Teleport Identity Security Gets a Real-Time Twist

Teleport's overall mission has been to modernize the concepts of identity and access, strengthening the idea of machine-based identities, for example. This week, Teleport (a Futuriom 50 company) launched a significant update to Teleport Identity Security that traces a user's activity across multiple systems in real time.
The issue is that a person's identity can be fragmented, with separate credentials in places like Okta and GitHub. That makes it difficult to follow the "chain of custody" for a given action, as Ben Arent, Teleport's director of product, puts it. Often, the only option is to painstakingly cross-correlate logs across those different platforms, matching an email address in one system to a login name in another.
The New Perimeter
That matters because "identity is the new perimeter," Arent said, meaning attacks tend to start with compromised credentials rather than with exploiting software flaws. Teleport says it has seen a 71% year-over-year increase in attacks that used stolen or compromised credentials.
Teleport has campaigned on that issue, noting that enterprises often have overprivileged user accounts sitting around unnoticed. Long-forgotten standing privileges for certain employees might linger in a system somewhere. Employees who changed roles might retain the access privileges of their previous job. Teleport cites one Fortune 500 customer that discovered, within 15 minutes of installing Teleport Identity Security, that two engineers who were supposed to have read-only access had amassed maintainer rights across 1,800 code repositories. Part of the company's identity crusade involves clamping down on these situations.
Follow the Chain
The updates to Teleport Identity Security trace the real-time chain of a user's activity, including logins and actions on different platforms. The new Identity Activity Center presents that chain in the form of a timeline. AI-built session summaries can deliver the results in natural language and generate compliance reports as well.
Importantly, all this information is delivered in real time. Teleport says the alternative is to grab snapshots from disparate systems' logs and then assemble a story of what happened, a story that would likely be incomplete.
The real-time nature of Teleport's new features matters because a compromised host can lead to damage quickly. According to CrowdStrike, in 2024 it took an average of just 48 minutes for an attacker to move from one compromised host to another system (the "breakout time"), down from 62 minutes the previous year. The fastest breakout CrowdStrike has observed took 51 seconds.
Note that Teleport's identity tracing can also help cover the blind spots that exist between teams. Infrastructure, IT, and security might be handled by different groups within an enterprise, each looking at its own logs. Identity Activity Center provides one story that spans all those functions.
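To make the "chain of custody" problem concrete, here is an added example (not Teleport's code) of the cross-correlation step the article describes: three audit-log streams that each name the same person differently (Okta by email, GitHub by login, AWS by IAM ARN) are mapped onto one canonical principal and merged into a single ordered timeline. The log records are constructed for the example, and their field names are only loosely modelled on each platform's log shape; treat them, the identity map and the sample principal "alice" as assumptions.

```python
"""Correlate audit events from three platforms into one per-person timeline.

Added example, not Teleport code. Each platform names the same human
differently: Okta by email, GitHub by login, AWS by IAM ARN. The identity
map is the piece that turns three disjoint log streams into one chain of
custody. Sample records are constructed; field names are loosely modelled
on each platform's log shape and are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed mapping from (platform, platform-local id) to a canonical
# principal. In practice this comes from the IdP or HR system of record.
IDENTITY_MAP = {
    ("okta", "alice@example.com"): "alice",
    ("github", "alice-dev"): "alice",
    ("aws", "arn:aws:iam::123456789012:user/alice"): "alice",
}


@dataclass(order=True)
class Event:
    ts: datetime          # first field, so sorting orders by time
    source: str
    principal: str
    action: str
    ip: str
    detail: str = ""


def resolve(platform, local_id):
    """Map a platform-local identifier to a canonical principal.
    Unmapped ids stay visible instead of being silently dropped."""
    return IDENTITY_MAP.get((platform, local_id), f"unmapped:{platform}:{local_id}")


def parse_okta(rec):
    # Okta System Log style: ISO-8601 'published', actor.alternateId holds the email
    ts = datetime.fromisoformat(rec["published"].replace("Z", "+00:00"))
    return Event(ts, "okta", resolve("okta", rec["actor"]["alternateId"]),
                 rec["eventType"], rec["client"]["ipAddress"], rec.get("displayMessage", ""))


def parse_github(rec):
    # GitHub audit-log style: '@timestamp' in epoch milliseconds, actor is the login
    ts = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
    return Event(ts, "github", resolve("github", rec["actor"]),
                 rec["action"], rec.get("actor_ip", ""), rec.get("repo", ""))


def parse_aws(rec):
    # CloudTrail style: ISO-8601 eventTime, userIdentity.arn names the caller
    ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    return Event(ts, "aws", resolve("aws", rec["userIdentity"]["arn"]),
                 rec["eventName"], rec.get("sourceIPAddress", ""), rec.get("awsRegion", ""))


def build_timeline(okta, github, aws):
    """Normalise all three streams and return them in time order."""
    events = [parse_okta(r) for r in okta]
    events += [parse_github(r) for r in github]
    events += [parse_aws(r) for r in aws]
    return sorted(events)


def chain_of_custody(events, principal):
    """Ordered (time, platform, action) chain for one canonical principal."""
    return [(e.ts.strftime("%H:%M:%S"), e.source, e.action)
            for e in events if e.principal == principal]


# Constructed sample logs: one Okta login, one GitHub permission change and
# one AWS key creation by the same person, plus an unmapped GitHub actor.
SAMPLE_OKTA = [{"published": "2025-07-01T09:00:00.000Z", "eventType": "user.session.start",
                "actor": {"alternateId": "alice@example.com"},
                "client": {"ipAddress": "203.0.113.5"}, "displayMessage": "User login to Okta"}]
SAMPLE_GITHUB = [
    {"@timestamp": 1751360590000, "action": "repo.add_member", "actor": "alice-dev",
     "actor_ip": "203.0.113.5", "repo": "example/payments"},
    {"@timestamp": 1751360650000, "action": "repo.download_zip", "actor": "mallory-bot",
     "actor_ip": "198.51.100.7", "repo": "example/payments"},
]
SAMPLE_AWS = [{"eventTime": "2025-07-01T09:05:40Z", "eventName": "CreateAccessKey",
               "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
               "sourceIPAddress": "203.0.113.5", "awsRegion": "us-east-1"}]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_OKTA, SAMPLE_GITHUB, SAMPLE_AWS)
    for step in chain_of_custody(timeline, "alice"):
        print(*step)
    print("unmapped:", [e.principal for e in timeline if e.principal.startswith("unmapped:")])
```

The interesting design choice is what to do with identifiers the map does not know: dropping them would hide exactly the rogue or forgotten accounts the article warns about, so the example keeps them on the timeline under an "unmapped:" principal where a reviewer will see them.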
Neither CNAPP Nor SIEM
Teleport's broader goal is to rethink identity, veering away from system-by-system credentials to root an "identity" in real-world attributes. That sets its work apart from the approach of a cloud-native application protection platform (CNAPP) like Wiz (now being acquired by Google) or a security information and event management (SIEM) platform like Cisco's Splunk.
The new enhancements to Identity Security differentiate Teleport even further. They go beyond a CNAPP's work by providing observability across multiple environments, and they outdo a SIEM by marrying log information with identity, Arent said. The strongest differentiator, though, might be the near real-time response that the Identity Activity Center allows for security and infrastructure personnel.
Red Team
Teleport tested its new features by running a red team exercise with the Nemesis Breach and Attack Simulation team at Persistent Security in Lisbon, Portugal. One straightforward test used compromised credentials to move laterally across systems while behaving like an ordinary employee. Teleport managed to catch that, even though the attacker used evasive techniques such as reverse tunnels.
A more sophisticated attack involved a single sign-on token stolen from an identity provider. The attacker used this token to access multiple clouds and cloud-based services, using different user names and IP addresses for each attempt. The test was designed to show that Teleport could recognize these otherwise unrelated actions as coming from one actor; Identity Security flagged the attack with an "impossible travel" alert.
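The "impossible travel" check in that second test is a standard detection, and an added example of it follows (this is not Teleport's detection logic). Once every action has been tied back to one canonical principal, such as the subject of the stolen SSO token, consecutive sessions are compared by the great-circle distance between their source locations and the time between them; if covering that distance would require an implausible speed, the pair is flagged regardless of which local user name or IP was used. The events, their coordinates (a real system would resolve the source IP through a GeoIP database), the 900 km/h threshold and the 50 km jitter floor are all constructed assumptions.

```python
"""Impossible-travel check over a per-principal session timeline.

Added example, not Teleport's detection logic. Two sessions for the same
canonical principal are flagged when the great-circle distance between
their source locations could not be covered in the elapsed time. The
coordinates are constructed (a real system would look the source IP up
in a GeoIP database); the speed threshold and jitter floor are assumptions.
"""
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0        # roughly airliner cruise speed; faster is "impossible"
MIN_KM = 50.0          # ignore GeoIP jitter within one metro area / NAT pool
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return one alert per consecutive session pair (same principal) whose
    implied speed exceeds max_kmh. Zero elapsed time counts as infinite speed
    rather than raising a division error."""
    by_principal = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_principal.setdefault(e["principal"], []).append(e)

    alerts = []
    for principal, seq in by_principal.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < min_km:
                continue
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"principal": principal, "km": km, "kmh": kmh,
                               "from": (a["platform"], a["as_user"], a["ip"]),
                               "to": (b["platform"], b["as_user"], b["ip"])})
    return alerts


def at(hhmm):
    """Constructed helper: a UTC timestamp on a fixed day."""
    h, m = hhmm.split(":")
    return datetime(2025, 7, 1, int(h), int(m), tzinfo=timezone.utc)


# Constructed sessions. 'principal' is the token subject after correlation;
# 'as_user' and 'ip' are the local user name and address seen by each service.
# alice: Lisbon at 10:00, Lisbon again from a new IP, then Ashburn (VA) at 10:20.
# bob:   Lisbon at 08:00, then London at 11:30 (a plausible flight).
SAMPLE_EVENTS = [
    {"principal": "alice", "platform": "okta", "as_user": "alice@example.com",
     "ip": "203.0.113.5", "lat": 38.72, "lon": -9.14, "ts": at("10:00")},
    {"principal": "alice", "platform": "aws", "as_user": "role/ci-deploy",
     "ip": "203.0.113.9", "lat": 38.72, "lon": -9.14, "ts": at("10:05")},
    {"principal": "alice", "platform": "github", "as_user": "svc-builder",
     "ip": "198.51.100.7", "lat": 39.04, "lon": -77.49, "ts": at("10:20")},
    {"principal": "bob", "platform": "okta", "as_user": "bob@example.com",
     "ip": "203.0.113.20", "lat": 38.72, "lon": -9.14, "ts": at("08:00")},
    {"principal": "bob", "platform": "aws", "as_user": "user/bob",
     "ip": "192.0.2.44", "lat": 51.51, "lon": -0.13, "ts": at("11:30")},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(f"{alert['principal']}: {alert['km']:.0f} km at {alert['kmh']:.0f} km/h "
              f"{alert['from']} -> {alert['to']}")
```

The check only works after identity correlation: grouped by local user name, the three "alice" sessions look like three unrelated accounts and nothing fires. Tune the jitter floor and speed threshold to your own population; a too-low floor produces noise from mobile carriers whose GeoIP locations hop between cities.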
The Identity Security updates are available now with the Teleport 18 release. Identity Activity Center launched with integrations for AWS, GitHub, and Okta, with further integrations planned soon—and of course it integrates with Teleport's own platform, including its zero-trust access solution.