The shift from service principals to user-based service accounts feels like progress until you realise what it actually means.
Now your automated workloads authenticate like humans. Same MFA exemptions. Same session lifetimes. Same inherited group memberships nobody audits.
We didn't solve the identity sprawl problem. We renamed it.
Automatic attack disruption sounds like the dream. Isolate the device. Contain the threat.
But what if the compromised identity has already traversed three trust boundaries before the device gets flagged?
The device is one node. The identity is the path.
Disrupting the endpoint doesn't disrupt the graph.
Something I keep coming back to.
Techniques change. Phishing, AiTM kits, poisoned pipelines. The vector shifts every quarter.
But the graph stays. The relationships, the trust chains, the inherited permissions. That structure is the constant underneath all the noise.
I think defending the graph matters more than chasing techniques. But I'm curious. Where do you spend most of your defensive energy?
I've started wondering if "defence-in-depth" sometimes becomes "defence-in-debt."
60 Conditional Access policies. DPAPI keys nobody tracks. Certificate templates granting enrollment to Domain Users.
Layer after layer, but each one carrying its own unaudited risk.
Does anyone else feel like depth without visibility is just complexity in disguise?
@merill@opencode Hi Merill, perhaps unrelated, but what would you suggest as an open-source LLM inside Azure to avoid eating up all the AI Builder credits? Trying to move fast, but builder credits keep running out on me :p
There's a scheduled task on a Tier-1 server I found recently. Running as Domain Admin.
Created in 2021. The person who made it left the company two years ago. Nobody reviewed it. Nobody questioned it.
It's a servant door. Quietly holding open a path nobody's watching.
How many of these do you think exist in your environment right now?
Something I've been thinking about.
Most SOC analysts live in Kusto. Not Cypher. So when someone rebuilt BloodHound's queries in KQL for Sentinel, it felt like meeting defenders where they already are.
I think that's the pattern worth copying. Don't ask people to learn a new language. Bring the insight to their existing workflow.
What tools have you seen succeed because they met people where they already work?
An AI agent completed a 32-step corporate network attack in hours.
It didn't need zero-days. It walked through open doors. Misconfigured delegations, stale credentials, inherited permissions.
I think the uncomfortable part isn't that AI can hack. It's that the paths were already there waiting.
What's your take? Are we building for AI-speed adversaries yet?
"Apply security updates and try Cyber Essentials."
That's what AISI recommended after an AI agent compromised a corporate network in hours.
I wonder if we're past the point where patching alone is a credible response to structural identity problems.
What do you think? Is this guidance keeping pace with the threat?
I keep finding permissions granted in 2019 that nobody's reviewed since.
Tier 0 access inherited through nested groups. Service accounts with Domain Admin that outlived the project they were built for.
It's not malice. It's just time doing what time does to access.
Anyone else doing regular access archaeology on their environment? What's the oldest permission you've found still active?
@martinsohndk@BSidesAarhus Love this, man! Looking forward to putting some time aside to give this a proper read!
Where would you suggest someone starts if they had only 15 mins to go through the highlights?
I sat across from a CISO once. Fully patched. MFA everywhere. Logs shipping beautifully.
Then we showed them the graph. One path from helpdesk to Domain Admin through nested group memberships nobody had audited in years.
It's like an X-ray that shows a problem you didn't know you had.
How many of you have run that exercise on your own environment?
@JohnLaTwC Thank you for sharing!
Which query sets would you say are most valuable for someone starting to dive into this world to understand it better?