CISO / Executive
CurrentStart with the board-level risk story
Lead with the executive report, business impact, and the first funded action.
Curated demo content by default.
The /demo route group is a public demonstration surface. Its stories, report packs, and portal views are intentionally curated unless a live tenant is explicitly selected.
IdentityFirst MRI Demo
Synthetic demo dataset. No live customer systems are accessed on this route.
IdentityFirst MRI Demo
Curated MRI demo data. Six posture metrics drawn from a representative identity estate.
Failed to load posture scorecard
Platform API unreachable.
IdentityFirst MRI Demo
A contractor identity without MFA reaches a legacy AD group, finance content, and cloud reporting paths that should never have remained linked.
Curated MRI demo
This scenario stays stable on purpose. It demonstrates how MRI surfaces ownerless identity risk, proves blast radius, and points to the next action without implying live tenant access on this route.
Route disclosure
Connected systems
11
Systems represented in this scenario
Identities analysed
2,014
Actors represented in the assessment snapshot
Telemetry streams
27
Correlated signal streams in scope
Coverage
58%
Identity coverage represented by the scenario dataset
Confidence
73%
Assessment completeness and evidence quality
The hook
This identity looks normal.
acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
This reaches AWS IAM in 3 hops.
Same facts. Different meaning. A contractor, analyst, or service identity becomes a breach path as soon as it can pivot into privileged trust.
What changes the decision
Risk
HIGH
This is an active privilege path, not a hygiene warning.
Blast radius
183
Identities exposed if the path is abused.
Fix
1 edge
Remove the inherited trust and the path collapses.
Decision layer
The demo becomes buyer-grade when it stops at diagnosis and starts naming the dominant action, the accountable owner, the evidence behind it, and the expected reduction in risk.
Dominant action
Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.
Cloud owns this · low priority · 6h
Primary finding
6 Permanent Global Administrator Assignments Without PIM
HIGH severity · Entra ID
Evidence posture
50/50
12 evidence bundle records, 0 ownerless findings remaining, confidence 73%
Expected effect
+13 pts
Posture improves from 58 to 71. 50 overdue actions remain, and board framing ties this to £900,000 at the top end of exposure.
Assessment depth
The report needs to explain what was assessed, how much of the environment is represented, which findings are evidence-linked, who owns remediation, and what action reduces exposure first. That is the difference between a compelling story and an assessment artifact that can survive technical scrutiny.
Scope
11 sources
2,014 canonical identities represented in this technical pack.
Finding depth
50 findings
11 platforms represented with severity, platform, ownership, and due-state detail.
Evidence posture
50
Findings currently shown with explicit evidence linkage in the demo pack. Confidence is 73%.
Actionability
50
18 remediation actions and ROI framing of 5.8x.
What this should prove
This needs to beat a static hygiene scan on substance. The output has to connect one risky identity, the resulting breach path, the blast radius, the missing owner or control, and the next action that measurably reduces exposure.
Breach path
3 hops
One identity reaches consequential access through a cross-system chain. Longest represented chain in this scenario is 3 hops.
Exposure
183
Affected identities represented in the scenario once this path is abused.
Ownership gaps
0
50 findings already show an explicit owner. Ownerless findings are where remediation usually stalls.
Action pressure
50
18 total actions, 50 evidence-linked findings, and 50 overdue items.
The problem is not generic identity debt. It is a named path from a real actor to consequential access.
The report is not just descriptive. It shows scope, evidence posture, ownership, and the action that reduces exposure first.
Blast radius is not a score alone. It is the business consequence of reachability, broken controls, and cross-system trust.
MRI proves the problem and the fix pack; higher tiers govern the full resolution flow once the buyer wants execution.
Buyer Path
These paths open the existing curated MRI demo surfaces already in this codebase: board, IAM, audit, technical, and the MSP motion. The representative scenario stays the same. The framing changes by buyer.
CISO / Executive
CurrentStart with the board-level risk story
Lead with the executive report, business impact, and the first funded action.
IAM / Architecture
Start with operational ownership and remediation depth
Open the IAM operations and technical views first so the buyer sees evidence, ownership, and the first fix path.
Compliance / Audit
Start with audit readiness and evidence gaps
Show audit pressure, framework gaps, and the remediation plan needed before the next review window.
MSP / Partner
Start with the managed-service commercial motion
Use the MSP narrative when the buyer needs board framing, repeatable service packaging, and partner-ready delivery language.
Buyer Benchmark
It carries a specific breach path, a stakeholder-aware first asset, and a named action for the right team. That is what turns a curated MRI demo into a credible sales conversation.
Target account shape
2,000-user company
13 connected platforms · Moderate-elevated risk, coordinated remediation required
First room to win
CISO / Executive
Open board report
Commercial proof point
HIGH
6 Permanent Global Administrator Assignments Without PIM
First 30-day motion
Cloud
Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour. · 6h estimated effort
Why this converts
Attack path
Entry identity
acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Okta · hop 1
Account phish
Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Entra ID · hop 2
Federation token
Okta SAML assertion accepted; CA-FederatedSessions does not require step-up for Okta-sourced sessions; attacker obtains Entra access token
AWS IAM · hop 3
Role assumption
sts:AssumeRoleWithSAML to acme.role.cloud-admin (AdministratorAccess); 12-hour session; no condition keys on trust policy
Why this matters
A single phishing attack against a non-privileged analyst yields full AWS production access and extends laterally to two additional AWS accounts through existing cross-account trust relationships.
Impact
In this curated MRI scenario, the path is representative demo output tied to the current story and should not be read as live customer telemetry.
Identities exposed
183
Potentially affected through the path
Lateral depth
4 hops
Deepest reachable expansion from this entry point
Potential exposure
£900k
Representative board-level impact range from the top demo findings
Blast radius
Action
Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.
Cloud · low priority · 6h
Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access.
Cloud · medium priority · 20h
Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list.
IAM · low priority · 6h
Next screens
Once the path is visible, move straight into the board report for representative business impact or the technical report for evidence, ownership, and governed next steps.
Command center
Use the dashboard after the reveal, not before it. It becomes evidence, not the opening act.
Open dashboard →Board report
Translate the same path into business consequence, ownership, and a funding or policy decision.
Open board report →Technical report
Show the same story under scrutiny: findings, evidence, control failures, and remediation detail.
Open technical report →