Cisco Talos 2024: Identity Attacks Are 60% of IR Engagements
Cisco Talos' incident-response engagements through 2024 found identity-related attacks (credential abuse, account takeover, valid-account misuse) at 60% of total IR cases — a near-doubling of the share reported five years earlier.
Key Finding
The independent IR datasets — Mandiant, Talos, IBM X-Force, CrowdStrike Services — all converge on identity dominance. The trend is not a vendor narrative; it is a measurement.
Cisco Talos' Year in Review summarises trends observed in the firm's incident-response practice. The 2024 edition reported that identity-related attacks accounted for approximately 60% of IR engagements, with credential theft, account takeover via stolen sessions, and the misuse of valid accounts collectively dominating the caseload. This figure is roughly double the share Talos reported in 2019.
The IR datasets across firms (Mandiant M-Trends, CrowdStrike Services, IBM X-Force, Talos) now converge consistently on identity as the most-used attack path. Whether the data source is engagements (Talos), surveys (Sophos), provider telemetry (Microsoft, Cloudflare), or insurance claims (Coalition), the same shape appears.
The architectural conclusion is that identity is the discipline most likely to determine whether an organisation appears in next year's IR statistics. The platform controls help; the architecture decides.