The Identity Security Market: Dynamics and Drivers

How initial access brokers (IABs) complicate defensive measures

Note: This post is the second in a series examining the identity security market (see Part 1 here). Here, we discuss the dynamics shaping the market. Our next post will examine the technology trends shaping the market.

The identity security market exists because credentials remain the most exploited weakness in enterprise environments. The first major wave of identity-based attacks surged during the COVID-19 shift to remote work. Now, the widespread adoption of AI—by both attackers and enterprises—is intensifying the threat. Identity has become the new battleground, and the rise in identity-driven attacks is fueling rapid growth.

For attackers, the motive is simple: money. According to Fortinet’s research, ransomware attacks surged 350 percent from 2018 to 2021, with settlements more than doubling and downtime incidents increasing by 200 percent. While overall attack volume dipped slightly in 2022–2023, the financial impact grew as threat actors targeted larger enterprises. (See our bibliography page for data breach reports.)

Small and midsize businesses (SMBs) aren’t spared. Verizon’s 2025 Data Breach Investigation Report (DBIR) found that SMBs are nearly four times more likely to be targeted than large organizations. Attackers are simultaneously raising ransom demands for big enterprises while broadening their reach into smaller firms. The following table shows relevant findings from the DBIR.

Attacks by Organization Size (From Verizon DBIR)

The Shadow Economy for Credentials

Modern ransomware attacks increasingly start with identity system infiltration, but the process has become a sophisticated value chain. Initial Access Brokers (IABs) quietly breach identity systems and sell access on the dark web, often as insiders who avoid executing attacks themselves. Ransomware groups then purchase this access to launch attacks, sometimes weeks or months later. (For a detailed description of how IAB groups perform initial infiltration, see this article from Curated Intelligence.)

This handoff introduces dangerous delays between breach and detection, allowing identity vulnerabilities to persist undetected. Traditional monitoring and response tools often miss these gaps.

According to a report by Cyberint (acquired by Check Point in 2024), IAB revenue surged nearly 1,000 percent last year, largely due to access sales targeting large U.S. enterprises. The following graphics from the Cyberint Report show IAB activity and the size of the organizations they target.

IAB Activity (from Cyberint Report)

Average Revenue of Targeted Organizations by IABs (from Cyberint Report)

The 2025 Verizon DBIR reinforces the trend: credential abuse remains the top attack vector, with ransomware linked to 44 percent of breaches, up from 32 percent the year prior. Phishing continues to be a common entry point for credential compromise.)

Known Initial Vectors (From Verizon DBIR)

The following graph, also from the Verizon 2025 DBIR, shows the presence of ransomware in reported breaches, which is an indicator of attempted ransomware attacks. The number of vulnerable enterprises is certainly much higher.

Ransomware Action Over Time (From Verizon DBIR)

These trends underscore the urgent need for proactive identity protection. Most legacy monitoring tools lack the precision to detect dormant or brokered credential compromises.

Cross-Functional Confusion

Coordinating a defense against identity-based attacks is challenging due to fragmented ownership across teams. SOC analysts often lack deep familiarity with IAM systems, making it hard to identify critical signals or construct an effective kill chain without disrupting operations. IAM teams, meanwhile, focus on access provisioning and data quality, not threat response. Help desk staff face growing volumes of AI-driven vishing attacks with limited guidance on escalation paths.

Attackers exploit these disconnects. The lack of coordination across security, IAM, and support functions is a key reason identity-based attacks remain so effective.

As these trends illustrate, the problem isn’t improving, and it’s driving product development plans and enterprise security budgets to address the problem. Our next post will examine how these factors affect technology development.