Exposure score
58/100
Current decision-grade posture
Command Center
IdentityFirst should give leadership a reason to act, not just another screen of findings. This command center is the operating view of exposure, confidence, commercial consequence, and the next move.
Demo truth boundary
Use this page to prove how IdentityFirst surfaces exposure, confidence, consequence, and next action. Do not treat it as a tenant-live runtime console. The route shape is real; the scenario data is deliberately curated.
Data mode
Curated MRI dataset
Stable scenario framing for commercial consistency, not a tenant-live assessment run.
Route status
Live demo route
Real product surface and navigation flow, backed by current demo/report contracts.
Execution boundary
Governed separately
Write-back, kill switch, and runtime enforcement remain tier, connector, and tenant dependent.
Current represented health
2 connector gaps visible
The command center now shows connector quality pressure instead of implying universal coverage.
Demo truth model
Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.
Quick stats
Executive snapshot
Exposure score
58/100
Current decision-grade posture
Time to impact
6h
Shortest route to privileged effect
Evidence confidence
73%
Assessment completeness and signal quality
Loss avoidance
£283,272
Modeled from £48,840 remediation investment
Why this matters now
Top driver is Okta: push-based MFA (not FIDO2) for analyst cohort is susceptible to MFA fatigue attacks. The current path reaches AWS IAM in 3 hops, with likely impact in 6 hours. Evidence confidence is 73%, which is high enough to support an executive decision rather than another round of interpretation.
Posture trend
Improving
Based on recent MRI runs
Time to impact
6h
Shortest modeled attack path
Time to value
7-14 days
Visible operational improvement
Decision required
Fund + enforce
Budget and policy action
Commercial case
Customers do not buy a dashboard to admire it. They buy it to shorten decision time, justify funding, and remove the attack path before the cost of delay overtakes the cost of action.
Guided executive narrative
The dashboard gives you the decision signal. These report views turn that signal into the right language for funding, ownership, remediation, and assurance.
Executive decision
Use when the next question is funding, risk acceptance, or whether the exposure is severe enough to change course now.
Shows posture, commercial consequence, and the decision required.
Open board report
Operational leadership
Use when leadership needs owner accountability, risk concentration, and a cleaner view of what should be prioritised first.
Turns the same evidence into an action-led leadership brief.
Open CISO report
Remediation detail
Use when the decision is already made and engineers, IAM, or platform owners need the actual attack path and remediation sequence.
Reframes the same story as a fix list with evidence context.
Open technical report
Stakeholder variants
Use the report catalogue when the same identity story needs to be re-expressed for audit, GRC, IAM, or detection stakeholders.
Lets you switch stakeholder language without changing the underlying truth.
Open report catalogue
Top attack path
acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
This reaches AWS IAM in 3 hops.
A single phishing attack against a non-privileged analyst yields full AWS production access and extends laterally to two additional AWS accounts through existing cross-account trust relationships. This is a realistic route, not a theoretical checklist issue, because the same control weaknesses already exist across the connected estate.
Blast radius
183
Identities exposed
Lateral depth
4
Maximum reach
Critical alerts
2
Need immediate attention
Confidence
73%
Evidence completeness
Entry
acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
Looks ordinary at first glance.
Okta · hop 1
Account phish
Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Entra ID · hop 2
Federation token
Okta SAML assertion accepted; CA-FederatedSessions does not require step-up for Okta-sourced sessions; attacker obtains Entra access token
AWS IAM · hop 3
Role assumption
sts:AssumeRoleWithSAML to acme.role.cloud-admin (AdministratorAccess); 12-hour session; no condition keys on trust policy
Attack path driver
Okta: push-based MFA (not FIDO2) for analyst cohort is susceptible to MFA fatigue attacks
Attack path driver
Entra CA: CA-FederatedSessions lacks step-up requirement for Okta-sourced tokens
Attack path driver
AWS IAM: acme.role.cloud-admin trust policy has no aws:MultiFactorAuthPresent or sts:SourceIdentity condition
Posture
Posture score (0-100)
Derived from live risk, coverage, and connector signals
Projected after remediation
71
90-day trend
Breakdown
IdentityFirst should show which lever changes the score fastest. Here, the first gain comes from collapsing the shortest privilege path, then reducing standing privilege and lifecycle drift behind it.
Decision queue
Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.
Step 1 · Cloud · low priority · 6h
Removes the shortest path to privileged impact and gives leadership the fastest visible risk reduction.
Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access.
Step 2 · Cloud · medium priority · 20h
Reduces the chance that the same path reappears through stale privilege or machine identity drift.
Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list.
Step 3 · IAM · low priority · 6h
Improves evidence quality and makes the next reporting cycle easier to defend to customers, auditors, and leadership.
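As an added check (not IdentityFirst's code), this Python script evaluates an AWS IAM role's SAML trust policy against the attack-path drivers and decision-queue step 1 above: it flags a trust statement that lacks the aws:MultiFactorAuthPresent, sts:SourceIdentity or aws:RequestedRegion condition keys, and a MaxSessionDuration above one hour. The role dicts, account ID and region are constructed sample data shaped like iam:GetRole output, not values from the page.

```python
# Trust-policy condition keys named by the page's attack-path drivers and decision-queue step 1.
REQUIRED_CONDITION_KEYS = {"aws:MultiFactorAuthPresent", "sts:SourceIdentity", "aws:RequestedRegion"}
MAX_SESSION_SECONDS = 3600  # step 1: restrict session duration to 1 hour


def condition_keys(statement):
    """Collect every condition key used anywhere in a statement's Condition block."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block)
    return keys


def assess_saml_role(role):
    """Return finding strings for a role dict shaped like iam:GetRole output; empty means clean."""
    name, findings = role["RoleName"], []
    statements = role["AssumeRolePolicyDocument"]["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue  # only SAML-federated assumption statements are in scope here
        missing = sorted(REQUIRED_CONDITION_KEYS - condition_keys(stmt))
        if missing:
            findings.append(f"{name}: SAML trust statement lacks {', '.join(missing)}")
    if role.get("MaxSessionDuration", 3600) > MAX_SESSION_SECONDS:
        findings.append(f"{name}: MaxSessionDuration {role['MaxSessionDuration']}s exceeds {MAX_SESSION_SECONDS}s")
    return findings


def saml_role(max_session, condition, actions="sts:AssumeRoleWithSAML"):
    """Build a constructed role dict shaped like iam:GetRole output (account id is a placeholder)."""
    return {"RoleName": "acme.role.cloud-admin", "MaxSessionDuration": max_session,
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": actions, "Condition": condition,
                "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/Okta"}}]}}


# Hop 3 as the page describes it: 12-hour session, audience check only, no other condition keys.
WEAK_ROLE = saml_role(43200, {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}})
# Decision-queue step 1 applied: MFA, region and source-identity conditions, session capped at 1 hour.
HARDENED_ROLE = saml_role(3600, {
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml", "aws:RequestedRegion": "eu-west-2"},
    "StringLike": {"sts:SourceIdentity": "acme.user.*"},
}, ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"])

if __name__ == "__main__":
    for role in (WEAK_ROLE, HARDENED_ROLE):
        print(role["RoleName"], assess_saml_role(role) or ["no findings"])
```

The hardened sample also grants sts:SetSourceIdentity, which a caller needs in order to satisfy a sts:SourceIdentity condition on the trust statement.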
Evidence freshness
Last completed run
32 days ago
Latest MRI assessment
Connector health
7/9
2 degraded or failed
Evidence confidence
73%
Signal quality across the current run
Estate coverage
2,014
Identities assessed in this evidence set
Connector health
9 registered
Microsoft Entra ID
43d ago
Okta
43d ago
AWS IAM
43d ago
Google Cloud IAM
44d ago
GitHub
45d ago
SailPoint
43d ago
Active Directory
43d ago
ServiceNow
47d ago
+1 more connector not shown
Findings in focus
6 Permanent Global Administrator Assignments Without PIM
high · Entra ID
Six independent paths to tenant-level control; each represents a persistent elevated attack surface.
Why a customer should care
This finding contributes roughly £420,000 of modeled exposure if the path remains open.
CA-FederatedSessions: No Step-Up for Okta Token
medium · Entra ID
Okta session compromise propagates to Entra without additional authentication challenge.
Why a customer should care
This finding is part of the shortest route from hidden identity debt to operational impact.
156 Users Without Phishing-Resistant MFA Registration
medium · Entra ID
Large cohort vulnerable to SIM-swap and MFA-fatigue attacks.
Why a customer should care
This finding is part of the shortest route from hidden identity debt to operational impact.
Trend