By MyCena | Posted on: 21 March 2025
Why did M&S, Colonial Pipeline, and SolarWinds all get breached despite having enterprise security tools?
All three breaches used valid credentials — logins that every security tool in place verified as legitimate. The credential was real. The session was real. The access was normal. The tools did exactly what they were designed to do: verify that the person presenting the credential had the right to access the system.
In every case, the failure occurred before verification: the credential was created by a human, held by a human, and could be obtained by an attacker without triggering any existing detection. M&S: a third-party contractor held a credential to M&S systems — M&S had no visibility of it and could not revoke it. Colonial Pipeline: an inactive account credential was never revoked after the employee left. SolarWinds: a vendor build credential existed that no one in the organisation knew about.
All three entry points are closed by credential control — not because a detection system would have flagged the login, but because the credential would not have existed in human hands in the first place.