
By Mark MacDonald, Director of Product Marketing
Six months ago, we launched Identity Exposure Management (IEM), a solution that pairs Flare’s world-class database of stealer logs, leaked credentials, and related identity exposures with automated validation and remediation through integration with the customer’s Microsoft Entra ID environment.
Since then, over 100 organizations have deployed it in production. We’ve processed more than 10,000 identity validations, and the data paints a picture worth sharing.
There are More Valid Identity Exposures Than We Realized
Across all customers, just over 1% of validated credential events turned out to be true positives, meaning the exposed account and related credentials were still active in the customer’s environment. It surprised us, but for the opposite reason you might expect. 1% is an extremely high number.
You might be thinking, “Wait, 1% is supposed to be high?”
Think again. It’s 1 in 100. 10 in 1,000. 100 in 10,000. At scale, those numbers add up quickly, and they represent highly concentrated risk, not background noise.
To put this in perspective, the median IEM customer saw roughly 360 credential events over a six-month period, or about 60 per month. Even at a 1% true positive rate, that means a typical customer can reasonably expect to uncover multiple valid identity exposures each year. These are real compromises that would have otherwise required time-consuming manual investigation to surface, or gone unnoticed entirely. After all, at 1%, the signal-to-noise challenge is very real. Most of what surfaces will be exactly what security teams expect to see when they think about exposed credential data:
- Old credentials
- Former employees from years ago
- Same accounts showing up over and over
All of this underscores the need for a solution that consistently surfaces the 1% of exposed credentials that actually matter and puts you in a position to fix them quickly.
Stop Triaging Credential Alerts Manually
With attackers moving from exposed credential to ransomware in just two days, manual investigation isn’t fast enough. Flare’s Identity Exposure Management validates every credential event against your live directory automatically and surfaces only confirmed exposures ready for remediation.
Where There’s One Valid Credential, There are Usually More
The 1% figure is the global average across every customer. The picture shifts when you isolate environments where at least one valid account was confirmed exposed.
In those environments, the true positive rate climbs to 4.38% for MSSPs and 2.26% for organizations. The takeaway is intuitive but worth stating: organizations that have one compromised credential tend to have more. This tracks when you consider that infostealer infections typically harvest credentials in bulk from a single endpoint, and that the underlying hygiene issues (password reuse, lack of MFA, stale accounts, etc.) are systemic rather than isolated.
For security teams, it means that a confirmed exposure should trigger a broader review (after the exposed account has been remediated, of course).
Identity Investigation Costs Add Up
Set aside the worst-case scenario of an actual account takeover for a moment. Focus on the operational reality most security teams live with every day: investigating credential alerts.
At an average of 20 minutes per manual investigation and a blended analyst rate of $75/hour, the median customer’s 360 events over six months translate to roughly $15,000 in labor. (Curious about these numbers? You can play around with some of these assumptions yourself with our IEM ROI calculator.)
Automated validation eliminates this triage burden. Every credential event is tested against your live directory in the background, and only confirmed exposures surface as actionable items. For a security team that’s already stretched thin, this isn’t a marginal efficiency gain. It’s an entire category of very noisy work that disappears from the queue.
Other Trends that Affect Identity Investigation Costs
A few noteworthy patterns emerged in our data:
- MSSP environments run hotter: The 4.38% true positive rate among MSSPs with confirmed exposures was nearly double the rate for organizations. We believe that this reflects the security maturity of a typical MSSP end-customer. They’re usually an SMB with limited IT and security resources. At these volumes, automation becomes even more of an imperative for an MSSP.
- The median volume is manageable but relentless, and attackers move fast: 60 credential events per month per customer probably won’t overwhelm a modestly resourced security team, but remember that you have to work at an attacker’s speed. The 2025 Verizon DBIR found just a two-day gap between an exposed credential’s availability on dark web markets and a successful ransomware attack. Responding faster to a valid exposure dramatically reduces the likelihood it gets leveraged by an attacker. Automating this process end to end shrinks response times typically measured in days down to minutes.
What’s Next for Identity Exposure Management?
Six months of production data has validated the core IEM value: automated credential validation and remediation is a reliable and highly impactful security workflow that reduces operational costs and lowers breach risk.
In 2026, we’re expanding identity provider integrations, improving on remediation workflows that align with customer requirements, and looking at ways to expand the number of identity-related signals IEM can take.
We recently added a more robust “lookback validation” capability, which allows customers to automatically and safely check all historical identity exposures that exist within Flare’s database. This gives security teams a practical way to get to an “inbox zero” state for their entire identity exposure attack surface.
Instead of intuitively dismissing old and potentially duplicate exposures as noise, security leaders can know with absolute certainty that all exposures have been validated, which is a massive and elusive operational win.
If your analysts are currently spending time triaging credential exposure alerts, or if you suspect those alerts are being quietly deprioritized because nobody has bandwidth to investigate them, that’s the exact problem IEM solves.





