Curated demo content by default.
The /demo route group is a public demonstration surface. Its stories, report packs, and portal views are intentionally curated unless a live tenant is explicitly selected.
This scenario shows first-assessment visibility, followed by a second run that demonstrates movement without pretending the data is complete. It uses the current webapp surface and report structure with a fictional UK financial-services scenario, kept explicit about representative data, P1-only licensing, and what is and is not yet mature.
Blast radius framing
This view shows cross-platform privilege chains that span AD, ADFS, Entra, Azure, AWS, and SaaS. The worst path starts with a leaver account that was never disabled and reaches treasury batch processing through an unreduced ADFS trust.
Blast score: 78
Affected identities: 12
Systems: 6
Applications: 4
A former treasury analyst account creates a live privilege chain from Active Directory through ADFS federation to treasury batch processing endpoints. Combined with 28 standing privileged assignments and 1,490 users without MFA, the first-install blast radius represents material control exposure across the hybrid estate.
Score: 78
Systems: 6
Users: 12
Apps: 4
Data stores: 3
Regulatory impact
Recommended action
Disable the leaver account and associated ADFS trust path, begin phased MFA rollout for the standard user estate, and reduce standing privileged assignments to named operational need.
Identities in scope (identity: type / platform):
- svc-treasury-batch: Service account / AD / ADFS
- admin.ops@meridiancrest.co.uk: Global administrator / Entra ID
- admin.infra@meridiancrest.co.uk: Global administrator / Entra ID
- j.hargreaves (leaver): Former employee / AD / Entra ID
- analytics-deploy-role: IAM role / AWS
- d.watson (advisory support): Employee / AD / MIM
- r.kaur (servicing): Employee / AD / MIM
- ext-auditpartner@deloitte.com: Guest / M365
- sharedadmin-weekend: Shared account / Azure
- s.patel (Bristol branch): Employee / AD / ADFS
- svc-servicenow-fulfil: Service account / ServiceNow
- vpn-branch-access-group: Security group / AD
A leaver account reaches treasury batch processing through an unbroken chain: AD sync preserves the identity in Entra, an unreduced ADFS trust accepts authentication, and the treasury portal has write access to batch endpoints.
1. The former treasury analyst account was not disabled at departure and still synchronises to Entra ID through the hybrid sync connector.
2. The synchronisation maintains the leaver identity in the Entra tenant, preserving cloud-side group memberships.
3. An unreduced ADFS relying party trust still accepts authentication for the treasury servicing portal. The leaver identity reaches the portal through this trust path.
4. The treasury portal has write access to batch processing endpoints. A compromised leaver account could initiate or modify payment instructions.
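To make the chain concrete, here is an added example (not part of the demo or its product code) that models the hops above as a small directed graph, enumerates paths from an identity to the batch endpoint, and reports which controls sit on every path, so fixing any one of them cuts the chain. Node names and edge labels are constructed from the scenario text; the second identity (s.patel) is included only to show that the ADFS trust is shared across paths.

```python
from collections import defaultdict

# Constructed graph of the scenario above: each edge is one hop in a privilege chain,
# labelled with the missing or weak control that makes that hop possible. Sample data only.
EDGES = [
    ("j.hargreaves (leaver)", "entra:j.hargreaves", "AD leaver account not disabled before hybrid sync"),
    ("entra:j.hargreaves", "adfs:treasury-rp-trust", "unreduced ADFS relying party trust"),
    ("adfs:treasury-rp-trust", "app:treasury-portal", "portal accepts the federated identity"),
    ("app:treasury-portal", "endpoint:treasury-batch", "portal write access to batch endpoints"),
    ("s.patel (Bristol branch)", "adfs:treasury-rp-trust", "unreduced ADFS relying party trust"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, ctrl in edges:
        graph[src].append((dst, ctrl))
    return graph

def find_paths(graph, start, target):
    """Return every simple path from start to target as the list of controls it crosses."""
    paths, stack = [], [(start, {start}, [])]
    while stack:
        node, seen, ctrls = stack.pop()
        if node == target:
            paths.append(ctrls)
            continue
        for nxt, ctrl in graph.get(node, []):
            if nxt not in seen:  # avoid cycles
                stack.append((nxt, seen | {nxt}, ctrls + [ctrl]))
    return paths

def chain_breakers(paths):
    """Controls present on every path: remediating any one of them cuts the whole chain."""
    return set.intersection(*map(set, paths)) if paths else set()

def identities_reaching(graph, target):
    """Identity nodes (no platform prefix) that have at least one path to the target."""
    return sorted(n for n in list(graph) if ":" not in n and find_paths(graph, n, target))

if __name__ == "__main__":
    g = build_graph(EDGES)
    leaver_paths = find_paths(g, "j.hargreaves (leaver)", "endpoint:treasury-batch")
    print(len(leaver_paths), "path(s) from the leaver to treasury batch processing")
    for ctrl in sorted(chain_breakers(leaver_paths)):
        print("  chain breaker:", ctrl)
    print("identities reaching target:", identities_reaching(g, "endpoint:treasury-batch"))
```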
- Begin a phased P1-based MFA rollout for priority user groups immediately.
- Disable stale accounts with VPN, ADFS, and cloud access before the next run.
- Reduce standing assignments and separate emergency access from routine administration.
- Rationalise ADFS trusts, retire redundant claim rules, and document ownership.
Source confidence: 42% of paths backed by confirmed evidence
Evidence gaps:
- MIM attribute logic incomplete at 57% normalisation. Fix: complete MIM rule mapping for department-change entitlement logic.
- ServiceNow fulfilment data not fully normalised to lifecycle events. Fix: map joiner/mover/leaver patterns to HR-driven lifecycle triggers.
- AWS workload access paths still developing beyond analytics trust. Fix: expand AWS connector coverage to include digital-services role boundaries.