CyberTwin
Program tier · Non-human identity

NHI Blast Radius — If one service account leaks, what does it reach — and what is that worth?

Your service accounts outnumber your people. If one leaks, what does it reach?

NHI Blast Radius flips every service account, OAuth app, and workload identity into a hypothetical foothold — what it reaches, in dollars, and the one cut that stops it.

Everything is labeled proven or modeled. An identity that reaches nothing shows null — not a reassuring zero.

No agent · No live scan · No secret material read · Included in the Program tier
The register

One row per identity. Four answers.

Each discovered non-human identity becomes one row, worst blast radius first — who it is, what it reaches, what that is worth, and the one cut.

THE IDENTITY

Who it is: the service account, OAuth app, workload identity, or API principal — flagged over-privileged when the ingested policy is wildcard, admin, or owner-scoped. Discovered from identity signal you already uploaded, never from anything running on your boxes.

THE REACH

What a compromise reaches: how many crown jewels, in how many hops — the same attack-path chain the rest of your review draws. Every hop is a route you can inspect, not a heuristic score.

THE DOLLARS

What it is worth: the modeled annualized exposure (FAIR p50, with a p10–p90 band) if this identity is the foothold. Shown only when the reached crown carries a dollar profile.

THE ONE CUT

What stops it: the min-cut edge that breaks every reaching path at once — the single change that shrinks this identity’s blast radius to nothing. Usually a scope to narrow or a network edge to close: a ticket, not a program.

The environment artifacts surface with the seeded Okta identity export on file — unlocking real users and groups in the attack paths.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
1
Export

Upload the identity export

Okta, AWS IAM — the export you already pull for audits. Metadata only; no secret material is read.

2
Map

Every non-human gets a radius

Service accounts, tokens, roles — the engine maps what each one reaches, across every ingested surface.

3
Price

The worst offenders, priced

The identities whose compromise reaches a crown, in dollars, labeled modeled — a null when nothing is reached, never a fake zero.

The worked example

A leaked token, priced to the crown.

The row a breach post-mortem produces at 2am — produced before, for every identity. A modeled example from the fictional Acme Capital estate.

service account: ci-deployerover-privileged$1,800,000
ci-deployer → build host → prod VPC → cardholder database (crown) · 3 hops · ALE p50 $1.8M · band $0.9M–$3.1M

Printed on the row: this is your twin’s modeled reach if the identity is compromised — not a claim that it has been. An identity that reaches no crown shows null here, never a zero.

Not a 400-line least-privilege project. One edge.

THE ONE CUT

build host → prod VPC (network.allows)

Scope the pipeline to a deploy target, not the whole segment, and all three hops to the cardholder database break. The $1.8M row drops to null on the next recompute.

Why this is defensible

The restraint is the product.

Other identity tools scan your boxes, read your secrets, or score permissions in isolation. NHI Blast Radius does none of that — and says so on the screen.

The identity is real; the reach is modeled.

We discover the identity and its edges from config you already ingested. The reach and its dollars are a conditional “if this leaks” — never a claim that it has been, or will be, compromised.

An identity that reaches nothing shows null.

No $0-implies-safe row, ever. If a service account can’t reach a crown in the modeled twin, it’s counted and set aside — not dressed up as a finding.

A crown with no dollar profile reads “not priced”.

When an identity reaches something we can’t value, the row says priced=false — never a fabricated zero that would read as “harmless.”

No secret material is read or stored.

Discovery works from resource typing and names in your ingested config. We never read, request, or retain a key, token, or credential value.

WHAT THE COVERAGE NOTE SAYS

“Discovery relies on ingested identity signal (Okta, Microsoft Entra, AWS IAM). Reach is modeled from config — an identity from an un-ingested source, or one whose target resource ARNs weren’t supplied, means missing edges, not proven safety.”

The edge of what we can see, stated on the same screen as the finding.

Questions

The same engine that draws your paths.

Do you connect to Okta or AWS live?
No agent, no live scan. NHI Blast Radius works from the identity export (Okta, AWS IAM) you already uploaded — metadata only, no secret material read. The twin re-draws when you re-upload, never behind your back.
What does an identity that reaches nothing show?
Null — never a reassuring zero. If a service account can’t reach a crown in the modeled twin, it’s counted and set aside. A reached crown we can’t value reads priced=false, never a fabricated zero that would read as “harmless.”
Is the reach a claim the identity was compromised?
No. The identity and its config-derived edges are real; the reach and its dollars are a modeled “if this leaks” — never a claim it has been, or will be, compromised.

The identity is real; the reach is modeled. An identity that reaches no crown shows null, never a reassuring zero — and a crown we can’t price reads priced=false, never a fabricated zero.

Coverage

One of your service accounts can reach a crown. Which one?

Included in the Program tier — no add-on, no separate SKU.

Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests

Full coverage & honesty detail → /features#coverage

ProgramMost Popular
$36,000/yr
Annual only

The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.