What is an Initial Access Broker?
An initial access broker, often shortened to IAB, is a criminal actor who specializes in obtaining footholds inside organizations and then selling that access to other attackers. Instead of carrying out the full intrusion themselves, the broker monetizes the entry point.
How Initial Access Brokers Operate
Initial access brokers obtain footholds through phishing, vishing, credential theft, infostealer malware, exposed remote services, or abused identity workflows. They then package the access by privilege level, target type, or revenue potential and sell it through criminal forums or private channels.
Why Initial Access Brokers Matter
The broker model separates compromise from exploitation. The person who steals access may not be the same person who deploys ransomware, steals data, or extorts the victim. That specialization lowers the barrier to entry across the broader criminal ecosystem and turns a single successful help desk or identity compromise into a marketable asset.
Initial Access Brokers and Identity Workflows
Identity-driven compromise is especially valuable to brokers because it can yield durable access to VPNs, admin panels, cloud platforms, and support workflows. Access obtained through a help desk reset or weak recovery flow can be sold even if the original attacker never logs in again.
How Defenders Should Respond
- Treat initial access as a product attackers can resell, not just a one-off event
- Harden help desk, recovery, and MFA enrollment workflows
- Reduce the value of stolen access through least privilege and segmentation
- Monitor for unusual persistence after resets or recovery events
- Use threat intelligence to understand which access types are being traded
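One way to approach the monitoring item above, shown as an added example that is not part of the original page: flag persistence-type changes (new MFA device, API token, mail forwarding rule, OAuth consent) that follow a help desk reset or recovery event and come from a source the account had not used before. The event names, log layout, and 24-hour window are assumptions made for illustration; map them to your identity provider's audit log.

```python
from datetime import datetime, timedelta

# Assumed event names, not taken from any specific product's audit schema.
RECOVERY = {"helpdesk_password_reset", "helpdesk_mfa_reset", "self_service_recovery"}
PERSISTENCE = {"mfa_device_enrolled", "api_token_created",
               "mail_forward_rule_created", "oauth_app_consented"}
WINDOW = timedelta(hours=24)  # assumed review window after a recovery event

# Constructed sample audit log: (timestamp, user, action, source IP)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "login", "198.51.100.10"),
    ("2024-05-02T09:00:00", "alice", "helpdesk_mfa_reset", "198.51.100.10"),
    ("2024-05-02T09:05:00", "alice", "mfa_device_enrolled", "198.51.100.10"),
    ("2024-05-01T07:30:00", "bob", "login", "198.51.100.20"),
    ("2024-05-03T14:00:00", "bob", "helpdesk_password_reset", "203.0.113.77"),
    ("2024-05-03T14:10:00", "bob", "mfa_device_enrolled", "203.0.113.77"),
    ("2024-05-03T14:40:00", "bob", "api_token_created", "203.0.113.77"),
    ("2024-05-06T10:00:00", "bob", "api_token_created", "198.51.100.20"),
]

def find_post_recovery_persistence(events, window=WINDOW):
    """Return persistence actions that follow a recovery event within `window`
    and come from a source the account had not used before that recovery."""
    findings = []
    seen_sources = {}   # user -> sources observed outside recovery events
    last_recovery = {}  # user -> (recovery time, sources known at that time)
    for ts, user, action, src in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        known = seen_sources.setdefault(user, set())
        if action in RECOVERY:
            # Snapshot the baseline; the requester's own source is not trusted.
            last_recovery[user] = (when, set(known))
            continue
        if action in PERSISTENCE and user in last_recovery:
            reset_at, baseline = last_recovery[user]
            if when - reset_at <= window and src not in baseline:
                minutes = int((when - reset_at).total_seconds() // 60)
                findings.append({"user": user, "action": action, "source": src,
                                 "minutes_after_recovery": minutes})
        known.add(src)
    return findings

if __name__ == "__main__":
    for finding in find_post_recovery_persistence(SAMPLE_EVENTS):
        print(finding)
```

In the sample data, alice's re-enrollment from her usual source is not flagged, while bob's new MFA device and API token from a previously unseen source shortly after a help desk reset are.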
Frequently Asked Questions
What does an initial access broker sell?
An initial access broker sells entry into an organization. That can include VPN access, cloud admin access, help desk-derived credentials, remote desktop access, or other footholds that another attacker can use.
Do initial access brokers deploy ransomware themselves?
Sometimes, but often they do not. Many brokers focus on obtaining and selling access, while separate actors handle data theft, ransomware deployment, or extortion.
Why are help desk compromises valuable to brokers?
Help desk compromises can produce fresh credentials, MFA resets, and access to high-trust identity workflows. That makes the resulting foothold valuable even before any follow-on activity occurs.
How should defenders think about broker-driven risk?
Defenders should assume that any usable foothold may be sold onward. That means the goal is not just to stop obvious exploitation, but to prevent weak identity workflows from producing marketable access in the first place.