Customer case study
A UK fintech with 1,200 employees, three inherited Active Directory domains, and a SOC 2 Type II audit six weeks away deployed IdentityFirst in 4 hours — and walked into their audit with a clean bill of identity health.
Industry: Fintech
Employees: ~1,200
Location: London, UK
Connectors: WEF ×3, Entra ID, AWS CloudTrail
Time to first assessment: 4 hours
Results at a glance
34%: Reduction in privileged identity surface within 30 days
147: Stale accounts identified and remediated before the SOC 2 audit
< 1 day: To generate a board-ready Audit Committee report from first assessment
18 min: Full assessment across 1,200 identities, 3 connectors in parallel
Identity Coverage Ratio (ICR): Improved from 41% to 78% in 60 days
The challenge
The company had grown through two acquisitions over four years — and inherited a domain controller from each one. By the time the SOC 2 Type II audit was scheduled, the security team of two was managing three separate Active Directory domains, an Entra ID tenant, and an AWS footprint, with no unified view across any of them.
Privileged access had never been audited systematically. Stale accounts from employees who had left during the acquisitions were still present in AD but never confirmed as disabled. The CISO had escalated the risk to the board, but without evidence, it was impossible to scope the problem — let alone fix it before the audit window closed.
Manual sampling would have taken weeks. A full IGA deployment was out of the question on the timeline and with a two-person team. They needed something they could stand up fast and trust immediately.
The solution
IdentityFirst was deployed on a single Windows Server instance in the company's Azure environment. Windows Event Forwarding was configured on each of the three domain controllers — a process that took under 30 minutes per domain — and began streaming Security Event log data immediately. Entra ID was connected via read-only Microsoft Graph API credentials, and AWS CloudTrail via a read-only IAM role.
No agents were required on endpoints. No changes were made to existing IAM configuration. The first assessment run completed in 18 minutes across all five connectors, surfacing findings from all three AD domains simultaneously.
The initial assessment identified 147 stale accounts, 12 Tier-0 identities with no MFA enrolled, and 9 accounts with Global Administrator rights that had not logged in for more than 90 days. Each finding was mapped automatically to SOC 2 CC6.1 and CC6.3 controls.
Deployment timeline
IdentityFirst deployed; WEF configured on domain controller 1
WEF extended to domain controllers 2 and 3
Entra ID and AWS CloudTrail connectors connected
First full assessment complete; findings reviewed
Board-ready Audit Committee report generated and circulated
Privileged identity surface reduced by 34%; 147 stale accounts remediated
ICR improved from 41% to 78%; SOC 2 audit passed
“We had a SOC 2 audit in 6 weeks and no idea what our privileged access looked like. IdentityFirst gave us the answer in an afternoon. The board report practically wrote itself.”
Head of Security
UK Fintech, ~1,200 employees
First assessment findings
Stale accounts: 147 (severity: High; SOC 2 CC6.1)
User accounts active in AD but with last logon > 90 days; 62 were from pre-acquisition employees
Tier-0 identities without MFA: 12 (severity: Critical; SOC 2 CC6.3)
Domain Admins and Global Admins with no MFA method enrolled across Entra ID or on-prem
Dormant privileged accounts: 9 (severity: High; SOC 2 CC6.3)
Global Administrator accounts with no sign-in activity in over 90 days, still fully active