In this special Halloween edition of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Jonathan Care, Lead Analyst at KuppingerCole Analysts, to explore one of the most talked-about cybersecurity stories of the year — the F5 supply chain incident.

The discussion highlights how even well-established organizations can become targets of sophisticated, long-term attacks — and what this means for the future of software supply chain security.

Together, Matthias and Jonathan examine how incidents like this can happen, what lessons can be learned across the industry, and how companies can strengthen resilience, transparency, and response capabilities in their own environments.

Key topics covered:

✅ Understanding the dynamics of modern supply chain attacks ⚠️
✅ Why detection and dwell time remain a major industry challenge
✅ The growing importance of vendor risk and software transparency
✅ Lessons learned for CISOs and IT leaders
✅ Practical measures to improve visibility and response
✅ Why collaboration and information sharing are key to resilience

🕸️ Even trusted systems can hide a few ghosts — are you ready to uncover yours?

Is your IAM strategy focused too much on tools? In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth and Patrick Teichmann, Lead Advisor at KuppingerCole, dive into one of the most common pitfalls organizations face: starting IAM projects with the wrong priorities.

They explore how a Target Operating Model (TOM) helps define why and how your IAM should work before deciding on technology. Patrick shares insights from real projects, explaining how to align business goals, processes, and governance to achieve long-term success.

Key Topics Covered:

✅ Why IAM projects often fail due to tool-first thinking
✅ How a Target Operating Model sets the foundation for IAM success
✅ The role of governance, people, and processes in effective IAM
✅ Real-world examples of aligning strategy and technology
✅ How to evaluate tools after defining your IAM capabilities

Are AI agents the future of cybersecurity or a threat to human expertise? In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth talks with Alexei Balaganski, Lead Analyst and CTO at KuppingerCole, about the rise of AI agents and their potential to reshape the cybersecurity landscape.

They explore how autonomous AI systems could fill the cyber skills gap, automate incident response, and even act as digital coworkers in SOC environments. But how far can we trust them—and will humans still have a place in the loop?

Key topics covered:

✅ What AI agents really are—and how they differ from traditional automation
✅ The role of AI in SOCs, incident response, and threat detection
✅ Can AI agents help close the cybersecurity skills gap?
✅ Risks of rogue or “hallucinating” AI systems
✅ Why access governance and identity management are critical for AI agents
✅ The future of cybersecurity jobs in the age of automation

Are we already living in a post-data privacy world?

Breaches are everywhere, data is constantly being leaked, and GDPR fines haven’t stopped surveillance capitalism or shady data brokers. In this episode of the Analyst Chat, Matthias Reinwarth is joined by Mike Small and Jonathan Care to explore whether privacy still has meaning — or if resilience and risk management are the only ways forward.

They debate:

✅ Is privacy truly dead, or just evolving?
✅Why regulations like GDPR often miss the mark ⚖️
✅How cyber resilience is becoming more critical than “traditional” privacy
✅The personal, societal, and legal dimensions of privacy
✅What organizations (and individuals) can still do to protect data

Are KPIs and KRIs just compliance checkboxes, or can they truly prove the value of Identity and Access Management (IAM)? In this episode, Matthias Reinwarth and senior advisor Shikha Porwal explore how Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) can transform IAM from a technical function into a business enabler. They unpack the differences, the overlap, and how to make metrics relevant to both security and strategy. Expect real-world examples—from onboarding to MFA adoption—that show how measurement drives maturity and risk reduction.

Key Topics Covered:

✅ KPIs vs KRIs in IAM: what they are and how they differ
✅ Aligning IAM metrics with business goals and governance
✅ Onboarding & offboarding metrics for efficiency and risk reduction
✅ MFA adoption and help desk tickets as signals of IAM maturity
✅ Developer enablement and API adoption as success factors
✅ Mapping IAM indicators to risk frameworks and security posture
✅ Adapting KPIs/KRIs for non-human identities (NHI)

💡 If you’re working in IAM, identity governance, MFA strategy, or security architecture, this discussion will help you build meaningful metrics that prove value and strengthen your identity program.

Are IVIPs truly a new platform that organizations must adopt, or are they just old capabilities rebranded with fresh marketing spin? Today, Matthias Reinwarth and Martin Kuppinger dig into the latest acronym shaking up the IAM world: IVIP (Identity Visibility & Intelligence Platforms). We unpack the promises, the risks, and what IVIP really means for the Identity Fabric concept. Expect a critical take on buzzwords, vendor strategies, and what enterprises actually need to strengthen IAM maturity.

Key Topics Covered:

✅ What IVIP actually is and how it fits into IAM
✅ The connection between IVIP and the Identity Fabric approach
✅ Risks of marketing buzzwords in identity management
✅ When a new platform really brings value—and when it doesn’t
✅ What organizations should focus on instead of chasing hype

💡 If you’re working in identity, access governance, ITDR, IGA, or security architecture, this conversation will help you decide whether IVIP deserves a place in your roadmap—or if it’s just hype.

Identity and Access Management (IAM) is no longer a one-off project—it’s an ongoing journey. In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Christopher (CISO & Lead Advisor) and Deniz Algin (Advisor) to explore how organizations can successfully apply the Identity Fabric concept.

How to evolve from legacy systems to a future-proof IAM strategy without breaking existing operations? Why interoperability matters? What are the most common pitfalls organizations face when trying to modernize IAM? Find the answer to these questions and more in this episode!

Key Topics Covered:

• Identity Fabric explained through a powerful “airport” analogy ✈️
• How to design IAM programs in brownfield environments (no rip & replace)
• Capability-driven approach vs. tool-driven decisions
• Risk-based prioritization: quick wins, big wins & roadmaps
• Common pitfalls to avoid when modernizing IAM

💡 Whether you’re just starting your IAM journey or looking to operationalize interoperability at scale, this episode is packed with practical strategies and lessons learned.

DDoS attacks are evolving and becoming more dangerous than ever. In this video, Osman Celik speaks with Andrey Leskin from QRator Labs about the current DDoS attack landscape and how organizations can defend themselves.

You’ll learn:

• What DDoS attacks are and how they work across layers 3, 4, and 7
• Why Layer 7 (application-layer) attacks are the fastest-growing and hardest to detect
• How attackers are building massive botnets (millions of compromised devices)
• Real-world DDoS incidents hitting FinTech, e-commerce, and media sectors
• The differences between scrubbing capacity and PoP proximity in mitigation
• How QRator Labs approaches DDoS protection with scrubbing, anti-bot, and WAF solutions

With Layer 7 attacks rising by 74% year-over-year and record-breaking volumetric attacks now lasting weeks, no industry can afford to ignore this threat.

Watch now to understand how to protect your business from DDoS, botnets, and evolving cyber threats.

In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Martin Kuppinger and special guest Felix Gaehtgens to explore two of the hottest (and most debated) topics in identity today: Identity Threat Detection & Response (ITDR) and Non-Human / Machine Identities (NHI).

Together, they gothrough the buzzwords to reveal what’s real, what’s hype, and how organizations should approach these fast-evolving areas of IAM. From visibility vs. observability, to governance challenges and the future of machine identity management, this episode delivers sharp insights and practical recommendations from three IAM veterans.

So tell us — are ITDR and NHI just marketing buzzwords, or essential must-haves for modern identity security?

Key topics covered:

• ITDR explained: buzzword or meaningful evolution in IAM?
• Why visibility and observability are not the same
• The missing “R” in detection & response
• IAM vs. SOC responsibilities for ITDR
• Machine identities: terminology, challenges, and governance
• Ephemeral vs. static machine identities
• How IAM teams can prepare for the future of identity security

In this episode of the KuppingerCole Analyst Chat, Matthias is joined by Charlene Spasic and Kai Boschert to break down what real IAM maturity means. They explain why structured frameworks like the KuppingerCole Identity Fabric and Reference Architecture are critical, and how organizations can move beyond tools to focus on capabilities, governance, and business alignment.

So tell us, is your IAM program truly mature—or just a checklist of tools?

Key Topics Covered:

• Why IAM maturity starts with capabilities, not tools
• How to assess your current IAM status quo
• The role of identity lifecycle management & governance
• Common IAM challenges and gaps organizations face
• Why step-by-step progress beats “big bang” projects

💡 If you’re looking to strengthen your IAM foundation and align it with business priorities, this episode is for you.

In this practical episode of the KuppingerCole Analyst Chat, Patrick Teichmann joins Matthias Reinwarth to address a surprisingly common organizational issue: IAM teams being tasked with solving everything.

From HR data gaps to legacy tool cleanup and cross-department handovers — IAM teams often inherit work that isn’t truly their responsibility. This episode is a call to realign IAM strategy with clear ownership, realistic boundaries, and strong service delivery.

In this conversation:

• Why not everything is an IAM problem
• Common traps: onboarding issues, ownership gaps, tool clutter
• How to set boundaries without damaging collaboration
• Using operating models and RACI matrices to define IAM’s real scope
• Why focusing your IAM team improves service quality and security
• How to justify saying “no” — with strategy to back it up
• Preparing for IAM scalability, sustainability, and new regulations

Key takeaway: Sharpening your focus as an IAM team isn't about doing less — it’s about doing what matters most, better.

In this episode of the KuppingerCole Analyst Chat, Martin Kuppinger joins Matthias Reinwarth to dive deep into one of the most overlooked but critical areas in identity and security: non-human identities (NHI) and workload secrets. As cloud-native development and AI-driven workloads grow, so does the complexity of managing machine identities. With AWS now supporting long-lived API keys for generative AI, this episode explores why that's a risky move — and what a modern, secure, and developer-friendly alternative looks like.

In this episode, you'll learn:

• Why workload identities must be treated as privileged
• How long-lived secrets expand your attack surface
• Why “balancing convenience vs. security” is a false choice
• How to apply ephemeral secrets and ITDR signals
• The role of SPIFFE/SPIRE, policy-as-code (OPA), and automation
• Why developers shouldn’t own security — and what IAM must do instead
• How attackers use AI to hunt your leaked secrets
• What organizations must do to secure NHI at scale

Key takeaway: Security must be built around short-lived secrets, automation, and clear separation between identity, secrets, and entitlements — especially for workloads and AI agents.

In this episode of the KuppingerCole Analyst Chat, Warwick Ashford joins Matthias Reinwarth to explore a hidden but growing risk: third-party access to your systems.

Third-party contractors, suppliers, and partners often have access to internal systems — but lack the same governance, oversight, and security controls as employees. This episode explores why Third-Party Access Governance (TPAG) is now a strategic security priority, not just a technical integration.

What we cover:
✅Why third-party identities now outnumber employees in many orgs
✅The governance gap: no HR triggers, lifecycle oversight, or certifications
✅How traditional IAM systems fail to manage external access
✅The role of the Identity & Security Fabric in enabling TPAG
✅Regulatory drivers (DORA, NIS2, CMMC) making this a board-level issue
✅Core capabilities of modern TPAG solutions
✅Practical first steps for building a third-party access governance strategy

In this episode of the KuppingerCole Analyst Chat, host Matthias Reinwarth welcomes Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, to discuss the evolution of the Identity Fabric. Originally introduced as a visual tool in 2017–2018, the Identity Fabric has matured into a foundational framework for modern identity and access management.

The conversation covers the motivations behind its creation, its flexibility in addressing various identity types, and its role in simplifying complex IAM architectures. Martin also explains the rationale for a leaner version of the model, aimed at executive stakeholders, and offers a glimpse into the forward-looking Identity Fabric for the 2040s.

In this episode, you’ll learn:
✅Where the Identity Fabric concept began
✅Why a leaner version is needed — and who it’s for
✅How to pitch Identity Fabric to C-level decision makers
✅What the 2040s might look like for IAM
✅How organizations and vendors alike are using this model today

Whether you're deep in IAM or just starting to align your strategy, this episode breaks down how to communicate complex identity concepts more clearly.

In this episode, Matthias Reinwarth is joined by Alejandro Leal, Senior Analyst at KuppingerCole Analysts, to discuss the strategic shift toward Identity Fabrics in modern IAM. Alejandro outlines the challenges posed by fragmented IAM architectures and the growing diversity of digital identities.

The conversation explores how the Identity Fabric model enables organizations to build cohesive, adaptive identity infrastructures that integrate existing tools while providing observability and actionable insights. They also examine the importance of integration, modularity, and policy enforcement across identity silos. The episode concludes with practical steps for building a future-proof IAM strategy.

We dive into:

• Why traditional IAM is failing
• What Identity Fabric really means (and what it’s not)
• How it supports every identity type — human or machine
• The critical role of observability & actionable insights
• How to balance legacy tools with agile innovation
• Where to start your implementation — without a big bang

Identity is now a strategic business function — and Identity Fabric is how to operationalize it.

In this must-listen episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Jonathan Care to explore a groundbreaking shift in cybersecurity leadership. Discover how CISOs are transforming from traditional gatekeepers, the infamous "Dr. No", into strategic business enablers through the principles of Servant Leadership.

We dive deep into:

• Why the CISO role is evolving beyond technology and policy
• The pitfalls of autocratic security leadership and rising burnout
• How empowering teams builds trust, reduces shadow IT, and accelerates projects
• Real-world examples from global organizations proving this approach works
• Practical first steps for CISOs to start leading through influence, not fear

Key Takeaway: Security isn’t just about tech, it’s about people and culture. Servant leadership helps build stronger security and stronger businesses.

In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth sits down with cybersecurity CTO & analyst Alexei Balaganski to explore the dramatic evolution of API management and security.

They unpack:

1. Why APIs are now the backbone of AI agents and how MCP (Model Context Protocol) is driving a new decentralized ecosystem.

2. The explosion of shadow APIs & hidden interfaces from your printer to your coffee machine and why they pose serious risks.

3. How edge computing & WebAssembly are decentralizing everything, making old API gateway models obsolete.

4. The critical need for API posture management, identity & access controls for non-human identities, and full lifecycle security even before you write a line of code.

Learn why API security isn’t just a tech problem, it’s the next big business risk, how the market is consolidating, and what’s coming in the new Leadership Compass on API Management & Security.

In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Martin Kuppinger to untangle one of the most complex—and increasingly urgent—topics in digital identity: non-human identities (NHIs).

With AI agents, workloads, service accounts, and API keys exploding in number, it’s no longer enough to rely on traditional IAM structures. But what is an NHI, exactly? And how can organizations secure them without collapsing under the weight of siloed systems and unmanaged identities?

Martin and Matthias explore:

• The blurry boundaries between identities, accounts, secrets, and credentials
• Why "non-human" is a problematic but useful term
• Agentic AI vs. API keys: where identity management really changes
• Practical starting points for managing NHIs in real-world environments

💡 Whether you're a CISO, architect, or IAM practitioner, this episode gives you a pragmatic foundation for approaching NHI—without getting lost in terminology wars.

In this essential episode of the KuppingerCole Analyst Chat, host Matthias Reinwarth welcomes cybersecurity strategist Jonathan Care to explore one of the most pressing challenges CISOs face in 2025: detecting deception in an age of AI-powered attacks.

From deepfakes and behavioral manipulation to vendor impersonation and adversarial AI, attackers are no longer relying on simple phishing emails. They're launching highly personalized, deeply technical, and psychologically crafted deceptions.

Jonathan presents a structured four-part taxonomy of deception and offers actionable insights for CISOs—from implementing callback verification protocols to deploying behavioral analytics and deception detection technologies.

Topics Covered:

1. AI-powered social engineering
2. Digital identity deception & deepfakes
3. Vendor/supply chain impersonation
4. Technical deception & adversarial machine learning
5. Practical steps CISOs can take this week

Organizational identity is no longer optional

In this episode of the KuppingerCole Analyst Chat, host Matthias Reinwarth is joined by cybersecurity research director John Tolbert to talk about the rising threats of organizational fraud, rogue merchants, and the growing need for robust identity verification at the business level.

Topics covered:

1. What are rogue merchants, and how do they operate?
2. The staggering fraud numbers behind the Paycheck Protection Program (PPP)
3. The importance of Know Your Business (KYB) vs. Know Your Customer (KYC)
4. Why legacy business verification methods are no longer enough
5. How APIs, LEIs, and verifiable digital identities can help
6. The role of CIEM and B2B CIAM in detecting and preventing organizational fraud

Whether you're in cybersecurity, compliance, finance, or e-commerce, this episode unpacks how fraud at the organizational level is growing—and what tools and frameworks can stop it.