Editor's note: This report was authored by Alexander Capraro

Key Points

  • Identity has emerged as the top source of cloud risk, driving 44% of all true-positive security alerts, with privilege escalation accounting for 52% of the identity-based alerts.

  • This risk is compounded by internal failures, with 99% of cloud identities being over-privileged and 71% of vulnerability alerts stemming from just four legacy CVEs that persist because of outdated processes and automation flaws. 

  • Modern attack chains are surprisingly simple: Attackers use valid credentials to bypass defenses and exploit over-privileged roles. This tactic blends seamlessly with legitimate activity, making security approaches that focus on sophisticated exploits ineffective. 

  • Organizations need to stop fighting fragments of the attack chain. By connecting the dots across identity, cloud, and endpoints, security teams can expose these attacks and enable decisive, automated responses that match the speed and scale of modern cloud threats. 


Our analysis of the Q3 2025 threat landscape suggests that the most impactful cloud attacks didn’t come from sophisticated zero-day exploits. Instead, they stemmed from two foreseeable failures: identity compromises and process breakdowns.  

Identity failure occurs when attackers simply log in with stolen credentials and exploit over-privileged roles to achieve their objectives. Meanwhile, process failure involves the systemic redeployment of legacy vulnerabilities at cloud scale, creating widespread and uniform weaknesses.  

These attack paths, while capable of converging, are individually sufficient to cause significant consequences for businesses—ranging from operational shutdowns due to ransomware to public data extortion and significant financial losses. 

In this report, we detail two systemic weaknesses that drive these attack patterns:  

  • The Identity Crisis: Identity-related weaknesses emerged as the primary source of risk in the cloud. Our analysis shows that 44% of true-positive alerts from cloud security tools in Q3 2025 trace back to identity issues. Coupled with the fact that researchers found 99% of cloud identities were over-privileged, attackers can easily escalate access after an initial compromise. 

  • Born Broken: The rapid pace of DevOps inadvertently fuels risk, with legacy vulnerabilities like CVE-2025-32463 (a local privilege escalation vulnerability within Linux command-line tool Sudo) embedded in cloud templates and automatically deployed at scale. This practice systematically re-introduces risk, with our data showing that 71% of critical vulnerability alerts originate from a handful of well-known, years-old CVEs. 

This report provides specific detection strategies, automated response actions, and proactive measures to help your team unify defenses and effectively contain these threats. 

Attackers Aren't Breaking In—They're Logging In

Traditional network defenses are still part of the security equation, but attackers can often sidestep them by simply logging in. As organizations have moved to the cloud, security strategies have shifted from guarding a fixed network perimeter to controlling access through user identities.  Unfortunately, for many organizations, this new security layer has become a critical point of failure. The problem boils down to two core issues:  

  • Cloud keys and credentials often leak due to insecure storage (e.g., exposed repositories, logs, or misconfigured applications) and are easily bought. 

  • Excessive permissions granted to these credentials allow attackers to escalate their access to dangerous levels. 

Threat actors can exploit this reality, using stolen cloud keys and credentials to walk into networks unimpeded and leverage over-privileged accounts to turn initial compromises into full-blown breaches. 

Identity Is the Modern Perimeter 

With company data and applications now scattered across multiple cloud platforms, software-as-a-service (SaaS) providers, and remote employee devices, the traditional idea of a single, defensible network border has become obsolete. Clinging to this outdated security strategy leaves you defending a line that no longer contains your most critical assets. As such, organizations are blind to a foundational risk—their attack surface now extends to every credential their employees use.

Figure 1: Breakdown of true-positive cloud security alerts by category (Q3 2025)

44% of Alerts Relate to Identity 

Nearly half of all the verified cloud incidents we analyzed involve attackers abusing valid credentials. Our analysis paints a clear picture of the scale of the problem. 

Identity and access management (IAM) is the largest risk. 

When investigating true-positive alerts from cloud security posture management (CSPM) tools, 44% of these alerts were rooted in an identity-related weakness, such as excessive permissions, misconfigured roles, or credential abuse (see Figure 1). Computational Resources represent another significant category of cloud security alerts. This category encompasses the misuse or exploitation of virtual machines (VMs), containerized environments, or serverless functions to perform malicious activities. These incidents often stem from vulnerabilities like exposed APIs, unpatched software, or misconfigured resource policies. 

Identity issues generate the most alert noise. 

33% of raw CSPM alerts (those not yet confirmed as malicious) that security teams must triage daily were identity-related. This dual burden—where identity is both the top cause of confirmed breaches and the noisiest source of alerts—overwhelms security teams and drives up operational costs. These alerts are particularly costly to triage because, while automated systems can message users for verification, security teams still need to manually assess whether the activity is benign or malicious, often relying on specific organizational risk policies. 

Why This Works So Well for Threat Actors 

  • Cheap and easy: Attackers can buy legitimate credentials on the dark web for as little as $2 (see Figure 2). No coding, no exploitation—just username, password, and login. While basic credentials like usernames and passwords are inexpensive, more costly options often include leaked access keys—frequently exfiltrated via Continuous Integration and Continuous Delivery (CI/CD) pipelines, malicious code packages, or misconfigured environments—which are used as initial access points. 

  • Invisible: Logins with valid credentials mimic legitimate user activity to bypass standard alerts. Some threat groups like “Scattered Spider” elevate this tactic by emulating the user's location, making malicious logins virtually indistinguishable from genuine ones—even to advanced detection tools. 

  • Everywhere: The average company manages thousands of identities across AWS, Azure, Google Cloud, and dozens of SaaS applications. Each identity represents a potential entry point and a target for data exfiltration. Leaked credentials frequently originate from phishing attacks, exposed repositories (e.g., GitHub), or malware like infostealers that exfiltrate data from employee devices. 

Figure 2: “Russian Market” credential listing for “Vidar” infostealer containing AWS credentials for $10

Organizations must realign their security strategies to treat identity as the true modern perimeter. This shift requires a proactive stance that starts beyond the boundaries of the network.  

A critical step is implementing a robust Digital Risk Protection (DRP) capability. By continuously monitoring the dark web for compromised credentials tied to your organization, DRP tools allow you to find and invalidate stolen credentials before they can be weaponized in an attack. This proactive defense strategy neutralizes a major vector of initial access, significantly reducing the likelihood of credential-based breaches. 

Excessive Permissions Are the Key to Privilege Escalation 

Once inside your cloud environment, an attacker’s primary objective is often to exploit a seemingly minor misconfiguration: an identity with excessive permissions. By doing so, they can escalate privileges and move laterally through your environment, turning a low-level user compromise into a significant breach. This method is far stealthier than "noisy" methods like running vulnerability scanners or executing exploit code for known CVEs, which are more likely to trigger alerts. 

Our data shows that attackers are actively and successfully exploiting this pathway. Among our customers, identity-related privilege escalation accounted for 52% of all confirmed identity-based alerts. The root cause? The overwhelming availability of over-privileged identities. 

Cloud platforms like AWS offer pre-packaged roles (such as AdministratorAccess) that grant hundreds of permissions by default. While these roles are convenient, they often bypass the more secure—but time-consuming—principle of least privilege (PoLP). As a result, 99% of cloud identities are over-privileged, creating a sprawling attack surface that threat actors are eager to exploit.  

To counter this, security teams should shift to a "zero standing privileges" model built on the PoLP. At the user level, permissions should be granted through just-in-time (JIT) authentication, where access is temporarily "checked out" following multifactor authentication (MFA) approval and expires automatically. For access keys, which are commonly exploited for initial access, teams should enforce short-lived session tokens. These tokens support the same automated workflows as long-term access keys, but they can be tracked and revoked within much shorter timeframes, and a leaked token stops working on its own once it expires. 

Although managing these permissions adds complexity, using IAM services ensures roles are provisioned securely and consistently across environments. To strengthen this approach, automated incident response tools like GreyMatter Automated Response Playbooks can play a crucial role. These playbooks can instantly disable accounts or revoke sessions, containing active threats in real time and minimizing the attacker’s window of opportunity. 
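The first thing to measure when moving toward short-lived credentials is how many standing keys exist today. The Python below is an added example, not ReliaQuest or GreyMatter code: it audits a credential report in the column layout of the IAM credential report (a constructed subset of rows and columns; the real one is retrieved with `aws iam get-credential-report`) and flags console users holding long-term keys, keys older than an assumed 90-day rotation policy, keys dormant for an assumed 45 days, and console users without MFA. The "console password means human" heuristic and both thresholds are assumptions.

```python
"""Find standing programmatic credentials in an IAM credential report.

Added example, not ReliaQuest code. The CSV is constructed in the column layout of
the IAM credential report (a subset of its columns); in production the report comes
from `aws iam get-credential-report`, which returns it base64-encoded.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
UNUSED_DAYS = 45        # assumed dormancy threshold
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed rows: a root account, two console users, two service identities.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,true,true,true,2024-11-03T09:12:00+00:00,2025-09-29T17:40:00+00:00,false,N/A,N/A
bob,true,false,false,N/A,N/A,false,N/A,N/A
svc-backup,false,false,true,2025-08-20T00:00:00+00:00,2025-09-30T02:00:00+00:00,true,2023-02-11T00:00:00+00:00,2025-01-10T08:00:00+00:00
ci-deploy,false,false,true,2025-09-15T00:00:00+00:00,N/A,false,N/A,N/A
"""


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A / no_information / not_supported mean absent."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_age=MAX_KEY_AGE_DAYS, unused_days=UNUSED_DAYS):
    """Return a list of {user, key, finding} dicts.

    Heuristic (an assumption): a user with a console password is a human, and humans
    should hold no long-term keys at all. Service identities keep keys but are
    checked for age and dormancy.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_human = row["password_enabled"] == "true"
        if is_human and row["mfa_active"] != "true":
            findings.append({"user": user, "key": None, "finding": "console user without MFA"})
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            # A key that was never used is judged dormant from its creation date.
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"]) or rotated
            if is_human:
                findings.append({"user": user, "key": slot,
                                 "finding": "human user holds a long-term access key; "
                                            "replace with STS session credentials"})
            if rotated and (now - rotated).days > max_age:
                findings.append({"user": user, "key": slot,
                                 "finding": f"key older than {max_age} days"})
            if last_used and (now - last_used).days > unused_days:
                findings.append({"user": user, "key": slot,
                                 "finding": f"key unused for more than {unused_days} days"})
    return findings


if __name__ == "__main__":
    for f in audit(CREDENTIAL_REPORT):
        key = f" (key {f['key']})" if f["key"] else ""
        print(f"{f['user']}{key}: {f['finding']}")
```

On the constructed rows this yields five findings: alice's key is both held by a console user and past the rotation threshold, bob lacks MFA, and svc-backup's second key is both old and dormant. ci-deploy's key is 16 days old and has never been used, so it falls inside the dormancy grace period and is not flagged. Before revoking a dormant service key, check the report's last-used service and region columns to find its owner, since silently breaking an automation is how exceptions get granted and standing keys creep back.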

Automating Insecurity: How DevOps Creates Legacy Risk

The cloud’s greatest strength—on-demand infrastructure deployments—is also a source of systemic risk. In the race for speed, along with unclear ownership of risk remediation, organizations often unknowingly perpetuate vulnerabilities. This push for rapid deployment can lead to the systematic redeployment of years-old flaws. 

Every automated deployment of a new server, container, or serverless function can replicate a single flaw from an old template across the environment in minutes. As this cycle repeats daily, new assets are created faster than security teams can manually scan and address them. The result is an ever-expanding attack surface and an unmanageable vulnerability backlog. 

Why Automation Is Resurrecting Legacy Flaws 

Vulnerabilities embedded in the foundational DNA of cloud environments pose a great risk to security. These flaws aren’t limited to niche applications; they’re found in ubiquitous components like logging libraries (e.g., Log4j) and remote-access tools (e.g., OpenSSH). Many of these components are baked into the “golden images” and container images used to build servers, and into the infrastructure as code (IaC) scripts used to deploy resources.  

While cloud automation can magnify unresolved vulnerabilities, it also creates an opportunity: When integrated effectively, automation can apply fixes consistently and at scale. However, this requires efficient processes for identifying and remediating issues before they spread. 

This isn't just a theoretical risk. Our Q3 2025 analysis of cloud-based vulnerability alerts indicates that most risks come from a small number of well-known flaws. While the top CVEs aren’t exclusive to the cloud, automation magnifies their impact. A vulnerability that might have affected a few on-premises servers can now be replicated across hundreds of cloud hosts with every automated deployment.  

In fact, over 71% of all critical vulnerability alerts stemmed from just four CVEs, including some that are years old: 

  • CVE-2021-44228 (Log4Shell): Allows unauthenticated remote code execution (RCE) through a ubiquitous Java logging library. 

  • CVE-2024-6387 (OpenSSH): Enables potential code execution in the OpenSSH server. 

  • CVE-2023-36884 (Microsoft Windows): Enables RCE through specially crafted files. 

  • CVE-2024-23897 (Jenkins): Lets attackers read arbitrary files, leading to RCE in Jenkins environments. (As of October 2025, there are over 14,700 Jenkins servers exposed to the internet that are still vulnerable to CVE-2024-23897.) 

For valid business reasons, many organizations still operate on a traditional “patch-after-deployment” model. However, our analysis shows this approach is no longer tenable against the speed of the modern cloud. The speed of DevOps introduces risks faster than security operations teams can remediate them, creating a growing security debt. This debt doesn’t just pose a security risk—it also stifles innovation. When deployed applications are sent back to development for patching, it creates friction, slows release cycles, and costs time and resources. 

The solution? Stop treating security as a final checkpoint. Instead, integrate it directly into the development process. Think of it as an assembly line: Instead of inspecting a fully assembled car for defects, you check components at every step. In practice, this means:  

  • Integrating automated security scanning into the development pipeline and the "golden image" templates—or containerized images—before they’re deployed.  

  • Scanning containers—widely used assets for hosting code and applications—for vulnerabilities early to prevent flaws from propagating across the cloud environment. 
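The two pipeline steps above amount to running policy checks over the template and the image reference before anything is deployed. The following Python is an added example, not ReliaQuest code and not Checkov, tfsec or any other scanner named in this report; it shows the shape of three such rules run against a constructed CloudFormation-style template: an inline policy granting wildcard actions on all resources, a security group that exposes SSH to the world alongside a legitimate public HTTPS rule, and a task definition whose container image is referenced by a mutable tag rather than a digest. Rule ids, severities, the template and the placeholder digest are all assumptions.

```python
"""Pre-deployment checks for a CloudFormation-style template.

Added example, not ReliaQuest code and not Checkov or tfsec; it illustrates the kind
of rule those scanners run. Rule ids, severities and the template are constructed.
"""
import sys

ADMIN_PORTS = {22, 3389}                 # ports that should never be world-reachable
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed template: one over-broad inline policy, one security group with a
# legitimate public HTTPS rule plus an exposed SSH rule, one task with an unpinned image.
TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                    "Principal": {"Service": "ec2.amazonaws.com"}}]},
        "Policies": [{"PolicyName": "app", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"ContainerDefinitions": [
        {"Name": "app", "Image": "registry.example.test/app:latest"},
        # placeholder digest (constructed), standing in for a scanned build's sha256
        {"Name": "sidecar", "Image": "registry.example.test/sidecar@sha256:" + "0" * 64}]}},
}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _finding(resource, rule, severity, message):
    return {"resource": resource, "rule": rule, "severity": severity, "message": message}


def check_iam(resource, props):
    """Flag Allow statements that grant wildcard actions on all resources."""
    docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
    if "PolicyDocument" in props:            # AWS::IAM::ManagedPolicy shape
        docs.append(props["PolicyDocument"])
    out = []
    for doc in docs:
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            wild = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
            if wild and "*" in _as_list(st.get("Resource", [])):
                out.append(_finding(resource, "IAM-001", "HIGH",
                                    f"wildcard actions {wild} on all resources"))
    return out


def check_security_group(resource, props):
    """Flag world-reachable ingress that covers an administrative port or all ports."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in PUBLIC_CIDRS:
            continue
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        all_ports = rule.get("IpProtocol") == "-1" or (lo, hi) in {(-1, -1), (0, 65535)}
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(_finding(resource, "SG-001", "HIGH",
                                f"ports {lo}-{hi} open to {cidr} include an administrative port"))
    return out


def check_images(resource, props):
    """Flag images not pinned to a digest: a tag can silently resolve to an unscanned build."""
    return [_finding(resource, "IMG-001", "MEDIUM",
                     f"container {c.get('Name')} uses unpinned image {c.get('Image')}")
            for c in props.get("ContainerDefinitions", []) if "@sha256:" not in c.get("Image", "")]


CHECKS = {
    "AWS::IAM::Role": check_iam,
    "AWS::IAM::ManagedPolicy": check_iam,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::ECS::TaskDefinition": check_images,
}


def scan(template):
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def blocks_pipeline(findings):
    return any(f["severity"] == "HIGH" for f in findings)


if __name__ == "__main__":
    results = scan(TEMPLATE)
    for f in results:
        print(f"[{f['severity']}] {f['resource']} {f['rule']}: {f['message']}")
    sys.exit(1 if blocks_pipeline(results) else 0)   # fail the build on HIGH findings
```

Run as a pipeline step, the non-zero exit on HIGH findings is what stops the template from reaching production; the 443 rule passes because public HTTPS on a web tier is expected, which is the kind of allow-listing a real rule set needs to avoid being switched off as noise. Pinning the image to a digest is what makes "scan the golden image, then deploy it" meaningful: a tag such as `latest` can point at a different build by the time the deployment runs.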

Step Up Your Defenses Against Cloud Threats

Cloud threats exploit the very tools of speed and innovation that organizations rely on to grow. For security leaders, the challenge is to defend against adversaries who turn these advantages into weaknesses. The solution isn’t to slow down progress—it’s to build a security operations model that’s as integrated and automated as the attack itself. This means moving away from siloed tools that address individual stages of the attack chain and instead adopting a unified defense that can see and act across the entire campaign. 

ReliaQuest’s Approach 

GreyMatter Digital Risk Protection (DRP) provides an external view of threats by continuously monitoring the open, deep, and dark web. This capability helps organizations detect risks before they materialize into active attacks. 

  • Detect Compromised Credentials: Monitor in real time for brand impersonation, data leaks, and threats targeting executives, employees, and infrastructure. 

  • Correlate Threats to Internal Risk: Automatically connect external threats like leaked passwords with internal asset data to immediately understand their true business impact.  

  • Disrupt the Credential Theft: Identify phishing sites and spoofed login pages targeting your organization and initiate takedowns to prevent employees from unknowingly exposing their credentials. 

GreyMatter Discover focuses on internal risks by providing visibility into your attack surface and giving you the context needed to find and fix exposures. 

  • Achieve Full Visibility: Map and monitor assets across dynamic cloud environments, where assets are constantly created and decommissioned, to identify gaps and blind spots that could create opportunities for attackers. 

  • Prioritize and Act on Risk: Proactively find the most critical cloud misconfigurations and vulnerabilities so security teams can focus their efforts on the exposures that matter most. 

  • Integrate Context for Faster Investigations: Combine asset and vulnerability data into a unified view to streamline investigations and reduce the need to pivot between security consoles. 

ReliaQuest detection rules are continuously updated to identify the tell-tale signs of a modern cloud breach. Organizations can significantly reduce their mean time to contain (MTTC) multi-stage threats by deploying detection rules alongside the following GreyMatter Automated Response Playbooks: 

  • Disable User: Automatically disables the user account in the identity provider when identities are abused. 

  • Block IP: Automatically blocks the source IP address of identities if they begin to act suspiciously. 

GreyMatter Agentic AI: In addition to detection rules, the GreyMatter AI Agent automatically enriches alerts with user context from connected integrations and historical data from similar incidents to determine appropriate next steps. This allows security teams to enable Automated Response Playbooks with confidence when the Agent identifies activities that don’t meet customers’ prescribed thresholds. 
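The chain this report describes, a valid-credential login that looks like ordinary user activity followed by a privilege-widening API call, is only visible when the two stages are correlated. The following Python is an added example, not ReliaQuest detection content or GreyMatter code: it runs constructed CloudTrail-style records against a per-user baseline of known networks, opens a verification finding for a successful console login from outside that baseline, and upgrades it to containment when an IAM privilege-changing call follows from the same address within 30 minutes, mapping the result onto the two playbook actions named above. The escalation action list, the baseline, the records and the time window are assumptions.

```python
"""Correlate a new-location console login with follow-on IAM privilege changes.

Added example (not ReliaQuest or GreyMatter code). The records, the known-network
baseline and the escalation action list are constructed for illustration.
"""
from datetime import datetime, timedelta
import ipaddress

# IAM calls that grant or widen access. Constructed starting list, not exhaustive.
ESCALATION_ACTIONS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreatePolicyVersion", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}

# Networks each user habitually signs in from (constructed; a real baseline is
# learned from weeks of successful logins).
KNOWN_NETWORKS = {"alice": [ipaddress.ip_network("203.0.113.0/24")]}

WINDOW = timedelta(minutes=30)  # how soon after login an IAM change counts as one chain

# Constructed CloudTrail-like records (only the fields the logic needs).
EVENTS = [
    {"eventTime": "2025-09-14T08:01:10Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "203.0.113.25", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-09-14T08:05:42Z", "eventName": "ListBuckets", "userName": "alice",
     "sourceIPAddress": "203.0.113.25"},
    {"eventTime": "2025-09-14T21:17:03Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "198.51.100.77", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-09-14T21:19:30Z", "eventName": "AttachUserPolicy", "userName": "alice",
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-09-14T21:20:01Z", "eventName": "CreateAccessKey", "userName": "alice",
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"userName": "svc-backup"}},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_known_ip(user, ip, known_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in known_networks.get(user, []))


def correlate(events, known_networks=KNOWN_NETWORKS, window=WINDOW):
    """Return one finding per (user, source IP) that signed in from outside the
    user's baseline. It starts as a verification request and is upgraded to
    containment when an escalation call follows from the same IP within `window`."""
    findings = {}  # (user, ip) -> finding
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        user, ip = ev["userName"], ev["sourceIPAddress"]
        when, key = parse_time(ev["eventTime"]), (user, ip)
        if ev["eventName"] == "ConsoleLogin":
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if success and not is_known_ip(user, ip, known_networks):
                findings[key] = {"user": user, "sourceIp": ip, "loginTime": when,
                                 "stage": "new-location-login", "escalations": [],
                                 "actions": ["Verify with user"]}
        elif ev["eventName"] in ESCALATION_ACTIONS and key in findings:
            finding = findings[key]
            if when - finding["loginTime"] <= window:
                finding["escalations"].append(ev["eventName"])
                finding["stage"] = "login-then-escalate"
                finding["actions"] = ["Disable User", "Block IP"]
    return list(findings.values())


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['user']} from {f['sourceIp']}: {f['stage']} "
              f"{f['escalations']} -> {f['actions']}")
```

The morning login from the baseline network produces nothing; the evening login alone would only prompt a user verification message, and it is the AttachUserPolicy and CreateAccessKey calls two minutes later that turn it into a Disable User plus Block IP decision. The baseline check is exactly what location emulation of the kind attributed to Scattered Spider above is designed to defeat, so in practice the escalation stage should also raise its own lower-confidence alert even when the source address looks familiar.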

Your Action Plan 

  • Eliminate Static AWS Access Keys for Human Users: To neutralize the threat of stolen credentials, eliminate long-term IAM user access keys for human users requiring programmatic access to AWS. Instead, mandate the use of short-term credentials generated via AWS Security Token Service (STS). These temporary credentials expire within minutes or hours, dramatically shrinking the window of opportunity in the event of a leak. 

  • Enforce Least Privilege with Cloud-Native Tools: Excessive permissions are a favorite target for attackers. Use identity analysis tools—often categorized as cloud infrastructure entitlement management (CIEM)—like AWS IAM Access Analyzer, GCP IAM Recommender, or Microsoft Entra Permissions Management to evaluate usage logs and automatically create least-privilege policies. These tools systematically remove unused permissions, reducing the risk of privilege escalation. 

  • Automate Security Validation for IaC and Golden Images: Prevent insecure assets from reaching production by embedding automated security validations into your CI/CD pipeline. Use static analysis tools like Checkov or tfsec to scan IaC templates for risky misconfigurations. For containerized images (or “golden images”), use tools like HashiCorp Packer to build them and automatically scan the resulting images with a vulnerability scanner (e.g., Qualys, Tenable, or AWS Inspector). Centralizing these validations ensures consistent fixes and prevents vulnerabilities from scaling across deployments. 
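The second action item, and the discussion of AdministratorAccess versus the principle of least privilege earlier in the report, both come down to one comparison: what a policy grants against what the principal actually called. The Python below is an added example, not ReliaQuest code and not the output of IAM Access Analyzer or any CIEM product; it performs that comparison over a constructed action catalogue, a constructed over-broad policy and a constructed CloudTrail usage sample, then emits a narrowed policy and the list of unused grants. The catalogue, policy and sample are assumptions.

```python
"""Derive a least-privilege policy from observed API usage.

Added example, not ReliaQuest code and not a CIEM product's output. It carries out
the core step such tools automate: compare what a policy grants with what the
principal actually called, then emit a narrowed policy and the unused grants.
The action catalogue, the policy and the usage sample are all constructed.
"""
import fnmatch

# Constructed catalogue standing in for the full AWS action list (thousands of entries).
SERVICE_ACTIONS = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket", "PutBucketPolicy"],
    "iam": ["CreateUser", "AttachUserPolicy", "PutUserPolicy", "ListUsers", "CreateAccessKey"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances"],
}

# Constructed over-broad policy of the kind a reused role template carries.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Constructed CloudTrail sample: what the principal actually called over the review period.
USAGE = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def expand(action_patterns, catalogue=SERVICE_ACTIONS):
    """Expand 'service:Pattern*' (or a bare '*') into concrete 'service:Action' names."""
    concrete = set()
    for pattern in action_patterns:
        service, _, name_pattern = pattern.partition(":")
        name_pattern = name_pattern or "*"          # a bare "*" means every action
        services = catalogue if service == "*" else {service: catalogue.get(service, [])}
        for svc, names in services.items():
            concrete.update(f"{svc}:{n}" for n in names if fnmatch.fnmatchcase(n, name_pattern))
    return concrete


def granted_actions(policy, catalogue=SERVICE_ACTIONS):
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        granted |= expand([actions] if isinstance(actions, str) else actions, catalogue)
    return granted


def used_actions(events):
    """CloudTrail eventSource 's3.amazonaws.com' + eventName 'GetObject' -> 's3:GetObject'."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def right_size(policy, events, catalogue=SERVICE_ACTIONS):
    granted = granted_actions(policy, catalogue)
    used = used_actions(events)
    kept = sorted(granted & used)
    narrowed = {"Version": policy["Version"],
                "Statement": [{"Effect": "Allow", "Action": kept, "Resource": "*"}]}
    return {"granted": len(granted), "used": len(kept),
            "unused": sorted(granted - used), "policy": narrowed}


if __name__ == "__main__":
    result = right_size(GRANTED_POLICY, USAGE)
    print(f"granted {result['granted']} actions, used {result['used']}; "
          f"{len(result['unused'])} can be removed")
    print("unused:", ", ".join(result["unused"]))
```

Two caveats a practitioner would apply before trusting the output. The usage sample has to be complete for the review window: CloudTrail records management events by default, but S3 object-level calls such as GetObject are data events that must be enabled separately, so a policy generated without them would break the workload. And this example narrows only the Action element; the production tools named above also scope Resource and conditions, which is where most of the remaining blast radius lives.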

Key Takeaways and What’s Next

While sophisticated zero-day exploits often capture headlines, our findings suggest a more immediate and widespread cloud security risk: attackers logging in with valid credentials to exploit preventable misconfigurations. Stolen credentials grant access to the front door, but over-privileged and misconfigured identities leave every subsequent door wide open. This toxic combination, scaled by modern DevOps processes, creates pathways attackers are increasingly adept at exploiting. 

Automating Initial Access 

The prediction of a fully automated credential-to-intrusion pipeline isn’t just based on the trajectory of tools—it’s driven by clear economic and operational incentives within the cybercrime ecosystem. In 2025, attackers already manually chain steps together: purchasing access from initial access brokers (IABs), using infostealer logs to find valid credentials, and using the credentials to gain footholds. The next logical and imminent progression is connecting these proven steps into a single, automated service. 

Given this, in the next three to six months, we anticipate the rise of criminal services capable of automatically scraping dark-web markets for newly leaked credentials and validating them against corporate login portals at machine speed. This would compress the time from credential leak to active intrusion from days or hours to mere minutes, overwhelming security teams reliant on manual alert triage. To counter this, proactive threat detection and automated response must become a baseline necessity.