Why you need to choose an identity-centric security partner

Anna Webb

Head of Global Security Operations

Published: 04 September 2025

When every missed alert feels like the one that could sink you, identity is where the pressure shows. That’s why any managed security operations centre (SOC) worth trusting must put identity at the foundation of its security operations.

Stolen identities are now driving more breaches than malware or vulnerabilities.

Microsoft blocks more than 7,000 password attacks every second, with adversary-in-the-middle (AitM) phishing up 146% in the past year.

One login is all it takes, and AI is making those attacks ever harder to spot.

That makes identity the key pressure point. Cyber threats fuel anxiety across every layer of a business, but for IT teams already drowning in alerts the worry is constant: will the next one I miss be the breach that sinks us?

It’s a scenario we’ve seen time and again, and it’s why any SOC partnership worth trusting must be identity-first.

Without that focus you miss the signals that matter most. With it, you gain the visibility, speed, and assurance needed to keep hybrid, multi-cloud businesses secure.

Why we place identity at the heart of security operations

If attackers are hammering credentials thousands of times a second, that makes your people the main access point to systems and data.

That puts a target on their backs.

Phishing attacks, business email compromise (BEC), and social engineering remain the fastest, cheapest way in. Even well-intentioned insiders can open the door by accident.

This is why identity has become the most valuable signal in modern security operations.

But that poses a challenge.

Identity-centric security can’t afford to ignore the user experience

Stronger identity controls are essential, but that doesn’t mean “lock everything down.” If they get in the way of work, they backfire.

And that’s a recipe for disaster.

Complex login steps and rigid access policies can get in the way of work and cause frustration. Frustrated users find workarounds.

SOCs that start from an identity-first mindset can avoid falling into this security v usability trap by embedding measures like multi-factor authentication (MFA), Conditional Access, and passwordless options (e.g. passkeys) into everyday workflows. This means building protection into the way your people work rather than creating barriers that hinder the way they work.

Users carry on working productively, while IT leaders gain the reassurance that resilience isn’t being undermined by shortcuts.

What you should expect from an identity-focused MSSP

If we acknowledge that most breaches are identity-driven, then identity must be the starting point. But identity-first doesn’t mean identity-only.

Rather, it’s the foundation stone of a unified SOC that connects identity to every other layer of defence.

A modern SOC joins the dots between logins, devices, emails, and cloud workloads so that attacks are seen in context, not as scattered alerts. At Kocho, for instance, we do this by working within Microsoft’s unified security stack.

For example:

  • Using Microsoft Entra as the identity control plane, we can enforce MFA, Conditional Access, and governance policies, while Entra ID Protection flags risky users and sign-ins in real time.
  • Defender XDR (extended detection and response) correlates those identity signals with activity across endpoints, email, and SaaS apps to show the full attack chain.
  • Microsoft Sentinel acts as both a SIEM (security information and event management) and SOAR (security orchestration, automation, and response) system. It ingests telemetry from Entra, Defender, and third-party tools, applies threat intelligence and automation, and retains data cost-effectively.
  • With Sentinel now woven into the Defender portal, analysts work from one unified view. No console-hopping, no missed signals, and no wasted time stitching alerts together.

Securing people and data from day one

Strong SOC partnerships are built on strong starts. That’s why onboarding must prioritise identity from the outset.

Rapid onboarding

Assess Entra ID, MFA, and Conditional Access immediately. High-risk users and sign-ins are contained before attackers gain traction.

Seamless rollout

Use familiar tools like Microsoft Authenticator so users adapt quickly and IT avoids pushback.

Phased build-out

Start with essentials, then add Defender for Identity and Sentinel analytics to expand coverage as the service matures.

Day-one protection shows staff that security doesn’t have to disrupt work, reassures leaders that risks are under control, and relieves IT managers of carrying the burden alone.

Ongoing identity protection

Of course, effective onboarding is crucial, but once established, your MSSP needs to be able to maintain a vigilant long-term approach to identity security.

This might involve:

Continuous monitoring

24/7 visibility across identity, endpoints, and cloud through Sentinel and Defender XDR. IT no longer wakes up wondering what slipped through.

Adaptive controls

Conditional Access and Entra ID Protection evolve with attacker tactics, blocking risky sessions automatically.

User awareness

Regular phishing simulations and credential hygiene campaigns reduce human error without overwhelming staff.

Evidence at hand

Real-time dashboards and audit-grade reports reassure boards, auditors, and insurers that risks are controlled and investments are paying off.

Final thought

Attackers no longer need to breach your network; they just need one login. With password attacks now measured in the thousands per second, and AI making phishing harder to spot, identity has become the fault line of modern security.

That’s why we strongly advocate a SOC partnership that has identity at its heart and puts your people first: one that understands the nuances of the organisation and ensures processes are in place to protect identities and digital assets from day one. That removes the shadowy spectre of constant risk anxiety, where you’re never sure what’s been missed.

Want to find out more about Kocho’s identity-centric AI-powered managed security service? Get in touch and talk to our team today.

Key takeaways

  • Identity-centric security is crucial as employees are the main access points to critical systems and data.

  • MSSPs must balance strong identity protection with a smooth user experience to prevent security workarounds.

  • Rapid identity security implementation is vital from day one to protect assets while ensuring operational continuity.

  • Continuous monitoring and adaptive security are needed to respond to evolving threats and maintain identity protection.

  • Proactive threat detection and incident response are critical to maintaining robust identity security.

  • Partnering with an identity-focused MSSP ensures secure access and asset protection across any device or location.

Author

Anna Webb

Head of Global Security Operations

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).
