Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity Attack Chain (IAC)
A comprehensive 9-stage model mapping how modern adversaries compromise, escalate, and persist through identity systems rather than traditional infrastructure
The Foundation of Modern Identity Threats
The Identity Attack Chain (IAC) represents the first publicly available, end-to-end structured framework specifically designed for identity-centric attacks in cloud environments. Unlike traditional cyber kill chains focused on network infrastructure, IAC addresses the reality of modern enterprise security where identity has become the primary attack surface.
This framework maps the complete adversary lifecycle across cloud identity systems, SSO platforms, federation protocols including OAuth and SAML, machine identities, API automation frameworks, and sophisticated token abuse techniques. IAC serves as the foundational taxonomy for understanding how APT groups, ransomware operators, and malicious insiders navigate identity systems to achieve their objectives.

Core Focus Areas
  • Cloud identity platforms
  • SSO & federation protocols
  • OAuth & SAML workflows
  • Machine & service identities
  • API security & automation
  • Session hijacking & token abuse
The 9 Stages of the Identity Attack Chain (IAC)
Each stage represents a critical phase in the adversary's journey through your identity infrastructure. Understanding these stages enables security teams to implement defense-in-depth strategies and detect threats earlier in the attack lifecycle.
Stage 1
Reconnaissance
Intelligence gathering on identity infrastructure, user populations, and authentication mechanisms
Stage 2
Identity Enumeration
Active discovery and validation of user accounts, service principals, and identity attributes
Stage 3
Credential Acquisition
Obtaining authentication materials through phishing, credential stuffing, or token theft
Stage 4
Authentication Abuse
Exploiting authentication weaknesses and bypassing multi-factor authentication controls
Stage 5
Privilege Escalation
Elevating permissions through misconfigured roles, delegation abuse, or identity exploitation
Stage 6
Token Tampering
Manipulating JWT tokens or SAML assertions, or hijacking active authentication sessions
Stage 7
Lateral Movement
Traversing environments using compromised identities to access additional systems and data
Stage 8
Persistence
Establishing long-term access through backdoor accounts, OAuth apps, or hidden privileges
Stage 9
Action on Objectives
Executing final mission goals: data exfiltration, system disruption, or financial fraud
Comprehensive Stage Documentation
What Each Stage Includes
Every stage in the Identity Attack Chain framework provides comprehensive, actionable intelligence designed for security professionals and threat hunters. Each stage page delivers executive-level descriptions of attacker methodologies, detailed breakdowns of key adversary behaviors and techniques, identification of commonly exploited identity misconfigurations, and relevant detection signals for security operations teams.
The framework includes direct mapping to real-world breach patterns, attribution to threat actors known to exploit each stage, integration with attack storylines and campaigns, and clear contextual positioning within the broader attack chain. All documentation is written for immediate operational use without requiring cross-referencing.

Framework Integration
IAC serves as the core foundation for the complete Identity Threat Intelligence Framework (ITIF). All breach patterns, detection logic, misconfiguration catalogs, threat actor profiles, and attack storylines reference and map back to these nine fundamental stages.
This unified structure enables security teams to understand not just individual techniques, but how they chain together in real-world attack scenarios.
