Most people get into cybersecurity because they like solving problems. Alex Weinert got into it by accidentally hacking Microsoft.
Back in college, running out of time on a project, Weinert found a web server running under someone’s desk at Microsoft and planted his resume. Instead of getting arrested, he got hired. That improbable start eventually led him to lead Microsoft’s identity protection team, responsible for securing billions of users across Outlook, Xbox, Azure, and enterprise platforms.
At Identiverse 2025, Weinert, now chief product officer at Semperis, stepped on stage to share what 15 years of defending one of the largest identity platforms in the world had taught him. The result was five clear, deeply personal lessons that went beyond technology to include process, mindset, and personal cost.
1. Data will set you free
When Weinert joined the identity team, there was almost no telemetry. The team operated mostly on gut instinct and anecdotes. That changed in 2012, when they embedded telemetry throughout Microsoft’s login systems, identity flows, and APIs. Suddenly, they could see exactly how users behaved, how attackers exploited gaps, and what interventions worked.
“We didn’t have time for security theater,” he said. “Data grounded us in what was real.”
For example, passive nudges to turn on MFA barely moved the needle. But hard prompts triggered during login converted 70 percent of users. The data also helped make the case to executives.
“Moralizing doesn’t move roadmaps,” Weinert said. “But showing how MFA saves millions in support calls? That gets prioritized.”
2. It’s worse than you think
Weinert’s motto at Microsoft was short and bleak: it’s worse than you think. And most days, it was.
Nation-state groups like Midnight Blizzard and Storm-0558 exploited federated identity flaws, forgotten app secrets, and overly broad permissions to gain extensive access. Microsoft eventually purged hundreds of thousands of stale tenants and applications, even when compromise wasn’t confirmed.
“They don’t need perfect,” Weinert said. “They just need one thing left open. And they have the time and budget to find it.”
His takeaway: security teams must shift left, build preventative controls, and move beyond posters and policy docs. He advocated for deterministic protections like passkeys that don’t rely on user willpower or education.
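The kind of hygiene pass described above, flagging app registrations that are unused, ownerless, carrying expired credentials, or holding unusually broad permissions, can be expressed as a small review script. The following is an added example, not code from the article, from Weinert, or from Microsoft: the record shape, the field names, the 90-day staleness window and the set of "high-risk" permission names are all assumptions (the names follow Microsoft Graph's naming convention but are chosen here for illustration), and the inventory at the bottom is constructed sample data.

```python
"""Flag stale or over-privileged app registrations from an inventory snapshot.

Added illustrative example; record shape, field names and thresholds are
assumptions, and SAMPLE_INVENTORY below is constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
STALE_AFTER = timedelta(days=90)                  # assumed: no sign-in for 90 days => stale

# Assumed set of permissions broad enough to require an explicit justification.
HIGH_RISK_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}


@dataclass
class AppRecord:
    app_id: str
    display_name: str
    owners: list[str]
    permissions: set[str]
    secret_expiry: datetime | None   # None when the app has no credential registered
    last_sign_in: datetime | None    # None when the app has never signed in


def review_app(app: AppRecord, now: datetime = NOW) -> list[str]:
    """Return review findings for one app; an empty list means nothing to flag."""
    findings: list[str] = []
    if app.last_sign_in is None or now - app.last_sign_in > STALE_AFTER:
        findings.append("stale: no sign-in within the review window")
    if not app.owners:
        findings.append("orphaned: no owner to answer for it")
    if app.secret_expiry is not None and app.secret_expiry < now:
        findings.append("expired credential still registered")
    broad = sorted(app.permissions & HIGH_RISK_PERMISSIONS)
    if broad:
        findings.append("overly broad permissions: " + ", ".join(broad))
    return findings


def triage(inventory: list[AppRecord], now: datetime = NOW) -> dict[str, list[str]]:
    """Map app_id -> findings for every app that has at least one finding."""
    return {a.app_id: f for a in inventory if (f := review_app(a, now))}


# Constructed sample inventory (identifiers and names are made up).
SAMPLE_INVENTORY = [
    AppRecord("app-001", "payroll-sync", ["alice"], {"User.Read"},
              NOW + timedelta(days=120), NOW - timedelta(days=3)),
    AppRecord("app-002", "legacy-reporting", [], {"Directory.ReadWrite.All"},
              NOW - timedelta(days=400), NOW - timedelta(days=300)),
    AppRecord("app-003", "hackathon-demo", ["bob"], {"User.Read"},
              NOW + timedelta(days=10), None),
]

if __name__ == "__main__":
    for app_id, findings in triage(SAMPLE_INVENTORY).items():
        print(app_id)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script lists `app-002` with all four findings and `app-003` as stale-never-used, while the actively used, well-scoped `app-001` produces nothing. In practice the inventory would come from the directory's own API rather than a hard-coded list, and the review output would feed a ticket or an automated disable-after-grace-period flow rather than being printed.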
3. Build the machine
Weinert described a chaotic cycle of non-stop incidents, beginning with SolarWinds and extending through major breaches that followed. The team was burning out.
So they changed the frame. The question became not “how did this happen” but “why did our systems allow it to happen?”
The shift led to a more mature response model. Root cause tracking, trend analysis, and feedback loops were formalized. Incident response was no longer just reactive—it became a structured machine for improving readiness.
“The goal isn’t incident response,” Weinert said. “It’s incident readiness.”
4. Design a pit of success
Even when Microsoft made MFA free, only a small fraction of users adopted it. The reason, Weinert said, was friction. Turning on MFA was like installing your own seatbelt in a car that wasn’t designed to have one. It took effort, and the burden was on users.
What changed? Microsoft, Salesforce, and AWS began requiring MFA. CISA got involved. Security defaults became the standard.
“Security has to be the easiest path, not the heroic one,” he said. “You can’t expect users to beat the odds like it’s Vegas.”
The lesson: design secure defaults that users fall into, not ones they must fight to reach.
5. If the mission depends on you, it will eventually fail
In the most personal part of his talk, Weinert shared the story of his son’s leukemia diagnosis in 2010. He moved into the hospital and tried to do everything himself, until he realized that burning out would remove him from the fight entirely.
The parallel to cybersecurity was clear. “We treat it like a mission, like we’re the last line of defense,” he said. “But if you fall apart, the mission does too.”
Weinert gave his team four years’ notice that he would eventually step away. When he left in January, the system didn’t break. The team didn’t panic. The identity machine kept running.
“It proved I wasn’t essential,” he said. “Which meant I’d done my job.”