Initial Access Broker (IAB)
Also known as: IAB, Access broker
An initial access broker (IAB) is a cybercriminal who sells access to compromised networks and accounts to other attackers, such as ransomware groups. IABs frequently source their access from infostealer logs, making stolen credentials a direct pipeline into enterprise intrusions.
What is an initial access broker?
Initial access brokers specialise in obtaining and reselling access to victim environments. Rather than carrying out the final attack themselves, they acquire footholds — valid VPN, RDP, or SSO credentials, web shells, or compromised accounts — and sell them to other criminals who monetise the access.
The link to infostealers
Infostealer logs are a prime supply source for IABs. Corporate credentials harvested by a stealer — particularly for remote access and SSO — can be packaged and sold as ready-made access. This is a key mechanism by which a single employee's infostealer infection escalates into a full network breach or ransomware event.
VantaPrism helps organisations intercept this pipeline by detecting their corporate credentials in infostealer logs before an initial access broker can package and sell them.
Frequently Asked Questions
How do initial access brokers get access?
Why are IABs linked to ransomware?
Related Terms
Infostealer malware is a category of malicious software designed to silently harvest sensitive data — passwords, sess…
A stealer log is the package of data exfiltrated from a single device by infostealer malware. It typically contains s…
Compromised credentials are usernames and passwords that have been exposed to unauthorized parties — frequently throu…
Account takeover (ATO) is when an attacker gains unauthorized control of a legitimate user account, typically using s…