Depth Analysis

Standard tools stop at hop 5.
The breach is at hop 14.

Every identity graph tool claims to trace access chains. Most return the first 5–10 hops and mark the path as reviewed. IdentityFirst follows the full chain — and finds what they miss.

Why 5–10 hops is not enough

Modern identity estates have deeply nested groups, cross-cloud federation chains, and non-human identities that carry credentials into multiple clouds. The critical risk is never in the first few hops.

The 5-hop blind spot

A developer in Dev-Contractors → UK-Technology-Staff → EMEA-Technology → Global-Infrastructure-Access looks routine at hop 5. Standard tools stop here. IdentityFirst continues four more hops to find Domain Admins → DCSync → all 4,821 credential hashes.

Cross-cloud pivots are invisible

A CI pipeline with S3 access looks fine. But that S3 bucket contains a Terraform state file with an Azure service principal secret embedded in plaintext — 847 days old, never rotated. Six hops later: 2.1 million customer records.

Orphaned apps have no owner to revoke

An Entra application registration whose owner departed 6 months ago still holds application-level Microsoft Graph permissions — User.ReadWrite.All, Group.ReadWrite.All, Mail.ReadWrite — with no MFA checkpoint. No one is responsible for it. The secret is 847 days old.

NHI chains span three clouds

A Kubernetes service account reaches an Azure Key Vault — expected. What standard tools miss: that vault contains an AWS access key (1,247 days old) and a GCP service account JSON key. Two independent paths to PCI-scoped payment data, both invisible beyond hop 5.

Four scenarios. Same pattern. Different stack.

Each scenario starts with a path that appears safe at 5 hops. The node marked "standard tools stop here" is where standard tools stop. Everything after it is what IdentityFirst finds.

D1

Shadow Admin

+9 hidden hops
Standard: 5 hops · IdentityFirst: 14 hops · 9 hidden
alex.turner (Junior Developer)
Dev-Contractors group
UK-Technology-Staff group
EMEA-Technology group
Global-Infrastructure-Access ← standard tools stop here
Tier1-Platform-Engineering (PRIVILEGED)
Server-Administration (PRIVILEGED)
Domain Admins (PRIVILEGED — no owner on record)
Domain Admin Role
DCSync Entitlement (Replicating Directory Changes All)
Replicate Directory Changes Permission
Active Directory Domain Controller
NTDS.DIT Database
All Domain Credential Hashes — RESTRICTED (4,821 accounts)

Impact: Complete domain compromise — attacker can harvest every credential hash via DCSync.

D2

Cross-Cloud Pivot

+7 hidden hops
Standard: 5 hops · IdentityFirst: 12 hops · 7 hidden
svc-pipeline-terraform (GitHub Actions SA)
GitHub OIDC Credential
AWS STS Token
AWS IAM Session
S3 prod-terraform-state ← standard tools stop here
terraform.tfstate (Azure SP client_secret in plaintext)
Azure SP Client Secret (847 days old)
Azure Management OAuth Token
Azure Management Session
Azure Key Vault (production-secrets)
PostgreSQL Connection String
Production PostgreSQL — RESTRICTED (2.1M customers)

Impact: Production database with 2.1M customer records reachable via a credential embedded in Terraform state.

D3

Orphaned Application

+6 hidden hops
Standard: 4 hops · IdentityFirst: 10 hops · 6 hidden
hr-integration-app (Entra App Registration)
Client Secret (847 days old)
Microsoft Graph API Token (application-level)
Graph API Session ← standard tools stop here
All M365 Users — User.ReadWrite.All (50,000 accounts)
User Modify Permission (create/delete/reset password)
All M365 Security Groups — Group.ReadWrite.All
Group Membership Control (can grant any privilege)
All M365 Mailboxes — Mail.ReadWrite
Executive Email Archive — RESTRICTED (board comms, M&A)

Impact: No MFA checkpoint, no current owner. App can modify any user, control group membership, read all executive email.

D4

NHI Daisy Chain

+10 hidden hops
Standard: 5 hops · IdentityFirst: 15 hops · 10 hidden
prod-payment-processor (K8s Service Account)
Kubernetes SA Token
Azure Workload Identity Token
Azure Managed Identity Session
Azure Key Vault payment-secrets ← standard tools stop here
PATH A (AWS)
AWS Access Key (1,247 days old — never rotated)
AWS IAM Session → S3 payment-backups-eu
Customer Payment Records — RESTRICTED (8.4M records, PCI DSS)
PATH B (GCP)
GCP Service Account Key JSON (892 days old)
GCP OAuth2 Token → GCP Cloud Storage payment-archive
3-Year Payment Transaction History — RESTRICTED (31M records, PCI DSS)

Impact: Two independent paths to PCI-scoped payment data from a single K8s service account. Both invisible at hop 5.


How IdentityFirst traces the full chain

Three architectural choices that make depth possible.

1. Canonical identity graph

A single graph model normalises identities from 40+ sources into one traversable structure. Nested group depth, federation chains, and cross-cloud credential links are all first-class edges — not separate reports.

2. 14 node types, 17 edge types

Credential, Token, Session, Device, and Network are first-class nodes with time-bound attributes (issuedAt, expiresAt, mfaSatisfied). Policies are nodes with explicit EVALUATES and RESTRICTS edges. Nothing is embedded in text.

3. Unbounded traversal with cycle detection

IdentityFirst traverses the full access chain from any identity — no artificial hop limit. Cycle detection prevents infinite loops while allowing the engine to surface paths that are 14+ hops deep.
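The three choices above (one traversable graph, typed edges with time-bound attributes, unbounded search that cannot loop) can be shown in a few dozen lines. The following is an added example written for this page, not IdentityFirst's code or data model: a toy identity graph with a depth-first path search that enumerates every simple path from a start identity to a RESTRICTED node, an on-path set as the cycle detector, and an age check on credential edges along each path. The node names are constructed to mirror the D1 group chain and a D2-style credential chain from the scenarios above, with a nested-group cycle added to show why cycle detection is needed; the edge kinds, `TODAY`, the 90-day rotation policy and everything else are hypothetical.

```python
"""Added example (not IdentityFirst's code): a tiny identity graph with an
unbounded depth-first path search, cycle detection and a credential-age
check along each discovered path. Node names are constructed to mirror the
page's D1 and D2 chains; everything else is hypothetical."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2025, 5, 28)                   # constructed reference date


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    kind: str                               # MEMBER_OF, GRANTS, EMBEDS, ... (hypothetical)
    issued_at: date | None = None           # set only on credential-like edges


class IdentityGraph:
    def __init__(self) -> None:
        self.out: dict[str, list[Edge]] = defaultdict(list)
        self.restricted: set[str] = set()

    def add(self, src: str, dst: str, kind: str, issued_at: date | None = None) -> None:
        self.out[src].append(Edge(src, dst, kind, issued_at))

    def paths_to_restricted(self, start: str, max_hops: int | None = None) -> list[list[Edge]]:
        """All simple paths from `start` to a RESTRICTED node.

        `max_hops` counts nodes on the path including `start`, the way the
        page numbers hops; None means unbounded. The `on_path` set is the
        cycle detector: a node already on the current path is never
        re-entered, so nested-group loops cannot make the search infinite."""
        found: list[list[Edge]] = []

        def dfs(node: str, path: list[Edge], on_path: set[str]) -> None:
            if path and node in self.restricted:
                found.append(list(path))
                return
            if max_hops is not None and len(path) + 1 >= max_hops:
                return                      # hop limit reached: a bounded tool stops here
            for e in self.out[node]:
                if e.dst in on_path:        # cycle: skip this edge
                    continue
                on_path.add(e.dst)
                path.append(e)
                dfs(e.dst, path, on_path)
                path.pop()
                on_path.discard(e.dst)

        dfs(start, [], {start})
        return found


def stale_credentials(path: list[Edge], today: date = TODAY,
                      max_age_days: int = 90) -> list[tuple[str, int]]:
    """(credential, age in days) for credential edges on `path` older than policy."""
    return [(e.dst, (today - e.issued_at).days)
            for e in path
            if e.issued_at is not None and (today - e.issued_at).days > max_age_days]


def hops(path: list[Edge]) -> int:
    """Node count of a path, matching the page's hop numbering."""
    return len(path) + 1


def build_scenario_graph() -> IdentityGraph:
    """Constructed graph: the page's D1 group chain (plus an added group
    cycle and a harmless dead end) and a D2-style credential chain whose
    embedded secret is 847 days old."""
    g = IdentityGraph()
    d1 = ["alex.turner", "Dev-Contractors", "UK-Technology-Staff", "EMEA-Technology",
          "Global-Infrastructure-Access", "Tier1-Platform-Engineering",
          "Server-Administration", "Domain Admins", "Domain Admin Role",
          "DCSync Entitlement", "Replicate Directory Changes Permission",
          "Domain Controller", "NTDS.DIT", "All Domain Credential Hashes"]
    for i, (a, b) in enumerate(zip(d1, d1[1:])):
        g.add(a, b, "MEMBER_OF" if i < 7 else "GRANTS")
    g.add("EMEA-Technology", "Dev-Contractors", "MEMBER_OF")   # nested-group cycle
    g.add("Dev-Contractors", "Jira-Users", "MEMBER_OF")        # dead end, not restricted
    g.restricted.add("All Domain Credential Hashes")

    g.add("svc-pipeline-terraform", "S3 prod-terraform-state", "CAN_READ")
    g.add("S3 prod-terraform-state", "terraform.tfstate", "CONTAINS")
    g.add("terraform.tfstate", "Azure SP Client Secret", "EMBEDS",
          issued_at=TODAY - timedelta(days=847))
    g.add("Azure SP Client Secret", "Azure Key Vault production-secrets", "AUTHENTICATES_TO")
    g.add("Azure Key Vault production-secrets", "Production PostgreSQL", "HOLDS_CONNECTION_STRING")
    g.restricted.add("Production PostgreSQL")
    return g


if __name__ == "__main__":
    g = build_scenario_graph()
    for start in ("alex.turner", "svc-pipeline-terraform"):
        limited = g.paths_to_restricted(start, max_hops=5)
        full = g.paths_to_restricted(start)
        print(f"{start}: {len(limited)} path(s) within 5 hops, {len(full)} unbounded")
        for p in full:
            print(f"  {hops(p)} hops -> {p[-1].dst}; stale credentials: {stale_credentials(p)}")
```

With `max_hops=5` both starts report no path to a RESTRICTED node, which is the reviewed-and-safe verdict a bounded tool gives; unbounded, the same graph yields the 14-hop D1 path and the 6-hop D2 path, and the age check flags the 847-day-old secret on the second. The on-path set (rather than a global visited set) is what lets the search stay finite on the EMEA-Technology → Dev-Contractors loop while still allowing a node to appear on two different paths, which matters when two independent chains reach the same target, as in D4.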

See what your tools are missing

Book a live assessment against your estate. We trace every chain.