Most identity attacks don’t begin with malware. They start with a valid credential — a misconfigured account, an over-privileged service identity, or stolen credentials that give an attacker a quiet way in. By the time anyone knows something is wrong, the attacker has already moved laterally through the environment and found their way to the thing that matters most: identity infrastructure.
When that infrastructure fails — whether from an attack, ransomware, or a cascading failure — the response tends to follow a familiar pattern. Restore from backup. Spend hours or days trying to figure out what’s actually clean. Attempt to rebuild a trusted environment while the business waits.
Robert Bobel, CEO of Cayosoft, describes this as disaster recovery theater. I sat down with him ahead of RSAC to understand what he thinks should replace it.
Active Directory Is Still the Target
Active Directory has been around long enough that some security teams treat it as a solved problem. Bobel doesn’t see it that way. And despite years of speculation about AD’s eventual replacement, it remains the core identity infrastructure for a large portion of organizations.
“I think Active Directory is showing its age,” Bobel said, “but I think you probably have another five to ten years on AD. The volume of people using it in the world, the integrations — people are still swiping door badges tied to Active Directory accounts. That’s going to take a long time to unwind.”
Microsoft is pushing Entra ID, and hybrid environments are increasingly common. But the migration is slow. In the meantime, AD remains a well-understood target — and the misconfigurations and over-privileged accounts that tend to build up inside AD environments over the years give attackers a lot of room to work.
Restore to What?
When an identity attack hits, the natural question is how quickly you can get back to normal. Bobel argues that’s not actually the first question. Before you can restore anything, you need to answer a harder one: restore to what?
If an attacker has been inside an environment long enough to compromise identity infrastructure, it’s not always clear when the compromise started. Restoring from a recent backup could mean restoring a compromised state. Determining what’s actually clean — forensics, analysis, identifying a trustworthy point-in-time — has to happen in real time, under pressure, while operations are disrupted. That’s the scenario Cayosoft is trying to help organizations avoid.
Bobel’s position is that recovery shouldn’t be something organizations figure out after an incident. According to Cayosoft, it should already be done before one occurs.
Shifting Recovery Left
Cayosoft’s approach, as Bobel describes it, involves continuously building and validating a known-good recovery environment rather than waiting for an incident to trigger the process. The idea is that when something does go wrong, the response is a cutover to an environment that’s already been tested and validated — not a rebuild from scratch under pressure.
The technical foundation is what Bobel calls observational change. “We take a baseline so we know what it looks like,” he explained. “Then we’re either polling or watching the change notification services to figure out how things are changing. So we get this layered history of change.”
That change history enables targeted rollback rather than all-or-nothing restores. Organizations can undo specific changes — to memberships, policies, permissions — without wiping and restoring the entire environment. “Microsoft provides undelete for users and groups, but they don’t have rollback of membership,” Bobel noted. “We’re providing probably the most detailed change history there is. You need to know who did it — it could be a service account, it could be a human.”
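A small model of the baseline-plus-change-history idea described above, as an added example that is not Cayosoft's code and does not come from the interview. It diffs constructed group-membership snapshots into a layered journal and undoes only one actor's changes. The group names, account names and the `actor` field are assumptions, and a real poller would have to take the actor from directory audit data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    seq: int      # poll cycle in which the change was observed
    group: str
    member: str
    action: str   # "add" or "remove"
    actor: str    # who made the change (assumed to come from audit data)

def diff_snapshots(seq, before, after, actors):
    """Compare two {group: set(members)} snapshots and emit Change records."""
    changes = []
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        for action, members in (("add", new - old), ("remove", old - new)):
            for member in sorted(members):
                who = actors.get((group, member), "unknown")
                changes.append(Change(seq, group, member, action, who))
    return changes

def rollback(current, journal, selector):
    """Undo only the journal entries matching selector, newest first."""
    state = {g: set(m) for g, m in current.items()}
    for ch in sorted(journal, key=lambda c: c.seq, reverse=True):
        if not selector(ch):
            continue
        members = state.setdefault(ch.group, set())
        if ch.action == "add":
            members.discard(ch.member)   # reverse an unwanted addition
        else:
            members.add(ch.member)       # restore a removed member
    return state

# Constructed sample data: a baseline and two later polls.
BASELINE = {"Domain Admins": {"alice"}, "Helpdesk": {"bob", "carol"}}
POLL_1 = {"Domain Admins": {"alice", "svc-backup"}, "Helpdesk": {"bob", "carol", "dave"}}
POLL_2 = {"Domain Admins": {"alice", "svc-backup", "mallory"}, "Helpdesk": {"bob", "dave"}}

def build_journal():
    journal = diff_snapshots(1, BASELINE, POLL_1, {
        ("Domain Admins", "svc-backup"): "svc-deploy", ("Helpdesk", "dave"): "hr-sync"})
    journal += diff_snapshots(2, POLL_1, POLL_2, {
        ("Domain Admins", "mallory"): "svc-deploy", ("Helpdesk", "carol"): "svc-deploy"})
    return journal

def undo_actor(actor):
    """Roll back every change attributed to one actor, keeping all others."""
    return rollback(POLL_2, build_journal(), lambda c: c.actor == actor)
```

Undoing `svc-deploy` here strips both privileged additions and restores `carol`, while the `hr-sync` addition of `dave` survives, which a full restore to the baseline would have discarded.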
The goal, according to Bobel, is that the recovery environment isn’t a contingency plan sitting on a shelf. It’s maintained and validated continuously so that cutting over is a straightforward operational decision rather than a crisis response.
Hardening the Environment Before the Attack
Part of Cayosoft’s argument is that the blast radius of an identity attack depends heavily on what compromised credentials can actually access. Bobel says that over-permissioned accounts — where privileges have accumulated over years without being reviewed or trimmed — are a significant part of what makes these attacks so damaging.
Cayosoft’s platform includes controls for restricting standing permissions on administrative accounts. “If somebody does compromise an administrator account, the impact is limited,” Bobel said, “because they don’t have the native standing permissions that attackers are going to want to use.”
Enforcing least privilege and continuously tracking changes won’t stop every attack. But Bobel’s case is that it shrinks the window an attacker has to operate in — and that a better-managed environment is also easier and faster to recover when it’s needed.
Non-Human Identities Are the Next Problem
The identity security conversation has historically centered on human users — usernames, passwords, phishing, shared credentials. Bobel thinks that framing is increasingly incomplete. AI agents, service accounts, and API integrations all operate with identity, often with significant permissions, and they don’t behave the way human users do.
“Whether it’s an agent off doing something on your behalf — inheriting your identity — or an agent running on its own as a separate identity, finding out what those things are doing and keeping an eye on them is a critical piece,” Bobel said. “Once you understand what’s normal, then you can start to look for what’s not normal.”
Cayosoft plans to extend its monitoring to non-human identity activity in the wake of RSAC 2026 — tracking what agentic identities are doing, what authorized the activity, and whether the behavior looks anomalous. “There are very few groups now providing that sort of visibility to people in IT,” Bobel said. He described non-human identities as one of the more significant near-term threats as AI becomes more embedded in enterprise environments.
What Cayosoft Announced at RSAC
Cayosoft came to RSAC 2026 with two announcements. The first was the expansion of its non-human identity monitoring — giving IT and security teams visibility into what AI agents and other automated identities are doing inside their Microsoft environments.
The second was a forensic advisory service, offered in partnership with an outside firm, that gives organizations access to an identity recovery specialist. When a potential breach occurs, that specialist can assess the Active Directory environment and help shape recovery and resilience planning.
Both announcements reflect the same underlying argument Bobel makes about how identity resilience should work: the organizations that recover fastest from identity incidents are the ones that did the preparation before anything went wrong — not just hardening and monitoring, but building and validating the recovery environment in advance so there’s something solid to cut over to when it’s needed.



