A credential shows up in a breach dump on Tuesday. Nobody uses it until Friday. For those three days the account is exactly as compromised as it will be during the attack itself, and almost nothing in the stack treats it that way.
Detection is built to wait for the login.
What Detection Waits For
Most identity defenses key on behavior. An impossible-travel sign-in, a new device, a session that drifts from baseline. All of it fires after someone authenticates. That's the right design for most threats, but it leaves a gap. The riskiest identities in the building, the ones whose passwords are already sitting in a public dump, look completely normal until the attacker moves. An attacker can buy the dump, wait for the noise to fade, and sign in clean weeks later. There's no anomaly in a valid login with a valid password. The behavioral alert, if it comes at all, arrives with the attack, not ahead of it.
Exposure Is a Signal on Its Own
The stretch between a credential leaking and its first use is the one window defenders hold the advantage, and most tooling ignores it. A password sitting in a breach corpus, unrotated since the leak, is worth acting on before any behavior confirms it. It should raise the identity's priority the day the dump lands, not the day the login finally looks strange. Pair that exposure with what's already known about the identity: its access and its normal patterns, and you can act inside the window instead of investigating after it closes.
Behavioral defense has always been about acting before the damage is done. The pre-login window is exactly where that thinking belongs next.
See the latest from Abnormal's product and engineering teams.
