An initial access broker, or IAB, is a cybercriminal actor who obtains access to victim environments and then sells that access to other threat actors. The role matters because this specialization lets ransomware groups and other attackers buy a foothold instead of performing every part of the intrusion themselves.
What is an Initial Access Broker (IAB)?
IABs may obtain access through phishing, stolen credentials, exposed remote access, infostealer logs, vulnerability exploitation, or third-party compromise. Once they have a foothold, they may advertise and price that access according to the victim’s size, geography, industry, privilege level, or environment type.
This division of labor makes the criminal ecosystem more efficient by separating access acquisition from later stages such as ransomware deployment or data theft.
What IAB Access Commonly Includes
Access may include VPN credentials, RDP entry, cloud admin accounts, valid sessions, web-shell access, or domain-level footholds depending on what the broker obtained.
IAB vs. Full-Scope Intrusion Group
An IAB specializes in obtaining and selling access. A full-scope intrusion group usually handles later actions such as privilege escalation, lateral movement, exfiltration, and extortion.
Frequently Asked Questions
Why do IABs matter defensively?
Because stolen access can be resold multiple times, so an initial compromise may create continuing risk even after one attacker is removed.
What helps reduce IAB-related risk?
Strong MFA, hardened remote access, credential monitoring, rapid response to infostealer exposure, and aggressive cleanup of compromised identities all help.
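The two answers above (resold access creating continuing risk, and rapid response to infostealer exposure plus cleanup of compromised identities) can be turned into a small triage routine. The following is an added example written for this page, not code from the original page or from any vendor; the exposure feed, authentication log, ASN values and action strings are all constructed and hypothetical. It flags accounts whose credentials appear in an infostealer exposure feed and are still being used, detects the pattern of one credential being used from several unrelated networks in a short window (which is what resale to more than one buyer looks like in logs), and produces the cleanup actions a responder would take.

```python
"""
Added example (not from the original page): triage of infostealer-exposed
accounts and detection of the "resold access" pattern in authentication logs.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed infostealer-exposure feed: user,exposed_at (UTC, ISO 8601)
EXPOSURE_FEED = """\
# user,exposed_at
alice,2024-05-01T08:00:00
bob,2024-05-02T12:30:00
"""

# Constructed authentication log: timestamp,user,src_ip,asn,service,mfa
AUTH_LOG = """\
# timestamp,user,src_ip,asn,service,mfa
2024-05-01T06:10:00,alice,203.0.113.5,AS64500,vpn,yes
2024-05-01T22:15:00,alice,198.51.100.9,AS64501,vpn,no
2024-05-03T09:40:00,alice,192.0.2.77,AS64502,rdp,no
2024-05-02T13:00:00,bob,203.0.113.8,AS64500,cloud-console,yes
2024-05-02T19:00:00,carol,203.0.113.9,AS64500,vpn,yes
"""

# Services counted as remote access for the MFA check (hypothetical names)
REMOTE_ACCESS = {"vpn", "rdp", "cloud-console"}


@dataclass
class AuthEvent:
    user: str
    ts: datetime
    src_ip: str
    asn: str       # source network, as an analyst would enrich it
    service: str
    mfa: bool


@dataclass
class Finding:
    user: str
    reasons: list
    actions: list


def parse_feed(text):
    """Return {user: exposure_time} from the constructed exposure feed."""
    exposed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, ts = line.split(",")
        exposed[user] = datetime.fromisoformat(ts)
    return exposed


def parse_auth_log(text):
    """Return a list of AuthEvent from the constructed auth log."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, asn, service, mfa = line.split(",")
        events.append(AuthEvent(user, datetime.fromisoformat(ts), ip, asn,
                                service, mfa == "yes"))
    return events


def triage(exposed, events, window=timedelta(hours=72)):
    """Return {user: Finding} for accounts that need responder attention."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        exposed_at = exposed.get(user)
        # Only events after the exposure time matter for an exposed account
        relevant = [e for e in evs if exposed_at is None or e.ts >= exposed_at]
        reasons, actions = [], []

        if exposed_at is not None:
            reasons.append(f"credential used {len(relevant)} time(s) after "
                           f"exposure at {exposed_at.isoformat()}")

        # Resale signal: distinct source networks within a sliding window
        max_nets = 0
        for e in relevant:
            nets = {f.asn for f in relevant if e.ts - window <= f.ts <= e.ts}
            max_nets = max(max_nets, len(nets))
        if max_nets >= 2:
            reasons.append(f"used from {max_nets} unrelated networks within "
                           f"{window}: consistent with resold access")
            actions.append("treat as multi-actor; hunt for persistence from "
                           "every source network")

        # Remote access without MFA is the weakness IAB buyers rely on
        no_mfa = sorted({e.service for e in relevant
                         if e.service in REMOTE_ACCESS and not e.mfa})
        if no_mfa:
            reasons.append("remote access without MFA on: " + ", ".join(no_mfa))
            actions.append("enforce MFA on: " + ", ".join(no_mfa))

        # Exposed or multi-network use both warrant full identity cleanup
        if exposed_at is not None or max_nets >= 2:
            actions = ["reset password", "revoke all sessions and tokens"] + actions

        if reasons:
            findings[user] = Finding(user, reasons, actions)
    return findings


if __name__ == "__main__":
    for f in triage(parse_feed(EXPOSURE_FEED), parse_auth_log(AUTH_LOG)).values():
        print(f.user, "| reasons:", "; ".join(f.reasons), "| actions:", "; ".join(f.actions))
```

In the constructed data, alice's credential is used from two different networks after it appears in the feed, both times without MFA, so she gets the full set of actions; bob's credential was used once after exposure, from the usual network with MFA, and still gets a reset and session revocation because exposure alone is enough; carol produces no finding. The sliding window over distinct ASNs is the part that addresses resale: a single remediation against one source network is not enough when the same credential is being used from several.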