{“lastseen”:”2025-10-15T18:53:47″,”description”:”Security has always been about controlling _who_ can do _what_ and _where_.\\n\\nIn 2025, that control is mediated entirely by **identity**. When an attacker \u201clogs in,\u201d not \\”breaks in\\”, they inherit legitimate permissions, blend into normal telemetry, and pivot across AD, Entra\/Okta, SaaS, and cloud, driving multi-million-dollar losses. Credentials, tokens, and service accounts have become the real perimeter \u2014 and most organizations still can\u2019t measure how exposed that perimeter is.\\n\\n## Identity Has Become the New Attack Surface\\n\\nRecent data quantifies the shift. IBM\u2019s 2024 breach study found stolen or compromised credentials were the slowest to detect and drives an average loss of **$4.88 million**. Hybrid attacks that pivot from AD to Entra ID show that identity compromise now spans on-prem and cloud. Machine and AI identities have exploded where machine: human ratio is ~**50:1** – yet risks from machine identities remain largely unmanaged. Deepfake and AI-assisted phishing have increased success rates. _The perimeter hasn\u2019t disappeared; it\u2019s multiplied._\\n\\nBuilt inside Qualys ETM,**Qualys ETM Identity** converts identity posture into a single risk language, correlating identities with asset context to close the most exploitable identity risks and operationalize risk reduction. It is the essence of modern risk operations and the first true quantification of the identity perimeter.\\n\\n\\n\\n## What Security Leaders Are Struggling With\\n\\n\\u003e \\u003e \\u003e _\\”_**_Most organizations already deploy IAM, IGA, PAM, ITDR, or AD assessment tools, yet identity-driven breaches persist_** _. \\”_\\n\\nThere are tools that validate access, not risk; govern provisioning workflows without business or asset context; protect credentials, but not the blast radius; detect anomalies, not root causes; visualize trust paths but lack continuous, correlated insight. These tools add more silos. Each tool solves a piece of the puzzle, but _none measure how identity exposure changes enterprise risk_.\\n\\nSecurity teams face a lack of unified visibility into identity risk, with fragmented telemetry that separates identity and asset risks into silos, ambiguous ownership, and valid login abuse that is difficult to detect. Additionally, posture drift**lacks an audit trail**.\\n\\nIn short, identity security today is where vulnerability management was a decade ago – rich in controls, poor in context. Even the most mature security programs are flying blind on identity risk. The controls exist, but the telemetry doesn\u2019t connect.\\n\\nAs a result, CISOs can\u2019t answer the simplest risk question: _**Which identities represent measurable loss potential?**_\\n\\nSecurity leaders aren\u2019t short on tools. They\u2019re short on measurable alignment between identity posture and business risk. Until that alignment exists, identity remains **the least quantified and most exploited attack surface** in the enterprise.__\\n\\n## Introducing ETM Identity\\n\\nETM Identity is the identity risk measurement and operationalization layer that makes those controls effective.\\n\\nETM Identity consolidates identity posture into a single risk score that correlates identities (human, service, machine, AI) with asset exposure to prioritize what makes a business impact and operationalize identity risk management for reducing identity-driven attack surface. ETM Identity expresses identity exposure in TruRisk, correlates posture with threat intel, maps attack paths and domain trust, and then operationalizes risk reduction through closed-loop actions and auto-rescoring.\\n\\n### **Measure Identity Risk**\\n\\nETM Identity discovers **human and machine identities** across AD, Entra ID, IdPs, IDaaS; unifies identity risk signals from Qualys Cloud Agent telemetry, native connectors, and third-party identity tools; and correlates with asset exploitability. ETM Identity turns identity exposure into one actionable per-identity score – **Identity TruRisk , **the same risk language that can be used alongside assets, vulnerabilities, misconfigurations across hosts, applications, cloud – now directories, identity providers and so on.\\n\\n### **Communicate Identity Risk******\\n\\nETM Identity transforms raw identity findings, identity insights (hygiene gaps, toxic privilege chains, misconfigurations) and attack path analysis (lateral routes, domain\/forest trust maps) into a shared risk score, aligned with enterprise risk operations. **Identity TruRisk** correlates with Asset TruRisk and rolls up to Org TruRisk, communicating board-ready metrics on _what changed, why it mattered, and how much risk was reduced_. ETM Identity creates an identity posture that\u2019s measurable, reportable, and explainable, bridging the gap between security engineers, auditors, and executives with a single risk language.\\n\\n### **Eliminate Identity Risk**\\n\\nMeasurement without elimination is just observation. ETM Identity operationalizes reduction through **risk response orchestration** , translating findings into verified, automated action. It integrates with ServiceNow and Jira to open, track, and close remediation tickets; executes over 200 AD policy controls, patches, and ready-to-run automation scripts; and performs one-click identity-aware actions. Additionally, it automatically validates closure and creates measurable before\/after deltas for TruRisk, ensuring accurate scoring. When patching isn\u2019t feasible, it applies compensating controls \u2014 such as policy hardening, conditional-access updates, or containment \u2014 to reduce exploitability immediately.\\n\\nWith ETM Identity, the enterprise can **measure what matters, communicate it credibly, and eliminate what\u2019s exploitable, all within one platform and one risk language.**\\n\\n* * *\\n\\n* * *\\n\\n## Key Capabilities \u2014 Built to Measure, Communicate, and Eliminate Identity Risk\\n\\n * **Comprehensive Identity Inventory – **Discovers human, service, and machine\/non-human identities across AD, Entra ID, Okta and other IdP, IDaaS systems; maps owners, life-cycle state, entitlements, and change history.\\n\\n\\n\\n\\n\\n * **Unified Identity Risk View – **Consolidates identity risk signals from Qualys Cloud Agent, native identity connectors, and 3rd-party tools (IGA, PAM, ITDR, AD assessors like BloodHound, SailPoint, etc.), unifying identity posture with endpoint, workload, and network telemetry.\\n\\n\\n\\n\\n\\n * **Attack Path Analysis \\u0026 Domain Trust Map -** Visualize hidden relationships inside AD, see blast radius with toxic privilege combinations, choke points, and rank exploitable paths by TruRisk. The Domain Trust Map surfaces lateral movement routes across domains\/forests\/tenants to identify easy pivots. \\n\\n\\n\\n\\n\\n * **Identity Insights – **Flags weak password policies, plaintext credentials, stale\/admin rights, excessive permissions, risky OAuth consents, and ADCS misconfigurations. Targets the \u201cneed of the hour\u201d: AD hardening, service-account risk (e.g., Kerberoasting), and certificate abuse vectors for high ROI fixes that rapidly shrink the blast radius.\\n\\n\\n\\n\\n\\n * **Identity TruRisk – **Quantifies per-identity risk from aggregated misconfigurations, excessive privileges, vulnerabilities, and IOR, correlates with asset exposure (internet-facing, vuln\/KEV proximity), and rolls up to Asset TruRisk and Org TruRisk. It provides one risk language for ROC, SecOps, and the executive board.\\n\\n\\n\\n\\n\\n * **Risk Response Orchestration \u2013** Executes **200+ policy controls for AD** , out-of-the-box automation scripts, patch, mitigate or isolate, automates one-click identity actions (enforce MFA, de-privilege, disable\/quarantine, remove toxic rights). It integrates ITSM workflows for **ServiceNow\/Jira** ticketing with evidence, approvals, and auto-rescore on closure. \\n\\n * **Agent Grant, an agentic AI coworker for identity security – **Built on the Qualys Agentic AI fabric, Agent Grant is a pre-built Cyber Risk Agent specialized for ETM Identity. It continuously maps identities, flags toxic privilege chains and AD to cloud attack paths, and then executes next-best actions, including opening\/advancing ServiceNow or Jira tickets, prompting MFA enforcement, de-privileging, or quarantining risky accounts while capturing evidence and re-scoring Identity TruRisk. Agent Grant benefits from 25+ threat intel feeds, Cloud Agent telemetry, and CMDB business context inside the Qualys Enterprise TruRisk Management (ETM), which can be tailored (or even cloned) for your workflows via the agent marketplace\/no-code builder.\\n\\n\\n\\n\\n\\n * **Compliance Mapping \\u0026 Audit Lineage – **Maps identity controls\/findings toDISA STIG (AD), CIS M365**,** HIPAA\/PCI\/GDPR, etc. and maintains versioned change history (who\/what\/when\/where). Replaces screenshots with continuous, non-repudiable evidence; speeds audits and proves control effectiveness. \\n\\n * **Identity Integrity Monitoring – **Tracks configuration drift across AD, Entra\/Okta, and SaaS tenants; alerts on high-risk changes to policies, trusts, or entitlements.\\n\\n\\n\\n\\n\\n## The Next Evolution of Qualys ETM (and Your Stack)\\n\\nEvery security team says the same thing today: \u201cWe have identity tools, but we still don\u2019t know which identities actually matter.\u201d That\u2019s the heart of the problem ETM Identity was built to solve. ETM Identity is how Qualys extends its risk operations DNA to the identity perimeter, giving you a unified and auditable view of cyber risk across people, machines, and systems.\\n\\nInside the Qualys Enterprise TruRisk Management (ETM) platform, ETM Identity becomes another high-fidelity, first-class telemetry source. Qualys ETM unifies asset, vulnerability, configuration, and now identity exposure under TruRisk so ROC teams can make trade-offs with evidence. It correlates identity findings and asset exploitability and then rolls up those findings into the single TruRisk score that fuels your Risk Operations Center. It\u2019s also deeply integrated. Qualys Cloud Agent data, threat intelligence from 25+ feeds, business context from CMDB and Business Entities – all converge to create one view of exposure. Whether the risk stems from a vulnerable workload, a stale admin, or a misconfigured trust path, it\u2019s visible, correlated, and prioritized.\\n\\nPlus, it fits neatly into what you already have. Qualys ETM Identity doesn\u2019t replace your existing IAM, IGA, or PAM stack – it connects them. ETM Identity ingests from AD, Entra ID, Okta, and third-party tools like PingCastle, BloodHound, and SailPoint, ensuring your existing investments keep working, now with a measurable ROI.\\n\\n\\n\\n**Why it matters**\\n\\n * Identity exposure is quantified in the same units as vulnerabilities and misconfigurations, so you can choose the _highest risk-reduction_.\\n * Instead of chasing alerts, teams follow a repeatable loop, proving reductions in MTTR.\\n * Non-repudiable change history and consistent roll-ups replace screenshots and spreadsheets.\\n\\n\\n\\nWhen you can measure risk across identities, assets, cloud, and applications in one model, prioritization stops being a guessing game. Because risk isn\u2019t about how many controls you have – it\u2019s about how well you can measure, communicate, and eliminate what truly drives business impact.\\n\\n_**Ready to see your identity perimeter in measurable terms?** **Explore** **how ETM Identity turns identity exposure into quantifiable insight.**_ \\n\\n\\n* * *\\n\\n**Discover how quickly identity risks can be eliminated from your environment when you have the right insight**.\\n\\nStart Your Free 30-Day Trial\\n\\n* * *”,”published”:”2025-10-15T14:10:00″,”modified”:”2025-10-15T14:10:00″,”type”:”qualysblog”,”title”:”Qualys ETM Identity \u2014 The First True Quantification of the Identity Perimeter”,”source”:””,”references”:””,”id”:”QUALYSBLOG:AD525F487579C2E57652A4C2D3E22441″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.qualys.com\/category\/product-tech”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-15T18:53:47″,”description”:”Security has always been about controlling _who_ can do _what_ and _where_.\\n\\nIn 2025, that control is mediated entirely by **identity**. When an attacker \u201clogs in,\u201d…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,120,7,11,5],"class_list":["post-21953","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n