Every breach begins with a login that should have been stopped.
10:47 p.m. A login succeeds. Twenty minutes later, a single criminal holds the keys to 134 organisations - and no one knows yet. That was Okta. The same pattern ran through Change Healthcare, MGM, Marks & Spencer, Transport for London, Jaguar Land Rover, and the first AI-orchestrated espionage campaign of 2025. In every case the decisive failure was not exotic malware. It was an identity that logged in when it should have been challenged.
The Last Login is the board-level playbook for the identity era - the first book to name the single architectural decision that determines whether an identity attack succeeds or fails, and to turn it into an operating doctrine you can deploy on Monday morning.
By the last page you will be able to:
One doctrine runs through every chapter: VERIFY · LIMIT · DETECT · PROVE. Verify trust continuously; limit the blast radius; detect the attacker inside the boundary in seconds; and prove - to the board, the regulator, and the court - that the control held. It is the difference between an organisation that had a policy and one that can demonstrate the policy stopped the attack.
Grounded in the documented record of 2023-2026 and the regimes now placing identity failure on the balance sheet - NIS2, DORA, the UK Cyber Security and Resilience framework, and the SEC disclosure rules - this is a reference you will keep on the desk long after the first read: framework diagrams, a Conditional Access policy library, KQL detections, a KRI library, twenty-five board questions, an anti-patterns catalogue, and a fully sourced incident register.
For CISOs, CIOs, security architects, risk and audit leaders, board members, and the engineers who hold the line at 3 a.m. If you read one identity-security book this year, read the one that names the decision the others only circle.
Govern the login. Limit the blast. Detect the movement. Prove the control.