When Infostealer Frontiers Meet Identity-Centric Defense: Lessons from BSides SATX 2025
San Antonio was founded in 1718 around the Spanish mission, San Antonio de Béxar. This frontier crossroads was shaped by cultural collisions, strategic geography, and evolving defense paradigms. Over 300 years later, the home of the Alamo was the backdrop for security practitioners talking about other frontiers across the modern IT landscape, at BSides SATX 2025. This year marked the 12th edition of the event, which saw around 500 security professionals gather for a full day of workshops, villages, and three tracks of sessions from 32 talented speakers. Here are just a few highlights of this year's event.
Credentials Are Currency: Welcome to the Dark Market Exchange
Jonathan Gonzalez, AVP of Cyber Threat Intelligence at Synchrony, delivered "Your Info, Their Payday: A Look into the Infostealer Economy," where he explored the mechanics, scale, and consequences of the growing market around credential theft. What was limited to email trojans and clunky keyloggers in the early 2000s has evolved into a full-fledged cybercriminal economy, thriving on stolen logins, browser sessions, and digital identities. Today’s infostealers, such as Lumma and RedLine, operate with alarming speed and sophistication, bypassing multi-factor authentication and leveraging AI to separate usable data from noise. Jonathan broke down how credentials aren’t just stolen; they’re monetized, weaponized, and reused long after the initial breach.
The economics of stolen access are alarming. 88% of web app attacks involve compromised credentials, while over half of ransomware incidents begin with credentials harvested by infostealers. This isn't just a phishing problem. From builder kits that let low-skill attackers generate custom payloads, to forums that allow buyers to preorder logins for specific enterprises, it’s an access supply chain with specialized roles. These platforms operate with the efficiency of e-commerce, offering plug-and-play malware, support docs, customer service, and even trust ratings to avoid scams. It’s not chaotic; it’s organized crime with agile delivery.
Awareness alone will not keep your data safe in an environment where malware-as-a-service thrives and takedowns barely dent momentum. Jonathan outlined practical mitigations, ranging from inspecting outbound TLS traffic for exfiltration attempts to enforcing stricter MIME-type validation and disabling browser-based password storage at scale. Security teams need to understand the adversary’s playbook. Infostealers aren't just tools. They’re the infrastructure behind a thriving, persistent, and fully automated attack economy that turns your overlooked credentials into someone else’s payday.
Detection With Free and Open Source Tools Takes Tuning
"My Cyber Sense Is Tingling! Detection Engineering With Free Tools," from Matthew Gracie, Senior Engineer at Security Onion Solutions and Founder of BSides Buffalo, explored how defenders can build effective detection strategies without spending enterprise-sized budgets. The session centered on maximizing open-source solutions, such as Security Onion, to turn raw telemetry into actionable insights. He laid out a pragmatic approach to cyber threat intelligence, explaining that the real power lies not in vendor dashboards but in understanding what adversaries actually do once they’re in your network.
Matthew emphasized that threat intelligence should extend beyond simply hunting for indicators, such as IP addresses or hashes. Using frameworks like MITRE ATT&CK and real-world reports from ISACs, defenders can identify tools, tactics, and procedures that tell a deeper story about attacker behavior. Detection engineering, he argued, is not about chasing yesterday’s indicators but building systems to recognize today’s methods in context.
Security Onion is more than just a free toolkit. It is a full suite for network and host visibility, integrated with tools like Zeek and Suricata to surface meaningful events. It combines detection rules written in YARA or Sigma with a workflow for tuning alerts. Detection doesn’t need to be expensive to be effective, but it does need to be intentional. For teams willing to invest time rather than dollars, the tooling is out there, and it is ready to scale.
Security For AI vs Automation
Ryan Rosado, Manager at RSM and Teaching Assistant with Harvard Extension School, led "Your AI-Cybersecurity Crash Course," where she explored how rapidly evolving artificial intelligence is creating both opportunities and existential challenges for security teams. From the origins of AI in the 1950s to today's GPT-driven tools, Ryan walked through a landscape that has shifted from rule-based automation to decision-making systems capable of generating entirely new content. Ryan told us, "AI will not replace you, but refusing to engage with it might." Security professionals who fail to adopt and understand AI risk being left behind as the pace of innovation outstrips traditional defenses.
Automation follows strict rules, like routing a form based on its metadata. AI, on the other hand, learns patterns and makes predictions based on massive datasets. The difference may seem academic, but in practice, it is the difference between detecting a threat and responding to one in real time. Understanding neural networks, deep learning, and the transformers that power large language models is not just a matter of curiosity. It is a requirement for defending against adversarial AI, model poisoning, and hallucinated outputs that can create operational risk in subtle but significant ways.
The cybersecurity community must begin treating AI not just as a new tool, but as a new environment. The attack surface now includes training pipelines, inference APIs, and even the energy-hungry hardware that powers them. Ryan pointed to frameworks like MITRE ATLAS as critical starting points for modeling AI threats and understanding how generative systems can be manipulated or misused. At the same time, defenders must adapt their skills to work alongside domain experts and mathematicians who design these systems. Securing AI is not just about hardening endpoints or scanning for vulnerabilities. It is about learning the landscape of the models themselves.
The Periodic Table of Identity: Organizing IAM Without Losing Your Mind
In "Identity and Access Management (IAM) – How It All Fits Together," Pete Babcock, IAM Architect at USSA, walked us through what a fully realized Identity and Access Management program actually looks like in practice. He explained the model he has seen successful teams use to align their policies, risks, and processes into something sustainable. He said to think of it like the periodic table, but for identity. Each element represents a core function from onboarding and authentication to access review and metadata cleanup. The real value came from seeing how all these components interconnect, not as isolated tools, but as an integrated system that defines how digital identities live and operate across an enterprise.
Pete reminded the audience that it starts with the basics: understanding your legal obligations, partnering with legal and HR, and setting clear policies. You can’t manage access if you don’t know who your identities are, what systems they touch, and what those accounts are actually allowed to do. He stressed the importance of differentiating between identities and accounts, as well as managing each lifecycle with purpose. When someone joins, moves, or leaves, access must adapt accordingly. That means putting people in the right roles, limiting toxic combinations of entitlements, and ensuring no one can both request and approve their own privileges. In short, IAM is not just about granting access. It is about continuously verifying that access remains appropriate.
The session closed with a deep dive into authentication strategies, from good old-fashioned passwords to federated login and just-in-time access controls. Pete walked through the mechanics of session management, authenticator lifecycles, and privileged session monitoring. He reinforced that authentication is not a one-time checkpoint, but part of a broader policy engine that must be context-aware and resilient. Whether through SSO, MFA, or runtime authorization policies, the goal is to ensure that the right person receives the right access at the right time, and that someone is monitoring when they do. As enterprises evolve, the IAM model must evolve too. Pete’s framework gives teams a foundation to build on without getting lost in the complexity.
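The pieces Pete described fit together more clearly in code than in a periodic table. The model below is an added example, not Pete's framework or any vendor's product: it separates an identity from the accounts it owns, runs joiner/mover/leaver events, refuses role assignments and just-in-time grants that would create a toxic combination, blocks a requester from approving their own privilege, expires JIT grants automatically, and runs the access review that catches an account re-enabled behind the lifecycle's back. The role names, entitlements, toxic pairs and people are all constructed for the example.

```python
"""Identity vs account, JML lifecycle, toxic combinations, self-approval and JIT grants."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Entitlement pairs one identity must never hold at the same time (constructed).
TOXIC_PAIRS = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"prod.deploy", "prod.approve_change"}),
}
# Business roles and the entitlements they carry (constructed).
ROLE_ENTITLEMENTS = {
    "engineer": {"repo.write", "ci.run"},
    "sre": {"repo.write", "prod.deploy"},
    "change_manager": {"prod.approve_change"},
    "ap_clerk": {"ap.create_vendor"},
    "ap_manager": {"ap.approve_payment"},
}


class IamPolicyError(Exception):
    """Raised when a change would violate the IAM policy."""


@dataclass
class Account:
    """A login on one system; an identity usually owns several of these."""
    system: str
    username: str
    enabled: bool = True


@dataclass
class Identity:
    """The person or workload behind the accounts, with its roles and temporary grants."""
    ident: str
    roles: set = field(default_factory=set)
    accounts: list = field(default_factory=list)
    jit_grants: dict = field(default_factory=dict)  # entitlement -> expiry datetime


def effective_entitlements(identity, now):
    """Role-derived entitlements plus just-in-time grants that have not expired."""
    ents = set()
    for role in identity.roles:
        ents |= ROLE_ENTITLEMENTS[role]
    ents |= {e for e, expiry in identity.jit_grants.items() if expiry > now}
    return ents


def toxic_combinations(ents):
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= ents)


def _enforce_no_toxic(identity, proposed):
    combos = toxic_combinations(proposed)
    if combos:
        raise IamPolicyError(f"{identity.ident}: toxic combination {combos}")


def joiner_or_mover(identity, new_roles, now):
    """Joiner sets initial roles; mover replaces them, so access that no longer fits is dropped."""
    proposed = set()
    for role in new_roles:
        proposed |= ROLE_ENTITLEMENTS[role]
    live_jit = {e for e, expiry in identity.jit_grants.items() if expiry > now}
    _enforce_no_toxic(identity, proposed | live_jit)
    identity.roles = set(new_roles)


def leaver(identity):
    """Leaver strips roles and grants and disables every account the identity owns."""
    identity.roles.clear()
    identity.jit_grants.clear()
    for acct in identity.accounts:
        acct.enabled = False


def request_jit(identity, entitlement, approver, now, ttl=timedelta(hours=1)):
    """Time-boxed elevation: a separate approver, no toxic result, automatic expiry."""
    if approver.ident == identity.ident:
        raise IamPolicyError("requester may not approve their own privilege")
    _enforce_no_toxic(identity, effective_entitlements(identity, now) | {entitlement})
    identity.jit_grants[entitlement] = now + ttl


def access_review(identities, now):
    """Periodic review: toxic combinations, and enabled accounts with no role behind them."""
    findings = []
    for ident in identities:
        for combo in toxic_combinations(effective_entitlements(ident, now)):
            findings.append((ident.ident, "toxic-combination", combo))
        if not ident.roles:
            for acct in ident.accounts:
                if acct.enabled:
                    findings.append((ident.ident, "orphan-account", (acct.system, acct.username)))
    return findings


def demo():
    """Walk one identity through join, move, JIT and leave; return what each check decided."""
    now = datetime(2025, 6, 14, 9, 0, tzinfo=timezone.utc)
    alice = Identity("alice", accounts=[Account("ad", "alice"), Account("github", "alice-dev")])
    bob = Identity("bob", accounts=[Account("ad", "bob")])
    joiner_or_mover(alice, {"engineer"}, now)
    joiner_or_mover(bob, {"change_manager"}, now)
    joiner_or_mover(alice, {"sre"}, now)  # mover: engineer -> sre, so ci.run is dropped
    results = {"alice_ents": effective_entitlements(alice, now)}
    try:
        request_jit(alice, "prod.read_logs", approver=alice, now=now)
    except IamPolicyError as err:
        results["self_approval"] = str(err)
    try:  # alice already holds prod.deploy, so approving changes would be toxic
        request_jit(alice, "prod.approve_change", approver=bob, now=now)
    except IamPolicyError as err:
        results["toxic_jit"] = str(err)
    request_jit(alice, "prod.read_logs", approver=bob, now=now)
    results["jit_now"] = "prod.read_logs" in effective_entitlements(alice, now)
    results["jit_later"] = "prod.read_logs" in effective_entitlements(alice, now + timedelta(hours=2))
    leaver(bob)
    bob.accounts[0].enabled = True  # re-enabled out of band; the review has to catch this
    results["review"] = access_review([alice, bob], now)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design choices worth copying are that every grant path (role assignment and JIT alike) goes through the same toxic-combination check, and that the review reads the accounts, not the roles, so an account someone re-enabled manually still surfaces as an orphan. Expiry is computed from a timestamp rather than a flag, so a grant cannot outlive its window even if nobody runs a revocation job.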
Defense Is a Process, Not a Perimeter
Across BSides SATX 2025, a striking realization echoed through every track: the idea of “initial access” is a dangerous simplification. Whether you’re dealing with infostealers, adversarial AI, or sprawling IAM frameworks, the real threat isn’t just the breach; it’s what happens after the breach. Today’s adversaries operate in loops, not lines. They don’t just get in once; they persist, escalate, monetize, and return. And yet, many of our defenses are still architected like moats, built to prevent, not to endure. Modern security must think less like a firewall and more like an immune system.
False Positives of Protection
There is a mismatch between what teams think they’ve secured and how attackers actually operate. Even when you have MFA, secure browsers, or endpoint detection in place, infostealers don’t care. They sidestep controls, exfiltrate quietly, and bypass traditional detections through encrypted channels and reused session tokens. Organizations often believe they've closed the loop on access control, but in reality, credentials live far longer, and more dangerously, than expected. The false sense of completion after a single containment action creates a dangerous vulnerability window.
A Shifting Cybercrime Supply Chain
Zooming out, it’s not just the tools that have evolved. The threat landscape itself has become industrialized. Adversaries now operate with scalable infrastructure, modular payloads, and AI-assisted triage capabilities. Infostealer kits and detection evasion tools are sold like software products, with slick GUIs and ongoing support. Meanwhile, AI introduces new surfaces, from poisoned models to hallucinated outputs, that defenders must now validate and secure. The scale, automation, and specialization seen across attacker ecosystems demand a complete rethink of what visibility, detection, and response should look like.
A Call for Integrated, Identity-Centric Defense
But there’s hope. IAM, when done right, is a living framework, not a checklist. From identity lifecycle management to privileged session oversight, it offers a roadmap for minimizing risk not just at login, but throughout an identity’s life. Similarly, properly tuned and maintained open-source detection ecosystems allow teams to evolve beyond static rules and move toward behavior-based visibility. The future isn’t about one perfect tool; it’s about layering practices that reinforce each other.
Shift from Event-Driven to Exposure-Driven Thinking
We need to stop defining success as “no breach.” Instead, we should ask: How long did it take us to detect? How fast did we remediate? Are we resilient if they come back tomorrow? The frontier is no longer at the login page. It’s in our telemetry pipelines, our identity graphs, and our ability to validate context continuously. Security, like biology, favors systems that can learn, adapt, and recover, not just resist.
The Frontier Isn’t Static
San Antonio’s 300‑year history reminds us that frontiers evolve: every innovation brings a new exploit, every crossing invites friction, and every line of defense is tested by opportunity. Today’s frontier is credential sets abused through malware, accelerated by AI, and defended through identity. We must understand how we got to where we are now and where we are going next.
Fitting in with that theme of looking back as we explore further, your author was proudly able to give two talks this year. One talk explored what the future of non-human identities will look like and how to secure it. The other was more reflective, sharing the lessons learned from building an exercise for AppSecVillage at DEF CON.
As defenders, the frontier challenge is to automate credential‑theft detection pipelines, integrate AI for faster triage, and embed JIT access and continuous authentication to contain compromise. Build it this quarter. And if you need help along the way, GitGuardian is here to help with secrets security and non‑human identity tools to support your journey from exposure to mastery.