Read: When Identity Infrastructure Fails, Can Your Business Recover?

For years, cybersecurity leaders have focused on protecting endpoints, networks, applications, and data. Those investments remain critical. But the way attacks actually work has changed, and attackers have found a far more efficient path into enterprise environments.

Attackers are no longer breaking in. They’re logging in.

Phishing, credential theft, MFA fatigue attacks… attackers have figured out that the front door is easier than the window. Why exploit a vulnerability when you can just log in?

As a result, identity has become one of the most important battlegrounds in cybersecurity. Yet many organizations continue to focus their resilience strategies on data recovery while overlooking the systems that control access to that data. At WEI, we’re increasingly having conversations around a concept that wasn’t part of most cybersecurity discussions just a few years ago: identity resilience. It’s a topic we explored recently on the WEI Tech Talk podcast with Patrick Haverty and Parker Gaines from Rubrik, and the conversation reinforced just how wide the gap remains between where most organizations think they are and where they actually need to be.

Identity resilience may be one of the most important cybersecurity discussions happening today, yet many organizations have not addressed it directly. The data supports that concern. Verizon’s 2025 Data Breach Investigations Report found that credential abuse was responsible for 22 percent of breaches analyzed, underscoring how often attackers gain entry through trusted identities rather than technical exploits.

Security leaders should ask a fundamental question: if an attacker compromises identity infrastructure, can the organization quickly recover? More importantly, can it recover with confidence?

The Stryker Lesson

A more recent example comes from the March 2026 cyberattack against medical technology giant Stryker. Ars Technica’s reporting on the incident found that attackers gained administrative control over identity and device management systems and used that access to remotely wipe corporate endpoints across the organization, with no traditional ransomware involved.

The incident demonstrated a reality many organizations are only beginning to appreciate: attackers don’t need malware to create disruption. Control over the identity infrastructure is enough. And recovery gets especially hard when the systems you’d use to fix the problem are the same ones that got hijacked.

For security leaders, the lesson extends beyond healthcare. The same exposure exists whether the environment runs on Active Directory, Microsoft Entra ID, Okta, or a mix of identity platforms. Prevention alone doesn’t solve it. What matters is how quickly the organization can recover once trust in that infrastructure is gone.

Read: Why Rubrik Identity Recovery Is Strategic For IT Leaders

What We’re Seeing in the Field

WEI is seeing a growing disconnect between identity protection and identity recovery. Most organizations have done the work. MFA, PAM, Zero Trust, conditional access. Those investments matter. But every one of them is built around keeping attackers out. None of them answer the harder question: what happens when someone is already in?

The MGM breach in 2023 is a good example. Scattered Spider didn’t exploit a technical vulnerability. They called the help desk, impersonated an employee, got an MFA reset, and walked straight through the front door. Then they went after the identity layer itself. Whether that’s Active Directory, Microsoft Entra ID, Okta, or a combination of identity providers, compromising the systems that control authentication gives attackers a powerful path to disrupt business operations. The damage ran north of $100 million.

When we ask organizations how they would recover from a compromised identity platform, the conversation often becomes much less certain.

Today’s identity environments span Active Directory, Microsoft Entra ID, Okta, SaaS applications, cloud services, and hundreds of interconnected business systems. As those systems get more tightly woven together, a disruption in one identity provider ripples across the whole organization fast. Many have tested their backups. Far fewer have tested the recovery of the systems responsible for authenticating users, enforcing access policies, and establishing trust across the enterprise.

Most have invested heavily in protecting identities. Far fewer have a clear answer for what happens when those protections fail.

The New Reality: Attackers Target Trust

Recent high-profile attacks continue to demonstrate a common pattern. Attackers compromise a user account through phishing, credential theft, social engineering, or password reuse. Once inside, they escalate privileges, establish persistence, and begin targeting identity infrastructure.

Accessing data is often only part of the objective. What attackers really want is control over the environment itself. Who gets in, who gets locked out, and who decides. They get there by manipulating administrative accounts, group policies, identity providers, or access controls. Restoring that control is a harder problem than most recovery plans account for.

Why Traditional Recovery Strategies Fall Short

When identity infrastructure is compromised, organizations often face two difficult options.

The first is restoring from backup. Determining whether a backup represents a truly clean recovery point is where things become difficult. If an attacker maintains persistence in the environment before discovery, organizations risk restoring malicious changes alongside legitimate configurations.

The second option is rebuilding identity infrastructure from scratch. Whether the environment is centered on Active Directory, Microsoft Entra ID, Okta, or a hybrid identity architecture, recovery can quickly become a complex and time-sensitive exercise. Rebuilding forests, domain controllers, trusts, policies, permissions, and integrations can become a lengthy and error-prone process that places significant operational pressure on IT teams.

Neither option inspires confidence, and confidence is exactly what organizations need during a cyber crisis.

Most recovery strategies were built around attackers exploiting systems rather than authenticating into them. When a trusted identity becomes the vector, you need more than backup plans. You need to be able to rebuild confidence in the environment itself. It’s a problem Rubrik has spent considerable time solving, and it’s what drew us to partner with them on this.

How Rubrik Addresses the Identity Recovery Gap

Some of what Rubrik’s incident response team has documented stopped me cold. When companies try to rebuild Active Directory from scratch after an attack, the process fails roughly 80 percent of the time. The manual runbook runs about 150 pages. One step out of sequence and you go back to the beginning. And the people who know that process well enough to execute it when you are under real pressure? In most organizations, that’s one or two people. If they’re traveling, or on vacation, you have a serious problem on top of an already serious problem.

The “last known good” problem also came up in our conversation, and it’s worth dwelling on. Restoring from backup sounds straightforward until you realize you can’t always be certain the backup itself is clean. If an attacker had been sitting in the environment for weeks before discovery, you risk pulling their persistence right back in. Rubrik identifies clean recovery points automatically and won’t let you restore to a state that contains ransomware or anomalous activity. During an incident, that takes one very difficult question completely off the table.

At WEI, we talk a lot about being “left of bang” versus “right of bang” — preparing before an attack versus responding after one. Rubrik is genuinely built for both. Their posture monitoring identifies misconfigurations and overprovisioned privileges before anyone exploits them. The recovery side handles what comes next if prevention fails. What I keep coming back to is that they treat identity the same way mature security programs treat data: not just something to protect, but something you actually have to be able to recover. That’s a different standard than most of what I see in the market.

Are You Prepared to Recover Trust?

Most security leaders can identify their RTO for data recovery, although fewer know how long it would take to restore a compromised Active Directory, Entra ID, or Okta environment, or whether they’d even know what a clean recovery point looks like.

That’s the gap worth closing. No prevention strategy is perfect, and the organizations that weather attacks best are the ones who’ve already thought through what comes next.

MFA matters. Backups matter. But neither tells you what to do when authentication infrastructure itself is what’s been compromised. If your identity infrastructure went down tomorrow, would you know what to do? If the answer isn’t an immediate yes, that’s worth a conversation before it becomes a crisis.

Next Steps: A few years ago, identity recovery wasn’t on most security roadmaps. That’s changed fast. It is now a core component of cyber resilience, operational continuity, and business risk management.

WEI helps organizations evaluate identity risks, validate recovery strategies, and identify gaps that traditional security and disaster recovery assessments often miss. Whether you’re assessing Active Directory, Microsoft Entra ID, or Okta dependencies, modernizing identity architecture, or evaluating your ability to recover from an identity-based attack, our team can help you develop a practical path forward. If you’d like to see Rubrik’s identity recovery in action before making any decisions, we can also arrange access to their hosted lab environment where you can run real recovery scenarios without touching your production systems.

If you’re not completely confident in the answer, now is the time to find out, not during a cyber incident.

Frequently Asked Questions

What is identity resilience in cybersecurity?

Identity resilience refers to an organization’s ability to recover its identity infrastructure, including Active Directory, Entra ID, Okta, and access management systems, after a cyberattack or outage. It goes beyond identity protection to address what happens when prevention fails.

How do organizations recover Active Directory after a ransomware attack?

Recovery typically involves restoring from a known clean backup or rebuilding from scratch, and the same challenge applies to Entra ID and Okta environments. Both options are complex. The bigger challenge is confirming the backup itself is free of attacker persistence before restoring it.

What did the 2026 Stryker attack reveal about identity resilience?

The Stryker attack gave attackers administrative control over the company’s identity and device management systems, which they used to remotely wipe devices across the organization. No ransomware was involved, since control over identity alone was enough to cause the damage.

What is the difference between identity security and identity resilience?

Identity security focuses on preventing unauthorized access through tools like MFA, Zero Trust, and privileged access management. Identity resilience focuses on recovering trust and access after those protections have been breached.

LinkedInFacebookEmail