A Candid Conversation with Enzoic’s CTO
The digital landscape is evolving, and with it comes a wave of sophisticated attacks targeting weak user credentials. From credential stuffing to account takeover (ATO) fraud, organizations face mounting pressure to secure their authentication systems without compromising user experience. To tackle these challenges, we sat down with Mike Wilson, Founder and CTO of Enzoic, to explore the business impact of identity threat intelligence, its ROI, and actionable steps organizations can take to modernize credential security.
Whether you’re a CISO grappling with budget justification or a security professional seeking quick wins, this conversation is packed with insights you can implement today.
Mike (CTO): It’s a valid concern, and I get it—identity threat intelligence has traditionally been viewed as a cost center. But that’s often because the solutions being used didn’t address the root problem. What we’re seeing, especially with modern approaches, is a clear positive ROI.
Here’s the situation: most organizations with public-facing logins are experiencing a sharp uptick in attacks targeting weak credentials, like credential stuffing. When those attacks succeed, you’re looking at account takeovers that lead to fraud, data theft, financial losses, and reputational damage.
The key is moving away from traditional “threat intelligence” data dumps—raw, unstructured data that requires costly parsing on the customer side—and toward applied threat intelligence. At Enzoic, we focus on actionable intelligence. For example, we extract stolen credential data and make it immediately usable through APIs and integrations into authentication systems.
A simple but powerful use case is screening a user’s username and password at login. If the credentials match our database of compromised ones, we push them into a password reset flow. It’s seamless, effective, and—most importantly—prevents those credentials from being used in attacks.
The results speak for themselves. We’ve found that for consumer-facing applications, this approach not only reduces fraud but can actually improve customer satisfaction. When you remove the need for cumbersome security measures like MFA or CAPTCHAs, you’re offering a smoother user experience.
Mike: Of course. Let me give you one example: a B2C SaaS company using our credential screening detected that about 1.5% of monthly logins involved compromised credentials. That’s consistent with what the Google/Stanford study found, by the way.
Now, 1.5% might not sound like much, but for a high-traffic site, that’s thousands of vulnerable accounts each month. They implemented a flow where users with exposed credentials are prompted to reset their passwords. Despite doing this for over six years, they’re still seeing consistent numbers of exposed credentials—because the problem evolves. Credentials that were secure yesterday may not be secure today.
This ongoing protection has saved them significantly in fraud prevention and support costs. They’ve calculated a clear ROI and continue to see value year after year.
Mike: Employee accounts are just as critical—if not more so—because they often have greater access privileges. In 2023 alone, our Active Directory product scanned about 8 million accounts and found that 15% of them had weak or compromised passwords.
Threat actors target employees differently. They’ll look for personal email accounts in breach data, identify reused or similar passwords, and test variations to break into corporate accounts.
This is why we emphasize not just detecting compromised passwords but also addressing password reuse patterns. With our Active Directory integration, organizations can enforce strong password hygiene without adding friction to employees’ login workflows.
Mike: Take a hard look at how you’re handling credential security—for both customer and employee accounts. If passwords are in use anywhere, ask yourself: How are we ensuring these aren’t compromised?
For a quick start, use tools like our free Active Directory audit known as Enzoic for AD Lite. In minutes, you can scan your environment for compromised passwords and get a clear picture of your vulnerabilities. It’s often an eye-opener for most organizations.
Mike: The first step is access to a service that detects and remediates compromised credentials. At Enzoic, we make it easy to get started with free trials and comprehensive documentation.
Then, identify the systems you need to protect and plan your integrations. For Active Directory, we offer an out-of-the-box integration. For customer-facing systems, our APIs and SDKs make implementation straightforward.
Mike: Immediately. Most customers initially uncover a backlog of compromised credentials, but as they address these, it levels out to a manageable flow, like the aforementioned customer seeing credentials become compromised at a rate of 1.5% each month. Right away, you’re strengthening your security posture and reducing risk.
Mike: It’s all about metrics. With Enzoic, you can track how many compromised credentials are being detected and remediated. Pair this with your existing fraud or support cost metrics, and you’ll have a clear ROI story to share.
The stakes in credential security have never been higher, but as Wilson shared, modern tools and strategies can make a tangible difference—both in terms of reducing risk and delivering measurable ROI. By leveraging applied threat intelligence, organizations can protect both customer and employee accounts, while streamlining the user experience.
“If passwords are part of your authentication strategy, you need a plan to address compromised credentials—it’s not optional anymore.”
Start by assessing your current vulnerabilities, take advantage of free tools like Enzoic’s Active Directory audit, and make small but impactful changes to your security posture.
The threat landscape will continue to evolve, but with the right approach, organizations can stay ahead and build stronger, safer systems.