Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity Breach Patterns Library
A comprehensive catalog of 40+ real-world identity-centric attacker behaviors observed across nation-state APT groups, ransomware operators, insider threats, cloud-native adversaries, and hybrid intrusion teams.
Understanding Modern Identity Attacks
What IBP Delivers
The Identity Breach Patterns Library consolidates the most common identity-focused attack behaviors into a unified reference. This library helps security and identity teams understand what attackers do, which weaknesses they exploit, and which detection signals reveal them before privilege escalation or persistence occurs.
Each pattern maps directly to the Identity Attack Chain (IAC), showing where behaviors fit in the attack lifecycle and which threat actors actively use each technique.
Strategic Purpose
The library enables early recognition of identity attacks by giving security teams, threat hunters, and identity engineers actionable intelligence. It bridges the gap between abstract threat models and concrete attacker tradecraft, offering detection logic, prerequisites, and enabling misconfigurations for each pattern.
The emphasis is on preventing lateral movement and privilege escalation by surfacing indicators during the reconnaissance and initial access phases, before an attacker reaches privileged identities.
Breach Pattern Categories
Nine distinct categories organize 40+ breach patterns (BP-001 → BP-049), each representing a critical phase of identity-centric attacks. Navigate to any category to explore detailed patterns with detection signals, threat actor associations, and Identity Attack Chain mappings.
  • Reconnaissance & Enumeration: domain scanning, user harvesting, identity surface discovery
  • Credential Acquisition & Token Theft: password sprays, browser cookie theft, token extraction
  • Authentication Abuse & Federation: SAML manipulation, federation trust exploitation, MFA bypass
  • Privilege Escalation Techniques: app role elevation, permission abuse, admin path exploitation
  • Machine Identity Abuse: service account hijack, machine identity drift, API key theft
  • Cloud & SaaS Lateral Movement: cross-tenant pivots, OAuth abuse, cloud identity traversal
  • Token Replay & Session Hijack: refresh token theft, session cookie replay, JWT manipulation
  • Identity Persistence Techniques: golden ticket, skeleton key, persistent admin backdoors
  • Identity-Led Exfiltration & Impact: cross-cloud pivots, data export via stolen credentials
Breach Pattern Structure & Navigation
What Each Pattern Includes
Every Breach Pattern page follows a consistent, comprehensive structure designed for rapid threat analysis and detection engineering. Each pattern provides a clear description of the attacker technique, its prerequisites and enabling conditions, the misconfigurations that make the behavior possible, and the detection logic and signals that reveal it.
Patterns map to the Identity Attack Chain (IAC), include threat actor associations, provide executive storyline linkages, and feature text-based identity graph annotations for visual context. Clean navigation allows movement across the entire library.
Example Pattern Index
  • BP-001 — Domain & Identity Surface Scanning
  • BP-005 — Valid Username Harvesting
  • BP-010 — Password Spray Credential Acquisition
  • BP-013 — Browser Session Cookie Theft
  • BP-018 — SAML Trust Manipulation
  • BP-021 — App Roles → Admin Escalation
  • BP-027 — Refresh Token Theft
  • BP-034 — Machine Identity Privilege Drift
  • BP-040 — Cross-Cloud Identity Pivot → Exfiltration
  • 40+ Breach Patterns: documented attack behaviors
  • 8 Categories: organized attack phases
  • 100% IAC Mapped: full chain coverage