Detecting Adversary Intent: Analyzing Behavioral Tells in Admin Logs with Allison Wikoff

Adversaries are already logging into your network using your own admin credentials. In this episode, Caleb Tolin sits down with Allison Wikoff to move past the identity clichés and analyze the specific behavioral signals that separate routine IT maintenance from state-sponsored sabotage. They dissect why resilience is not a flash of genius during a crisis, but a mindset that organizations can adopt to stay ahead of dynamic threat actors. The conversation explores how attackers are increasingly bypassing traditional controls like MFA and leveraging non-human identities such as service accounts, APIs, and AI agents. These identities often operate with persistent access and elevated privileges, making them highly attractive targets. As AI continues to lower the barrier to entry, adversaries are moving faster and blending more effectively into normal activity, making detection significantly more challenging. The episode also examines how ransomware, espionage, and sabotage offer different behavioral tells, with data exfiltration now central across multiple threat types. In parallel, organizations must begin preparing for long-term risks like quantum computing, where encrypted data stolen today could be exposed in the future (i.e., “harvest now, decrypt later”_. Throughout the discussion, practical strategies take center stage. From strengthening identity hygiene and segmentation to improving visibility across users, systems, and third parties, the fundamentals remain critical. The key takeaway is clear. While the threat landscape is evolving, organizations that focus on identity, preparedness, and resilience will be best positioned to reduce risk and recover effectively. What You’ll Learn How attackers bypass MFA and blend in using legitimate credentials Which non-human identities are high-risk targets How threat actors are leveraging AI to lower the barrier to entry for cybercrime The difference between ransomware, espionage, and sabotage intent signals What “harvest now, decrypt later” means for quantum risk The three hygiene practices that still stop most attacks Episode Highlights [00:00:00] The Limits of MFA Why attackers are starting to work around multi-factor authentication [00:02:00] The Explosion of Non-Human Identities Service accounts, APIs, and AI agents as new attack surfaces [00:04:00] AI and the Speed of Threats How AI is accelerating reconnaissance and malware creation [00:05:00] Ransomware vs. Espionage Why data exfiltration is now central to both [00:06:00] Healthcare Under Pressure Why critical sectors face compounded cyber risk [00:08:00] Quantum Threats Explained Understanding “harvest now, decrypt later” [00:11:00] Identity Recovery Challenges Why restoring trust is harder than restoring systems [00:14:00] The 3 Security Fundamentals Identity hygiene, segmentation, and visibility