
Identity Security Gets $50M Vote of Confidence: What It Means for Your Business

Kyanite Blue Labs, Threat Intelligence·2 April 2026

A $50 Million Signal You Should Not Ignore

Linx Security has raised $50 million in funding to accelerate its identity security and governance platform, according to SecurityWeek. The round will fund product development, go-to-market expansion, and global growth. That is a large number for a focused niche — and it tells you exactly where sophisticated investors believe the biggest unsolved problem in cybersecurity sits right now.

Identity security is not a new concept. But the scale of capital flowing into this space over the past 18 months reflects something more specific: organisations are losing the battle to control who has access to what, and attackers know it.

Identity-based attacks now account for the majority of breaches across enterprise and mid-market environments. Verizon's 2024 Data Breach Investigations Report found that stolen credentials were involved in 77% of web application breaches. Investors are following the threat.

Why Is Identity Security Attracting This Level of Investment?

Identity has become the primary attack surface. When perimeter defences tightened through the widespread adoption of next-generation firewalls and endpoint detection tools, attackers shifted to the path of least resistance: logging in with valid credentials rather than breaking in.

The problem is structural. Most organisations have accumulated years of identity debt — orphaned accounts, over-privileged users, service accounts with excessive permissions, and federated identity systems that were never properly governed. A departing employee's account left active for 30 days is an open door. A contractor with admin rights they were granted for a one-off project and never had revoked is an attack waiting to happen.

Governance is where the gap is most acute. Many businesses have some form of identity and access management (IAM) in place. Far fewer have identity governance — the continuous process of reviewing, certifying, and enforcing who should have access to which systems, and revoking access automatically when circumstances change. That distinction matters enormously. IAM tells you who has access. Governance tells you whether they should.

What Does an Identity-Based Attack Actually Look Like?

The mechanics are straightforward, which is part of why they are so effective. An attacker obtains credentials through phishing, credential stuffing, or purchasing them from a dark web marketplace. They authenticate to a legitimate service — a cloud application, a VPN, a SaaS platform — using those credentials. From there, they move laterally through the environment, escalating privileges where possible, until they reach the data or systems they are after.

Nothing in this chain looks unusual to a basic monitoring tool. The user authenticated correctly. The access request matched a valid account. The session looked normal. By the time something flags as suspicious, the attacker may have been resident in the environment for days or weeks.

This is the scenario that identity security and governance platforms are built to disrupt. By continuously assessing whether access rights are appropriate, flagging anomalous access patterns, and enforcing least-privilege principles in real time, they close the window of opportunity before it becomes a breach.

The 2023 MGM Resorts attack is a clear example. Attackers used social engineering to impersonate an employee and gain access to the company's identity provider, ultimately causing an estimated $100 million in damages. The credentials were valid. The access looked legitimate. The governance controls were not sufficient to catch the anomaly in time.

Why Mid-Market Businesses Face the Highest Exposure

Enterprise organisations with dedicated identity teams and mature governance programmes are not immune to identity-based attacks, but they are better positioned to detect and respond. The more exposed segment is the mid-market: businesses with between 100 and 2,000 employees who have adopted cloud infrastructure at pace but have not built the governance layer to match.

These organisations typically present a specific combination of risk factors:

First, they run a fragmented SaaS environment. The average mid-market company uses over 100 SaaS applications, according to BetterCloud's 2023 State of SaaSOps report. Each application represents a separate identity surface, often with its own access controls and no centralised visibility.

Second, they lack dedicated identity governance resources. Identity reviews — the process of periodically certifying that users still need the access they have — either happen infrequently or not at all.

Third, they face the same threat actors as large enterprises. Ransomware groups and financially motivated attackers do not discriminate by company size. They target the path of least resistance.

  • Orphaned accounts from employee departures or contractor offboarding left active for weeks or months
  • Over-privileged service accounts used by applications but never reviewed after initial setup
  • Federated identity configurations that grant access across multiple systems when one set of credentials is compromised
  • No automated process to detect when a user's role changes but their access rights do not

What the Investment Wave Tells UK and NZ Security Teams

The Linx Security raise is not an isolated event. CrowdStrike's 2024 Global Threat Report identified identity-based attacks as the fastest-growing initial access technique. SentinelOne acquired PingSafe partly to address cloud identity exposure. The Microsoft Security Response Centre dedicated significant resources in 2023 and 2024 specifically to combating identity attacks against Entra ID and Azure Active Directory.

For security teams in the UK and New Zealand, the signal is the same regardless of geography: if identity governance is not currently a funded priority, it needs to become one.

In the UK, organisations subject to the FCA's operational resilience requirements, the NIS2 Directive's access control obligations, or the ICO's expectations under UK GDPR have regulatory reasons to act as well as security ones. NIS2, which took effect in October 2024 across EU member states and influences UK equivalent frameworks, explicitly requires organisations to implement access control policies and privileged access management.

In New Zealand and Australia, the Privacy Act 2020 and the Australian Privacy Act create accountability for access control failures that result in personal data exposure. Regulators in both countries have demonstrated increasing willingness to pursue enforcement action following breaches where basic access hygiene was not in place.

The investment community is pricing in the fact that identity governance will become table stakes. Security teams that wait for regulatory compulsion will be managing incidents rather than preventing them.

How to Assess Your Identity Security Posture

Before investing in any platform, it helps to have an honest picture of where the gaps are. Most organisations underestimate their identity exposure because the risk is not visible through traditional security dashboards.

A useful starting point is a structured access audit: a review of active accounts against current staff and contractor lists, a report of privileged accounts and when they were last reviewed, and an assessment of which SaaS applications are connected to your primary identity provider versus operating with separate credentials.

Beyond the audit, continuous attack surface monitoring gives you an ongoing view of exposed identity assets — including cloud misconfigurations, exposed authentication endpoints, and credentials found in data breach corpora. Hadrian, Kyanite Blue's AI-driven attack surface management platform, performs this type of continuous external assessment, identifying exposed assets and access points that internal teams often miss. Where identity infrastructure is externally visible or misconfigured, Hadrian will surface it. You can explore what Hadrian covers at /products/hadrian.

For organisations that have experienced a breach or suspect credential compromise, the priority shifts to detection and response. Sophos MDR provides 24/7 managed detection and response, with analysts who specifically monitor for lateral movement and privilege escalation patterns consistent with identity-based intrusion. When an attacker is using valid credentials, the detection signal is behavioural rather than signature-based — and that requires human expertise operating at speed.
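The three checks of the structured access audit described in this section can be scripted against exports most teams already have. The following is an added example, not Kyanite Blue's or any vendor's code; the CSV column names, the sample rows and the 90-day review threshold are assumptions made for illustration.

```python
import csv, io
from datetime import date

# Constructed sample exports (not real data): HR roster, IdP accounts, SaaS inventory.
ROSTER_CSV = """email,status
alice@example.com,employee
bob@example.com,contractor
"""
ACCOUNTS_CSV = """account,owner,enabled,privileged,last_reviewed
alice,alice@example.com,true,true,2026-03-01
bob,bob@example.com,true,true,2025-06-15
carol,carol@example.com,true,false,
svc-backup,,true,true,
dave,dave@example.com,false,false,2025-01-10
"""
APPS_CSV = """app,auth
crm,sso
wiki,sso
invoicing,local
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(roster_csv, accounts_csv, apps_csv, today, max_review_age_days=90):
    """Return findings for the three audit checks; the threshold is an assumption."""
    current = {r["email"].lower() for r in rows(roster_csv)}
    orphaned, stale_privileged = [], []
    for a in rows(accounts_csv):
        if a["enabled"] != "true":
            continue  # disabled accounts cannot authenticate
        # Check 1: enabled account with no matching current staff or contractor.
        if a["owner"].lower() not in current:
            orphaned.append(a["account"])
        # Check 2: privileged account never reviewed, or reviewed too long ago.
        if a["privileged"] == "true":
            reviewed = a["last_reviewed"]
            age = (today - date.fromisoformat(reviewed)).days if reviewed else None
            if age is None or age > max_review_age_days:
                stale_privileged.append(a["account"])
    # Check 3: applications that keep separate credentials outside the IdP.
    outside_idp = [r["app"] for r in rows(apps_csv) if r["auth"] != "sso"]
    return {"orphaned": orphaned, "stale_privileged": stale_privileged,
            "outside_idp": outside_idp}

if __name__ == "__main__":
    result = audit(ROSTER_CSV, ACCOUNTS_CSV, APPS_CSV, date(2026, 4, 2))
    for check, items in result.items():
        print(f"{check}: {', '.join(items) or 'none'}")
```

Note that the ownerless service account appears in both the orphaned and the stale-privileged lists, which is the overlap a manual review most often misses.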

How to Protect Your Business Against Identity-Based Threats

Identity attacks succeed when organisations lack visibility into how access rights are assigned, used, and reviewed. The controls that close those gaps span several layers, and Kyanite Blue's security stack addresses each one.

For external attack surface exposure — including misconfigured identity providers, exposed authentication endpoints, and credentials leaked in third-party breaches — Hadrian provides continuous automated reconnaissance from the attacker's perspective. It identifies the same entry points that adversaries find during reconnaissance, before they act. For UK businesses concerned about their external identity footprint, start with a review at /products/hadrian.

For email-based credential theft, which remains the most common initial access technique for identity attacks, Coro delivers unified email and endpoint protection that blocks phishing attempts before credentials are ever entered. UK businesses can explore Coro's capabilities at /products/coro. For organisations in New Zealand and Australia, ESET enterprise endpoint protection provides equivalent coverage with regional support — details at /products/eset.

For network-level detection of lateral movement following a credential compromise, Sophos XDR and MDR correlate signals across endpoint, network, and identity telemetry to identify attacker behaviour that bypasses perimeter controls. When an attacker is already inside using valid credentials, this is the layer that catches them. Learn more at /products/sophos.

For third-party and supply chain identity risk — where a vendor's compromised credentials provide access to your environment — Panorays gives you continuous visibility into the security posture of your supply chain, including access control practices. Review your supplier risk profile at /products/panorays.

If you are unsure where your greatest identity exposure sits, the most practical next step is a structured assessment. Talk to our team about mapping your current identity security posture and identifying the controls that will have the most impact for your specific environment at /contact.

Frequently Asked Questions

What is identity security governance and why does it matter?

Identity security governance is the ongoing process of controlling, reviewing, and enforcing who has access to which systems and data across an organisation. Unlike basic access management, governance ensures access rights are continuously validated and revoked when no longer needed. It matters because most modern breaches begin with compromised or over-privileged credentials rather than technical exploits.

How do attackers use stolen credentials to breach organisations?

Attackers obtain credentials through phishing, credential stuffing, or dark web purchases, then authenticate to legitimate services such as VPNs, cloud platforms, or SaaS applications. Because the login appears valid, basic monitoring tools do not flag it. From there, attackers move laterally, escalate privileges, and access sensitive data — often remaining undetected for days or weeks before the breach is discovered.

What should UK businesses do to improve their identity security posture?

UK businesses should start with an access audit: review active accounts against current staff lists, identify orphaned and over-privileged accounts, and assess which applications connect to their central identity provider. Combining continuous attack surface monitoring with 24/7 managed detection gives both proactive visibility and active response capability when credentials are compromised. NIS2-aligned access control policies are also now a regulatory expectation for many sectors.
