
Segura Welcomes CFO Igor Iuki Murakami

Segura, a company specializing in continuous application security, has announced the appointment of Igor Iuki Murakami as its new Chief Financial Officer. With a career spanning over 20 years in finance and a strong background in the technology and security sectors, Murakami brings a wealth of experience to the company’s executive team.

A Strategic Addition to Leadership

According to the press release, Murakami’s appointment is a strategic move to support Segura’s rapid growth and market expansion. His experience with financial planning, fundraising, and mergers and acquisitions will be crucial as the company scales its operations and continues to develop its innovative application security solutions. Segura’s CEO emphasized that Murakami’s deep understanding of the industry and his proven track record of helping technology companies grow make him an ideal fit for the role.

Commitment to Growth and Security

The addition of a new CFO signals Segura’s commitment to strengthening its financial and operational leadership. The company aims to accelerate its mission of providing robust application security platforms that help businesses protect their digital assets from an increasingly complex threat landscape. Murakami’s leadership is expected to play a key role in guiding Segura through its next phase of growth while maintaining its focus on innovation and security excellence.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

A CISO’s Guide to Managing Machine Identities

Practical strategies for securing your digital infrastructure beyond human users.

In today’s complex digital environment, machines are often the majority of users accessing systems and data. This presents a new challenge for Chief Information Security Officers (CISOs) and their teams: how to manage and secure these non-human “machine identities.” A failure in this area can lead to costly outages, data breaches, and a lack of control over your infrastructure.

Types of Critical Machine Identities

API Keys and Secrets

These provide programmatic access to services, often bypassing standard security controls. They are a common source of vulnerability if not properly managed, as they can lead to unauthorized access and API security gaps.

Service Accounts

These accounts enable automated operations across systems. They are a significant part of an organization’s identity landscape, and securing them is essential to prevent misuse and credential sprawl.

TLS/SSL Certificates

Certificates secure communication across thousands of endpoints. When they expire or are mismanaged, they can cause major vulnerabilities and disrupt access to critical services. Proper lifecycle management is key to preventing these issues.

Core Strategies for Management

Automated Discovery and Monitoring

You can’t secure what you can’t see. CISOs should deploy automated scanners to discover all machine identities, including forgotten or “shadow” credentials. Continuously monitoring these identities ensures that vulnerabilities are found early.

Lifecycle Management and Ownership

Every machine identity should have a human owner responsible for its lifecycle—from creation to retirement. Automating tasks like dynamic secret generation and automated credential expiration can help scale this process and reduce manual errors.

Integrating Machine Identities into IAM

Machine identities must be a core part of your overall Identity and Access Management (IAM) strategy. By doing so, you gain a unified view and consistent control over both human and non-human access to your most critical systems.


The Modern CISO’s Dilemma: Why Focused Identity Security Beats All-in-One Platforms

Today’s CISOs face a paradox: they’re pressured to consolidate vendors but end up with fragmented platforms that fail to address the complexities of managing machine identities and AI-driven threats. Traditional security suites often promise to do everything but deliver a cumbersome user experience, are slow to deploy, and lack the necessary depth, leaving organizations vulnerable.

This challenge is universal. As tech giants acquire and integrate more cybersecurity tools, the risk of innovation stagnating and response times slowing down becomes a reality. Instead of solving problems, these platforms often create them.

A New Approach: Beyond Traditional PAM

Recognizing the limitations of complex, expensive, and slow-to-deploy traditional Privileged Access Management (PAM) solutions, security leaders are asking critical questions: “Will this take months to deploy? Can it manage both human and machine identities? Is the pricing transparent? Will my team actually use it?”

Segura® offers a modern answer to these questions by focusing exclusively on **identity security**. Our mission is to provide an agile, effective, and user-friendly solution that delivers value faster than bloated, monolithic platforms.

The Segura® Difference

Segura’s architecture is designed for speed, control, and clarity, providing enterprise-grade security without the typical burden.

  • Unified Platform, Single Mission: While many platforms treat identity as just one feature, Segura® is built around a single mission: giving your team precise control over every identity in any environment. Our features—including PAM, Cloud Infrastructure Entitlement Management (CIEM), Endpoint Privilege Management (EPM), and DevOps Secrets Management (DSM)—are all unified under one interface for both human and machine identities.
  • Rapid Time-to-Value: We eliminate the months-long deployment cycles common with other tools. Segura can be deployed in hours, not months, allowing you to secure your environment and realize value from day one.
  • Strategic Independence: In an era of vendor consolidation, Segura maintains strategic independence. Our infrastructure and governance are designed to ensure digital sovereignty, protecting your security posture from vendor lock-in and geopolitical risks.
  • Global Scale, Local Expertise: Our Centers of Excellence provide 24/7 multilingual support from local experts who understand regional regulations and operational nuances, helping you stay compliant with frameworks like GDPR, HIPAA, and SAMA.

Conclusion: From Complexity to Clarity

The recent wave of cybersecurity acquisitions has introduced more complexity at a time when CISOs need clarity the most. Segura offers a focused, streamlined alternative that adapts to your environment, scales with your needs, and puts your team back in control. Join thousands of security professionals who are switching to a solution that’s faster to deploy, easier to manage, and trusted by teams worldwide. 


Security with Identity: Why Focus Still Wins in a Crowded Market

The Power of Focus: Why Specialized Identity Security Outperforms Mega-Platforms

The Modern Security Leader’s Dilemma

If you’re a security leader, you’re navigating a landscape of contradictions. You are asked to consolidate vendors, yet are left stitching together fractured platforms. You’re pressured to leverage AI, but your tools struggle with existing machine identities. You’re required to prove compliance, yet legacy Privileged Access Management (PAM) solutions can’t scale to meet audit demands.

This challenge is universal. At a time when you need smarter, simpler identity control, the market is pushing bloated platforms that promise everything but deliver little. As large tech players consolidate cybersecurity tools, the risks of innovation stalling and response times slowing are becoming a reality—especially against new threats like AI-driven identity attacks.

At Segura®, we’ve taken a different approach. We focus exclusively on Identity Security, allowing us to deliver value faster, more efficiently, and with a superior user experience that monolithic platforms cannot match.

Beyond Legacy PAM: A Modern Approach

Security teams are moving away from legacy PAM due to its complexity, cost, and slow deployment. Vendor consolidation only magnifies these issues. Before making a change, discerning leaders are asking the right questions:

  • Will deployment take days or drag on for months?

  • Can it manage both human and machine identities from a single interface?

  • Is the pricing transparent, or will we face hidden fees?

  • Will our team adopt it, or will they create workarounds?

Segura® was architected to provide clear, positive answers to these questions, delivering speed, control, and transparency.

“Segura’s support is beyond excellent—quick to respond and knowledgeable, unlike what we experienced with previous vendors.” – IT Security Analyst, Services Industry

A Unified Platform, A Singular Mission

Identity is the new perimeter, yet most platforms treat it as just another feature. Segura® is different. Every capability—from Privileged Access Management (PAM) and Cloud Infrastructure Entitlements Management (CIEM) to Endpoint Privilege Management (EPM) and DevOps Secrets Management (DSM)—is built to achieve one goal: giving your team precise control over every identity in any environment.

Our native integrations and modular design provide total control over human and machine identities through a single interface, enabling faster decisions and eliminating blind spots.

Enterprise-Grade Security Without the Enterprise Drag

When privileged access tools take months to implement, audit deadlines are missed and security fatigue sets in. Segura® deploys in hours, not months, delivering immediate control and value. This means:

  • Accelerated Time-to-Value: Secure your environment from day one.

  • Minimal Overhead: Reduce reliance on expensive third-party consultants.

  • Maximum Team Enablement: Empower your team with intuitive tools they will actually use.

Global Scale, Local Expertise

In identity security, response time and local context are critical. Our regional Centers of Excellence provide 24×7 multilingual support from local experts who understand the regulatory and operational nuances of your region. This ensures you can resolve issues quickly and remain compliant with frameworks like GDPR, HIPAA, and SAMA.

Strategic Independence in an Age of Consolidation

While the market consolidates under a few tech giants, Segura® remains strategically independent. Our infrastructure and governance are designed to ensure digital sovereignty, freeing your security posture from the risks of vendor lock-in, forced platform changes, and geopolitical instability.

Conclusion: Clarity Over Complexity

The current wave of cybersecurity acquisitions is creating more complexity when security teams need clarity. Segura® offers a focused alternative that adapts to your environment, scales with your needs, and puts your team back in control. Join the thousands of security professionals who have switched to a solution that is faster to deploy, easier to manage, and trusted by teams worldwide.


Identity Security Intelligence Part 4: Detecting and Responding to Identity Compromise at Speed

What to Expect in this Blog:

In Part 4 of the Identity Security Intelligence series, we shift from building defenses to active response. You’ll learn how to detect identity compromise early—before attackers escalate privileges or blend in as trusted users. We’ll cover real-world indicators of identity abuse, how to triage and contain threats with minimal business impact, and why identity-centric response playbooks are essential for modern security teams. Because when credentials are the new attack vector, speed and precision in response are your best defense.

In previous parts of this series, we laid the groundwork for modern identity defense:

  • Part 1 uncovered identities and privileges across complex environments.
  • Part 2 enforced least privilege through intelligent controls.
  • Part 3 showed how to audit and govern access for accountability and compliance.

Now, we shift focus from preparation to action.

Because no matter how well you discover, control, or govern, identities will most likely be compromised.

And when they are, the speed and precision of your identity incident response will determine whether you contain the breach… or become the next headline.

The New Breach Attack Path: From Credential Theft to Full Compromise

Identity is now the adversary’s primary attack surface.

Attackers don’t need to drop malware if they can log in using stolen credentials.

The kill chain is no longer linear—it’s lateral and identity-based:

  1. Initial Access – Phishing, token theft, credential stuffing, or session hijacking
  2. Privilege Escalation – Abuse of misconfigured roles or overlooked entitlements
  3. Lateral Movement – Reuse of credentials, token impersonation, and cloud hopping
  4. Data Access & Exfiltration – With legitimate access and minimal detection
  5. Persistence – Creation of shadow admins or token misuse for future re-entry

By the time the SOC sees unusual behavior, the attacker may have already weaponized privileges, disabled MFA, or tampered with audit logs.

This demands a shift from reactive forensics to identity-first detection and response.

What Does Identity Compromise Look Like?

Identity compromise isn’t always obvious. It often appears as “normal” behavior executed by a legitimate identity, but in the wrong context.

Here’s what defenders must watch for:

🔍 Behavioral Anomalies

  • Logins from suspicious locations or cases of impossible travel
  • First-time access to sensitive systems or apps
  • Sudden privilege usage not seen historically

🛠️ Misuse of Privilege

  • Lateral movement via service accounts or shared credentials
  • Privilege escalation followed by sensitive actions (e.g., mailbox exports)
  • Admin role usage outside business hours

🔄 Token and Session Abuse

  • Reuse of session tokens from new devices or geos
  • Long-lived refresh tokens used across systems
  • OAuth token abuse in cloud environments

🧪 Signs of Persistence

  • New access grants to dormant accounts
  • Creation of new roles, keys, or service principals
  • Disabling of MFA or conditional access policies

You can’t detect this from login data alone. You need correlated identity intelligence (privileges, entitlements, historical behavior, and audit context), all tied together in near real time.
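As an added example (not code from the original post or from Segura’s platform), the following Go program applies three of the indicators above to a constructed JSON-lines audit log: impossible travel between consecutive logins, admin role use outside business hours, and MFA being disabled. The 900 km/h threshold, the 07:00 to 19:00 UTC business window and the admin role names are assumptions made for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Event is one identity audit record with the fields these rules need.
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Action string    `json:"action"`         // login, role_assumed, mfa_disabled
	Role   string    `json:"role,omitempty"` // set for role_assumed
	Lat    float64   `json:"lat"`
	Lon    float64   `json:"lon"`
	City   string    `json:"city"`
}

type Alert struct{ User, Rule, Detail string } // a finding tied to an identity, not to a raw log line

// Constructed sample audit log (JSON lines); not taken from any real system.
const sampleLog = `
{"time":"2025-03-04T08:02:00Z","user":"j.doe","action":"login","lat":51.50,"lon":-0.12,"city":"London"}
{"time":"2025-03-04T08:41:00Z","user":"j.doe","action":"login","lat":1.35,"lon":103.82,"city":"Singapore"}
{"time":"2025-03-04T10:30:00Z","user":"a.lee","action":"login","lat":40.71,"lon":-74.00,"city":"New York"}
{"time":"2025-03-04T14:05:00Z","user":"a.lee","action":"role_assumed","role":"GlobalAdmin","lat":40.71,"lon":-74.00,"city":"New York"}
{"time":"2025-03-04T23:15:00Z","user":"svc-backup","action":"role_assumed","role":"GlobalAdmin","lat":51.50,"lon":-0.12,"city":"London"}
{"time":"2025-03-04T23:17:00Z","user":"svc-backup","action":"mfa_disabled","lat":51.50,"lon":-0.12,"city":"London"}
`

// Thresholds assumed for this example. A real deployment derives business hours from each
// identity's own baseline and time zone rather than from a fixed UTC window.
const maxPlausibleKmh, businessHourFrom, businessHourTo = 900.0, 7, 19
var adminRoles = map[string]bool{"GlobalAdmin": true, "DomainAdmin": true}

// kmBetween is the great-circle (haversine) distance between two coordinates.
func kmBetween(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a)) // 6371 km is the mean Earth radius
}

// parseEvents decodes JSON lines and orders them by time so the sequence rules work.
func parseEvents(raw string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		evs = append(evs, e)
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	return evs, nil
}

// detect applies three of the indicators above: impossible travel between logins,
// admin role usage outside business hours, and MFA being disabled (persistence).
func detect(evs []Event) []Alert {
	var alerts []Alert
	lastLogin := map[string]Event{} // per-identity state: the pivot point of triage
	for _, e := range evs {
		switch e.Action {
		case "login":
			if prev, ok := lastLogin[e.User]; ok {
				hours := e.Time.Sub(prev.Time).Hours()
				km := kmBetween(prev.Lat, prev.Lon, e.Lat, e.Lon)
				if hours > 0 && km/hours > maxPlausibleKmh {
					alerts = append(alerts, Alert{e.User, "impossible_travel",
						fmt.Sprintf("%s -> %s, %.0f km in %.0f min", prev.City, e.City, km, hours*60)})
				}
			}
			lastLogin[e.User] = e
		case "role_assumed":
			if h := e.Time.UTC().Hour(); adminRoles[e.Role] && (h < businessHourFrom || h >= businessHourTo) {
				alerts = append(alerts, Alert{e.User, "off_hours_admin",
					fmt.Sprintf("%s assumed at %s", e.Role, e.Time.Format(time.RFC3339))})
			}
		case "mfa_disabled":
			alerts = append(alerts, Alert{e.User, "persistence_mfa_disabled", "MFA turned off on the account"})
		}
	}
	return alerts
}

func main() {
	evs, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detect(evs) {
		fmt.Printf("%-12s %-26s %s\n", a.User, a.Rule, a.Detail)
	}
}
```

The sample log yields three alerts: j.doe’s London-to-Singapore hop, svc-backup assuming GlobalAdmin at 23:15 UTC, and svc-backup turning MFA off two minutes later.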

Identity-Centric Incident Response: The New Playbook

When an identity is compromised, speed matters. But speed without precision causes collateral damage.

Here’s how modern security teams respond using identity intelligence:

🧠 Step 1: Triage the Identity, Not Just the Alert

Instead of treating every alert as isolated, pivot to the identity in question:

  • Who owns it?
  • What can it do?
  • Where does it have access?
  • Has its behavior changed recently?

Use entitlement graphs and historical behavior to understand the potential blast radius.

🛑 Step 2: Contain Without Breaking the Business

Shutting down access is easy. Doing it surgically is the challenge.

Containment options include:

  • Temporarily disabling high-risk privileges (not the entire account)
  • Revoking OAuth or SAML tokens across federated systems
  • Suspending specific roles or group memberships
  • Forcing reauthentication with step-up MFA

This minimizes disruption while blocking the attacker’s movement.

🔁 Step 3: Trace the Incident Through Identity Audit Logs

Use your identity audit layer (from Part 3) to:

  • Identify what the attacker did post-compromise
  • Map lateral movement across systems
  • Determine whether data was accessed or exfiltrated
  • Reconstruct actions taken with elevated privileges

This moves you from assumptions to fact-based forensics.

🧼 Step 4: Remediate the Access Footprint

Once contained, clean up:

  • Remove suspicious roles, keys, and tokens
  • Reset secrets and credentials
  • Review group memberships and admin delegation
  • Verify no new identities or backdoors were created

Use historical privilege analysis to restore only what’s necessary, not everything the identity had before.

🔒 Step 5: Strengthen Controls and Update Detection Logic

Every incident is a learning opportunity. Post-incident, ask:

  • Were there missed signals in identity behavior?
  • Was privilege creep a factor?
  • Should access reviews be more frequent?
  • Can risky entitlements be removed permanently?

Update detection rules, access policies, and governance workflows to close the loop.

Identity Intelligence in Detection & Response Tools

The most effective incident response programs integrate identity signals directly into their tools:

  • SIEMs enriched with identity metadata (roles, entitlements, behavior baselines)
  • SOAR playbooks that automate token revocation, MFA enforcement, and role removal
  • UEBA tools that analyze deviations from normal identity usage
  • IAM/PAM platforms that trigger step-up auth or session recordings during high-risk activity

Response becomes not just fast but intelligent, contextual, and minimally invasive.

Don’t Wait for the Breach: Simulate It and Be Incident Response Ready

One of the most underused capabilities in identity security is attack path simulation:

  • Use tools to model how an attacker might move from a compromised identity to high-value assets.
  • Identify exposed privilege chains or risky access paths.
  • Test incident response plans using these simulated scenarios.

This lets teams respond in practice, not panic.
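An added example (not Segura’s code) of the entitlement-graph reasoning behind Step 1’s blast-radius question and the attack path simulation above: a breadth-first search over a constructed graph of identities, groups, roles, secrets and resources, with a blocked-edge set so a responder can evaluate Step 2’s surgical containment (suspending one membership or revoking one key rather than the whole account) before applying it. The node and permission names are invented for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Edge is one entitlement: From can reach or act as To through permission Perm.
type Edge struct{ From, Perm, To string }

// Graph is a directed entitlement graph keyed by source node. Nodes may be users, groups,
// roles, secrets or resources; the edge's Perm carries the meaning.
type Graph map[string][]Edge

// Add records one entitlement.
func (g Graph) Add(from, perm, to string) { g[from] = append(g[from], Edge{from, perm, to}) }

// Path is a privilege chain: the ordered edges from the starting identity to a node.
type Path []Edge

func (p Path) String() string {
	hops := make([]string, 0, len(p))
	for _, e := range p {
		hops = append(hops, fmt.Sprintf("%s -[%s]-> %s", e.From, e.Perm, e.To))
	}
	return strings.Join(hops, "  ")
}

// Reach does a breadth-first search from start and returns the shortest privilege chain
// to every other reachable node. Edges in blocked are treated as already revoked, which
// lets a responder evaluate a containment action before applying it.
func (g Graph) Reach(start string, blocked map[Edge]bool) map[string]Path {
	paths := map[string]Path{start: nil}
	queue := []string{start}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		for _, e := range g[n] {
			if blocked[e] {
				continue
			}
			if _, seen := paths[e.To]; seen {
				continue
			}
			paths[e.To] = append(append(Path{}, paths[n]...), e)
			queue = append(queue, e.To)
		}
	}
	delete(paths, start)
	return paths
}

// BlastRadius returns, sorted, the high-value assets reachable from start.
func (g Graph) BlastRadius(start string, highValue map[string]bool, blocked map[Edge]bool) []string {
	var hits []string
	for node := range g.Reach(start, blocked) {
		if highValue[node] {
			hits = append(hits, node)
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleGraph is a constructed environment, not a real one: a developer whose group can
// assume a CI role that reads a production secret, and who also holds a service account's key.
func sampleGraph() (Graph, map[string]bool) {
	g := Graph{}
	g.Add("j.doe", "member_of", "Developers")
	g.Add("Developers", "read", "dev-wiki")
	g.Add("Developers", "assume", "ci-deploy-role")
	g.Add("ci-deploy-role", "read_secret", "vault/prod-db-creds")
	g.Add("vault/prod-db-creds", "authenticates_to", "prod-customer-db")
	g.Add("j.doe", "has_key", "svc-backup")
	g.Add("svc-backup", "member_of", "BackupOperators")
	g.Add("BackupOperators", "admin", "file-server")
	return g, map[string]bool{"prod-customer-db": true, "file-server": true}
}

func main() {
	g, highValue := sampleGraph()
	paths := g.Reach("j.doe", nil)
	fmt.Println("j.doe compromised; reachable high-value assets:")
	for _, asset := range g.BlastRadius("j.doe", highValue, nil) {
		fmt.Printf("  %s via %s\n", asset, paths[asset])
	}
	// Surgical containment: suspend j.doe's group membership, then also revoke the held key,
	// instead of disabling the whole account.
	contained := map[Edge]bool{{"j.doe", "member_of", "Developers"}: true}
	fmt.Println("after suspending membership:", g.BlastRadius("j.doe", highValue, contained))
	contained[Edge{"j.doe", "has_key", "svc-backup"}] = true
	fmt.Println("after also revoking the key:", g.BlastRadius("j.doe", highValue, contained))
}
```

Suspending the group membership alone still leaves the file server reachable through the service account key, which is exactly the kind of second path an entitlement graph surfaces and a per-account view misses.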

The Bottom Line

Identity compromise is inevitable. But uncontrolled blast radius is not.

Modern attackers exploit identity gaps faster than legacy detection tools can react. To defend effectively, you need more than logs and alerts—you need identity intelligence in every phase of your response.

By combining discovery, control, audit, and intelligent detection, security teams can:

  • Recognize identity compromise early.
  • Contain it precisely.
  • Investigate it accurately.
  • Remediate it thoroughly.
  • Evolve their defenses continuously.

Because in the new perimeter, the most dangerous breach isn’t the one with malware—it’s the one that looks like a trusted user… until it’s too late.


Machine Identity Crisis: A Security Risk Hiding in Plain Sight

Key Takeaways for CISOs and IT Teams:

  • Machine identities now outnumber humans 45 to 1—but most go unmanaged.

  • SSL/TLS certificate lifespans will shrink to 47 days by 2029, making manual management unsustainable.

  • 71% of breaches now start with stolen or misused credentials—including certificates and service accounts.

  • Most teams fail audits due to poor machine identity visibility, ownership, and lifecycle control.

  • This guide shows how to prevent outages, avoid audit risk, and automate before it’s too late.

When Microsoft Teams went dark for millions of users worldwide, the culprit wasn’t a sophisticated cyberattack or server failure. It was an expired SSL certificate. A simple piece of digital paperwork that nobody remembered to renew brought down one of the world’s most critical communication platforms. 

This isn’t an isolated incident. It’s a glimpse into a massive security blind spot that’s hiding in plain sight across every enterprise network: machine identity management.

Why machine identities are the new security frontier 

While your security team has spent years perfecting human identity management (multi-factor authentication, single sign-on, privileged access controls), an invisible workforce has been quietly multiplying in the background. 

These are your machine identities: the digital certificates, API keys, and cryptographic tokens that authenticate servers, applications, and IoT devices. 

Today, these non-human identities outnumber human employees by ratios as high as 45 to 1, and security leaders expect that number to grow by another 150% in the coming year. 

When machine identities are compromised or mismanaged, the consequences range from data breaches that make headlines to outages that cost millions in lost revenue. Yet most organizations are still managing these critical credentials with the same manual processes they used a decade ago. That is, if they’re managing them at all.

What Is a Machine Identity?

Think of machine identity as the digital equivalent of a passport or driver’s license, but for software, devices, and automated systems. Just as humans prove their identity with credentials, machines authenticate themselves using digital certificates, cryptographic keys, API tokens, and other secrets.

A “machine” in this context isn’t limited to physical hardware. It encompasses any non-human entity in your digital ecosystem: servers, virtual machines, containers, microservices, APIs, databases, applications, IoT sensors, and even AI models. 

Each requires some form of identifier and credential to establish trust with other systems. Common forms of machine identity include:

  • X.509 certificates for establishing encrypted HTTPS connections
  • API keys that authenticate applications to cloud services
  • SSH keys for secure server access and file transfers
  • Service account credentials that enable applications to access databases
  • OAuth tokens for secure API communications
  • Session-based credentials for Agentic AI acting on behalf of users across SaaS platforms or browser environments
  • Access tokens used in autonomous workflows and machine-to-machine actions

When you visit a website and see the HTTPS padlock, you’re witnessing machine identity in action. The server presents a digital certificate proving its legitimacy before your browser trusts it with sensitive data. This same principle scales across your entire infrastructure. Every service-to-service connection should verify identity before exchanging information.

The challenge lies in the explosive growth of these digital credentials. The growing trend of decentralization is disrupting cybersecurity oversight, with 75% of employees expected to acquire or modify tech outside IT’s control by 2027.

Each new application, microservice, or automated process adds more machine identities to manage, creating complexity that manual processes simply cannot handle.

The Hidden Risks of Unmanaged Machine Identities

Overlooking machine identities creates serious business risks that extend far beyond IT operations. When these credentials are compromised or mismanaged, the consequences ripple through your entire organization.

Breach Enablement Through Credential Compromise

Attackers are increasingly using machine credentials as entry points, and breaches that start with stolen or compromised credentials have seen a 71% year-over-year rise. 

When attackers compromise a machine identity, they effectively “become” a trusted system within your network. This grants them the ability to move laterally, access sensitive data, and establish persistent footholds without triggering traditional security alerts. 

Unlike human accounts that often show suspicious behavior, compromised machine credentials can act normally while exfiltrating data or preparing attacks unnoticed.

The SolarWinds supply chain attack is perhaps the starkest example of this threat. Hackers misused digital certificates to impersonate trusted software updates, making malware appear legitimate and bypassing security controls. As a result, they got access to over 18,000 organizations around the world.

The Washington Post described the attack as “the computer network equivalent of sneaking into the State Department and printing perfectly forged U.S. passports.”

Operational Disruptions and Revenue Loss

Certificate-related outages represent one of the most common yet preventable causes of business disruption. In addition to creating headaches for IT, they lead to lost revenue, customer frustration, and reputational damage.

Studies indicate that a single expired certificate outage can cost large organizations millions in recovery efforts and business impact.

The root cause often stems from a lack of visibility: teams simply don’t know where certificates are deployed or when they’re set to expire.

Now, the challenge is about to get harder. Starting in March 2026, the maximum validity period for public SSL/TLS certificates will drop from 398 days to 200 days, and by 2029, that window will shrink to just 47 days. This change—driven by industry mandates—will require certificates to be renewed up to 8 times a year. Manual management won’t scale. Without automation, organizations risk facing a flood of avoidable outages, compliance failures, and exposure from stale or expired credentials.

As your infrastructure grows more dynamic—with containers, microservices, and agentic AI adding complexity—automated certificate lifecycle management is no longer optional. It’s foundational.

Compliance and Governance Gaps

When organizations can’t inventory or secure their machine credentials, they risk failing audits and violating data protection requirements.

It’s particularly challenging because 88% of companies still treat “privileged user” as meaning humans only, even though about 42% of machine identities have sensitive or admin-level access. This creates a dangerous gap where powerful machine credentials operate without the oversight typically applied to privileged human accounts.

Cyber insurers and regulators are beginning to scrutinize machine identity practices more closely. Organizations that can’t demonstrate proper credential management may face higher insurance premiums, regulatory penalties, or exclusion from certain contracts requiring security certifications.

How Machine Identities Enable Modern Security Initiatives

Securing machine identities is a powerful enabler of transformative security and business initiatives. When properly managed, machine identities become the backbone of Zero Trust architectures, cloud-native development, and DevOps automation.

Zero Trust Security: “Never Trust, Always Verify” for Machines

Zero Trust security models require verification for every access request, whether from humans or machines. The principle “validate every machine’s identity irrespective of its location” ensures that malicious devices or rogue microservices can’t exploit implicit trust relationships.

Machine identity management makes Zero Trust architectures possible by ensuring every API call and service-to-service connection presents valid credentials. No machine or workload receives implicit trust based on network location. Each must prove its identity at every interaction, similar to multi-factor authentication for users.

Implementing mutual TLS, where each service possesses its own certificate, is a good example of this approach. Services only communicate after both parties prove their identities, preventing attackers from exploiting unverified connections. Even if one service is compromised, attackers can’t impersonate other trusted machines across the network.
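To make the mutual TLS exchange above concrete, here is an added Go example (written for this page, not Segura's or Netflix's code): it creates a throwaway CA and two workload certificates in memory, starts a server that demands a client certificate from that CA, and shows that the `orders-service` workload is accepted while a client presenting no certificate is refused. The service names and the in-memory CA are assumptions for the demo; in production the certificates would come from SPIRE or an internal PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key and certificate for cn, self-signed when isCA is set and
// otherwise signed by parent. This in-memory PKI stands in for a real CA (SPIRE, an internal PKI).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived, as the text recommends
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// runMTLSDemo starts a server that accepts only clients holding a certificate from
// the demo CA, then connects once as the "orders-service" workload and once with no
// certificate. It returns whether each connection was accepted.
func runMTLSDemo() (withCert, withoutCert bool) {
	caCert, caKey := issue("demo-ca", true, nil, nil)
	srvCert, srvKey := issue("payments-api", false, caCert, caKey)
	cliCert, cliKey := issue("orders-service", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting turns TLS into mutual TLS
		ClientCAs:    pool,
	})
	must(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				// Handshake succeeds only if the peer proved a CA-issued identity.
				if tc.Handshake() == nil {
					fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
				}
			}(c.(*tls.Conn))
		}
	}()
	try := func(certs []tls.Certificate) bool {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: certs, RootCAs: pool})
		if err != nil {
			return false // TLS 1.2 servers reject inside the handshake
		}
		defer conn.Close()
		n, err := conn.Read(make([]byte, 64)) // under TLS 1.3 the rejection arrives on first read
		return err == nil && n > 0
	}
	withCert = try([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}})
	withoutCert = try(nil)
	return withCert, withoutCert
}

func main() {
	withCert, withoutCert := runMTLSDemo()
	fmt.Println("workload with CA-issued cert accepted:", withCert, "| client without cert accepted:", withoutCert)
}
```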

Cloud-Native Scaling and Microservices

Modern cloud architectures depend heavily on microservices, containers, and APIs, which are essentially fleets of machines that scale dynamically based on demand. Managing identities manually in this environment becomes impossible, so automated machine identity solutions are needed to secure growth at scale.

Companies like Netflix show the power of this approach. Netflix uses an internal machine identity framework based on SPIFFE/SPIRE (a set of open-source standards for service identity) to authenticate thousands of microservices in real time, ensuring secure service-to-service communication across its global infrastructure. This implementation resulted in a 60% reduction in security incidents within their microservices environment.

Similar to Netflix, companies with proper machine identity management can auto-scale services without sacrificing security. Every new instance automatically receives valid credentials, and every connection maintains encryption and verification. 

This eliminates the traditional trade-off between agility and security, enabling developers to deploy rapid updates and connect to third-party APIs while maintaining least privilege access controls.

DevOps and Automation: Agility with Security

DevOps environments require automation to maintain both speed and safety. Machine identity management integrated into CI/CD pipelines automates the critical tasks of issuing, configuring, and rotating credentials for applications and infrastructure.

This automation prevents human errors that cause outages while accelerating deployment cycles. When a new microservice comes online during deployment, automated machine identity services immediately issue certificates and update trust stores, enabling secure communication from the start. No helpdesk tickets, no delays, no forgotten expiring certificates.

Strong machine identities also enable advanced practices like microsegmentation and fine-grained access control in orchestration platforms. Each service maintains its own credentials and operates within defined interaction boundaries, supporting both rapid development and robust security controls.

Best Practices for Securing Machine Identities

Implementing effective machine identity security requires a systematic approach that addresses discovery, automation, access control, and monitoring. These practices provide the foundation for managing machine identities at enterprise scale.

Maintain Comprehensive Inventory and Discovery

You cannot protect what you don’t know exists. Start by creating and maintaining an up-to-date inventory of all machine identities across your environment, including certificates, keys, API tokens, service accounts, and other credentials. Understand where each credential resides, which systems depend on it, and when it expires or requires renewal.

Many organizations discover hundreds or thousands of forgotten certificates and secrets scattered across cloud and on-premises systems during their first comprehensive audit. Continuous discovery tools can automatically scan networks and integrate with cloud platforms to enumerate these credentials, providing ongoing visibility as new identities are created.

Your inventory should classify privileged versus non-privileged machine accounts, helping you prioritize which credentials require enhanced security controls and monitoring.

Automate Credential Lifecycle Management

Given the volume and short lifespan of modern machine identities, manual management simply doesn’t scale. Automation becomes critical for handling issuance, renewal, and revocation of certificates and keys programmatically.

When new containers or virtual machines launch, automation tools should immediately provision appropriate credentials without human intervention. Implement regular rotation schedules for secrets and keys. Or even better, rotate after each use for highly sensitive credentials.

Automated workflows prevent outages by renewing certificates before expiration and ensure proper retirement of old credentials. These processes should integrate directly into your DevOps pipelines, creating a self-driving identity lifecycle where credentials are issued when needed, rotated frequently, and revoked instantly when suspicious activity occurs.
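To make the renewal arithmetic behind the shrinking validity periods (398, 200 and 47 days) concrete, here is an added Go example (not the page's or Segura's code) that classifies a constructed certificate inventory against a renewal policy and computes how many renewals per year each validity period forces. The policy (renew at two thirds of the lifetime and never later than 7 days before expiry), the inventory and the "current" date are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// CertRecord is one inventory row. The rows below are constructed, not read from a real estate.
type CertRecord struct {
	Name      string
	NotBefore time.Time
	NotAfter  time.Time
}

// RenewalPolicy renews once RenewAtFraction of a certificate's lifetime has elapsed,
// and in any case no later than MinLead before expiry.
type RenewalPolicy struct {
	RenewAtFraction float64
	MinLead         time.Duration
}

// RenewBy is the latest moment at which c should be renewed under p.
func (p RenewalPolicy) RenewBy(c CertRecord) time.Time {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	byFraction := c.NotBefore.Add(time.Duration(float64(lifetime) * p.RenewAtFraction))
	if byLead := c.NotAfter.Add(-p.MinLead); byLead.Before(byFraction) {
		return byLead
	}
	return byFraction
}

// Status classifies c at time now as OK, RENEW_NOW or EXPIRED.
func (p RenewalPolicy) Status(c CertRecord, now time.Time) string {
	switch {
	case !now.Before(c.NotAfter):
		return "EXPIRED"
	case !now.Before(p.RenewBy(c)):
		return "RENEW_NOW"
	}
	return "OK"
}

// RenewalsPerYear is how many renewals a validity period forces under p. Renewing at the
// last possible moment would give 365/validity (about 8 for 47 days); any policy with a
// safety margin renews earlier and therefore more often.
func (p RenewalPolicy) RenewalsPerYear(validity time.Duration) float64 {
	if validity <= p.MinLead {
		return math.Inf(1) // the policy cannot be met at all for such short certificates
	}
	interval := math.Min(float64(validity)*p.RenewAtFraction, float64(validity-p.MinLead))
	return float64(365*24*time.Hour) / interval
}

// Triage groups inventory names by status, preserving inventory order within each group.
func (p RenewalPolicy) Triage(inv []CertRecord, now time.Time) map[string][]string {
	out := map[string][]string{}
	for _, c := range inv {
		s := p.Status(c, now)
		out[s] = append(out[s], c.Name)
	}
	return out
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// Policy: renew at two thirds of the lifetime (a common ACME client default) and never
// later than 7 days before expiry. Now is the constructed "current" date for the sample run.
var Policy = RenewalPolicy{RenewAtFraction: 2.0 / 3.0, MinLead: 7 * 24 * time.Hour}
var Now = day(2026, 6, 1)

// Inventory holds one certificate per validity regime the text mentions plus one nobody renewed.
var Inventory = []CertRecord{
	{"web-frontend", day(2025, 5, 1), day(2025, 5, 1).AddDate(0, 0, 398)},
	{"api-gateway", day(2026, 4, 15), day(2026, 4, 15).AddDate(0, 0, 200)},
	{"mesh-workload", day(2026, 4, 28), day(2026, 4, 28).AddDate(0, 0, 47)},
	{"legacy-vpn", day(2025, 1, 1), day(2026, 1, 1)},
}

func main() {
	for _, status := range []string{"EXPIRED", "RENEW_NOW", "OK"} {
		fmt.Printf("%-10s %v\n", status, Policy.Triage(Inventory, Now)[status])
	}
	for _, days := range []int{398, 200, 47} {
		validity := time.Duration(days) * 24 * time.Hour
		fmt.Printf("%3d-day certificates: %.1f renewals per year\n", days, Policy.RenewalsPerYear(validity))
	}
}
```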

Enforce Least Privilege Access Controls

Apply the principle of least privilege to all machine identities with the same rigor used for human accounts. Audit the privileges of service accounts, API keys, and certificates to ensure they grant only the access each service actually needs.

If a microservice only needs to read from one database, its credentials shouldn’t allow write access to multiple systems. Too often, machine identities receive over-provisioned permissions or retain default high privileges that create attractive targets for attackers.

Bring machine identities into your Privileged Access Management (PAM) strategy. Vault their credentials, monitor their usage, and require additional verification for sensitive actions. Implement network segmentation based on machine roles, using firewall rules, service mesh policies, or cloud IAM to constrain what each identity can access.

Implement Continuous Monitoring and Response

Establish monitoring across multiple levels to detect misuse or anomalies in machine identity usage. Track certificate and key usage patterns and investigate when dormant certificates suddenly become active or API keys make calls from unusual locations.

Leverage analytics to baseline normal machine-to-machine communication patterns and generate alerts for deviations. Examples include surges in failed certificate authentications or service accounts accessing unusual resources.

Implement centralized logging for all authentication events, including mutual TLS handshakes and key usage, feeding this data into your SIEM platform. When suspicious activity occurs, have incident response playbooks ready to automatically revoke credentials or quarantine services until verification completes.

Regular testing of incident response procedures for machine identity compromise ensures your team can quickly remove or replace stolen credentials across systems, building cyber resilience through preparation and practice.

The Future: AI and Machine Identity Convergence

The relationship between AI and machine identity will evolve in two critical directions: protecting AI systems through robust machine identity controls and leveraging AI to enhance machine identity management capabilities.

Securing AI Through Machine Identity

81% of organizations now consider machine identity protection vital for safeguarding emerging AI and cloud initiatives. As AI-driven platforms become more common, they generate new types of machine identities that require protection. Sophisticated adversaries already target AI models and data, viewing machine credentials as keys to these valuable assets.

Malicious actors who can impersonate AI services or manipulate ML model API credentials could inject bad data, steal sensitive insights, or deploy rogue AI agents with elevated privileges. Protecting AI requires ensuring every automated agent, ML pipeline, and bot maintains a verifiable identity within defined access boundaries.

Future AI development frameworks will likely incorporate machine identity controls as standard practice: digital signatures on AI model files, hardware-backed keys for verifying the computing environment, and Zero Trust principles applied to every algorithm and data feed.

AI-Enhanced Identity Management

The volume and velocity of machine identity data create perfect opportunities for AI and machine learning analytics. Next-generation identity platforms are beginning to incorporate “self-healing identity systems” that automatically adjust and repair themselves based on learned patterns.

AI engines monitoring certificates and keys could predict optimal renewal timing, automatically suspend credentials showing anomalous usage patterns, and generate replacement credentials to prevent service interruptions. These systems will optimize lifecycle management, finding ideal rotation frequencies based on risk profiles and performing predictive threat detection.

Behavioral analytics powered by AI will help differentiate normal machine behavior from malicious activity, similar to how User and Entity Behavior Analytics (UEBA) detects account takeovers. 

This combination of robust machine identity practices with AI-assisted tools promises predictive, self-healing identity infrastructures that adapt at machine speed to protect against emerging threats.

Taking the First Step: Your Machine Identity Journey

The complexity of machine identity management shouldn’t prevent you from starting. Begin with an honest assessment of your current practices: How are certificates, keys, and service accounts currently handled? What visibility exists into machine credential lifecycles?

Conduct a thorough audit to uncover unknown certificates, hard-coded credentials in scripts, and legacy keys requiring rotation. This audit will make risks tangible to stakeholders while providing the foundation for improvement planning.

Create a roadmap that prioritizes quick wins such as renewing near-expiry certificates and cleaning up orphaned credentials, while evaluating solutions for long-term automation and management. Engage cross-functional teams across security, IT, and DevOps, since success requires collaboration across these domains.

Frame this initiative as a strategic business move rather than a technical project. Emphasize positive outcomes: preventing costly breaches and downtime, enabling faster cloud deployments, and ensuring customer trust through robust security. 

With leadership support, implement your machine identity management program iteratively. Start with automating certificate management in one infrastructure area, then expand coverage systematically. 

Secure Your Machine Identities Today

Most teams don’t realize the risk until it’s too late. Machine identity security starts now with the right tools and a trusted partner. Segura® simplifies this transition, providing robust, ready-to-implement solutions like automated credential discovery, lifecycle management, and real-time monitoring that integrate seamlessly with your existing DevOps and cloud infrastructure.

Request a personalized demo of Segura® today.

Frequently Asked Questions About Machine Identity Management

What is a machine identity in cybersecurity?

A machine identity is any non-human credential—like a digital certificate, API key, or service account—that systems use to authenticate and communicate securely. These identities are critical for verifying trust between applications, servers, containers, and AI agents.

Why are machine identities a security risk?

Machine identities now outnumber human users by as much as 45 to 1. When they’re unmanaged or overprivileged, attackers can exploit them to move laterally, access sensitive data, and evade detection. Most breaches involving credentials start with a compromised machine identity.

What causes machine identity outages?

Most outages are caused by expired or misconfigured digital certificates. As certificate lifespans shrink to 90 days or less, manual tracking becomes nearly impossible. Without automation, teams risk system failures, compliance gaps, and reputational damage.

How do I prepare for audits involving machine credentials?

Auditors increasingly expect clear visibility, ownership, and lifecycle control of all credentials, including machine identities. You’ll need a current inventory, automated renewal policies, access controls, and logging. Solutions like Segura help teams surface risks and streamline reporting.

What’s the best way to manage machine identities at scale?

Use automated discovery and lifecycle management across certificates, keys, tokens, and service accounts. Integrate credential workflows into CI/CD pipelines. Enforce least privilege access. And continuously monitor for anomalies—especially across cloud, hybrid, and AI-enabled environments.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Identity Security Intelligence: From Insight to Attack Prevention

What to Expect in this Blog:
In Part 2 of the Identity Security Intelligence series, we move beyond discovery to the real objective: prevention. You’ll learn how to operationalize identity intelligence through dynamic, automated controls enforcing least privilege, governing privileged access, and detecting risky behavior to proactively reduce your identity attack surface.

In Part 1 of this series of blogs on Identity Security Intelligence, we explored why Identity Discovery is the critical first step in understanding and managing your organization’s modern attack surface. But discovery alone isn’t enough. Knowing which identities exist and what they can access sets the stage. The real impact comes when you act on that intelligence—by putting the right security controls in place to govern identities, enforce least privilege, and proactively reduce identity-related risk.

Welcome to the enforcement phase of Identity Security Intelligence (ISI).

From Discovery to Defense: Why Controls Are the Next Frontier

Once you’ve surfaced every human, non-human (NHI), machine, and service identity and mapped their entitlements across environments, the next question becomes: what do you do with that knowledge?

This is where many organizations hit a wall. The gap between insight and action is often bridged manually, with fragmented processes and point-in-time audits. But attackers don’t wait for your next quarterly review.

To operationalize identity intelligence, organizations need a controls framework that is:

  • Dynamic – Adapts to changing roles, environments, and behaviors.
  • Automated – Scales with cloud-native architectures and ephemeral workloads.
  • Context-aware – Informed by the risk posture of each identity and privilege.

Key Pillars of Identity Security Controls

To make identity intelligence actionable, enforcement must span five key areas:

1. Least Privilege Enforcement

Why it matters: Excessive access is one of the most common and dangerous identity risks. Most breaches involve over-permissioned users, stale admin rights, or standing access that attackers can weaponize.

What to do:

  • Automatically compare actual entitlements against job functions.
  • Use identity risk scoring to prioritize over-privileged identities.
  • Remove or downgrade unused, outdated, or unnecessary permissions.
  • Leverage just-in-time (JIT) access for privileged tasks to eliminate standing access.

Example: A DevOps engineer with permanent Admin access to all production accounts is a liability. With JIT access, they can request privilege temporarily, with approval and auditing built in.

2. Privileged Access Governance

Why it matters: Privileged accounts—human and machine—are high-value targets. If compromised, they can grant unrestricted access to sensitive data or systems.

What to do:

  • Centralize control through PAM platforms or privileged access workflows.
  • Monitor privileged sessions in real time, including service account behaviors.
  • Use multi-factor authentication (MFA) and conditional access for all privileged identities.
  • Rotate secrets and credentials frequently—automate where possible.

Example: A service account running backups across multiple databases should be scoped tightly, monitored continuously, and have keys rotated regularly to reduce risk.

3. Access Lifecycle Management

Why it matters: Identities evolve—people change roles, leave organizations, or take on temporary projects. Without lifecycle management, access persists far beyond necessity.

What to do:

  • Integrate with HR systems or identity lifecycle tools to automatically adjust access based on joiner-mover-leaver events.
  • Define role-based access control (RBAC) and enforce provisioning rules.
  • Regularly review and re-certify access for high-risk roles and sensitive systems.

Example: A finance intern who transfers to marketing should not retain access to payroll and financial reporting tools. Automating revocation prevents lingering access.

4. Identity Behavior Monitoring

Why it matters: Even well-configured identities can be compromised. Behavioral context is key to detecting misuse, anomalies, and early signs of intrusion.

What to do:

  • Establish baselines for normal identity behavior (logins, systems accessed, time of day, etc.).
  • Detect deviations—like sudden spikes in access, data exfiltration patterns, or privilege escalation.
  • Integrate with UEBA (User and Entity Behavior Analytics) tools and threat detection systems.

Example: If a service account that usually runs database jobs starts making API calls to billing systems at midnight, that should trigger investigation.

5. Policy and Automation-Driven Remediation

Why it matters: Manual cleanup of access and privileges doesn’t scale. Automation ensures consistency, speed, and resilience against human error.

What to do:

  • Define policies that trigger automatic actions—e.g., disable orphaned accounts after X days of inactivity.
  • Automate access reviews and alerts for high-risk privilege combinations.
  • Use policy-as-code for cloud entitlements and infrastructure roles (e.g., Terraform + OPA).

Example: If an AWS user gains permissions that violate a least privilege policy, automation should flag it immediately and, optionally, remove excess access.

Security Intelligence in Action: From Detection to Prevention

By enforcing identity controls aligned with intelligence, you shift from reactive to proactive defense. Examples include:

  • Proactively preventing privilege escalation by detecting lateral paths through identity graph analysis.
  • Blocking anomalous access from non-compliant locations or devices using conditional access policies.
  • Auto-revoking stale entitlements through risk-based automation tied to inactivity thresholds.
  • Identifying separation-of-duties violations (e.g., a user who can both initiate and approve financial transactions).

This isn’t just about better security—it’s better governance and reduced risk.

What Makes Identity Control Effective?

Identity Security Intelligence becomes powerful when insight leads to intervention. The most effective enforcement models share the following traits:

  • Visibility-driven: Based on complete, contextual discovery of identities and privileges.
  • Risk-prioritized: Driven by real-time scoring, not static role definitions.
  • Integrated: Interoperates with IAM, PAM, SIEM, and cloud security platforms.
  • Adaptive: Responds to changing conditions—cloud resource drift, org changes, identity posture shifts.
  • Auditable: Leaves a clear trail for compliance, incident investigation, and accountability.

Getting Started: Operationalizing Identity Security Controls

If you’ve already begun identity discovery, the next steps involve turning that visibility into action:

  1. Audit your current identity and privilege landscape for excess access and orphaned identities.
  2. Define your control framework—least privilege, privilege review, access lifecycle, monitoring, and remediation.
  3. Automate where possible—access revocation, risk scoring, and provisioning.
  4. Continuously monitor identity behaviors and privilege drift across environments.
  5. Integrate ISI into broader detection and response pipelines for holistic threat defense.

The Bottom Line

Discovery gives you awareness. Control gives you power.

Without enforcement, Identity Security Intelligence is just data. With the right controls, it becomes a force multiplier—reducing attack surface, stopping privilege abuse, and elevating your security maturity.

In today’s landscape, where identity is both the front door and the battleground, defenders need more than visibility. They need automated, adaptive, intelligence-informed control over every identity, privilege, and entitlement.

Because in the end, you don’t just want to know what’s out there. You want to secure it.


Identity Security Intelligence: Why Identity Discovery is the Bedrock of Modern Risk Management

Blind spots in identity are today’s biggest security risk. Here’s how to fix them.

In today’s hyper-connected and threat-saturated digital landscape, one truth is rapidly becoming self-evident to defenders across every industry: identity is the new perimeter, and access is the new security. As traditional network boundaries dissolve in favor of hybrid and cloud-first infrastructures, adversaries are increasingly pivoting toward the exploitation of identities—privileged accounts, service identities, orphaned users, misconfigured roles—as the primary path to breach and move laterally within environments.

But here’s the catch: you can’t protect what you don’t know exists. This is where Identity Security Intelligence becomes not just useful but essential. And at the core of that intelligence lies a foundational capability: Identity Discovery.

What is Identity Security Intelligence?

Identity Security Intelligence (ISI) is the ability to aggregate, analyze, and act on data about identities, their associated roles, privileges, behaviors, and risks across the entirety of an organization’s infrastructure—from on-premises directories to SaaS applications and multi-cloud platforms.

Think of it as the intersection between Identity and Access Management (IAM), risk analytics, and threat detection. It’s not just about managing identities; it’s about understanding them deeply—who they are, what they can do, where they exist, and how they behave over time.

The Foundation: Identity Discovery

Before an organization can reason intelligently about identity risk, it must first discover all identities that exist across its environment. This includes:

  • Traditional/On-Prem Identities: Users in Active Directory, service accounts in legacy apps, local admin accounts on servers, etc.
  • Cloud Identities: Identities in Azure AD, AWS IAM users and roles, Google Workspace users, cloud-native service principals, API keys, containers, and ephemeral workloads.
  • Shadow and Orphaned Identities: Legacy accounts no longer linked to active users, leftover access from decommissioned applications, services, and mismanaged credentials hiding in infrastructure-as-code.

A robust Identity Discovery capability surfaces all these identities—whether they’re centralized or scattered, active or dormant, human or non-human.

Why Identity Discovery is Challenging (Yet So Crucial)

The complexity arises from the fact that identity is now distributed. No longer tethered to one central directory, identities live in different silos across multiple environments and systems. Each cloud provider has its own model. Each SaaS app may define roles and entitlements differently. Each legacy system might still have its own local accounts.

This fragmented landscape creates massive blind spots:

  • Privileged accounts in cloud environments that bypass central logging.
  • Orphaned identities with persistent access to sensitive data.
  • Service accounts with excessive, never-reviewed permissions.
  • Redundant roles due to M&A, org restructuring, or tool proliferation.

Without discovery, these blind spots can easily lead to compromised credentials.

Beyond Inventory: Discovering Roles, Privileges, and Entitlements

Discovery doesn’t stop at listing accounts. To enable true security intelligence, you must also map the roles, privileges, and entitlements tied to each identity.

This means answering questions like:

  • What can this identity do?
  • Where can it go?
  • What data can it access?
  • What systems does it control?
  • Are these privileges aligned with its purpose?

For example, discovering an AWS IAM user is useful. But understanding that the user has AdministratorAccess across multiple production accounts—and the account hasn’t logged in for 90 days—is critical.

Or take an identity in Microsoft 365 that has full mailbox access across HR, Finance, and Legal departments. Is that intended? Necessary? Or a remnant of an old project no one cleaned up?

Mapping these entitlements and privilege chains across your hybrid estate helps you:

  • Identify toxic combinations of access.
  • Enforce the principle of least privilege.
  • Detect privilege escalation paths.
  • Uncover misconfigurations before attackers do.
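An added Go example (not the page's or Segura's code) of the entitlement review described here, which also covers the least-privilege and separation-of-duties checks from the earlier enforcement post: it scores a constructed inventory for administrator-equivalent rights, wildcard permissions, toxic entitlement pairs and dormancy (the administrator unused for more than 90 days), then orders identities for review. The entitlement names, rule weights, dormancy threshold and "current" date are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Identity is one row of a discovered-identity inventory; the rows below are constructed.
type Identity struct {
	Name        string
	Permissions []string // entitlement names mimic cloud IAM actions but belong to no real account
	LastUsed    time.Time
}

// Finding is one rule violation; Weight feeds the risk score used to prioritise review.
type Finding struct {
	Rule, Detail string
	Weight       int
}

// sodPairs are entitlements one identity must never hold together (separation of duties).
var sodPairs = [][2]string{{"payments:Initiate", "payments:Approve"}, {"iam:CreateUser", "iam:AttachUserPolicy"}}

// adminMarkers are entitlements that make an identity administrator-equivalent.
var adminMarkers = map[string]bool{"AdministratorAccess": true, "*:*": true}

// Evaluate applies the least-privilege, separation-of-duties and dormancy rules to id as of now.
func Evaluate(id Identity, now time.Time, dormantAfter time.Duration) []Finding {
	var out []Finding
	perms, isAdmin := map[string]bool{}, false
	for _, p := range id.Permissions {
		perms[p] = true
		switch {
		case adminMarkers[p]:
			isAdmin = true
			out = append(out, Finding{"admin-equivalent", p, 5})
		case strings.Contains(p, "*"):
			out = append(out, Finding{"wildcard", p, 3}) // broader than any one service needs
		}
	}
	for _, pair := range sodPairs {
		if perms[pair[0]] && perms[pair[1]] {
			out = append(out, Finding{"separation-of-duties", pair[0] + " with " + pair[1], 4})
		}
	}
	if idle := now.Sub(id.LastUsed); idle > dormantAfter {
		w := 2
		if isAdmin {
			w = 6 // the dormant administrator is the worst case the text describes
		}
		out = append(out, Finding{"dormant", fmt.Sprintf("unused for %d days", int(idle.Hours()/24)), w})
	}
	return out
}

func Score(fs []Finding) (total int) {
	for _, f := range fs {
		total += f.Weight
	}
	return total
}

// Rank returns identity names from highest to lowest risk: the order a remediation queue should follow.
func Rank(ids []Identity, now time.Time, dormantAfter time.Duration) []string {
	names, scores := make([]string, len(ids)), map[string]int{}
	for i, id := range ids {
		names[i], scores[id.Name] = id.Name, Score(Evaluate(id, now, dormantAfter))
	}
	sort.SliceStable(names, func(i, j int) bool { return scores[names[i]] > scores[names[j]] })
	return names
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// Now is the constructed "current" time; Inventory covers each case the text describes.
var Now = day(2026, 6, 1)

var Inventory = []Identity{
	{"ops-admin-legacy", []string{"AdministratorAccess"}, day(2026, 2, 1)},
	{"svc-backup", []string{"s3:GetObject", "s3:*"}, day(2026, 5, 31)},
	{"finance-clerk", []string{"payments:Initiate", "payments:Approve"}, day(2026, 5, 30)},
	{"orders-service", []string{"db:Read"}, day(2026, 5, 31)},
}

func main() {
	const dormant = 90 * 24 * time.Hour
	for _, id := range Inventory {
		fs := Evaluate(id, Now, dormant)
		fmt.Printf("%-17s score %2d  %v\n", id.Name, Score(fs), fs)
	}
	fmt.Println("review order:", Rank(Inventory, Now, dormant))
}
```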

Identity Risk: The Unseen Attack Surface

The more fragmented and complex your identity environment, the greater your exposure. Attackers thrive in this chaos.

From techniques like Kerberoasting, Golden SAML, and token theft, to exploiting cloud misconfigurations and unused admin roles, modern adversaries are experts at chaining together identity weaknesses and misconfigurations.

By contrast, organizations that maintain a comprehensive view of identity risk across the board can:

  • Detect anomalous behavior in context (e.g., a service account accessing finance systems for the first time).
  • Shut down dormant or orphaned accounts.
  • Flag privilege drift over time.
  • Simulate attack paths based on current entitlements.
  • Proactively remediate risk without waiting for incidents.

What Makes Identity Security Intelligence Actionable?

Let’s be clear: data alone is not intelligence. Intelligence emerges when data is correlated, contextualized, and operationalized.

An effective Identity Security Intelligence program must provide:

  • Continuous Discovery: Real-time or near-real-time visibility into new, removed, or changed identities.
  • Entitlement Mapping: Deep visibility into fine-grained privileges across cloud and on-prem environments.
  • Risk Analytics: Automated scoring based on behavior, privilege level, and exposure.
  • Historical Context: Identity behavior over time—who did what, when, and whether it deviated from the norm.
  • Integrations: Feeds into SIEM, SOAR, and IAM/PAM platforms for proactive and reactive response.

This turns identity data into strategic insight—fuel for critical decisions in security operations, compliance, audits, and incident response.

Getting Started: Build Your Identity Intelligence Baseline

If your organization is just starting down this path, here’s a basic roadmap:

  1. Inventory all identities—human, service, machine—across on-prem and cloud.
  2. Map entitlements for each identity across applications, infrastructure, and data.
  3. Assess privilege levels and compare against business needs and least privilege standards.
  4. Identify toxic combinations—privilege escalations, cross-boundary access, unused high-risk roles.
  5. Establish continuous discovery and monitoring, not just point-in-time scans.
  6. Feed this intelligence into your risk models and threat detection systems.

The Bottom Line

In the same way that endpoint detection changed the game a decade ago, Identity Security Intelligence is becoming table stakes for defending against modern threats. Attackers know that identity is the weakest link in many organizations. Our job as defenders is to turn it into a strength.

By investing in identity discovery—including deep insight into roles, entitlements, and privileges—you build a clear, contextual picture of your true identity surface. Only then can you manage it, reduce it, and defend it with confidence.

In a world where credentials are more valuable than malware, identity intelligence isn’t just good hygiene—it’s your first line of defense.


Understanding Identity Threats in Cybersecurity: Insights from Filipi Pires and Joseph Carson

In the latest episode of the Security by Default podcast, host Joe Carson sits down with seasoned cybersecurity expert Filipi Pires for a thought-provoking conversation on one of the most critical—and often overlooked—aspects of modern security: identity threats.

With over a decade of experience spanning both technical and sales roles, Filipi brings a well-rounded perspective to the discussion, highlighting the growing importance of identity in the evolving cybersecurity landscape. Their conversation offers valuable lessons for practitioners, business leaders, and anyone invested in building more resilient, security-conscious organizations.

Why Identity Is the New Battleground

In today’s threat landscape, identity has become a prime target for attackers. As Filipi points out, it’s no longer just about exploiting systems or networks. Gaining access to identities unlocks the keys to the kingdom.

“Identity is central to everything we do in security,” Filipi explains. “If you compromise an identity, you bypass so many of the traditional controls.”

This shift has broadened the scope of identity threats, from phishing and credential theft to privilege escalation and the misuse of misconfigured accounts. Yet many organizations still underestimate how misconfigurations, overlooked credentials, and legacy identity systems can quietly erode their defenses.

Misconfigurations: The Silent Weakness

One of the recurring challenges discussed in the episode is the persistent problem of misconfigurations. Despite advancements in technology, simple oversights—such as exposed administrative accounts, poorly managed permissions, or forgotten legacy systems—remain among the top causes of breaches.

Filipi emphasizes that misconfigurations aren’t always the result of negligence. Often, they stem from complexity, rapid growth, or lack of visibility. That’s where the concept of observability becomes critical.

“You can’t secure what you can’t see,” Filipi reminds us. “Observability gives you the insight to spot weak points before attackers do.”

Tools Are Just the Beginning

With countless cybersecurity tools flooding the market, Filipi and Joe caution against becoming overly reliant on technology without understanding the underlying techniques.

“Tools are there to help you learn and uncover patterns,” Filipi says. “But if you don’t understand how attackers operate, the tools alone won’t save you.”

This mindset aligns with the growing emphasis on research, experimentation, and reverse engineering in the community. It’s through continuous learning and hands-on exploration that defenders stay ahead of adversaries.

Community, Learning, and Respecting the Journey

Beyond technical skills, both Filipi and Joe underscore the importance of community engagement in cybersecurity. Conferences, podcasts, online forums, and mentorship all play vital roles in building collective knowledge.

Filipi shares a personal reminder for anyone navigating their cybersecurity career: 

“Respect the journey. Everyone starts somewhere, and growth comes from persistence and curiosity.”

Whether you’re a seasoned expert or just starting out, cybersecurity is a field where humility, continuous learning, and community matter as much as technical prowess.

Final Thoughts: Building Identity-Aware, Resilient Security

This episode reinforces a key message for modern defenders: protecting identities isn’t optional—it’s foundational to cybersecurity resilience.

By addressing misconfigurations, prioritizing observability, leveraging tools with purpose, and staying engaged with the community, organizations can build stronger defenses against evolving identity threats.

As the conversation between Filipi Pires and Joe Carson reminds us, effective cybersecurity is never static. It’s a continuous process of learning, adapting, and respecting the complex, human-driven journey that defines our industry.

Listen to the full podcast episode on the Security by Default podcast Now!

Catch Filipi Pires at Three Cybersecurity Conferences This August

Filipi Pires is hitting the summer circuit with a powerful trio of talks across BSides Las Vegas, Black Hat USA, and DEF CON 33, each focused on identity, cloud misconfigurations, and practical security tooling.

  • 📍 BSides Las Vegas
    Talk: Machine Identity & Attack Path: The Danger of Misconfigurations
    Date & Time: Tuesday, August 5 | 2:00–2:45 PM (GMT+1)
    Filipi explores how attackers exploit misconfigured security and unmanaged machine identities in multi-cloud environments. Learn how to visualize IAM risks using open-source tools like SecBridge, Cartography, and AWSPX.

  • 📍 Black Hat USA – Arsenal Station 3
    Talk: APIDetector v3 – Advanced Swagger Endpoint Scanner with Real-time Web Interface
    Date & Time: Thursday, August 7 | 1:00–1:55 PM
    Get hands-on with APIDetector v3, the latest version of an advanced tool for finding exposed Swagger/OpenAPI endpoints. Now with real-time results, screenshot capture, and bulk scanning support.

  • 📍 DEF CON 33 – Cloud Village
    Talk: Transforming Identity Protection: Innovating with AI and Attack Paths
    Date & Time: Friday, August 8 | 2:10–2:40 PM (GMT+1)
    Discover how generative AI and graph visualizations can predict and prevent misconfigurations across AWS, Azure, GCP, and OCI. Filipi showcases tools like Neo4j and Memgraph to map identity risk and attack paths in the cloud.

Whether you’re a cloud defender, API hunter, or identity strategist, Filipi’s talks deliver the tools and insights to secure your ecosystem against today’s threats.


If you want to see firsthand how protecting identities can transform your organization’s security, don’t miss the chance to discover Segura®’s platform. 

Our solution is designed to help organizations identify vulnerabilities, prevent misconfigurations, and enhance visibility into identity usage—all in a simple and effective way. 

Ready to take the next step toward truly resilient defense? Request a free demo of Segura® now and discover how we can strengthen your company’s security together!


Cyberattack on Brazil’s Payment System: Technical Analysis, Timeline, Risks, and Mitigation

Executive Summary

This article presents a detailed analysis of one of the most severe cybersecurity incidents ever to impact Brazil’s Payment System (Sistema de Pagamentos Brasileiro – SPB), which occurred in June and July of 2025. The breach was directly linked to C&M Software, a major Information Technology Services Provider (PSTI) for the national banking sector. This incident exposed, for the first time at this scale, the critical role PSTIs play within the financial ecosystem, and how internal vulnerabilities can reverberate systemically, compromising the integrity of financial operations across hundreds of banks and institutions.

The Brazilian Financial System (Sistema Financeiro Nacional – SFN) serves as the infrastructure enabling the circulation of money, credit, and payments throughout the country. It involves the Central Bank, banks, fintechs, credit cooperatives, payment institutions, and specialized technology providers, such as PSTIs. Through the SPB and the Instant Payments System (SPI), the SFN ensures fast, secure, and traceable settlement of fund transfers between institutions, thereby upholding trust and maintaining market functionality.

This cyberattack was facilitated through the compromise of C&M Software’s internal IT environment. A malicious insider—an employee of the PSTI—was recruited by a cybercriminal group and, in exchange for financial compensation, granted privileged access to internal systems, passwords, and sensitive institutional certificates. That access allowed attackers to manipulate the credentials and private keys of several C&M clients, primarily banks and fintechs, including BMP Money Plus. From there, attackers generated fraudulent transactions, signed in proper compliance with SPI’s cryptographic and procedural standards, allowing them to be instantly settled by the Central Bank. As these operations were technically valid, they were automatically debited from the reserve accounts of the victim institutions.

Because C&M Software acted as a core technical hub for hundreds of institutions, the breach had a wide-reaching and magnified impact. Not only did BMP Money Plus suffer substantial financial losses, but at least five other institutions were also compromised. The siphoned funds were immediately funneled through accounts held by mules, then quickly transferred to cryptoasset exchanges for conversion into Bitcoin and USDT, effectively complicating their traceability and recovery.

Due to its central role, C&M was at the center of the response efforts: alerted by affected institutions, C&M notified the Central Bank, implemented emergency containment measures, and had its operations within the SPB suspended until robust new controls could be enforced. The incident underscores how shortcomings in governance, privilege management, and certificate protection can result in systemic consequences. This analysis underscores the necessity of key security measures, including behavioral monitoring, automated credential management, just-in-time access control, and strict separation of client secrets to prevent similar events within such a highly interconnected financial environment like the SFN.

1. Introduction

In a financial system built on trust and speed, a single insider can bring the entire network to a halt.

Over the last two decades, Brazil has emerged as a global reference in financial innovation and infrastructure modernization. Its Financial System (SFN) stands out for its level of digital maturity, robust regulatory framework, and ability to integrate multiple market actors, fostering inclusion, efficiency, and large-scale security. One of the latest milestones in this evolution is the Instant Payment System (SPI), which, in tandem with PIX, has positioned Brazil ahead of many global markets in terms of speed and ubiquity of electronic fund transfers.

PIX/SPI has become the financial backbone for transactions involving individuals, businesses, fintechs, and banks, processing billions of transfers with near-immediate settlement across accounts belonging to different institutions. This orchestration is made possible not just by the Central Bank but by a network of specialized providers—the Information Technology Services Providers (PSTIs)—who perform critical functions in clearing, settlement, and interconnection for traditional banks, credit unions, payment institutions, and digital platforms. The advent of open finance has further intensified reliance on these technical intermediaries, expanding both the number and diversity of participants and interfaces within Brazil’s digital financial ecosystem.

However, this growth also brings new and complex challenges. As digitalization progresses and integrations multiply, so too do points of exposure to cyber threats, fraud, governance failures, and supply chain vulnerabilities. With operations distributed across many players—often with unequal security maturity—an isolated breach has the potential to jeopardize the confidentiality, integrity, and systemic availability of services that individuals and businesses rely on daily. Additionally, given the growing use of APIs, outsourced operations, and the sharing of institutional secrets, new attack surfaces are created for insiders, cybercriminals, and advanced persistent threat (APT) actors.

The case examined in this article offers a stark exemplification of the risks and critical weak points in Brazil’s so-called “chain of trust.” By analyzing a real-life breach involving a central PSTI supporting banks and fintechs, we highlight the root causes, technical and institutional impacts, and practical recommendations to strengthen system resilience, privileged access management, and behavioral security controls within a complex and highly interconnected financial environment.

2. Understanding Brazil’s Financial System

The SFN operates via multiple interconnected components to ensure fast and secure interbank settlements. The Central Bank of Brazil (BACEN) serves as both the top regulator and operator of the Brazilian Payment System (SPB), which includes banks, payment institutions, technology providers (PSTIs), and cryptocurrency exchanges.

Reserve Accounts

A cornerstone of the SPB is the reserve account, maintained by each financial institution with the Central Bank. These accounts power SPI (Instant Payment System), enabling irreversible, real-time transaction settlements via PIX.

Banking-as-a-Service (BaaS)

BaaS platforms like BMP Money Plus enable fintechs, funds, and digital platforms to leverage full banking infrastructure, maintain reserve accounts, and facilitate payments through the SPB.

Role of Exchanges

Cryptocurrency exchanges such as SmartPay and Truther bridge traditional finance and the crypto world, playing an essential role in transaction traceability and regulatory compliance at scale.

Caption: The client initiates a purchase via SmartPay/Truther. BMP, using its BaaS model, processes the PIX transaction and routes it to the SPI/SPB via C&M Software (PSTI). The payment moves from BMP’s reserve account at BACEN to the recipient’s institution, with instant settlement. The process concludes with confirmation back to the client.

3. Incident Description

At 4:00 a.m. on June 30, 2025, a senior executive at BMP Money Plus—a fintech specializing in banking-as-a-service (BaaS) solutions—received an unexpected call from CorpX Bank, alerting him to an unauthorized transfer of R$18 million from BMP’s reserve account. As the person responsible for managing those reserves with the Central Bank, the executive quickly identified that other similarly unauthorized PIX transactions were actively underway at that moment. BMP’s internal team immediately launched containment efforts and, by around 5:00 a.m., officially reported the incident to C&M Software, their critical payment processing service provider.

Initial investigations and information published in the media indicated that the attack originated from an internal compromise at C&M Software—one of the leading PSTIs in Brazil’s Payment System (SPB). An internal facilitator, allegedly motivated by financial gain, provided privileged credentials to cybercriminals and assisted in executing malicious commands within company systems. Possessing privileged access and the digital certificates of C&M’s financial institution clients—including BMP itself and at least five other institutions—the attackers were able to inject fraudulent PIX orders directly into the SPI/SPB infrastructure. Because the transactions were digitally signed using valid institutional certificates, the Central Bank’s core systems processed them as legitimate, immediately debiting funds from the reserve accounts of the victim institutions.

It is estimated that approximately R$400 million was siphoned from BMP’s reserve account alone, with R$160 million later successfully recovered. Following the breach, stolen funds were swiftly transferred to accounts held by third parties at smaller banks and payment institutions, particularly cryptoasset platforms integrated with PIX, including exchanges, gateways, and swap platforms. Most of the stolen funds were quickly converted into USDT or Bitcoin, further complicating traceability. However, in at least one case, an exchange that detected a high volume of suspicious activity froze the settlement and immediately notified BMP, thereby preventing the dispersion of a portion of the stolen funds.

Given the magnitude of the attack and in order to prevent further losses, the Central Bank ordered an emergency suspension of C&M Software’s systems from the SPB—affecting PIX operations across more than 300 financial institutions that relied on its services. Despite the substantial financial damage, BMP Money Plus publicly emphasized that no end-customer funds were affected and that institutional guarantees fully covered the stolen amounts. Meanwhile, the Federal Police, activated by the Central Bank, opened a formal investigation to examine potential crimes such as criminal conspiracy, fraud-related theft, unauthorized system intrusion, and money laundering. The case remains under active investigation.

4. Incident Timeline

Below is the timeline of key events related to the incident—from initial compromise to response—based on information available at the time.

  • June 30, 2025 – 12:18 AM: Exchanges such as SmartPay and Truther detect unusually high transaction volumes in Bitcoin/USDT and alert executives at financial institutions.
  • June 30, 2025 – 4:00 AM: A BMP Money Plus executive is informed of an unusual PIX transfer totaling R$18 million; multiple unauthorized transactions are identified.
  • June 30, 2025 – 5:00 AM: BMP executives report the incident to C&M Software.
  • June 30, 2025: The Central Bank orders the emergency disconnection of C&M Software from the SPB.
  • July 1, 2025: News portal Brazil Journal publishes an in-depth report on the cyberattack.
  • July 2, 2025: BMP Money Plus issues an official statement acknowledging the breach.
  • July 3, 2025: The Central Bank announces the partial restoration of C&M Software’s operations and confirms the arrest of an employee involved in the incident.
  • July 4, 2025: Authorities confirm the detention of a staff member suspected of aiding the cybercriminal operation.

5. Technical Analysis of the Incident

The incident that unfolded between June 29 and July 4, 2025, may represent one of the largest systemic frauds ever recorded within Brazil’s Payment System (SPB), involving a wide range of actors—from external cybercriminals and internal insiders to financial institutions, technology service providers, and regulatory authorities. Below is a technical, chronological breakdown of the attack’s modus operandi, the mechanisms exploited, the money flow, and institutional responses.

1. Initial Compromise: Insider Threat and Privilege Escalation

The first step in the incident was an internal compromise at C&M Software, an authorized and mission-critical Information Technology Services Provider (PSTI) within Brazil’s financial ecosystem. According to official investigations and media reports, an employee at C&M—referred to here as the “Facilitator”—was recruited by a cybercriminal group. Motivated by financial incentives, the insider shared administrative credentials and, following external instructions, executed strategic commands that enabled the attackers to operate undetected within the company’s internal environment.

This privileged access was essential. It allowed the attackers to discover and retrieve cryptographic keys and digital certificates belonging to C&M’s client institutions, enabling the group to digitally impersonate those financial institutions. In many financial environments, inadequate segregation of secrets management (keys, certificates, and credentials) between clients and tech providers makes these attacks exponentially more dangerous.
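The segregation failure described above can be made concrete with a small policy model. The following Python is an added example written for this article, not code from C&M Software, Segura or any vault product: it models a vault-style secret hierarchy where each client institution's signing key lives under its own path, and contrasts a flat provider policy (one operator role can read every client's key, with no expiry) with a segregated, just-in-time policy (standing access only to non-secret metadata, plus a 30-minute grant for one client's key tied to a recorded reason). All principals, paths, the 30-minute window and the ticket identifier are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Grant:
    principal: str                 # who the grant applies to
    path_glob: str                 # which secret paths it covers (fnmatch pattern)
    expires: Optional[datetime]    # None means standing access
    reason: str = ""               # ticket / justification recorded for audit


class SecretsPolicy:
    """Minimal policy engine over a vault-style path hierarchy (illustrative only)."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        # (time, principal, path, decision, reason) for every access decision
        self.audit: List[Tuple[datetime, str, str, str, str]] = []

    def add_grant(self, grant: Grant) -> None:
        self.grants.append(grant)

    def can_read(self, principal: str, path: str, now: datetime) -> bool:
        for g in self.grants:
            if g.principal != principal or not fnmatchcase(path, g.path_glob):
                continue
            if g.expires is not None and now >= g.expires:
                continue                      # expired JIT grant no longer counts
            self.audit.append((now, principal, path, "allow", g.reason))
            return True
        self.audit.append((now, principal, path, "deny", ""))
        return False


# Constructed client secret paths: each institution's signing key under its own prefix.
CLIENT_KEYS = [f"clients/{c}/signing-key" for c in ("bank-a", "bank-b", "fintech-c")]
DEMO_TIME = datetime(2025, 6, 30, 1, 0)   # constructed: an overnight access attempt


def weak_policy() -> SecretsPolicy:
    """Flat provider policy: any ops engineer can read every client's key, with no expiry."""
    p = SecretsPolicy()
    p.add_grant(Grant("ops-engineer", "clients/*/signing-key", None))
    return p


def hardened_policy(now: datetime) -> SecretsPolicy:
    """Per-client segregation: standing access only to non-secret metadata; exactly one
    client's signing key is readable, for 30 minutes, against a recorded reason."""
    p = SecretsPolicy()
    p.add_grant(Grant("ops-engineer", "clients/*/metadata", None))
    p.add_grant(Grant("ops-engineer", "clients/bank-a/signing-key",
                      now + timedelta(minutes=30),
                      reason="TICKET-0000 certificate renewal"))  # placeholder ticket id
    return p


def readable_keys(policy: SecretsPolicy, principal: str, now: datetime) -> List[str]:
    """Which client signing keys one compromised principal could pull at this moment."""
    return [path for path in CLIENT_KEYS if policy.can_read(principal, path, now)]


def compare(now: datetime):
    """Blast radius of a single compromised operator under each policy."""
    weak = readable_keys(weak_policy(), "ops-engineer", now)
    hard = hardened_policy(now)
    during = readable_keys(hard, "ops-engineer", now)
    after = readable_keys(hard, "ops-engineer", now + timedelta(minutes=31))
    return weak, during, after


if __name__ == "__main__":
    w, d, a = compare(DEMO_TIME)
    print("weak policy exposes:    ", w)
    print("hardened, during grant: ", d)
    print("hardened, after expiry: ", a)
```

Under the flat policy a single compromised operator account yields every client's signing key; under the segregated policy the same account reaches one key, for a bounded window, with a reason in the audit trail, and nothing once the grant lapses. The audit list is what a behavioral monitor would consume to spot reads that fall outside a ticketed window.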

2. Injection of Fraudulent Orders and Automated Settlement

Once in possession of the original digital credentials and certificates belonging to compromised institutions—particularly BMP Money Plus and at least five others—the attackers began fabricating and injecting PIX payment orders directly into SPI (Instant Payment System) and SPB. Since the digital signatures were valid and the requests followed standard cryptographic formats, the Central Bank’s settlement infrastructure processed and executed them as legitimate. The SPI system, by design, presumes the authenticity of requests from verified participants.

During the night of June 29 to June 30, these operations were carried out in bulk, automated fashion, outside of business hours—when manual oversight tends to be minimal. The reserve accounts of the victim institutions—held with the Central Bank for interbank operations—were systematically debited without triggering any SPI anomalies.

3. Rapid Dispersion and Chain Effect

The next step involved the immediate dispersion of stolen funds. Large amounts—often sent in batches—were moved to “mule accounts” and smaller payment institutions (PIs), many of which featured less stringent KYC, onboarding, and compliance protocols. Funds were then transferred to cryptoasset service providers such as exchanges, OTC platforms, and swap apps. There, they were converted into Bitcoin and USDT and moved to wallets held by the attackers—often split into many small transactions to evade tracing.

This sequence underscores the attackers’ operational sophistication:

  • Exploiting supply chain links between the PSTI (C&M) and multiple banks/fintechs;
  • Leveraging scripts and automation to submit dozens of transactions in succession;
  • Executing the fraud during off-peak operational hours.

4. Timeline of Actions, Detection, and Response

🕛 June 30, 2025 – 12:18 AM: Initial Detection by Exchanges
SmartPay and Truther exchanges were the first to detect suspicious activity. Their monitoring systems flagged abnormal transaction volumes and unusual purchases of Bitcoin/USDT made via PIX, triggering alerts to internal compliance teams and associated financial institutions.

🕓 June 30, 2025 – 4:00 AM: BMP Executives Flag the Incident
Prompted by exchange alerts and transaction analysis, a BMP Money Plus executive was contacted by a CorpX Bank representative regarding an extraordinary PIX transfer of R$18 million originating from BMP. This kicked off an internal audit that revealed several unauthorized SPI transactions debiting BMP’s reserve account.

🕔 June 30, 2025 – 5:00 AM: Incident Escalation
BMP formally notified C&M Software, reporting the breach and requesting urgent assistance from the provider responsible for part of the institution’s interbank infrastructure. By this point, the breadth of the attack suggested a systemic compromise affecting multiple C&M clients.

⚠️ June 30, 2025: Regulatory Response — Central Bank Intervention
With converging reports from exchanges, BMP, and other affected financial institutions, the Central Bank was officially notified of a potential systemic breach. As an emergency measure, it ordered the precautionary suspension of C&M Software’s connections to SPB—halting PIX operations across all institutions that interfaced through its platform. This action aimed to prevent further fraud and maintain system liquidity, despite triggering operational interruptions for hundreds of banks, fintechs, and payment entities.

📰 From July 1, 2025 Onward: Public Disclosure, Analysis, and Partial Recovery
In the days that followed, national media widely covered the breach, and official statements from BMP, C&M Software, and the Central Bank confirmed that no end-user funds had been affected. BMP reported that, of the R$400 million initially stolen, approximately R$160 million had been recovered through rapid collaboration with crypto exchanges, court orders, and financial tracing efforts.

Later, the Central Bank authorized the partial reactivation of C&M’s services—only after new control mechanisms and stricter access segregation were implemented. Amid the ongoing investigation, authorities confirmed the identification and arrest of the “facilitator”, the insider who enabled the breach. The Federal Police continues to investigate charges related to unauthorized access, banking fraud, and money laundering.

5. Operational Roles Across the Attack Chain

  • Cybercriminals: Strategized and executed the attack, exploiting both human and technical vulnerabilities. Used automation to scale operations and reduce execution time.
  • Insider (Facilitator): Served as the human vulnerability, granting “legitimate” access to core systems. Illustrates the danger of excessive privilege and lack of behavioral monitoring.
  • C&M Software (PSTI): Due to the absence of strong access segregation and behavioral controls, acted as the point of compromise that exposed its entire client base.
  • Victim FIs: Banks and fintechs whose reserve accounts were debited, suffering direct financial loss and reputational impact.
  • SPI/SPB: The infrastructure processed all digitally signed payment orders as expected—highlighting the limitations of automated controls against insider-originated attacks.
  • Mule Accounts / Payment Institutions (PIs): Weak onboarding and due diligence processes made them attractive channels for laundering and dispersing stolen funds.
  • Exchanges: A key positive aspect—proactive exchange-based compliance systems successfully detected, contained, and reported portions of the fraud, helping reduce total impact.

Below, you’ll find a step-by-step visualization of the incident flow:

6. MITRE ATT&CK Mapping

The attack on C&M Software’s environment demonstrates a well-defined chain of techniques documented in the MITRE ATT&CK Framework (Enterprise v17). Mapping these techniques supports threat hunting, incident response, and the enhancement of internal security controls across financial institutions and PSTI providers.

Below, we highlight the main tactics and techniques involved, referencing specific examples from the 2025 incident.

7. APT Groups: Exploratory Assessment

It is important to highlight that, as of now, none of the groups listed below have any confirmed connection to the attack under investigation. These references are intended primarily to inform threat intelligence efforts and assist in shaping strategic defense planning.

Although there has been no formal attribution to any internationally recognized Advanced Persistent Threat (APT) groups, the technical analysis of the attack on C&M Software reveals multiple operational similarities with campaigns previously carried out by sophisticated threat actors. These actors vary in motivation, technical breadth, and focus—often targeting critical financial infrastructures.

The purpose of this mapping is to help place the Brazilian incident within the context of global cyber threat trends, supporting the early identification of attack patterns and contributing to more proactive and intelligence-driven defense strategies.

The groups outlined below demonstrate common Tactics, Techniques, and Procedures (TTPs) seen in supply chain compromises, banking intrusions, ransomware campaigns, and money-laundering-driven data exfiltration:

Notable Examples

  • Plump Spider – Known for leveraging the Clop ransomware, this group has been involved in systemic attacks on global financial institutions. Its operations often combine supply chain compromise, large-scale data and confidential information exfiltration, and laundering of proceeds via cryptoasset mixer services.
  • TA505 – Specializes in malspam-driven campaigns, frequent use of Cobalt Strike for post-exploitation, and targeted attacks on banks and fintechs. Notable for its ability to rapidly convert and disperse illicit funds.
  • FIN7 / Carbanak – With an established reputation for social engineering and persistent access to banking environments, FIN7 is known for extended campaigns that leverage legitimate infrastructure and internal credentials to facilitate stealthy data exfiltration and fund diversion.
  • LAPSUS$ – Gained notoriety for its highly visible and theatrical attacks on major enterprises, with a particular focus on social engineering, privileged access acquisition, and the public exposure of stolen data. While the group is not a direct fit for this incident, which centers on financial operations, some alignment remains in terms of initial access and insider exploitation tactics.

8. Mitigation Strategies

Given the context and the vulnerabilities exposed by the incident, we propose a set of mitigation measures focused on behavioral security, automated credential management, and strong governance across the digital supply chain:

  • Behavioral Analytics: Real-time detection of anomalous privileged access; automatic blocking based on deviation patterns, with correlation by geolocation, time of access, and other indicators.
  • Just-in-Time Access: Grant privileged access strictly for specific tasks or timeframes, thereby reducing exposure windows to insider threats.
  • Credential Rotation (triggered by anomalous behavior): Credentials are automatically refreshed or revoked upon detection of any suspicious activity.
  • Secrets and Token Management for APIs and Supply Chain: Deployment of secure vaulting tools to safely isolate and manage third-party integrations and secrets.
  • Certificate Management and Rotation: Continuous monitoring and automated renewal of digital certificates used in critical financial operations.
  • Third-Party Access Control: Implementation of Zero Trust policies for partners, with strict onboarding and offboarding processes.
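The first three items above (behavioral analytics, just-in-time exposure windows, and rotation triggered by anomalies) can be exercised against the kind of activity described in section 5.2, where every fraudulent order carried a valid signature and the settlement layer had no reason to reject it. The following Python is an added example for this article, not code from Segura, C&M Software or the SPI: it runs simple behavioral checks over a constructed log of signing-certificate usage (time of day, session geolocation, whether the operator normally touches that client's certificate, and bursts of use) and maps the findings to the responses listed above. The thresholds, account names, certificate labels and the "ZZ" country code are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignEvent:
    """One use of a client institution's signing certificate (constructed log record)."""
    ts: datetime        # when the signature was produced
    operator: str       # account at the provider that requested the signing
    client_cert: str    # which client's certificate was used
    src_country: str    # geolocation of the requesting session
    amount_brl: float   # order value, kept for triage context only


# Assumed thresholds (not from the article): normal signing window, burst definition,
# and the countries a provider session is expected to originate from.
BUSINESS_HOURS = (8, 20)              # 08:00 <= hour < 20:00
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5
ALLOWED_COUNTRIES = {"BR"}


def detect_anomalies(events, baseline):
    """Return [(event, [reasons])] for every event that deviates from the baseline.

    baseline maps operator -> set of client certificates that operator normally uses.
    Signature validity is taken as given: the checks are about who, when, where
    and how often a certificate is used, which is what validity alone cannot tell.
    """
    findings = []
    recent = defaultdict(list)        # client_cert -> timestamps inside BURST_WINDOW
    for e in sorted(events, key=lambda ev: ev.ts):
        reasons = []
        if not BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]:
            reasons.append("off-hours")
        if e.src_country not in ALLOWED_COUNTRIES:
            reasons.append("unexpected-geo")
        if e.client_cert not in baseline.get(e.operator, set()):
            reasons.append("cert-outside-baseline")
        window = [t for t in recent[e.client_cert] if e.ts - t <= BURST_WINDOW]
        window.append(e.ts)
        recent[e.client_cert] = window
        if len(window) >= BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            findings.append((e, reasons))
    return findings


def response_actions(findings):
    """Map findings to the responses named in the mitigation list: alert, block, rotate."""
    actions = defaultdict(set)
    for e, reasons in findings:
        actions[e.client_cert].add("alert")
        # A certificate the operator never uses, or a burst of signatures, is treated
        # as probable key compromise: stop signing with it and rotate it.
        if "burst" in reasons or "cert-outside-baseline" in reasons:
            actions[e.client_cert].update({"block-signing", "rotate-certificate"})
    return dict(actions)


# Constructed sample log: one normal daytime signing, one overnight signing, an overnight
# run against a certificate the operator never uses, then a daytime geolocation mismatch.
BASELINE = {"ops-alice": {"cert-bank-a"}, "svc-batch": {"cert-bank-a", "cert-bank-b"}}
SAMPLE_EVENTS = [
    SignEvent(datetime(2025, 6, 29, 14, 5), "ops-alice", "cert-bank-a", "BR", 1_000.0),
    SignEvent(datetime(2025, 6, 30, 1, 10), "ops-alice", "cert-bank-a", "BR", 250_000.0),
] + [
    SignEvent(datetime(2025, 6, 30, 1, 12 + i), "ops-alice", "cert-bank-b", "BR", 900_000.0)
    for i in range(6)
] + [
    # "ZZ" is a placeholder country code, not a real location
    SignEvent(datetime(2025, 6, 30, 10, 0), "ops-alice", "cert-bank-a", "ZZ", 5_000.0),
]


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_EVENTS, BASELINE)
    for e, reasons in found:
        print(e.ts, e.operator, e.client_cert, ",".join(reasons))
    print(response_actions(found))
```

On the constructed log the single overnight use of cert-bank-a raises only an alert, while the six-signature run against cert-bank-b is flagged both as outside the operator's baseline and, from the fifth signature on, as a burst, which is what triggers blocking and rotation for that certificate. In a real deployment the baseline would be learned from historical usage rather than hard-coded, and the rotation action would call the certificate lifecycle tooling rather than return a label.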

Reference Architecture: A recommended visual design illustrating an integrated security model for PSTIs, financial institutions, and the Central Bank (suggested as a flowchart or architecture diagram).

9. Conclusion

The attack that impacted C&M Software and multiple institutions connected to Brazil’s Payment System (SPB) underscores the critical role of behavioral cybersecurity and credential control in safeguarding financial ecosystems. This event exposed significant weaknesses in privileged access management, particularly within trust relationships between financial institutions and their technology service providers. It clearly demonstrates that traditional paradigms—relying solely on logical perimeters, firewalls, and network segmentation—are insufficient to defend against insider threats, supply chain compromise, and sophisticated attacks enabled by the misuse of valid credentials and seemingly legitimate but unauthorized operations.

The incident revealed that insider actions, improper certificate usage, and the absence of behavioral monitoring allowed fraudulent activity to flow through automated systems without triggering alarms across various points in the chain. Additionally, it reinforced the importance of traceability, real-time threat intelligence, and collaborative defense among key ecosystem players including fintechs, banks, exchanges, and regulatory bodies.

From the lessons learned, the following mitigation strategies stand out:

  • Continuous Behavioral Analytics: Monitor privileged user behavior in real time, generating alerts and automated blocks when anomalies are detected—such as unusual access times, organizational changes, or abnormal geolocation data.
  • Just-in-Time Access & Least Privilege: Minimize the time during which sensitive credentials remain active. Grant access strictly for specific tasks and timeframes, with comprehensive logging and traceability.
  • Credential Rotation Triggered by Anomalies: Implement mechanisms for the automatic replacement of passwords, tokens, and certificates whenever suspicious behavior is detected—preventing persistence or reuse of compromised access.
  • Secure Management of Secrets, Tokens, and Digital Certificates: Centralize the lifecycle control, usage auditing, and periodic renewal of these assets—especially across integrations between financial institutions, PSTIs, and APIs—to mitigate leakage and misuse risks.
  • Zero Trust Policies and Tight Third-Party Controls: Define robust procedures for granting, monitoring, and revoking access to partners, vendors, and external teams. Ensure consistent due diligence and oversight.

Ultimately, the case highlights that operational resilience, rapid intelligence sharing, transparent communication, and the integration of technical and procedural controls are foundational pillars for the systemic defense of the national financial environment in the face of evolving and sophisticated threats.

Speak to Our Experts
To learn how Segura® can support your organization in behavioral cybersecurity, privileged access management, and fraud-resistant architecture, contact us for a personalized strategic assessment.

