The cybersecurity community has been closely following the events at Stryker, the medtech giant with 56,000 employees across 61 countries. On March 11, 2026, Stryker disclosed a significant cyberattack that caused widespread disruption to its global Microsoft environment, wiping managed devices, halting manufacturing operations and forcing the company to file an SEC disclosure. No ransomware and no exotic zero-day have been reported. Instead, the attackers reportedly leveraged Microsoft Intune, an enterprise device management tool trusted by IT teams worldwide, to issue remote wipe commands at scale.
The incident is still under investigation, and we don't yet have the full picture. But the pattern it represents is worth discussing openly — not to sensationalize, but because the security community learns from moments like this. That learning is ultimately what helps organizations protect themselves.
The Shift: From Malware to Management
For years, the dominant mental model of a cyberattack involved malware detonating on endpoints, triggering alerts, and prompting incident response. The Stryker incident — if the reported Intune vector holds — reflects something different: attackers using the tools you already trust to do the damage for you.
Intune is designed to be powerful. It can remotely wipe devices, enforce policies, and reach across every managed endpoint in an enterprise. Those capabilities exist for legitimate, critical reasons. But they also mean that anyone who gains privileged access to that management layer inherits all of that capability — instantly and at scale.
This is the control plane problem. Modern enterprise environments run on deeply interconnected administrative tooling: identity providers, MDM platforms, cloud consoles. These platforms don't operate as islands; they are woven together through trust relationships: a user account in Entra ID holds a role in Intune, and that role has authority over every enrolled device in the organization. That chain of relationships is what makes modern IT efficient. It is also what makes a single privileged account compromise so potentially catastrophic.
As many security professionals have noted in the wake of this incident, identity is the new perimeter. More precisely, the privilege layer on top of identity is where modern attacks increasingly land: who holds admin rights, what those rights can touch, and whether anyone is watching.
The Visibility Problem: You Can't Defend a Graph You Can't See
Here's the uncomfortable truth about environments like the one Stryker was running: the attack surface isn't a list of assets. It's a web of relationships. An Intune admin role isn't dangerous in isolation — it's dangerous because of what it connects to. Understanding that danger requires understanding the full chain: which identity holds the role, what trust relationships that identity has elsewhere in the environment, what devices fall within its blast radius and what the recovery path looks like if that role is abused.
Traditional security tools were built for a world of lists: inventories of endpoints, spreadsheets of accounts, tables of policy violations. They're not designed to answer relationship questions. And relationship questions are exactly what modern attacks exploit.
This is where a knowledge graph architecture fundamentally changes what's possible. JupiterOne models your entire environment: identities, devices, cloud resources, applications, policies and the relationships between all of them — as a connected graph. That means every asset exists in context. A privileged account isn't just a row in a table; it's a node with edges showing what roles it holds, what resources it can reach, what devices it can manage and what the downstream impact of its compromise would be.
Seeing the Blast Radius Before the Attacker Does
When an incident like Stryker's unfolds, one of the hardest early questions is: how bad is this? In a wiper-style attack enabled by a management platform, the answer depends entirely on the scope of what that platform touches. How many devices were enrolled? Which business units? Which geographies? Are there segmentation controls in place, or is it a flat management domain?
With JupiterOne, that question becomes answerable in seconds — not days. Because the graph already knows which accounts hold Intune admin roles, which device groups fall under those roles and what organizational context surrounds each device, you can visualize the potential blast radius before an incident occurs. More importantly, you can identify and close the gaps before an attacker maps the same path.
Security teams can ask JupiterOne questions in plain English — no query language required — using JupiterOne AI. Ask "which users have Intune admin roles and no conditional access policy enforced?" or "show me all devices enrolled in Intune that haven't checked in within the last 7 days" and get an immediate answer with full relationship context. For teams that prefer to go deeper, J1QL provides a precise query layer to explore any relationship chain across your environment.
The result isn't just a list. It's a visual map — a graph you can navigate — that shows the actual attack path from a compromised credential to its furthest point of impact across your identity, device and infrastructure layers. That's the difference between knowing you have a problem and understanding the shape of it.
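The relationship reasoning described in this section, as an added Python illustration that is not JupiterOne's code, schema or J1QL and not Intune's data model: a constructed tenant of users, roles, nested device groups and devices, with a traversal that computes which devices a given identity could wipe, ranks identities by that count, flags wipe-capable identities that lack phishing-resistant MFA, and diffs two snapshots to surface a role grant that enlarged someone's reach. Every name, the `can_wipe` flag and the group nesting are assumptions standing in for whatever a real IdP/MDM export gives you.

```python
"""Blast-radius estimation over a relationship graph.

Added illustration, not JupiterOne or Microsoft code. TENANT is constructed
sample data; entity names, 'can_wipe' and the group nesting are assumptions.
"""
from copy import deepcopy

TENANT = {
    # identity -> attributes worth correlating with privilege (constructed)
    "users": {
        "alice": {"phishing_resistant_mfa": False},
        "bob":   {"phishing_resistant_mfa": True},
        "carol": {"phishing_resistant_mfa": True},
    },
    # role -> whether it carries a remote-wipe permission and the groups it is scoped to
    "roles": {
        "IntuneAdmin":  {"can_wipe": True,  "scope": ["all-devices"]},
        "HelpDeskAPAC": {"can_wipe": True,  "scope": ["apac-devices"]},
        "ReportReader": {"can_wipe": False, "scope": ["all-devices"]},
    },
    # (identity, role) edges
    "assignments": [("alice", "IntuneAdmin"), ("bob", "HelpDeskAPAC"), ("carol", "ReportReader")],
    # group -> members; a member may be a device or another group (the nesting flat lists hide)
    "groups": {
        "all-devices":     ["emea-devices", "apac-devices"],
        "emea-devices":    ["berlin-plant", "lap-001", "lap-002"],
        "apac-devices":    ["singapore-plant", "lap-003"],
        "berlin-plant":    ["hmi-b1", "hmi-b2"],
        "singapore-plant": ["hmi-s1"],
    },
    # device -> organisational context used to answer "which sites are exposed?"
    "devices": {
        "hmi-b1": {"site": "Berlin plant"},    "hmi-b2": {"site": "Berlin plant"},
        "lap-001": {"site": "EMEA office"},    "lap-002": {"site": "EMEA office"},
        "hmi-s1": {"site": "Singapore plant"}, "lap-003": {"site": "APAC office"},
    },
}


def expand_group(tenant, group):
    """Resolve a group to the set of devices it transitively contains (cycle-safe)."""
    devices, groups = tenant["devices"], tenant["groups"]
    found, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in devices:
                found.add(member)
            elif member in groups:
                stack.append(member)
    return found


def blast_radius(tenant, identity):
    """Devices the identity could wipe: union of the scopes of its wipe-capable roles."""
    reach = set()
    for user, role in tenant["assignments"]:
        spec = tenant["roles"].get(role)
        if user != identity or spec is None or not spec["can_wipe"]:
            continue
        for group in spec["scope"]:
            reach |= expand_group(tenant, group)
    return reach


def site_breakdown(tenant, reach):
    """Count a blast radius per site so 'how bad is it?' gets a business answer."""
    out = {}
    for dev in reach:
        site = tenant["devices"][dev]["site"]
        out[site] = out.get(site, 0) + 1
    return out


def rank_identities(tenant):
    """Identities ordered by how many devices they could wipe, largest first."""
    ranked = [(u, len(blast_radius(tenant, u))) for u in tenant["users"]]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def weakly_protected_wipers(tenant):
    """Identities with a non-empty blast radius and no phishing-resistant MFA."""
    return sorted(u for u, attrs in tenant["users"].items()
                  if blast_radius(tenant, u) and not attrs["phishing_resistant_mfa"])


def radius_growth(before, after):
    """Identities whose blast radius grew between two snapshots: the graph change to alert on."""
    grown = {}
    for u in after["users"]:
        delta = blast_radius(after, u) - blast_radius(before, u)
        if delta:
            grown[u] = delta
    return grown


def with_assignment(tenant, user, role):
    """Copy of the tenant with one extra role assignment, for what-if and drift checks."""
    t = deepcopy(tenant)
    t["assignments"].append((user, role))
    return t


if __name__ == "__main__":
    for user, n in rank_identities(TENANT):
        print(f"{user}: {n} devices {site_breakdown(TENANT, blast_radius(TENANT, user))}")
    print("wipe-capable without phishing-resistant MFA:", weakly_protected_wipers(TENANT))
    print("growth after granting carol IntuneAdmin:",
          radius_growth(TENANT, with_assignment(TENANT, "carol", "IntuneAdmin")))
```

Two details carry the argument of this section. First, the traversal resolves nested groups, so a role scoped to a parent group is correctly credited with every device under its children; an inventory that lists direct members only would under-count. Second, `radius_growth` compares two snapshots rather than inspecting one: a new assignment that takes a user from zero reachable devices to the whole fleet is exactly the kind of graph change worth alerting on, even though each snapshot on its own looks like a normal role assignment.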
Questions Worth Raising With Your Team This Week
Most organizations run environments similar to Stryker's. Microsoft Intune, Entra ID, Okta: these platforms are core to how IT and security teams operate at scale. That's not a vulnerability in itself; it's the right architecture for modern work. The question is whether the controls and visibility around those platforms match the level of trust we've placed in them.
A few questions worth raising with your team this week:
- When did you last test a restore of your identity configuration? If your Entra or Okta tenant were wiped or corrupted tonight, could you restore it? From what backup? How recent?
- How long would that recovery take? Hours? Days? Do you have a documented runbook, or would you be starting from scratch?
- Do you have a documented rollback point from before a breach? Many organizations can restore data, but restoring identity state (group memberships, role assignments, conditional access policies, device trust relationships) is a different and harder challenge. And no tenant backup brings back a wiped endpoint: every device that received a wipe command has to be re-imaged and re-enrolled, which is a capacity question to answer before you need it.
These aren't gotcha questions. They're the kind of operational readiness checks that separate organizations that navigate an incident from those that spend weeks in full reconstruction.
Building for Resilience, Not Just Response
Resilience in modern environments requires more than strong perimeter defenses. It requires treating your management infrastructure (the identity layer, the MDM plane, the cloud consoles) as a target, because attackers increasingly do. Global admin and Intune admin roles should be treated like production-critical assets: protected with strict least privilege, phishing-resistant MFA, PAM controls and continuous monitoring. In practice that means scoping Intune roles with scope groups and scope tags rather than granting tenant-wide rights, making privileged roles eligible rather than permanently active through Entra PIM, and remembering that the wipe-capable population is larger than the Intune Administrator role alone: Global Administrators and any Intune RBAC role that grants remote tasks such as wipe belong in the same inventory. And organizations need the ability to visualize, in real time, what the full impact of a compromise at any node in that graph would look like.
We don't know all the details of what happened at Stryker and the investigation is ongoing. What we do know is that the pattern — control-plane compromise, legitimate tools turned into weapons, destructive over extortive intent — is one the security community has been anticipating. The organizations best positioned to respond to this pattern are the ones that have already mapped their administrative relationships, identified the highest-risk paths and built the visibility to detect when something in that graph changes unexpectedly.
That's the work. And the good news is it doesn't require starting over — it requires seeing what's already there.
If you want to see how JupiterOne maps your identity and device management assets, visualizes your blast radius and helps you ask the right questions before an incident forces them, we're happy to walk you through it.