How BeyondTrust detects privilege escalation and dark web threats
Overview
In this episode of DEMO, host Keith Shaw sits down with Morey Haber, Chief Security Advisor at BeyondTrust, to explore a powerful new platform: Identity Security Insights. As cyberattacks increasingly target identities—whether human or machine—companies need deeper visibility into their identity fabric.
Morey walks us through a live demo of the tool, showing how it helps organizations detect misconfigurations, privilege escalation paths, and even compromised credentials circulating on the dark web. The platform’s risk assessment — free for new users — offers a fast, comprehensive snapshot of your identity posture, while its real-time analytics provide continuous threat detection and security hygiene recommendations.
Watch the full video or read the professionally edited transcript below to learn how BeyondTrust is transforming identity security for today’s complex environments.
Transcript
Keith Shaw: Hi everybody, welcome to DEMO, the show where companies come in and show us their latest products and services. Today, I'm joined by Morey Haber, the Chief Security Advisor at BeyondTrust. Welcome to the show, Morey!
Morey Haber: Keith, thank you for having me today.
Keith: So tell us a little bit about BeyondTrust, and then what you're going to show us on DEMO today.
Morey: BeyondTrust is the leader in identity security and Privileged Access Management solutions. Today, we're going to cover a product called Identity Security Insights.
Keith: So who in the company is this designed for? I would imagine you've got security involved in this and identity, so the security teams are going to be most interested. But are there others in the company who would benefit?
Morey: Yes, there are two primary audiences that benefit from this type of solution. The first is the security team itself — those concerned with identity-based attacks and maintaining proper identity hygiene in the environment.
The second is the identity and access management team — those responsible for governance, access control, single sign-on, and so on — who are focused on misconfigurations or poorly integrated technologies. Identity Security Insights really focuses on all of these.
Keith: And the main problems that Identity Security Insights is solving — is it based on identity threats? Are companies seeing more of these attacks on the rise? How are you helping companies with these problems?
Morey: Yes, 90% of today's attacks have an identity-based component. What we're solving for is identity fabric security. When you think about an identity fabric, you're talking about all of the plumbing and interactions within your IAM inventory — identity providers, PAM solutions, single sign-on, multifactor authentication.
Instead of relying on partial solutions that say, "Here's an event," or "MFA wasn't used there," we offer a holistic solution that looks at everything — from PAM to SSO to IDPs and authentication — and helps detect and recommend security improvements.
There are two key contexts here: detection and recommendation. Detection is like a vulnerability assessment — identifying hygiene issues. Recommendations are real-time observations: What’s going wrong? How are users interacting? The solution provides visibility into both.
Keith: I think you just answered my next question: What would companies be doing if they didn't have this? Sounds like many would be relying on siloed point solutions that aren’t well integrated. I heard the word "holistic" — so this is more of an all-in-one approach?
Morey: Right, that is correct. It’s a bit of a unicorn because it brings all that data together — far beyond what a traditional SIEM or analytics platform can do. It even gives you visibility into concepts like “paths to privilege,” which we'll talk about in a moment.
Keith: All right, let’s get into the demo. Show us some of the key features of the product.
Morey: Sure. We're going to log into the BeyondTrust Pathfinder platform. It’s a centralized location with role-based access and reporting across all BeyondTrust solutions. For this demo, we’re focusing on Identity Security Insights.
When you log in, you're greeted with a dashboard: how many identities are in your environment, detections and recommendations, and what we call “escalation paths” — ways an account could be abused to gain root or domain admin access.
You’ll see components like high-risk accounts, an Identity Security Risk Assessment (we’ll talk about that later), and the individual threats facing the organization. Let’s look at identities. We use proprietary algorithms — there’s some AI behind the scenes — to aggregate accounts and associate them with actual owners.
The system can tell if an account is human or machine, and whether behavior matches expectations. For example, if a machine behaves like a human, or vice versa, the system flags that. Let’s look at a specific user — her name is Amy.
She has a poor profile in terms of threats, entitlements, and detections. The tool maps her “path to privilege” — a pathway where her compromised accounts could escalate to domain admin. This type of analysis isn’t trivial.
You need data from your IDPs, run-time behavior, and the IAM infrastructure to build that map. It tells you which accounts could be leveraged for a full-blown compromise.
Keith: Got any other features you want to show?
Morey: I absolutely do. Let’s return to the dashboard and look at Detections.
These flag runtime anomalies — like spray attacks, unauthorized changes in Okta, etc. — with full details and automation options for remediation. Then there’s Recommendations. These highlight hygiene issues — like misconfigurations or places where best practices aren’t followed — and help harden the environment.
Keith: Before the show, we talked about AI agents. Are you seeing more of these entering systems and causing problems? Do they behave differently from standard machine identities?
Morey: They do, and that’s where our narrow AI capabilities come in. When an AI compromises an identity — machine or human — the behavior patterns change. Whether it’s keystroke logging, timing anomalies, or other signals, we can detect that kind of infiltration.
Keith: Was there anything else you wanted to show? I think there was one more feature.
Morey: Yes — two key things. First, the “path to privilege” concept I mentioned helps understand an account’s true privilege. Second, we have the Identity Security Risk Assessment. This is a free assessment available to anyone.
It takes about 24 hours to deploy and identifies hygiene issues in your identity infrastructure — flaws, risky accounts, remediation needs, and so on. It’s like a traditional vulnerability assessment, but for identities.
We support a wide range of connectors — IDPs, SSO, PAM — and the assessment shows where you're exposed, what your risks are, and even if credentials from your environment are found on the dark web. It offers a health check of your entire identity landscape and continuous monitoring afterward.
Keith: What are the most common issues you find in these assessments? I don’t want to say “vulnerabilities,” but what are the biggest problems?
Morey: Often, the biggest issues are credentials exposed on the dark web. You can’t always tell if the password’s the same, but the risk is high. We also find many misconfigurations and lack of MFA, especially for privileged accounts.
We’ve even spotted signs of session hijacking — commands being executed without prior authentication. The list is long, but the dark web credentials are usually the biggest surprise.
Keith: When companies get that risk assessment, are they surprised by the recommendations?
Morey: Yes — sometimes the findings are just basic misconfigurations, but sometimes we uncover active breaches. Some clients think they’ll fix the issues and be done, but the truth is, the risk assessment is just a snapshot. Environments change.
That’s why the continuous detections and recommendations are critical — both for hygiene and real-time threat detection.
Keith: So the risk assessment is free. Where can people go for more information or to get started with a trial?
Morey: Visit us at beyondtrust.com. You'll see the free risk assessment right on our landing page. Sign up and someone will contact you within 24 hours. The setup takes about a day using read-only connectors.
If you want to keep using the solution after that, it can be converted into a full license — but even if you don’t, you’ll walk away with a full view of your identity environment and hygiene posture.
Keith: Great stuff. Morey Haber from BeyondTrust, thanks for being on the show and thanks for the demo.
Morey: You're very welcome. Thank you for having me today.
Keith: That’s going to do it for this week’s episode of DEMO.
Be sure to like the video, subscribe to the channel, and add any thoughts you have in the comments. Join us every week for new episodes of DEMO. I’m Keith Shaw — thanks for watching.