WatchGuard Blog

Go to 

How to Protect Identity in a World Without VPNs

Anticipating credential compromise is key to protecting client identities. How can MSPs monitor the Dark Web to detect risks early?

For years, cybersecurity relied on a perimeter-based model, where the network defined the boundary between what was secure and what wasn’t. With the adoption of cloud computing, SaaS applications, and hybrid working, that control has shifted to identity, making credentials the primary target for attackers.

The consequences of this shift are already evident. According to WatchGuard’s 2026 cybersecurity predictions, at least one third of breaches will be related to failures in traditional VPN and remote access tools, driven by the use of stolen credentials and exposed vulnerabilities. This is compounded by the Verizon Data Breach Investigations Report 2025, which indicates that more than 60% of breaches involve compromised credentials or misconfigurations. In this context, identity has become the new cybersecurity perimeter, and as an MSP, you face the constant challenge of protecting your clients’ digital identities across increasingly distributed environments.

How Credential Compromise Occurs

The majority of identity-based attacks are not isolated incidents, but rather processes that unfold progressively. Understanding how credential compromise occurs means you can anticipate it and reduce the impact before it escalates into a major incident:

  1. Credential creation: Organizations use dozens of different applications, each with its own access system. Faced with this reality, many users choose to reuse passwords or apply minor variations, which weakens security from the very start.
  2. Credential compromise: From that point on, attackers obtain these credentials through phishing, brute force attacks, third-party breaches, or exposed keys. In many cases, this compromise goes unnoticed for long periods of time.
  3. Publication and monetization: Once stolen, credentials are aggregated into large databases that are circulated in underground Dark Web marketplaces, where they quickly become part of new attacks. 
  4. Purchase for new attacks: Subsequently, buyers test these credentials in an automated manner across multiple business applications, while human operators identify the most valuable targets.
  5. Active exploitation: When access is successful, the most critical phase begins. Attackers escalate privileges, move laterally, and carry out actions such as data theft or ransomware deployment.

VPNs: From Secure Remote Access to an Exposure Point

For a long time, VPNs have been the standard solution for secure remote access. However, they now face a clear paradox: as adoption increases, so do the incidents linked to their use. For you, as an MSP, this means managing constant demand in a context of increasing risk. The limitations of this model are well known:

  • Implicit trust: In many environments, some users and accounts collect more privileges than necessary. This increases the risk if their credentials are exposed; if an account is compromised, the attacker can easily move between systems (lateral movement) and amplify the impact.
  • Credential dependency: Stolen or reused passwords are still sufficient to unlock remote access.
  • Limited visibility: Encrypted traffic makes continuous monitoring and the application of more granular policies difficult.
  • Legacy infrastructure: Many environments rely on outdated hardware that lacks patches and updates, which increases the attack surface.

Anticipating Risk Beyond Access

In this scenario, protecting identity means going beyond access control since many breaches begin with credentials exposed outside the corporate environment. As a result, continuous Dark Web monitoring has become a key preventive layer within identity strategies.

Using solutions capable of monitoring these exposures means you can act before credentials are actively exploited. In this regard, monitoring exposed credentials on the Dark Web—integrated into AuthPoint Total Identity Security alongside other identity controls such as MFA—makes it possible to extend the Zero Trust model to an earlier stage of the authentication process, by proactively identifying compromised access before it can be exploited. As an MSP, this approach helps you strengthen identity protection even in scenarios in which remote access is still required, reducing reliance on VPNs as a core security pillar.

To find out more about how to protect your clients’ identities, check out the following articles on our blog: 

Filed under: Identity Security and MFA, Access & Identity Authentication, Multi-Factor Authentication, WatchGuard AuthPoint, Channel Partners