<- Command Center/TDR ReportDemo | 2,000 users | MRI | BETA

BoardLive route · representative CISOLive route · representative AuditLive route · synthetic GRCLive route · synthetic IAMLive route · synthetic TechnicalLive route · preview TDRLive route · preview

Current route truth

Preview-grade detection output

The public route exists now and demonstrates detection-and-response storytelling; it remains preview-grade demo output rather than a live SOC feed.

Strongest first view

Open Board

Start here when you need the strongest first commercial story: risk, consequence, funding decision, and executive ownership.

TDR demo viewSynthetic data | 2,000 usersPublic demo output

This TDR report is a synthetic public demo surface. It is intended to show representative response and detection storytelling, not to imply guaranteed detection, full verification, or identical live-portal delivery on every authenticated route.

Demo truth model

Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.

9 engine-backed3 illustrated

Threat Detection & ResponsePrepared by IdentityFirst LtdPrepared for Acme CorpBetaSample / Synthetic

Threat Detection & Response Report

Identity-led threat narrative, time-to-impact, AI confidence, and automation-vs-manual response framing.

Prepared by: IdentityFirst Ltd
Prepared for: Acme Corp
Issue date: 13 March 2026
Classification: Confidential - Demonstration Use Only
Document reference: IF-TDR-RUN-MRI-
Version: 1.0
Assessment scope: 2,000-user company
Report run: RUN-MRI-
Product tier: MRI
Profile: 2,000 users

Report credibility

Scope, methodology, ownership, evidence

Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.

Classification: Confidential - Demonstration Use Only
Scope of estate: 2,000-user company
Reporting period: Representative MRI assessment window
Version: 1.0
Change reference: Not applicable
Methodology: Incident framing aligned to NIST SP 800-61 Rev. 3 phases (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident). Incident timelines on the public demo are deterministic illustrations, not live SOC telemetry.
Limitations: No live SIEM feed, alert pipeline, or detection-rule version tracking in the public demo. Time-to-detect / time-to-contain figures shown are illustrative; production figures require a connected tenant.
Owner: Roadmap
Preparer: IdentityFirst MRI Engine (deterministic demo profile)
Approver: Roadmap
Regulatory relevance: Supports NIS2 Article 23 incident-reporting flows and DORA ICT-related incident classification for in-scope financial entities. Customer-specific reporting obligations remain customer-owned.
Evidence status: Evidence chain unavailable in public demo

Threat Narrative

This is not a loose collection of anomalies. It is a linked identity threat story with a likely time-to-impact of 6 hours and 69% confidence based on correlated path and telemetry evidence.

Initial access begins at acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA), then pivots through Okta, Entra ID, AWS IAM.

The path remains realistic because the supporting control weaknesses already exist: Okta: push-based MFA (not FIDO2) for analyst cohort is susceptible to MFA fatigue attacks; Entra CA: CA-FederatedSessions lacks step-up requirement for Okta-sourced tokens.

The decision point is whether to contain automatically now or accept a shorter analyst reaction window while the path remains live.

Identity Threat Activity Summary

1,247

Suspicious Logins

Confirmed Incidents

High-Risk Anomalies

Detected Threat Patterns

CriticalImpossible Travel

User logged in from UK and Singapore within 3 minutes

HighPrivilege Escalation Attempt

Service account attempted role elevation outside baseline

HighToken Abuse

OAuth token reused across multiple IP addresses

Attack Path Correlation

Linked Incidents

Systems Affected

Resources Accessible

Time to Impact

69%

AI Confidence

Blast radius: Attack path linked to 3 confirmed incident(s), affecting 14 systems and 62 accessible resources.

Automation Comparison

Automated containment

Disable exposed identity, revoke active sessions, and apply conditional access lock within minutes.

Analyst-led fallback

Validate the path manually, coordinate owners, and sequence account, token, and policy changes across several handoffs.

Preferred mode

Automate first, then review exceptions.

Response Actions Taken

Password reset + session revocation

Forced password reset · 15/03/2026, 14:32:00

Disabled affected service account

Account disabled · 15/03/2026, 14:35:00

Triggered conditional access lockdown

CA lockdown · 15/03/2026, 14:40:00

Detection Gaps

No alerting on lateral movement via trusted federation

High Priority

Limited visibility into SaaS-to-SaaS identity flows

Medium Priority

TDR Report · Prepared by IdentityFirst Ltd · Prepared for Acme Corp · Ref IF-TDR-RUN-MRI- · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION