Most identity security strategies are still designed around what happens after a user has already logged in. Security teams have invested heavily in session monitoring, anomaly detection, MFA, and identity threat detection and response (ITDR) platforms that focus on identifying suspicious behavior once access has already been granted. Those controls are necessary, but they are increasingly misaligned with how modern identity attacks actually succeed.
The latest SANS data points to a different reality. Identity risk is no longer something organizations can treat solely as a post-authentication problem. In many cases, it begins earlier—at the point where credentials have already been exposed and are ready to be used.
This is what defines pre-authentication risk.
Credentials exposed through phishing campaigns, infostealer malware, third-party breaches, and password reuse create a condition where authentication systems can be used against the organization. Attackers are not always bypassing controls. More often, they are passing them with credentials that are technically valid but already compromised.
According to the SANS survey, 35% of organizations cited credential phishing or stolen credentials as a contributing factor in identity-related cyberattacks, while 24% reported brute force or credential stuffing activity. The SANS data makes the point clearly: compromised credentials remain the root cause of most breaches, which is why many identity attacks still succeed.
This fundamentally changes how the login workflow should be viewed.
Authentication is no longer just a gate. It is a control surface.
To understand pre-authentication risk, it’s important to separate two concepts that are often treated as the same: password correctness and credential safety.
A password can be correct and still be unsafe.
That is the core issue.
Credentials are continuously exposed through a range of sources that sit largely outside the organization’s control. Phishing kits harvest login data at scale. Infostealer malware extracts saved credentials from browsers and endpoints. Breach datasets circulate across forums and marketplaces, often long after the original incident. And password reuse ensures that a compromise in one system can translate into risk in another.
In each of these cases, the credential itself becomes the vulnerability.
By the time a user attempts to authenticate, the exposure event has already occurred. The authentication system simply validates whether the credential matches what is on record. It does not determine whether that credential has been compromised elsewhere.
This is why credential-based attacks remain so effective. They do not rely on breaking defenses. They rely on using credentials that already satisfy them.
The SANS data reinforces that this is not a marginal issue. Stolen credentials continue to play a central role in identity-related attacks, making pre-authentication risk one of the most important and least addressed layers in modern identity security.
Credential stuffing is one of the most visible expressions of pre-authentication risk, and it highlights the structural weakness in many authentication systems.
In a credential stuffing attack, attackers take previously exposed username and password combinations and systematically test them across login endpoints. Because password reuse remains common, even a small success rate can provide meaningful access into enterprise systems or customer accounts.
Credential stuffing matters because it allows attackers to turn previously exposed credentials into direct login attempts against enterprise and customer-facing systems. According to SANS, 24% of organizations experienced brute force or credential stuffing as a contributing factor in identity-related attacks.
What makes this particularly challenging is that these attacks operate entirely within expected authentication behavior. There is no need for malware, exploit chains, or vulnerability scanning. The attacker is simply attempting to log in using valid credentials.
This exposes a critical limitation in traditional authentication models.
Authentication systems are designed to answer a single question: Is this credential correct?
They are not designed to answer a second, equally important question: Has this credential already been compromised?
That gap is what allows credential stuffing to succeed.
Even in environments with stronger authentication controls, the first factor remains critical when credentials are already exposed. The initial foothold still depends on the credential.
The impact of pre-authentication risk becomes even more significant when viewed in the context of enterprise identity infrastructure.
According to the SANS data, 47% of organizations report that their most important identities still reside in on-premises Active Directory or legacy applications.
This is a critical point.
Despite ongoing cloud adoption, Active Directory remains deeply embedded in authentication workflows, administrative processes, and access control models. It continues to serve as the backbone for identity in many organizations, particularly in hybrid environments.
When compromised credentials exist within Active Directory, attackers do not need to bypass perimeter defenses or exploit vulnerabilities in the traditional sense. They can authenticate directly into the environment using valid credentials, often gaining access to systems that support lateral movement, privilege escalation, and persistence.
The risk is amplified by the nature of many AD environments, which often include long-lived credentials, service accounts, legacy integrations, and broad access to critical systems.
This makes credential exposure within Active Directory particularly dangerous. It turns authentication into the entry point rather than the control.
These patterns are forcing a shift in how organizations think about identity defense.
Historically, authentication has been treated as a checkpoint—something that confirms identity and grants access. Security controls were layered around that checkpoint, primarily focused on detecting abnormal behavior after login.
That model is no longer sufficient.
If the credential itself is compromised, the authentication event may appear legitimate. The user logs in successfully. The system behaves as expected. From the perspective of many controls, nothing is wrong.
This is why even organizations with mature identity programs continue to experience successful attacks. The SANS research highlights that 55% of organizations experienced at least one identity-related attack leading to unauthorized access, despite widespread investment in identity tooling.
The issue is not a lack of controls. It is a misalignment of where those controls are applied.
Pre-authentication risk exists before most of those controls activate.
As a result, organizations are looking for ways to move security controls earlier in the authentication process.
Instead of relying exclusively on post-authentication detection, more teams are integrating controls directly into the login workflow. This includes evaluating password safety during creation and reset, checking credentials against known exposure datasets at the point of authentication, and continuously monitoring for newly exposed credentials that may impact existing users.
This represents a meaningful shift in how authentication is used.
Authentication is no longer just about verifying identity. It is increasingly about verifying the integrity of the credential being used.
This approach allows organizations to address risk at the point where it originates, rather than reacting after access has already been granted. It also reduces reliance on broad, disruptive controls that affect all users equally, regardless of risk.
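As an added illustration (not code from SANS or from any product the article describes), the sketch below keeps the two questions separate in a login handler: the password is first verified, then screened against exposure data, and the same screening is applied on creation and reset. The hash-prefix (k-anonymity) index layout, the function names, the in-memory user store and the sample corpus are all assumptions constructed for this example.

```python
import hashlib, hmac, os

# Constructed sample corpus standing in for a breach-exposure dataset.
EXPOSED_PASSWORDS = ["Summer2024!", "P@ssw0rd", "qwerty123"]
# Unknown usernames are checked against this record so timing stays uniform.
DUMMY_RECORD = {"salt": os.urandom(16), "hash": os.urandom(32)}

def build_exposure_index(passwords):
    """Index SHA-1 digests by 5-hex-char prefix (k-anonymity range layout)."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_exposed(password, index):
    """Only the prefix would leave the login service; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username, new_password, user_db, index):
    """Creation/reset path: refuse a password that is already in exposure data."""
    if is_exposed(new_password, index):
        return False
    salt = os.urandom(16)
    user_db[username] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return True

def login(username, password, user_db, index):
    """Return 'deny', 'reset_required' or 'allow'."""
    record = user_db.get(username, DUMMY_RECORD)
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "deny"                # question 1: is the credential correct?
    if is_exposed(password, index):
        return "reset_required"      # question 2: is it already compromised?
    return "allow"

def demo():
    index = build_exposure_index(EXPOSED_PASSWORDS)
    salt = os.urandom(16)            # legacy account that predates screening
    db = {"alice": {"salt": salt, "hash": hash_password("Summer2024!", salt)}}
    created = set_password("bob", "tidal-copper-lantern-4471", db, index)
    return (created, login("alice", "Summer2024!", db, index),
            login("bob", "tidal-copper-lantern-4471", db, index))
```

The `reset_required` result is a decision for the caller: a correct but exposed password should route the user to a forced reset or step-up rather than a normal session.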
The SANS product brief provides additional context on how organizations are operationalizing this shift.
It highlights the limitations of manual breach-data investigation and time-based password reset policies, both of which are difficult to scale and often introduce unnecessary friction.
A more targeted response is real-time credential intelligence that allows security teams to identify exposed credentials as they emerge, screen passwords during authentication workflows, and focus remediation efforts on the accounts that are actually at risk.
This approach reduces the burden on security teams while improving the effectiveness of identity controls. It also aligns with the broader shift toward continuous monitoring and targeted response, rather than blanket enforcement.
Most importantly, it brings security controls into the login workflow itself, where pre-authentication risk can be addressed directly.
The SANS data points to a clear conclusion.
Identity risk is no longer defined solely by how well organizations can detect suspicious behavior after login. It is increasingly defined by how effectively they can identify and mitigate compromised credentials before authentication succeeds.
The data reinforces the same pattern: 35% cited credential phishing or stolen credentials, 24% reported credential stuffing, and 47% said their most important identities still reside in Active Directory and legacy systems.
These are not isolated findings. They describe a consistent pattern in how identity attacks occur.
The login workflow is no longer just an access mechanism.
It is a security boundary.
And pre-authentication risk is now one of the most important layers to address.