Real engagements, anonymised
These are presented as anonymised customer summaries. Names, identifying details, and some environment specifics are withheld.
Case Studies
Anonymised
What Customers Actually
Found and Fixed
We share these outcomes because we believe in honest marketing. These are real assessments with real findings — anonymised at the customer's request. Results vary; we document what actually happened.
- All case studies are anonymised at customer request
- We report outcomes honestly — including caveats
- Timelines and staffing counts are real
- We note where improvements were partial
- No cherry-picked metrics
How to read these case studies
These pages are designed to be useful, not theatrical.
Checkpoint snapshots
Each outcome block is a dated checkpoint at 60 days, 90 days, or 6 months. It is not a promise that every customer moves at the same speed.
Partial remediation stays visible
Where something remained open, delayed, or accepted as residual risk, we leave that visible instead of rounding it into a success story.
Not independent attestation
These are customer outcome narratives, not third-party audit opinions or guarantees of similar results elsewhere.
Financial Services
150 Staff
Resolved
UK Financial Services Firm: Shadow Admins and Stale Accounts
A 150-person FCA-regulated investment management firm ran their first structured identity assessment after a near-miss during a third-party security audit. Their IT team of three had no tooling beyond manual PowerShell scripts.
The Situation
The firm had migrated from an on-premises Exchange environment two years earlier but never fully cleaned up their Active Directory. A third-party penetration test had flagged "excessive privileged accounts" as a finding, but the IT team lacked visibility into exactly what was wrong or how to prioritise remediation.
What IdentityFirst Found
- 11 accounts with effective Domain Admin rights not in the Domain Admins group (shadow admins via nested group membership)
- 43 user accounts not logged in for over 90 days, 19 of which still had active licences
- 7 service accounts with passwords that had never been changed and no MFA requirement
- Kerberoastable SPN on a shared service account used by three applications
- AdminSDHolder propagation issues leaving ACL anomalies on 12 standard user objects
Outcomes After 90 Days
- Shadow admin accounts resolved
- 11 of 11
- Stale accounts disabled
- 38 of 43
- 5 required sign-off from a departing employee's manager — delayed, not abandoned
- Service account passwords rotated
- 7 of 7
- Pen test retest result
- Finding closed
- Approximate licence saving from stale account cleanup
- ~£3,800/yr
- Based on Microsoft 365 Business Premium licences removed
Evidence frame: 90-day remediation snapshot from an anonymised customer engagement. Open and delayed items remain shown.
"We knew there was a problem but had no idea it was eleven shadow admin accounts. The report gave us a clear prioritised list — we addressed the top items before our next board meeting and were able to close the pen test finding cleanly."
IT Manager, FCA-regulated investment firm (anonymised)
Quoted by role only to preserve customer anonymity.
Legal
80 Staff
Partially Resolved
Law Firm: Entra ID MFA Gaps and Offboarding Failures
An 80-person London-based law firm prompted by their professional indemnity insurer's new cyber security requirements. The insurer's questionnaire asked about MFA coverage — the firm was not confident they could answer accurately.
The Situation
The firm operated primarily on Microsoft 365 with Entra ID. They had enabled MFA for all staff "a while ago" but had no centralised view of actual MFA registration status, and their HR-to-IT offboarding process was informal — handled by email between the office manager and IT.
What IdentityFirst Found
- 14 licensed accounts with no MFA method registered — 9 were active fee earners
- 6 accounts for staff who had left in the previous 12 months — still enabled, still licensed
- 3 Global Administrator accounts in Entra ID — only 1 was intentional; the other 2 were from a legacy migration
- Conditional access policies excluded 11 "legacy" devices that had no other compensating control
- MFA registered but using SMS for 22 accounts — weaker than authenticator app
Note: SMS MFA was flagged as an advisory, not a critical finding. The firm chose to leave SMS MFA in place for now — a pragmatic decision we respected and documented.
Outcomes After 60 Days
- MFA gaps resolved
- 14 of 14
- Former employee accounts disabled
- 6 of 6
- Unintended Global Admin accounts removed
- 2 of 2
- Conditional access legacy device exclusions
- 5 of 11 resolved
- 6 devices could not be updated due to application compatibility constraints — documented and accepted as residual risk
- Insurer questionnaire completed
- Yes — with evidence
Evidence frame: 60-day remediation snapshot. Residual risks and unresolved constraints remain visible where they still existed at the checkpoint.
"The insurer questionnaire was the trigger, but what we found was more important than satisfying the form. Six former employees with active accounts — that was the one that genuinely concerned us. We fixed everything critical within the first two weeks."
Practice Manager, London law firm (anonymised)
Quoted by role only to preserve customer anonymity.
NHS Trust
600 Staff
Ongoing
NHS Community Trust: Hybrid Identity Visibility Across On-Prem and Entra ID
A 600-staff NHS community trust undertaking a hybrid cloud migration. IT and IG (information governance) teams needed a single view of identity risk across their on-premises Active Directory and Entra ID hybrid environment before accelerating the migration.
The Situation
The trust had run an Entra ID Connect sync for 18 months but had not fully rationalised their on-premises AD as part of the migration. The IG team needed evidence for their upcoming DSPT (Data Security and Protection Toolkit) submission, specifically around access control. The IT team had no automated tooling for either environment.
What IdentityFirst Found
- 31 accounts with Domain Admin rights in AD — only 4 were intentionally privileged; the rest were migration artefacts or service accounts
- 89 accounts not logged in for 180+ days, including 14 that still had active Entra ID licences
- Entra ID Connect sync loop causing duplicate identity records for 12 staff members who had changed email address
- Conditional access gap: 67 clinical devices using legacy authentication protocols excluded from MFA enforcement
- PIM not configured — all privileged role assignments were permanent, not time-bound
The clinical device legacy authentication issue (67 devices) is the most common constraint we encounter in NHS environments. Clinical applications often cannot be updated on the same timeline as infrastructure. We documented the risk and recommended compensating controls.
Outcomes at 6 Months (Ongoing)
- Domain Admin count reduced from 31
- Down to 6
- 4 intentional + 2 service accounts pending application owner sign-off
- Stale accounts disabled
- 72 of 89
- 17 pending clinical manager confirmation — NHS change process requires additional sign-off
- Duplicate identity records resolved
- 12 of 12
- DSPT access control evidence submitted
- Yes
- Clinical legacy auth devices
- In progress
- Compensating network segmentation controls implemented while application upgrades are scheduled
Evidence frame: 6-month checkpoint on an ongoing programme. “In progress” means the issue was still open at the time of writing.
"The DSPT deadline was the immediate driver, but having a single cross-environment view was genuinely transformative for us. We'd been managing AD and Entra in separate teams with no common picture. We now have a shared baseline we can both work from."
Head of ICT, NHS community trust (anonymised)
Quoted by role only to preserve customer anonymity.
An Honest Note on Outcomes
We publish these case studies because we think honesty is more useful than polished marketing claims.
Findings Vary Significantly
Some environments are well-maintained and return fewer findings. Some return more. What we find depends on your environment, not on our tool's sensitivity settings.
Remediation Takes Time
In all three cases above, some items remained unresolved at the time of writing. That is normal. Organisational change processes, application compatibility, and change approval boards all affect timelines.
We Document What We Can't Fix Too
Where remediation is blocked by technical or organisational constraints, we document the residual risk clearly so it can be formally accepted or tracked. Finding and accepting a known risk is better than not knowing it exists.
Ready to Run Your Assessment?
Book a 30-minute call to confirm your environment is in scope and agree on read-only access requirements. Assessments typically start within five working days.
Read-only by default. No agents. No write access. No changes to your environment.