to agentic AI, and OccupyTheWeb offered a sharp warning. As organizations adopt AI tools and agents, they are creating entirely new attack surfaces. AI applications often collect and have access to vast amounts of data on the systems they run on, and if those AI systems are compromised, that data is exposed.
The message wasn’t anti-AI — he emphasized that he loves the technology. But he urged caution around implementation, particularly around what data AI agents are allowed to access and what guardrails govern their behavior.
From the attacker’s side, AI is already supercharging social engineering. LLMs can generate highly personalized spear-phishing emails by aggregating publicly available information about a target, creating messages that are almost indistinguishable from legitimate communication.
The Best Hack Is When Nobody Knows They’ve Been Hacked
One of the most memorable lines from the session came when we discussed how attackers approach persistence and stealth. OccupyTheWeb was clear: the best hack is when nobody knows they’ve been hacked, because then the target takes no action to recover or improve their defenses.
This is the philosophy behind advanced persistent threats and state-sponsored operations — making intrusions look like system failures rather than attacks, maintaining access for as long as possible, and covering tracks meticulously.
Our third poll brought this full circle: have you experienced identity-based lateral movement in the last 12 months? Out of 128 respondents, 39.1 percent said yes. Nearly four in ten confirmed it — and those are only the ones who know it happened. Given OccupyTheWeb’s point about the best hacks being invisible, the real number is almost certainly higher.
39.1% (50 of 128 respondents) said they have experienced identity-based lateral movement in the last 12 months
Connect the three poll results and a clear pattern emerges. Organizations that can’t see their non-human identities (62.5%) can’t correlate them with human and agentic identities in a unified view (64.5%), and when they can’t correlate, they can’t stop attackers from moving through their environment (39.1% confirmed lateral movement). It’s the same attack chain OccupyTheWeb walked us through — reconnaissance, initial access, escalation, lateral movement — reflected back as capability gaps on the defender’s side.
What Should CISOs Do First?
When asked for his single most important recommendation for CISOs, OccupyTheWeb’s answer mapped directly to identity: make credentials complex and obscure, and implement multi-factor authentication. MFA can be bypassed — through session hijacking, MFA fatigue attacks, or compromising the email used for second-factor delivery — but it significantly raises the cost for attackers. And attackers are often opportunistic. If your system is hard enough to break into, many will simply move on to easier targets.
Beyond those basics, the deeper lesson from the entire conversation was this: defenders need to think like attackers. Too many security teams implement controls without understanding why they exist or how adversaries will attempt to circumvent them. Compliance should never be a checkbox exercise — the controls exist for a reason, and understanding that reason is what separates effective defense from security theater.
Three Questions You Should Be Able to Answer
We closed the session by returning to the three questions we opened with — questions that, based on our live audience polls, most organizations still cannot answer:
Can you enumerate all identities in your environment — human, non-human, and agentic — and tell me who owns each one? Our poll says 62.5% of you can’t.
Can you map the real privilege landscape — not what your IGA says exists, but what actually exists across Active Directory, Entra ID, cloud IAM, SaaS applications, and PAM vaults? With 64.5% lacking unified identity correlation, most organizations don’t have the foundation to even begin.
If someone created a new service account outside your governance workflow right now, how long would it take before you discovered it? With 39.1% already confirming lateral movement incidents, the cost of not knowing is no longer theoretical.
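To make the three questions concrete, here is an added example (not code from the webinar or from Radiant Logic) that runs a minimal audit over a constructed identity inventory: it follows each non-human identity's owner link up to a human, flags the ownerless ones that hold sensitive privileges, and lists identities created with no governance ticket. The record layout, names and privilege labels are assumptions.

```python
# Added example: audit a constructed identity inventory for the gaps the
# three questions ask about (ownerless NHIs, sensitive privileges, ungoverned creation).
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical privilege labels treated as "sensitive"
SENSITIVE = {"domain-admin", "db-admin", "secrets-read", "iam-write"}

@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service", "api-key" or "agent"
    owner: Optional[str] = None     # identity responsible for this one (may chain)
    privileges: set = field(default_factory=set)
    ticket: Optional[str] = None    # governance/change ticket; None = created outside workflow

# Constructed sample inventory (all names hypothetical)
INVENTORY = [
    Identity("alice", "human", privileges={"iam-write"}),
    Identity("bob", "human"),
    Identity("svc-backup", "service", owner="alice", privileges={"db-admin"}, ticket="CHG-1001"),
    Identity("svc-legacy-etl", "service", owner=None, privileges={"db-admin"}, ticket="CHG-0042"),
    Identity("api-key-ci", "api-key", owner="contractor-x", ticket=None),   # owner no longer exists
    Identity("agent-helpdesk", "agent", owner="svc-backup", privileges={"secrets-read"}, ticket=None),
]

def resolve_owner(name, by_name):
    """Follow owner links until a human is reached; return that human's name,
    or None when the chain is broken (no owner, unknown identity, or a cycle)."""
    seen = set()
    current = by_name.get(name)
    while current is not None and current.kind != "human":
        if current.name in seen or current.owner is None:
            return None
        seen.add(current.name)
        current = by_name.get(current.owner)
    return current.name if current else None

def audit(inventory):
    by_name = {i.name: i for i in inventory}
    humans = [i for i in inventory if i.kind == "human"]
    nonhuman = [i for i in inventory if i.kind != "human"]
    ownerless = sorted(i.name for i in nonhuman if resolve_owner(i.name, by_name) is None)
    ownerless_sensitive = sorted(i.name for i in nonhuman
                                 if i.name in ownerless and i.privileges & SENSITIVE)
    ungoverned = sorted(i.name for i in nonhuman if i.ticket is None)
    return {
        "nhi_to_human_ratio": len(nonhuman) / max(len(humans), 1),
        "pct_ownerless": round(100 * len(ownerless) / max(len(nonhuman), 1), 1),
        "ownerless": ownerless,
        "ownerless_sensitive": ownerless_sensitive,
        "ungoverned": ungoverned,
    }
```

Run against a real export (AD, Entra ID, cloud IAM, vault leases) the same three lists are the starting point for answering "who owns this, what can it do, and who approved it".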
If those numbers made you uncomfortable, good — that’s exactly what this series is designed to do. Identity visibility isn’t a nice-to-have. It’s the foundation that every other security control depends on.
Coming Up Next
Episode 2 of Through the Eyes of the Adversary features Marcus Hutchins — the security researcher who stopped the WannaCry ransomware attack and then found himself arrested by the FBI. You won’t want to miss it.
Through the Eyes of the Adversary is a webinar series produced by Radiant Logic, exploring how real-world attackers exploit identity to compromise enterprise environments. The series is designed for security leaders, IAM practitioners, and anyone responsible for protecting organizational infrastructure.
You can watch the full webinar on-demand here: https://www.radiantlogic.com/resource/ttea-why-identity-is-the-first-battlefield/

