What is included in an IdentityFirst MRI assessment?

Each MRI assessment includes: read-only connector setup, identity discovery across the agreed in-scope connected sources, risk scoring, orphan account enumeration, privilege mapping, Kerberoastable SPN detection where relevant, compliance framework mapping (ISO 27001, SOC 2, NIST CSF, CIS Controls, DORA, NIS2), a board-ready PDF report, a technical dossier, and a remediation priority list. Delivered within 2–5 business days of connector authorisation.

Is this a one-time engagement or a subscription?

Both options are available. A single MRI assessment is a one-time engagement. The Annual MRI plan includes four quarterly assessments per year plus scheduled review between assessments. Core discussions may include a more continuous operating cadence once packaging, entitlement, and supportability gates are closed.

How does the money-back guarantee work?

If a scoped MRI engagement fails to meet the specific written claims we make for that engagement, we address it directly — including a 30-day remedy. We do not offer a blanket no-questions-asked refund, but we stand behind what we promise in writing.

What is the difference between MRI and the broader product stages?

MRI is the current GA product: it discovers, scores, and reports. Core is the next governed release path in the same shared product family. Enhanced and AISF are beta-only surfaces available to approved testers under written beta terms. We do not treat those beta tiers as general public offers.

Do you offer MSP or multi-tenant pricing?

Yes. MSP and partner pricing is built into the platform. Partner pricing is based on committed identity volume across your client portfolio and scales as you add clients. Reports can be white-labelled under your brand. Multi-client workflow and portal surfaces are discussed only where they are actually in scope and supportable for the engagement. There is no minimum commitment to join the programme — contact us to receive a written partner pricing schedule.

MRI GA & Partner Scope

Add identity security to every client engagement. Under your brand.

Q: Can I white-label the reports for my clients?

Yes. All client-facing outputs — the board report, technical dossier, and compliance evidence pack — are generated with your logo, your firm name, and your contact details. IdentityFirst branding does not appear in client reports unless you choose to include it.

IdentityFirst is built for MSPs and security resellers. MRI is the current GA product. Core is the next governed release path in the same shared installer, while Enhanced and AISF remain private beta surfaces available only under written beta terms.

Discuss MRI or partner scope → Review a sample assessment

MRI is the current GA offer. Core is discussed through scoped rollout conversations. Enhanced and AISF are private beta only.

Read-only by default — no automated writes Fixed-scope deliverable before you sign White-label reports under your brand UK company. Cyber Essentials certified.

Partner Programme

Built for MSPs. Priced to scale.

Resell scoped identity security assessments across your client portfolio. We handle the delivery surfaces that are actually in scope. You own the client relationship and the margin.

White-label reporting

Every board report and technical dossier carries your logo, your branding, and your contact details. Your clients see your consultancy delivering the assessment — not a third-party tool.

Multi-client workflow

Where the engagement supports it, partner-facing workflow surfaces can group assessments, findings, and reporting across multiple clients. Exact portal and operating-model scope is agreed in writing rather than assumed from the public page.

Volume pricing & margin

Partner pricing scales with volume. The more clients you run through the platform, the lower your per-identity cost — and the higher the margin you can build into your service.

Ready to discuss partner pricing?

One call. No commitment.

We’ll walk through the commercial model, confirm connector coverage for your typical client profile, and give you a written partner pricing schedule, typically in a 30-minute scoping call.

Book a partner call → Review a sample report

Tiers

Start with MRI. Expand only where the product boundary is real.

MRI is the current GA offer and the foundation of every engagement. Core is the next governed release path. Enhanced and AISF are private beta programmes, not public list-price products.

GA now

IdentityFirst MRI

Identity discovery, risk scoring, and board-ready reporting. Read-only. No agents.

£3.00 / identity / month

Per-identity pricing — all identities billed at the rate for your band:

Up to 800	£3.00 / id / mo
801 – 5,000	£2.50 / id / mo
5,001 – 25,000	£2.00 / id / mo
25,001 – 75,000	£1.75 / id / mo
75,001+	£1.50 / id / mo

Full identity discovery across agreed launch-core sources, with additional connectors only where explicitly scoped and maturity-supported
Orphan account enumeration & privilege mapping
Detection of accounts whose passwords can be cracked remotely without triggering any alerts
Overall security score with impact estimate
Compliance mapping: ISO 27001, SOC 2, NIST, DORA, NIS2
Board PDF + technical dossier

Get started →

Core release path

IdentityFirst Core

A governed operating model beyond MRI, discussed only when packaging, entitlement, and supportability gates are closed.

POA

Scoped rollout only

Everything in MRI
Governed write-capable operating model in the same shared codebase
Entitlement, lifecycle, and packaging hardening before GA
Scoped commercial discussion instead of a public fixed price list
Same installer path, licence-gated activation

Discuss Core rollout →

Private beta

IdentityFirst Enhanced

Deeper guidance, richer operator support, and qualified workflow surfaces for approved beta testers only.

POA

Invite-only beta

Everything in Core direction
Access reviews, JIT, and deeper workflow surfaces under test
Human-in-the-loop controls remain mandatory for high-impact changes
Feature set may change or be withdrawn during beta

Beta warning: no public SLA, no GA commitment, and no unsupported production reliance unless explicitly agreed in writing.

Apply for Enhanced beta →

Private beta

IdentityFirst AISF

AI-assisted reasoning and guarded workflow concepts for approved beta testers only.

POA

Written beta terms required

Everything in Enhanced direction
AI-assisted workflow and guarded response remain tightly controlled
No public fixed pricing or GA commitment
Not for unsupported production reliance or sole safety control claims

Beta legal warning: features may change, support is limited to the agreed beta programme, and no warranty or SLA is created beyond the signed terms.

Apply for AISF beta →

All prices exclude VAT. MRI is the current GA priced offer. Core is discussed through scoped rollout conversations. Enhanced and AISF are private beta only, available by invitation under written beta terms rather than a public price list.

Scoped Connector and delivery boundary agreed in writing

£0 Changes made to your systems — ever

7 years Tamper-evident audit trail retention

2-5 days Typical MRI delivery window after authorisation, depending on scope

ICO Registered: ZC031428

Capability comparison

What’s included in each tier

Every capability, clearly mapped to its tier. Beta-only tiers are shown for transparency, not as a claim of general availability.

MRI is the current GA tier. Core is the next governed release path. Enhanced and AISF rows below reflect beta direction only and remain subject to written beta terms, change without notice, and limited support.

Capability	IdentityFirst MRI	IdentityFirst Core	IdentityFirst Enhanced	IdentityFirst AISF
Assessment & Discovery
Identity source discovery	✓	✓	✓	✓
Drift & risk detection	✓	✓	✓	✓
Kerberos attack analysis	✓	✓	✓	✓
Behavioral baseline	—	✓	✓	✓
Board-ready reporting	✓	✓	✓	✓
Governance & Monitoring
Continuous reassessment cadence	—	✓	✓	✓
Scheduled reassessment	—	✓	✓	✓
Identity graph	—	✓	✓	✓
Governed orchestration direction	—	✓	✓	✓
Controls & Remediation
Human-in-the-loop approval for any access changes	—	—	✓	✓
JIT privilege elevation (beta direction)	—	—	✓	✓
Access review campaigns (beta direction)	—	—	✓	✓
SoD policy controls (beta direction)	—	—	✓	✓
Canonical control library (49 controls)	—	—	✓	✓
Compliance export	—	—	✓	✓
Intelligence & Automation
Multi-agent orchestration (beta direction)	—	—	—	✓
AI-assisted reasoning (beta direction)	—	—	—	✓
Threat modelling (MITRE ATT&CK)	—	—	—	✓
Adaptive drift mitigation	—	—	—	✓
Cross-tenant correlation	—	—	—	✓
Post-quantum roadmap item (planned, not shipped)	—	—	—	Planned

View full capability truth matrix →

The deliverable

What you receive from every MRI engagement

No ambiguity about what you’re buying. Every assessment produces these outputs.

Board Report

Executive summary, overall security posture score, top 10 findings with business impact, and a remediation roadmap your client’s CEO can read without a security background. Suitable for board presentation and senior leadership briefings.

Technical Dossier

Full finding details with evidence: affected accounts, group memberships, privilege paths, SPN lists, delegation chains, and worst-case impact per finding. Everything your security team — or your client’s — needs to action the remediation list.

Compliance Evidence Pack

Findings cross-referenced to ISO 27001, SOC 2, NIST CSF, CIS Controls, DORA, and NIS2 controls. Prepared to support audit work, with final evidence acceptance determined by your auditor, control owner, and written scope.

See what a real assessment looks like

Open a sample MRI assessment report

A sanitised example of the board-ready report delivered after an IdentityFirst MRI assessment. Real findings format, real scoring methodology, and a live walkthrough of the output surface — customer data replaced with fictional “Acme Corp”.

Open sample report

Common questions

What does an MRI assessment actually cover?

We discover every identity across your connected systems (AD, Entra ID, and any additional sources you authorise), score each for risk, and identify orphan accounts, Kerberoastable SPNs, unconstrained delegation, privilege creep, stale privileged access, and separation of duties failures. The output is a board PDF, a technical dossier, and a compliance evidence pack — all based on what we found in your actual estate.

What does read-only mean in practice?

Every connector uses read-only API access. We provide the exact minimum permission set required before you authorise anything. We never request write access, never install agents, and never modify any account, group, or policy in your environment. The assessment is observational by architecture — not just by policy.

How long does an assessment take to deliver?

Delivery timing depends on scope, connector maturity, and customer readiness. Small AD and Entra ID assessments are often delivered within 2–5 business days after authorisation, with earlier preview findings possible in some cases.

What happens to our data after the assessment?

Connector credentials are stored in an encrypted vault, scoped per engagement, and purged at the end of the assessment unless you opt in to the Annual or Platform tier. Assessment findings are retained for 7 years in a tamper-evident append-only audit store. UK engagements are usually UK-hosted by default, but final processing location depends on contract and deployment model. We are ICO registered (ZC031428) and operate under a formal data processing agreement.

How does MSP and partner pricing work?

Partner pricing is based on committed identity volume across your client portfolio. The more clients you run through the platform, the lower your per-identity cost. You receive a written partner pricing schedule before committing to anything. White-label branding is available, and any shared partner workflow surfaces are agreed case by case in written scope. There is no minimum commitment to join the programme — start with a single client and scale from there.

Can I run assessments under my own brand?

Yes. All reports — the board PDF, the technical dossier, and the compliance evidence pack — are generated with your logo, your firm name, and your contact details. IdentityFirst branding does not appear in client-facing outputs unless you choose to include it. Your clients see your consultancy delivering the work.

Do you have references in regulated sectors?

We work with regulated-sector organisations including financial services, healthcare, legal, and public sector bodies. Reference discussions are handled case by case, subject to customer permission, availability, and NDA where needed.

ICO Registered Company No. 16387720 SOC 2 In Progress Trust Centre

Ready to offer identity security as a service?

Book a partner scoping call. We’ll confirm connector coverage for your typical client profile, walk through the commercial model, and send you a written partner pricing schedule before you commit to anything.

Book a partner call Open sample report

No commitment required • Partner call is free • UK team • Response within one business day

Add identity security to every client engagement. Under your brand.

White-label reporting

Multi-client workflow

Volume pricing & margin

One call. No commitment.

IdentityFirst MRI

IdentityFirst Core

IdentityFirst Enhanced

IdentityFirst AISF

Platform trust metrics

Board Report

Technical Dossier

Compliance Evidence Pack

Open a sample MRI assessment report

Ready to offer identity security as a service?