As WideField announces its Series A funding, hear from the founders about the vision, the origin story born from real breaches, and how recent attacks validated visibility beyond login.



A few years ago, a large videoconferencing product faced a sudden and crippling denial-of-service outage. At first glance, it didn't look like a typical large-scale DDoS attack because the traffic came from a single IP address.
As the investigation unfolded, the truth was unsettling – the attacker was a former employee using a stolen API key.
Unfortunately, this wasn’t a unique experience, as every organization faces similar challenges. Even with well-funded security budgets and all the major identity platforms (IAM, IGA, PAM), they still lack real control. We kept thinking this shouldn't still be happening today.
There were operational lapses, like not rotating keys. But the deeper realization was more troubling – the identity surface area had silently expanded beyond control. Systems trusted too many tokens, credentials, and connections long after they should have expired. What seemed like simple key misuse was, in fact, an identity breach hiding in plain sight.
We all should have seen this coming.
While leading engineering teams at Netskope, we had front-row seats to the cloud security revolution, helping enterprises secure their transition to SaaS, building technology that protected billions of transactions. We were good at what we did.
But we kept seeing the same pattern play out, over and over. Enterprises would invest millions (sometimes billions!) in security technology. They'd implement every best practice. They'd check every compliance box. And attackers would still get in.
Not through sophisticated zero-day exploits. Not through elaborate social engineering campaigns. They were exploiting something simpler, something most security teams had completely missed –
Identity security ended at the login screen.
We needed to understand how widespread this problem was. As co-founders, we analyzed more than 300 publicly disclosed breaches, digging into root causes wherever possible. Some investigations were detailed and brutally honest; others offered vague explanations like “human error.” What stood out was how identity-related breaches resembled a game of whack-a-mole. In some cases, the cause was operational, like failing to enforce MFA. In others, it was service account misuse or, with more sophisticated attackers, session hijacking through AiTM proxies.
There was no single solution that could detect all of these scenarios. Most organizations had to stitch together a fragile, interdependent toolchain to cover the spectrum – and that, we realized, was the real problem. A few organizations managed it well, but most did not. Worse, these tools often spanned multiple organizational boundaries.
Companies would implement Single Sign-On, deploy multi-factor authentication, and genuinely believe they'd solved identity security. Meanwhile, their actual identity attack surface was exploding.
When we asked a customer if their SOC had visibility into OAuth tokens with tenant-level access to Entra, the answer was a firm “no.” Something as fundamental as that should not be an issue in 2025. Yet it is. And attackers are exploiting those seams.
Every cloud service. Every SaaS application. Every API integration. Every AI agent. Each one created new identities that needed to be secured. Machine identities were proliferating faster than anyone could count them, let alone secure them.
And almost no one was watching what happened after those identities were authenticated.
The authentication systems would say, "Yes, you're allowed in," and then... nothing. No monitoring of active sessions. No detection of anomalous behavior. No visibility into what those identities were actually doing.
We'd built our careers in security, and we were watching the industry make the same mistake we'd seen in other domains by defending the perimeter while attackers walked in through side doors that weren't even locked.
The Salesloft/Drift incident gave us an unexpected opportunity to validate our approach in real time.
We first noticed something was off, not with the Salesforce app, but with the Google Workspace integration. It began triggering multiple detections, some obvious and others showing subtle behavioral changes. One pattern stood out – a specific Google Workspace API used to download user messages was being invoked repeatedly by a single application. That unusual behavior set off our alarms. When our system not only detected the activity but also correlated it to IOCs later published by Mandiant, it felt like a strong validation of our approach.
The attack itself followed the pattern we'd been studying, showing that attackers didn't need to break through firewalls or exploit zero-days. They stole OAuth tokens (machine identities that had already been authenticated) and used them to access Salesforce, Google Workspace, and Microsoft data.
The authentication happened. The security controls said, "Yes, you're allowed in." And then there was nothing watching what happened next.
This wasn't an anomaly. These post-authentication attacks (session hijacking, token theft, credential abuse) were already becoming the primary way organizations were breached. The entire identity security industry was focused on the front door, while attackers were walking in through the side entrance.
We saw the same pattern in other sophisticated attacks, such as the 2025 ByBit breach, where an AWS session was stolen by device-resident malware. Another example is the Storm-0558 attack, where the group minted tokens to access Exchange Online accounts belonging to U.S. government officials. That intrusion went undetected for more than four weeks and was finally uncovered only because a diligent State Department employee followed up on a rule detection.
We wrote a blog about the Storm-0558 incident and asked a simple question: how can any enterprise realistically write and maintain these kinds of detection rules for itself?
The answer: they can't. Not without a fundamentally different approach.
Traditional identity security focuses on the singular moment of authentication. Is this the right user? Do they have the right credentials? Should we let them in? That's like watching a single door with a magnifying glass while dozens of windows around the building are wide open.
In astronomy, widefield imaging reveals objects that narrow telescopes miss. In identity security, widefield visibility reveals threats that point-in-time authentication checks miss. We pull back the lens to see the entire identity landscape – human identities, machine identities, AI agents, active sessions, privilege relationships – everything. Not just at the moment of login, but continuously, across the entire lifecycle.
You can't defend against post-authentication attacks if your field of view ends at authentication. You need to see what's happening across the whole environment, all the time.
That's what the name means. That's what we built.
When we launched WideField at the RSA Conference in early 2025, we didn't know exactly how the market would respond. We believed in the problem we were solving, but would CISOs and security teams see what we saw?
The response was overwhelming.
Security leaders immediately understood what we were talking about because they'd been living with this gap for so long. They had authentication covered, but lacked visibility into active sessions. They knew they had machine identities scattered across their environment, but had no way to monitor or secure them. They'd been breached through post-authentication attacks and still had no tools to detect or prevent them.
One of our early customers, John McLeod, CISO at NOV, told us: "Like many enterprises, we had good authentication controls in place, but limited visibility into what happened after users and services authenticated. WideField immediately put eyes on our entire identity attack surface, including the machine identities. It's rare to deploy a security tool and immediately see value. WideField delivered from day one."
The identity attack surface isn't just growing—it's accelerating. AI agents, cloud services, API integrations – each one creates new identities that need visibility and protection. Organizations are drowning in identities they can't see, let alone secure.
And it’s not a problem companies can solve by trying harder with existing tools, because those tools weren't designed for the world we live in now. Today’s world is one where identities outnumber employees, where sessions matter more than passwords, and where post-authentication is the new battlefield.
To our customers: thank you for trusting us with your identity security. Your feedback, your challenges, and your willingness to partner with us in solving this problem mean everything.
To our team: Starting a company is hard. Starting a company to change how an entire industry approaches a fundamental problem is even harder. Thank you for joining us in this fight. Your expertise, your passion, and your commitment to doing this right (not just fast) are what make WideField possible. We're building the future of identity security together, and we're grateful to have you on this journey.
This is just the beginning.
– Abhay and Kartik
We're hiring talented people across product, sales, and marketing – UX designers, product managers, sales engineers, and digital marketing specialists. Check out our open roles at https://www.widefield.ai/about#careers
