Outline:
LESSONS LEARNED FROM A DECADE OF DATA BREACHES
LET'S TALK ATTACK SURFACE
PEN TESTING: EIGHT-STEP PROCESS
TLAs AND FLAs
USER LIFECYCLE
WHO (TRADITIONALLY) DOES WHAT!
OSINT GATHERING
DOCUMENT METADATA
WHAT ARE WE LOOKING FOR AGAIN?
PASSWORD SPRAYING
SOCIAL ENGINEERING (SE)
SE ATTACK SCENARIOS
PASSWORD SELF-SERVICE
SELF-REGISTRATION
ANALYZE YOUR EXTERNAL ATTACK SURFACE
REDUCE SAID ATTACK SURFACE
TIGHTEN UP ADMIN PRIVILEGES
DETECTION IS KING
MISDIRECTION
FUNDAMENTALS FTW
Description:
A 58-minute conference talk from BSides Cleveland 2018 on penetration testing Identity and Access Management (IAM). It opens with lessons learned from a decade of data breaches, then walks through attack-surface analysis and an eight-step pen testing process before covering the user lifecycle, who traditionally owns which IAM function, and OSINT gathering (including document metadata). The offensive half covers password spraying, social engineering attack scenarios, and the password self-service and self-registration flows an attacker targets. The defensive half shows how to analyze and reduce the external attack surface, tighten admin privileges, build detection (the talk's "detection is king"), use misdirection against attackers, and get the fundamentals right to strengthen an organization's IAM defenses.
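The outline pairs password spraying with "detection is king", and the reason spraying works is that it defeats the usual per-account failed-login counter: one source tries one or two common passwords against many accounts, never approaching any single account's lockout threshold. Detecting it means pivoting to the source and counting distinct accounts per window. The following detector is an added example written for this page, not code from the talk or its speaker; the log format (`<ISO timestamp> FAIL|SUCCESS user=<name> src=<ip>`), the sample lines and the thresholds are all assumptions, and the log lines are constructed, not captured from any real system.

```python
"""
Password-spray detection over authentication logs (added example).

A per-account failure counter never fires during a spray, because each
account sees only a few attempts. Pivoting to the SOURCE and counting
distinct accounts failed within a window catches the pattern, and
checking for a later success from the same source tells you whether the
spray found a valid credential.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (not a real product's format):
#   "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. 203.0.113.7 sprays five accounts once each and
# then logs in as frank; 198.51.100.9 hammers a single account (brute
# force, not a spray); 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2018-06-23T09:00:01 FAIL user=alice src=203.0.113.7
2018-06-23T09:00:03 FAIL user=bob src=203.0.113.7
2018-06-23T09:00:05 FAIL user=carol src=203.0.113.7
2018-06-23T09:00:07 FAIL user=dave src=203.0.113.7
2018-06-23T09:00:09 FAIL user=erin src=203.0.113.7
2018-06-23T09:00:11 SUCCESS user=frank src=203.0.113.7
2018-06-23T09:05:00 FAIL user=alice src=198.51.100.9
2018-06-23T09:05:01 FAIL user=alice src=198.51.100.9
2018-06-23T09:05:02 FAIL user=alice src=198.51.100.9
2018-06-23T09:05:03 FAIL user=alice src=198.51.100.9
2018-06-23T09:05:04 FAIL user=alice src=198.51.100.9
2018-06-23T09:05:05 FAIL user=alice src=198.51.100.9
2018-06-23T09:30:00 FAIL user=grace src=192.0.2.44
2018-06-23T09:30:40 SUCCESS user=grace src=192.0.2.44
"""


def parse_log(text):
    """Parse the assumed format into (timestamp, result, user, src) tuples.
    Non-matching lines are skipped; a production parser should count them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag sources whose failures hit >= min_accounts distinct accounts inside
    `window` while no single account fails more than max_per_account times.
    Keep max_per_account below the directory's lockout threshold: that is the
    band an attacker deliberately stays in. Returns
    {src: {"accounts": [...], "successes": [users that succeeded after the spray began]}}."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        fails.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                later = sorted({u for ts, u in successes.get(src, []) if ts >= start})
                findings[src] = {"accounts": sorted(per_user), "successes": later}
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"successful logins afterwards: {info['successes'] or 'none'}")
```

The single-account burst from 198.51.100.9 is deliberately not reported here: it trips the ordinary lockout logic and belongs to a separate brute-force rule. In practice the `src` key also needs to be widened to ASN or user-agent, since sprays against cloud identity providers are routinely distributed across many addresses to stay under any per-IP count.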