IdentityFirst MRI Demo
A contractor identity without MFA reaches a legacy AD group, finance content, and cloud reporting paths that should never have remained linked.
Demo system state
This demo uses a curated MRI dataset so the narrative is stable. The commercial point is still real: show unknown or ownerless identity risk, prove the blast radius, and give the next action.
Truth boundary
Connected systems: 11 (systems represented in this scenario)
Identities analysed: 2,014 (actors represented in the assessment snapshot)
Telemetry streams: 27 (correlated signal streams in scope)
Coverage: 58% (identity coverage represented by the scenario dataset)
Confidence: 73% (assessment completeness and evidence quality)
The hook
This identity looks normal.
acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
This reaches AWS IAM in 3 hops.
Same facts. Different meaning. A contractor, analyst, or service identity becomes a breach path as soon as it can pivot into privileged trust.
What changes the decision
Risk: HIGH. This is an active privilege path, not a hygiene warning.
Blast radius: 183. Identities exposed if the path is abused.
Fix: 1 edge. Remove the inherited trust and the path collapses.
Attack path
Entry identity: acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)
Okta · hop 1 · Account phish: Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Entra ID · hop 2 · Federation token: Okta SAML assertion accepted; CA-FederatedSessions does not require step-up for Okta-sourced sessions; attacker obtains Entra access token
AWS IAM · hop 3 · Role assumption: sts:AssumeRoleWithSAML to acme.role.cloud-admin (AdministratorAccess); 12-hour session; no condition keys on trust policy
Why this matters
A single phishing attack against a non-privileged analyst yields full AWS production access and extends laterally to two additional AWS accounts through existing cross-account trust relationships.
Impact
Identities exposed: 183 (potentially affected through the path)
Lateral depth: 4 hops (deepest reachable expansion from this entry point)
Potential exposure: £900k (representative board-level impact from top findings)
Blast radius
Action
Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.
Cloud · low priority · 6h
Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access.
Cloud · medium priority · 20h
Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list.
IAM · low priority · 6h
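The first action above targets the hop-3 finding: a SAML trust policy with no condition keys and a 12-hour session. The script below is an added example, not IdentityFirst code; it audits a role description for exactly the three things that action names (the aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys and a MaxSessionDuration above one hour). The role name and 12-hour session mirror the demo; the account id 111122223333 is a documentation placeholder, and the allowed-region list is an assumption. Both role dictionaries are constructed to show the weak trust policy beside the hardened one.

```python
"""Audit a role's SAML trust policy against the first remediation action.

Added example; it is not IdentityFirst code. The role name and the
12-hour MaxSessionDuration mirror the hop-3 finding; the account id
111122223333 is a documentation placeholder and the region list is an
assumption. HARDENED_ROLE is what the recommended change would produce.
"""
import json

MAX_SESSION_SECONDS = 3600  # the action caps sessions at 1 hour
REQUIRED_CONDITION_KEYS = ("aws:MultiFactorAuthPresent", "aws:RequestedRegion")

# Constructed: the role as the demo describes it (no condition keys, 12h session).
WEAK_ROLE = {
    "RoleName": "acme.role.cloud-admin",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/Okta"},
            "Action": "sts:AssumeRoleWithSAML",
        }],
    },
}

# Constructed: the same role after the recommended change.
HARDENED_ROLE = {
    "RoleName": "acme.role.cloud-admin",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/Okta"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml",
                    "aws:RequestedRegion": ["eu-west-2"],  # assumed allowed region
                },
            },
        }],
    },
}


def _as_list(value):
    """IAM policy JSON allows a single string or object wherever a list is valid."""
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Return the lower-cased condition key names used anywhere in a statement.

    IAM condition keys are case-insensitive, so comparisons are done lower-cased.
    """
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def audit_saml_trust(role):
    """Return finding strings for a role shaped like a trimmed iam:GetRole result.

    Only Allow statements that grant sts:AssumeRoleWithSAML are inspected;
    each missing required condition key and an over-long session each add a finding.
    """
    name = role["RoleName"]
    findings = []
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        present = condition_keys(stmt)
        for key in REQUIRED_CONDITION_KEYS:
            if key.lower() not in present:
                findings.append(f"{name}: SAML trust statement lacks condition key {key}")
    max_session = role.get("MaxSessionDuration", 3600)  # IAM default is one hour
    if max_session > MAX_SESSION_SECONDS:
        findings.append(f"{name}: MaxSessionDuration is {max_session / 3600:g}h; cap it at 1h")
    return findings


if __name__ == "__main__":
    for role in (WEAK_ROLE, HARDENED_ROLE):
        report = {"role": role["RoleName"], "findings": audit_saml_trust(role)}
        print(json.dumps(report, indent=2))
```

Against a live account the same dictionary shape comes back from boto3's `iam.get_role()`, which returns `AssumeRolePolicyDocument` already parsed. The script checks only that the named keys are present in the policy; whether a given global condition key is actually populated in the request context of an AssumeRoleWithSAML call is something to confirm in the AWS condition-key documentation before relying on it as a control.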
Next screens
Once the path is visible, move straight into the board report for business impact or the technical report for evidence and ownership.
Command center
Use the dashboard after the reveal, not before it. It becomes evidence, not the opening act.
Open dashboard →
Board report
Translate the same path into business consequence, ownership, and a funding or policy decision.
Open board report →
Technical report
Show the same story under scrutiny: findings, evidence, control failures, and remediation detail.
Open technical report →