SaaS Team: Identity Drift → Cloud Admin Path
Industry: SaaS / Technology
Org size: 50–250 employees
Focus: Identity & Cloud
Duration: 3-week engagement
Simulated an attacker path from a single phished account into privileged cloud actions, highlighting over-permissioned roles and weak session controls.
Challenge
A growing SaaS company wanted an attacker-informed assessment of whether identity sprawl and cloud role drift could turn a single compromised user into a high-impact incident—without disrupting production workloads.
Approach
- Mapped identity providers, SSO enforcement, and privileged role assignments across engineering and operations.
- Modeled realistic initial access paths (phish, OAuth consent abuse, stale accounts) and tested detection/response expectations.
- Validated privilege escalation opportunities through mis-scoped roles, token/session persistence, and weak break-glass controls.
- Produced an executive-readable narrative and an engineer-usable remediation plan with concrete role, policy, and monitoring changes.
Outcomes
- Eliminated multiple high-risk privilege pathways by tightening role scopes and enforcing least-privilege defaults.
- Improved MFA/conditional access posture with clear break-glass controls and incident-ready session revocation.
- Upgraded logging and alerting for identity and admin actions, reducing time-to-detect for cloud privilege events.
