In this blog
Why Identity Is the Most Exploited Attack Surface in Your Environment
The Attack Techniques That Are Embarrassingly Common—and Devastatingly Effective
Why "Restore From Backup" Isn't the Same as Removing an Attacker for Good
How Rubrik and CrowdStrike Automatically Correlate and Revert Adversary Actions
When Rubrik and CrowdStrike took the virtual stage at this year's Cyber Resilience Summit (CRS), the conversation wasn't about the newest threat vector or the flashiest attack technique. It was about something more fundamental: identity. Why, even in the age of AI agents and cloud-native everything, is Active Directory still one of the most dangerous attack surfaces in your environment?
The session, "Flag It, Fix It: Closing the Loop on Identity Attacks with Rubrik & CrowdStrike," surfaced a truth that security teams already feel in their bones but rarely say out loud: detecting a threat and recovering from one (including eviction) are two entirely different problems. And for too long, organizations have solved only one of them.
Why Identity Is the Most Exploited Attack Surface in Your Environment
Here's a stat that should stop you mid-scroll: 90% of IT and security leaders agree that identity-based attacks are a top cyber threat. And roughly 52% of attacks involve initial access, with credentials and identities bought and sold on the dark web for as little as a few dollars.
The irony is that most of this exposure isn't the result of sophisticated zero-days. It's the result of misconfiguration: over-provisioned accounts that haven't been audited since someone got promoted four years ago, or the absence of Multifactor Authentication (MFA) on accounts that have no business going unprotected. Or MFA fatigue (push bombing), a strikingly effective technique where an attacker who already holds a valid password bombards the user with push notifications until they give in and approve one. It is sobering how often that works.
And now, just as organizations are grappling with that baseline hygiene gap, the agentic era is multiplying the problem. Every AI agent spun up to help a team move faster is its own identity, with its own access, its own blast radius, and its own potential for exploitation. The perimeter isn't just expanding. It's becoming fluid.
The Attack Techniques That Are Embarrassingly Common—and Devastatingly Effective
What made this CRS session distinctive wasn't the problem statement. Security practitioners have heard the identity pitch many times. It was the demonstration of what a closed-loop response actually looks like in practice.
CrowdStrike provides the signal. When its Falcon platform detects suspicious domain replication (a request for directory replication from something that isn't a domain controller), a behavioral mismatch, or anomalous activity tied to a service account, say an svc_sql account that's suddenly a member of the Enterprise Admins group, that detection doesn't just sit in a queue. It gets shared with Rubrik, along with the full timeline of the attack.
This is where things get interesting. Traditionally, when a security team confirms a compromised identity, the recovery process means dumpster diving through your Security Information and Event Management (SIEM)—manually identifying every action the threat actor took, correlating those actions against the known attack timeline, and then painstakingly unpicking each one by hand. It's slow, it's error-prone, and it's exactly the kind of work that stretches a two-hour incident into a two-day ordeal.
Rubrik drastically reduces this manual effort by taking the attack timeline directly from the CrowdStrike alert and correlating every action taken by the compromised identity. No manual hunting. No piecing together a picture from fragmented logs. You get a clear view of what happened, select the changes you want to undo, and click “Revert.” Rubrik handles the rest.
Why "Restore From Backup" Isn't the Same as Removing an Attacker for Good
It's worth being explicit about what a full recovery means. The instinct when an identity system is compromised is to concentrate on backup and restore. But that undersells what's actually happening and misses the most dangerous part of any identity attack: adversary persistence.
Attackers don't just break in. They embed. They create backdoor accounts, modify group memberships, adjust permissions, and establish footholds designed to survive a basic recovery. A traditional restore brings your environment back to a point in time. If the attacker's persistence mechanisms were already in place before that snapshot, you've restored them too. And rolling back far enough to predate the intrusion, which is often days or weeks before detection, throws away every legitimate change made since.
What Rubrik and CrowdStrike make possible is the full removal of adversary persistence. The integration between the two companies surfaces the specific actions tied to a specific attack timeline, so you're not just rolling back to a previous state. Instead, you're surgically removing exactly what the attacker did, while preserving every legitimate change that happened around it. The business keeps moving. The attacker doesn't get to stay. The scope of what gets reverted is the scope of the correlated timeline, so the quality of the detection, including whether it caught every identity the attacker used, still matters.
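As an added example (not Rubrik's or CrowdStrike's code, and not a description of how their integration works internally), the Python below models both halves described above: the detection-to-correlation flow (flag a privileged-group change, then pull every action the compromised identity took inside the alert window) and the difference between a point-in-time restore and a surgical revert. The event IDs are real Windows Security event IDs (4728 member added to a security-enabled global group, 4720 user account created, 4738 user account changed); the account names, group names, timestamps and the simulated directory are constructed for the example.

```python
"""Added example: correlate a compromised identity's changes from an alert
window and revert only those, keeping legitimate changes. All names and
events are constructed; the directory is a simulation, not a real AD."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int                  # 4728 group add, 4720 account created, 4738 account changed
    actor: str                     # SubjectUserName: who made the change
    target: str                    # account that was changed
    group: Optional[str] = None    # 4728 only
    attr: Optional[str] = None     # 4738 only
    old: Optional[str] = None
    new: Optional[str] = None


def at(hhmm: str) -> datetime:
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed log: adm_jsmith is the compromised identity (hypothetical),
# helpdesk01 is a legitimate admin working the same night.
EVENTS = [
    Event(at("02:05"), 4728, "adm_jsmith", "svc_sql", group="Enterprise Admins"),
    Event(at("02:20"), 4720, "adm_jsmith", "svc_backup2"),                 # backdoor account
    Event(at("02:30"), 4728, "helpdesk01", "jdoe", group="Finance"),       # legitimate
    Event(at("02:45"), 4738, "adm_jsmith", "svc_backup2",
          attr="passwordNeverExpires", old="False", new="True"),
    Event(at("03:15"), 4720, "helpdesk01", "nhire"),                       # legitimate
    Event(at("03:20"), 4738, "adm_jsmith", "svc_sql",
          attr="description", old="SQL service", new="SQL service - do not modify"),
    Event(at("03:40"), 4738, "helpdesk01", "svc_sql",                      # legitimate, later
          attr="description", old="SQL service - do not modify", new="SQL service (db01)"),
]


def initial_directory() -> dict:
    return {
        "accounts": {"svc_sql": {"enabled": True, "description": "SQL service"},
                     "jdoe": {"enabled": True}, "adm_jsmith": {"enabled": True},
                     "helpdesk01": {"enabled": True}},
        "groups": {"Enterprise Admins": set(), "Finance": set()},
    }


def apply(directory: dict, ev: Event) -> None:
    """Replay one event onto the simulated directory."""
    if ev.event_id == 4728:
        directory["groups"].setdefault(ev.group, set()).add(ev.target)
    elif ev.event_id == 4720:
        directory["accounts"][ev.target] = {"enabled": True}
    elif ev.event_id == 4738:
        directory["accounts"][ev.target][ev.attr] = ev.new


def state_at(events, until: datetime) -> dict:
    d = initial_directory()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts <= until:
            apply(d, ev)
    return d


def flag_privileged_group_adds(events, approved_admins: set) -> list:
    """Detection: Tier-0 group additions of accounts not on the approved list."""
    return [ev for ev in events if ev.event_id == 4728
            and ev.group in PRIVILEGED_GROUPS and ev.target not in approved_admins]


def correlate(events, identity: str, start: datetime, end: datetime) -> list:
    """Every change the compromised identity made inside the alert window."""
    return sorted((ev for ev in events if ev.actor == identity and start <= ev.ts <= end),
                  key=lambda e: e.ts)


def point_in_time_restore(events, snapshot_ts: datetime) -> dict:
    """A classic restore: whatever the directory looked like at snapshot time."""
    return state_at(events, snapshot_ts)


def surgical_revert(current: dict, attacker_events) -> tuple:
    """Undo only the attacker's changes, newest first, on a copy of the current
    state. Returns (new_state, events that need a human decision)."""
    d = deepcopy(current)
    needs_review = []
    for ev in sorted(attacker_events, key=lambda e: e.ts, reverse=True):
        if ev.event_id == 4728:
            d["groups"].get(ev.group, set()).discard(ev.target)
        elif ev.event_id == 4720:
            d["accounts"][ev.target]["enabled"] = False   # disable, keep the object as evidence
        elif ev.event_id == 4738:
            acct = d["accounts"][ev.target]
            if acct.get(ev.attr) == ev.new:
                acct[ev.attr] = ev.old
            else:
                needs_review.append(ev)                   # legitimately changed since; don't clobber
    return d, needs_review
```

The point-in-time restore at 03:00 keeps svc_sql in Enterprise Admins and keeps the backdoor account (both were in place before the snapshot) while losing the new-hire account created at 03:15. The surgical revert removes the group membership, disables the backdoor, restores the attribute the attacker flipped, and leaves both legitimate changes intact; the description attribute, which a legitimate admin rewrote after the attacker touched it, is handed to a human rather than blindly reset.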
How Rubrik and CrowdStrike Automatically Correlate and Revert Adversary Actions
One of the most resonant moments in the CRS session was the acknowledgment that detection teams and recovery teams often don't share the same tools, workflows, or even the same language. A Security Operations Center (SOC) analyst who identifies a compromised identity has to get that information to the Identity and Access Management (IAM) team, who has to coordinate with IT Ops and make recovery decisions—often under pressure and without full context.
The Rubrik-CrowdStrike integration addresses that coordination failure directly. When CrowdStrike telemetry and Rubrik's correlated action timeline are surfaced in the same workflow, both teams are working from the same picture. That's not a small thing. In a live incident, shared context and a single trusted source of truth is the difference between a two-hour recovery and a two-day one.
As Chris Kachigian from CrowdStrike put it at CRS: "Security is a team sport and I think we're not going to win and beat the adversary unless we work together. They've proven they can work together and collaborate, sometimes more effectively than enterprise teams can."
What's Next: Going Deeper at FORWARD
Cyber Resilience Summit was the conversation. FORWARD is where it becomes real.
At Rubrik's in-person user conference, you'll have the opportunity to go deeper on everything surfaced at CRS—identity resilience, the Rubrik-CrowdStrike integration, and what it actually looks like to operationalize recovery at the speed of an attack. You'll hear directly from practitioners who've closed this loop in their own environments, and you'll get hands-on time with the product capabilities that make it possible.
If the question CRS raised for you was "How do we actually do this?" FORWARD is where you get the answer.
Missed the CRS session? You can watch "Flag It, Fix It: Closing the Loop on Identity Attacks with Rubrik & CrowdStrike" on demand.
Any unreleased services or features referenced in this document are not currently available and may not be made generally available on time or at all, as may be determined in our sole discretion. Any such referenced services or features do not represent promises to deliver, commitments, or obligations of Rubrik, Inc. and may not be incorporated into any contract. Customers should make their purchase decisions based upon services and features that are currently generally available.