Aegis Ops Console — AriaCyber Shield

System Overview

Aggregated state across all seven shields. Pulls GET /aegis/overview and GET /aegis/health.

Click "Refresh" to load live state…

SOC · Ingest Alert POST

/aegis/soc/ingest — submit a custom security alert to the SOC shield.

Output appears here…

SOC · Wazuh Webhook POST

/aegis/soc/ingest/wazuh — endpoint Wazuh posts to when an alert fires.

…

SOC · Decide on Action POST

/aegis/soc/actions/{id}/decide — approve or reject a proposed containment.

…

Mail · Analyze Message POST

/aegis/mail/analyze — BEC + phishing + link-scan + sender-reputation in one call.

…

Mail · Raw RFC-822 Ingest POST

/aegis/mail/ingest/raw — paste a full email (with headers) for analysis.

…

Mail · Webhook Status GET

Check Gmail Pub/Sub + Microsoft Graph webhook health.

…

Recon · Add Target POST

/aegis/recon/targets — register a domain/IP/CIDR for continuous monitoring.

…

Recon · Scan + DNS Audit POST

Surface scan + subdomain-takeover detection + SPF/DMARC check.

…

Recon · Exploit-Chain Planner POST

Defensive only — proposes attack path + remediation steps.

…

Recon · Scheduler POST

Run weekly scans automatically across all registered targets.

…

Recon · Ticket Generator POST

/aegis/recon/tickets/generate — export finding as Jira / Linear / GitHub / Markdown.

…

Comply · Evidence Locker GET

/aegis/comply/evidence — auto-collected compliance evidence (SOC2 / ISO / DPDP).

…

Underwrite · Grant Consent POST

Customer opts in to share posture data with their cyber-insurance carrier.

…

Underwrite · Posture & Premium Delta GET

…

Synthetic Shield · Overview NEW · 7th SHIELD

Deepfake & synthetic-media defense for Indian BFSI. Three modules: V-CIP injection detection, Synthetic Red-Team-as-a-Service, Synthetic Exposure Score (Underwrite extension). Founding-customer pilots open Q3 2026 — see /synthetic for full spec or /red-team for the service offering.

Click "Module health" to query the synthetic-shield backend stub…

Module 01 · V-CIP Injection Detection POST

/aegis/synthetic/vcip/scan — frame-level synthetic-media gate that sits in front of HyperVerge / IDfy / Signzy / in-house V-CIP. Catches injection attacks (virtual cam, replay, frame-stitch) and generated faces in <60 ms p95.

Stub returns: { verdict, confidence, vector, latency_ms } …

Module 02 · Synthetic Red Team Engagement GET

/aegis/synthetic/red-team/engagements — quarterly Hinglish deepfake red-team drills. List active engagements, view kill-chain progress, fetch CERT-In drill log.

…

Module 03 · Synthetic Exposure Score GET

/aegis/synthetic/exposure — bolt-on for the Underwrite shield. Computes synthetic-exposure sub-score (public exec footage volume, voiceprint availability, V-CIP coverage, regional voice-clone risk) and ships HMAC-signed monthly delta to your insurer.

…

Identity · Register Brand POST

/aegis/identity/brands — tell Aria which apex domain, social handles, developer accounts, and ad pages are legitimately yours. Every other match becomes a candidate impersonation.

Registered brands appear here.

Identity · Lookalike Hunt POST

/aegis/identity/lookalike/hunt — dnstwist-style permutations + live DNS + Certificate Transparency logs. Returns only domains that actually resolve or have been logged.

Hit "Run Hunt" to scan for lookalikes…

Identity · Social Search POST

/aegis/identity/social/search — Twitter/X + GitHub + LinkedIn (partner API).

…

Identity · App Stores POST

/aegis/identity/apps/search — Apple App Store + Google Play.

…

Identity · Ad Libraries POST

/aegis/identity/ads/search — Meta Ad Library Graph API + Google Ads Transparency Center. Needs META_ACCESS_TOKEN env var on the server for Meta.

…

Identity · Takedown Queue GET

/aegis/identity/takedown/cases — open cases, RDAP-resolved abuse contacts, pre-filled notices.

…

Identity · Open Takedown Manually POST

/aegis/identity/takedown/open — file a case when you spot something outside Aria's automated hunts.

…

🔐 Passkey / FIDO2 Enrollment Rollout LAYER 1

Phishing-resistant MFA is the single largest-leverage identity control. Target: 95% enrollment in 90 days. Every unenrolled user is a password-phishable account. This panel is the board-metric source of truth.

Enrolled (FIDO2)

—

of — users

Coverage %

—

target 95% · gap —

Phishable-MFA users

—

SMS / TOTP only

No-MFA users

—

password only · P0

Admins enrolled

—

tier-0 target 100%

90-day velocity

—

users/week

Org-wide enrollment progress ETA —

—

0%Target 95%100%

Coverage by department

Any department below 80% is the next target for the rollout team.

Unenrolled users — ship the nudges

Worst-first. Admins at the top. Bulk actions drive the 90-day curve.

	User	Department	Role	Current MFA	Last login	Risk

🎯 Conditional Access Posture LAYER 1

Device posture × risk × location × user × app. Every cell should be covered by at least one block-on-noncompliant policy. The grid below is a coverage map — red cells are gaps an attacker will find.

Policies

—

— enforced · — report-only

Coverage score

—

target ≥ 85%

Critical gaps

—

cells with no block policy

Overrides (7d)

—

manual bypass / break-glass

Risky sign-ins (24h)

—

blocked / MFA-challenged

Legacy-auth attempts

—

should be 0

Coverage matrix — user-risk × sign-in-risk × device-state

Each cell: which enforcement fires. Green = block or require FIDO2. Amber = MFA only. Red = no policy.

Conditional Access policies

Git-backed policy-as-code. Report-only mode is for staging; nothing persists there forever.

Policy	Scope	Conditions	Control	State	Users	Last-fired

Override / break-glass log (last 7 days)

Every bypass is a human promise — documented, timeboxed, reviewed.

When	User	Policy bypassed	Reason	Approver	Expires

🕵 ITDR — AiTM / Session-Cookie Replay LAYER 1 · CRIT

Evilginx / Tycoon / Caffeine steal the post-MFA session cookie. Password + MFA are already done — the attacker replays the cookie from a different browser and inherits your session. We correlate user-agent, IP-ASN, cookie-age, concurrent session, MFA-to-use delta and kill in < 90 s.

Sessions monitored

—

last 24h

Flagged (24h)

—

score ≥ 50

Auto-killed

—

score ≥ 80 · no human

Avg time-to-kill

—

detection → session revoked

Open investigations

—

analyst touch required

False-positive rate

—

rolling 7d · target < 3%

Detection signals — weighted scoring

Score ≥ 80 = auto-kill + revoke refresh token. 50-79 = challenge re-auth. 30-49 = monitor + enrich.

Suspicious sessions — live queue

Sorted by score. Green = auto-killed. Amber = awaiting decision. Click Kill to revoke + force re-auth.

Score	User	Signal summary	Origin	Cookie age	State	Action

💥 MFA-Fatigue / Push-Bombing Detector T023

Attacker has the password. Sprays push notifications until the tired user taps "Approve". Threshold: > 5 push-denies in 60s = auto-lock + force FIDO2 re-enroll. No more push once FIDO2 is enrolled.

Burst attempts (24h)

—

≥3 denies in 60s

Auto-locked accounts

—

≥5 denies / 60s

Number-matching on

—

of push-MFA tenants

Approve-after-deny rate

—

highest-risk signal

User	Window	Denies	Source ASNs	Outcome	Action

✈ Impossible-Travel Detector T024

Same user authenticates from two cities faster than a commercial flight. Haversine-distance / min-flight-time check. Session-kill + analyst notify + alert in SOAR queue.

Events (24h)

—

scored

Auto-killed

—

velocity > 900 km/h

VPN / proxy excluded

—

enterprise-VPN allow-list

Avg distance flagged

—

km between cities

User	From	To	Δt	Distance	Velocity	Action

🧹 Identity Hygiene LAYER 1

The unglamorous controls. Legacy-auth blocked. Long-lived tokens rotated. OAuth consents reviewed. This is where most breaches actually start.

🔒 Legacy-Auth Kill-Switch T025 · CRIT

Basic-auth / IMAP / POP3 / SMTP-AUTH / older EAS = MFA bypass. Must be disabled. Exceptions get a ticket, an owner, and an expiry.

Legacy-auth users

—

still active last 30d

Protocols in use

—

IMAP / POP / SMTP-AUTH / EWS

Open exceptions

—

with expiry

Denied attempts (24h)

—

block rule working

User	Protocol	Client	Last-seen	Exception	Action

🔑 Long-Lived Token Inventory T026

OAuth refresh tokens, PATs, service-account keys, CI secrets. Anything older than 90 days is a time-bomb. Rotate to short-lived OIDC wherever possible.

Long-lived tokens

—

> 90 days old

Critical

—

> 1 year · admin scope

Rotated (30d)

—

moved to OIDC / short-lived

Orphan (no owner)

—

revoke candidate

	Token	Kind	Owner	Scope	Age	Risk

🤝 OAuth Consent Review (SSPM base) T027

Third-party apps users granted to their workspace — ranked by scope + last-used. Unused for 30d → auto-expire. New high-scope consent → review workflow.

Granted apps

—

across M365 + Google

High-scope

—

mail-read · drive-full

Unused 30d+

—

auto-expire candidate

New last 7d

—

awaiting review

App	Publisher	Scopes	Users	Last used	Risk	Action

📜 Identity Action Log AUDIT TRAIL

Durable record of every workflow action fired from the Identity tabs — passkey nudges, policy promotions, session kills, token rotations, dormant sweeps. Persisted server-side; survives Cloud Run restarts. Filter by type to triage what just happened.

When	Action	Status	Affected	Action ID	Reason

💾 Immutable Backup & Recovery LAYER 5 · CRIT

Before ransomware encrypts, it deletes your backups. If production identity can delete the backup, you don't have a backup. You have a snapshot. Fix this first — nothing else matters if we can't restore.

🔐 Object-Lock (WORM) Coverage T170

Every backup bucket must have Object-Lock / GCS-retention / Azure-immutability enabled with MFA-delete. Stored in a separate cloud account from production.

Backup targets

—

across all clouds

Immutable

—

Object-Lock on

MFA-delete

—

required for deletion

Gaps

—

mutable / no-MFA

Isolated account

—

separate billing

Air-gapped (tier-0)

—

offline weekly

Target	Cloud	Size	Object-Lock	MFA-delete	Isolated acct	Retention	Status

🧪 Restore-Test Tracker T173

A backup you have never restored is fiction. Monthly random-sample restore test per tier; measure wall-clock time-to-restore. Board metric.

Tests this month

—

completed

Success rate

—

rolling 90 days

Avg restore time

—

tier-0 + tier-1

Overdue

—

no test in 30d

When	Target	Tier	Bytes	Duration	Integrity	Verdict

🗝 IAM Ops LAYER 1

PAM, IGA, access reviews, dormant sweep, admin segregation, and honey-accounts — the unsexy identity plumbing that moves breach probability the most.

🧑‍✈️ PAM / JIT Admin Workflow T028

Time-boxed elevation with ticket + approver. Full keystroke recording. Auto-revoke on expiry. Tier-0 only.

Active JIT sessions

—

avg TTL 47m

Pending approvals

—

SLA 15m

Recorded today

—

sessions w/ keystroke log

Standing admins

—

to be eliminated

User	Scope	Ticket	Approver	Granted	Expires	Record

🎣 Honey-Account Tripwires T036

Plausible admin accounts, never used. Any auth attempt = P0 incident. Zero false-positive detect.

Deployed

—

canary identities

Tripped (30d)

—

P0 incidents

False positives

0

by design

Last rotation

—

stay fresh

Canary account	Tenant	Privilege lure	Last trip	State

🔄 IGA — Joiner / Mover / Leaver T029

HRIS-driven lifecycle. Birthright roles. On-move entitlement diff. Termination SLA < 15 min.

Events (7d)

—

J · M · L

Termination p95

—

HR signal → revoked

Stuck in queue

—

> 15m

Access diff on move

—

over-permissioned

When	Event	User	Change	Latency	State

📋 Quarterly Access Review Campaigns T030

Managers attest entitlements per quarter. Auto-revoke non-attested. Evidence to compliance.

Campaign Q2-26

—

attested

Revocations

—

stale entitlement removed

Overdue managers

—

SLA 14d

Evidence bundle

—

auto-packaged

Manager	Reports	Entitlements	Attested	Revoked	Due

💤 Dormant / Orphan Account Sweep T031

No login > 30d or no owner. Disable → delete after grace. Includes service accounts.

Dormant (>30d)

—

no login

Orphan (no owner)

—

service accts

Scheduled-disable

—

in next 7d

Reactivations (30d)

—

FP control

Account	Kind	Owner	Last login	Action

🧯 Break-Glass Vault + 2-Person Rule T037

Offline-printed creds in a sealed envelope. Every retrieval alerts CEO + board SMS. Quarterly test-retrieval proves the process still works.

BG accounts

2

Entra GA · AWS root

Sealed in safe

✓

dual-custody · tamper-evident

Last test-retrieval

62d ago

quarterly drill

Unauthorised opens

0

all-time

Account	Tenant	Dual custody	Envelope seal	Alert on use
breakglass-global-admin	Entra ID	CISO + CFO	intact · serial 042	✓ CEO + board SMS
breakglass-aws-root	AWS Org root	CISO + CTO	intact · serial 043	✓ CEO + board SMS

🤖 Non-Human Identity (NHI) Inventory T038

Service accounts · workload identities · bot accounts · CI runners · LLM agents. Every NHI has an owner + rotation SLA + scope cap.

NHIs in inventory

842

all tenants

With owner tag

98%

14 orphan · triage

Workload-identity (OIDC)

78%

short-lived preferred

Over-scoped (wildcard)

12

tightening

NHI	Kind	Owner	Scope	Rotation	State
`svc-ci-deploy`	GitHub Actions · OIDC	platform	deploy:prod · scoped	ephemeral	OK
`workload-api-role`	AWS workload-identity	api-eng	s3:GetObject · one bucket	ephemeral	OK
`sa-billing-bq`	GCP service-account	data-eng	bigquery.dataOwner (wildcard)	180d	SCOPE TIGHTEN
`bot-slack-ops`	Slack bot	sre	channels:read · chat:write	OAuth	OK
`agent-aria-triage`	LLM agent	ai-platform	data_lake.read (ephemeral)	per-task · 10m	OK
`svc-legacy-etl`	SA-key · AWS	orphan	s3:* (wildcard)	842d	ORPHAN · REVOKE

⚡ Session-Hijack Revocation — One-Click Kill T039

Analyst picks user → sees active sessions → revokes + rotates refresh + forces re-auth with FIDO2. Primary response action for AiTM / session-theft / MFA-fatigue outcomes.

Kills (30d)

47

analyst + auto

Mean time-to-kill

38s

click → revoked

Reversed (false-pos)

3

user re-auth restored

IdPs covered

4 / 4

Okta · Entra · Google · AWS

Step	Action	System	Rollback
1	Find user → list active sessions	identity graph	n/a (read-only)
2	Kill selected session · invalidate access token	Okta · Entra · Google	user re-auth restores access
3	Rotate refresh token · revoke OAuth grants	IdP	re-grant via new session
4	Force FIDO2 on next login (CAP flag)	Conditional Access	flag clears when attested
5	Log to audit (T436) + attach to incident	secops graph	—

🪜 Admin-Tier Segregation T032

Tier-0 / 1 / 2 separate accounts. admin- prefix. No tier-0 login from non-PAW.

Tier-0 accts

—

target < 10

Prefix compliance

—

admin-* naming

PAW login share

—

of tier-0 sessions

Cross-tier violations

—

same-acct daily + admin

Tier	Accounts	Prefix OK	PAW-only	Violations 7d

🏰 Active Directory / Entra ID Posture LAYER 1

Where attackers build their campaign. Kerberoast, ADCS misconfigs, and attack-path graph. Shrink the graph monthly or lose ground.

🎟 Kerberoast / AS-REP-roast Detector T033

TGS-REQ to odd SPNs + AS-REP with no pre-auth. Honey-SPN seeded for zero-FP alerting.

Roastable SPNs

—

with weak RC4

AS-REP-roastable

—

DONT_REQ_PREAUTH

TGS bursts (24h)

—

anomaly

Honey-SPN hits

—

P0 if non-zero

When	Detector	Target SPN / Principal	Source	Severity

📜 ADCS Misconfig Scanner (ESC1-15) T034

Certipy-style weekly scan. Flag templates allowing subject supply + client-auth EKU.

Templates scanned

—

all CAs

Exploitable

—

ESC1/4/6/9

Mitigated (30d)

—

closed

Signed forward

—

owner + deadline

Template	CA	Finding	ESC class	Enrollees	Status

🗺 Attack-Path Graph (BloodHound-style) T035

Shortest paths to Domain Admin / Global Admin. Shrink count + avg length month-over-month.

Paths to DA/GA

—

from any user

Shortest

—

hops

Avg length

—

↓ from last month

Top chokepoint

—

remove = kill N paths

Start node	End node	Hops	Path	Action

🖥 Endpoint Posture LAYER 2

EDR coverage, ASR enforcement, LSASS/Credential Guard. These three controls kill 80% of commodity malware.

🛰 EDR Coverage & Drift T070

Target >99.5% coverage across Win / Mac / Linux. Alert on >4h offline. Reconcile to CMDB + DHCP.

Coverage

—

target > 99.5%

Offline > 4h

—

hosts stale

CMDB drift

—

in CMDB, no agent

Unknown hosts

—

agent, no CMDB

OS	Total	With EDR	Coverage	Offline > 4h	Status

🛡 ASR Rules Enforcement T071

Block Office child-process · LSASS cred-steal · webmail macro · obfuscated scripts · USB exec. Audit-then-enforce.

Rules enforced

—

of 17

Audit-mode

—

ready to promote

Blocks (7d)

—

rule-hit events

Exceptions

—

with expiry

Rule	ID	Mode	Blocks 7d	Exceptions	Action

📄 Macro-from-Internet Hard-Block T072

Office macros from MoTW-tagged files are blocked by GPO/Intune. Named exceptions carry an owner + expiry. Monthly review.

Policy status

ENFORCED

all tenants

Open exceptions

—

with expiry

Blocks (7d)

—

macro exec denied

Expired exceptions

—

must be closed

Exception	Owner	Reason	Scope	Expires	State

👑 Local-Admin Removal Progress T074

LAPS / Intune-driven. Elevation on-demand via ticket. Target: 95%+ users without permanent local admin.

Users w/o local admin

—

target ≥ 95%

LAPS-managed hosts

—

unique random pw

Legacy admins

—

standing elevation

JIT elevations (7d)

—

time-boxed

OS	Hosts	Standing-admin	LAPS	JIT-only	Status

🧱 WDAC / AppLocker Rollout T075

Start audit-mode, weekly diff, move tier-0 hosts to enforce first. Block everything not signed or published.

In enforce

—

of target fleet

In audit

—

ready to promote

Unsigned events (7d)

—

blocked or audited

Policies signed

—

tamper-resistant

Cohort	Policy version	Hosts	Mode	Violations 7d	Next

🔌 USB Device-Control Allow-List T076

Mass-storage default-block. Ticketed exceptions by VID/PID. Alert on BadUSB HID typing-speed patterns.

Allow-list entries

—

VID:PID pairs

Mass-storage blocks

—

this week

BadUSB HID alerts

—

rapid-type pattern

Pending exceptions

—

ticketed

When	Host	User	Device	VID:PID	Verdict

🧨 BYOVD — Vulnerable-Driver Block-List T078

Microsoft vulnerable-driver blocklist enforced. Any unsigned kernel-load + known-bad hash alerts loudly.

Blocklist version

—

auto-updated

Load attempts blocked

—

last 30d

Unsigned load alerts

—

P0 triage

Allow-list drivers

—

business-critical

When	Host	Driver	SHA-256	Classification	Verdict

🍏 macOS Fleet Hardening T081

TCC · SIP · Gatekeeper · FileVault · XProtect. Jamf/MDM profile diff. 100% FileVault key escrow.

FileVault on

—

of fleet

Key escrow

—

MDM-recoverable

SIP enabled

—

system integrity

Profile drift

—

from MDM baseline

macOS	Hosts	FileVault	SIP	Gatekeeper	Drift

🐧 Linux Server Coverage (osquery + auditd) T082

Wazuh/Falco runtime. Cron/systemd-timer enumeration diff. SUID/SUID-over-time drift detect.

osquery agents

—

of linux fleet

auditd baseline

—

loaded rules

SUID drift (30d)

—

new SUID binaries

Cron/timer diff

—

unsigned added

Distro	Hosts	osquery	auditd	SUID drift	State

🧩 Browser Extension Allow-List T083

Chrome Enterprise / Edge policy. Block install from unmanaged stores. Monthly review of installed extensions.

Allow-listed exts

—

approved

Blocked installs (7d)

—

attempts denied

High-risk perms

—

tab-read · all-URLs

Review due

—

this cycle

Extension	Publisher	Install base	Permissions	Risk	State

🔏 LSASS-Protection & Credential Guard T073

RunAsPPL + VBS + HVCI. Mimikatz becomes a doorstop. Reconcile incompatibilities (USB tokens, VPN drivers).

RunAsPPL

—

of Win hosts

VBS + HVCI

—

virtualization-based

Credential Guard

—

full deployed

Incompatible

—

remediation backlog

Build	Hosts	RunAsPPL	VBS	HVCI	Cred Guard	Blocker

🛰 SSPM — SaaS Security Posture LAYER 1

Our real perimeter lives in 30 vendor consoles. CIS / Secure Score equivalent pulled nightly from every critical SaaS. Drift alerts. Evidence auto-packaged to compliance.

Tenants monitored

4

M365 · Google · GitHub · Okta

Critical findings

—

open

Score trend (7d)

↑ 4.2

avg across tenants

Auto-remediated (30d)

—

drift corrected

🪟 Microsoft 365 Posture (T050)

CIS Microsoft 365 benchmark + Secure Score. Daily pull. Diff. Alert on regression. Evidence bundled to compliance.html.

Secure Score

—

of max

CIS pass-rate

—

L1 + L2

Regressions (7d)

—

blocked drift

Super-admins

—

target ≤ 5

Control	Status	Score	Drift (7d)	Action

🔍 Google Workspace Posture (T051)

2SV/FIDO coverage · less-secure-app · external-share defaults · super-admin count · Chrome policy sync.

2SV coverage

—

enforced

FIDO required

—

org-wide

External-share default

off

warn-on-share

Less-secure-app

blocked

enforced

Control	Status	Coverage	Drift	Action

🐙 GitHub Org Posture (T052)

SSO required · branch protection · signed commits · secret-scan push-protection · Dependabot. Every repo reconciled nightly.

Repos enforced

—

branch-protection

Signed commits

—

of repos

Push-protection

ON

org-wide

Outside collabs

—

review quarterly

Repo	SSO	Branch prot	Signed	Push-prot	Outside	State

🔑 Okta / Entra ID Tenant Hardening (T053)

Legacy-auth blocked · conditional-access coverage · break-glass guardrails · social-login exposure.

Legacy auth

blocked

org-wide

CAP coverage

—

of apps

Break-glass

2

accounts · monitored

Social login

off

not allowed

Check	Status	Detail	Last verified

💬 Slack / Teams / Zoom Posture (T054)

Guest-account audit · external-file-share · retention · unmanaged-app install · E2EE availability.

Guest accounts

—

needs quarterly review

External shares (7d)

—

auto-logged

Unmanaged apps

—

approve-list pending

E2EE available

Zoom

enabled for exec calls

Platform	Guests	Ext-share	Retention	Apps	Status

🎯 Salesforce / HubSpot / CRM Posture (T055)

API-user scopes · session timeout · IP allow-list · export rate-limit · profile-clone alerts.

API users

—

with scoped roles

Session timeout

2h

auto-lock

Mass-export alerts

—

rate-limit triggered

Profile changes

—

privileged-change log

CRM	API users	IP allow-list	Session	Mass-export	Status

🔀 OAuth App Marketplace Drift (T056)

Any new high-scope app consented in last 24 h triggers a review workflow. Paired with the Hygiene pane's consent review.

New grants (24h)

—

queued for review

High-scope blocked

—

auto-deny policy

Pending approval

—

owner waiting

Revoked on review

—

last 30d

App	Tenant	Scopes	Granted by	When	State

👻 Shadow-SaaS Discovery (T057)

Derived from SSO + DNS + expense data. Identifies unsanctioned apps + owners. Classifies + gates to approved-vendor list.

Shadow apps (30d)

—

discovered

Onboarded

—

moved to approved

Blocked

—

DLP + DNS

Signal sources

3

SSO · DNS · expense

App	Source	Users	Data class	Verdict

🕸 SaaS-to-SaaS Integration Map (T058)

Graph of Zapier / Make / webhooks / API-keys between apps. Flags transitive-admin chains (e.g. low-priv Zapier with high-priv creds).

Integrations mapped

—

live connections

Transitive-admin

—

privilege chains

Stale bots

—

no run 30d

Long-lived creds

—

for integrations

Source	Destination	Via	Scope	Risk

👥 Admin-Count Baseline + Drift (T059)

Target < 5 super-admins per SaaS. Alert on add. Quarterly certify.

SaaS monitored

—

critical tenants

Over baseline

—

admin-count drift

Added (30d)

—

new admins

Certified

—

this quarter

Tenant	Current admins	Target	Added 30d	Status

🌐 Network Detection & Response LAYER 3

East-west & egress visibility. Every block, every beacon, every DNS-tunnel bucket.

Default-deny egress

—

of subnets

Block-hits (24h)

—

net-new dests

Beacon candidates

—

score > 60

Auto-isolated

—

confirmed

🚪 Egress Allow-List (T100)

Default-deny outbound from workload subnets. Explicit FQDN list. Alert on block-hits to new destinations.

Subnets enforced

—

workload VPCs

Allow-listed FQDNs

—

global catalog

Blocks (24h)

—

denied

New destinations

—

triage

When	Source	Destination	Protocol	Verdict

🧭 DNS Security — NRD · DGA · DoH bypass (T101)

Umbrella / Quad9 / internal RPZ with block-log. Newly-registered-domain block. DGA scoring. DoH-bypass detect + block.

Queries (24h)

—

observed

NRD blocked

—

newly-registered

DGA detections

—

high-entropy

DoH-bypass blocks

—

1.1.1.1 · 8.8.8.8 by-IP

Query	Type	Source	Classification	Verdict

📡 Beaconing Detector (T102)

Per-source entropy on inter-request timing. Flags Cobalt / Sliver / Havoc jitter profiles. Filters out CDN + health-checks.

Conversations scored

—

24h rolling

Flagged beacons

—

score > 60

Confirmed C2

—

auto-isolated

FP rate

2.1%

target < 5%

Source	Destination	Interval	Jitter	Score	Verdict

🪤 DNS Tunneling Detector (T103)

Per-subdomain volume + label entropy + TXT-size + NULL-query anomaly. Per-host baseline.

Suspect zones

—

above baseline

Confirmed tunnels

—

blocked

TXT record spikes

—

investigate

NULL-query volume

—

baseline 0

Host	Zone	Volume	Entropy	Classification

🕋 ZTNA / SASE Rollout (T104)

App-level access + device-posture gate + per-app policy. Removing network-level VPN where possible.

Apps on ZTNA

—

of internal apps

Users migrated

—

off flat VPN

Device-posture gate

ON

compliance required

Legacy VPN users

—

remaining

App	Mode	Posture gate	Policy	Users

🔓 SSL/TLS Inspection on Corp Egress (T105)

Managed CA + pinned-app exception list. Inline DLP on inspected traffic.

Inspected

—

of corp egress

Pinned bypasses

—

allowed by policy

DLP hits (7d)

—

content-redacted

Cert errors

—

pre-deploy check

App / domain	Inspection	Reason	DLP (7d)

↔️ East-West Traffic Baseline (T106)

Zeek / Suricata + per-subnet service-pair baseline. Alert on net-new conversation patterns.

Service pairs

—

baselined

New talk (24h)

—

investigate

Policy violations

—

flow to DMZ

Lateral candidates

—

admin-svc hops

Source subnet	Dest subnet	Service	State	Action

🛡 WAF + Bot-Management Signals (T107)

Top blocked ASNs · rule-hit heatmap · FP queue · ML bot-score.

Blocked (24h)

—

requests

Top ASN blocked

AS45090

HK datacenter

Rule-hit heat

SQLi

most-triggered

Bot score > 80

—

auto-challenge

Rule	Hits (24h)	Top ASN	Country	Action

💥 DDoS Mitigation Health + Runbook (T108)

Anycast + volumetric + L7. Origin rate-limit. Table-top twice a year.

Provider tier

Enterprise

always-on

Volumetric cap

10 Tbps

network

L7 cap

20 M rps

application

Last table-top

54d ago

due in 128d

Event	Vector	Peak	Mitigated in	Impact

🎭 Domain-Fronting / CDN-Abuse Detector (T109)

SNI vs Host-header divergence. Classic C2 hiding behind trusted CDNs (Cloudfront/Fastly/Akamai).

SNI mismatches (24h)

—

scored

Confirmed abuse

—

blocked

CDN vendors

6

CloudFront · Fastly · Azure · Akamai · Cloudflare · GCDN

False positives

1.6%

rolling 7d

Source	SNI	Host header	CDN	Verdict

📣 Responder / LLMNR / NTLM-Relay Detect (T110)

mDNS/LLMNR poisoning + WPAD abuse signatures on the LAN. SMB-signing coverage tracked.

LLMNR off

—

of Win hosts

SMB-signing required

—

DC policy

WPAD fake-proxy

blocked

static-none entry

Responder signatures

—

24h · alert

When	Detection	Source host	Target	Verdict

🚨 Exposed Admin-Port Sweep (T111)

Nightly internet-scan from external vantage for RDP / SSH / WinRM / K8s-API / Docker sockets. Instant Slack + ticket.

Prefixes scanned

18

all announced

Admin ports exposed

—

P0 if any

Auto-closed (30d)

—

SG revert

Scan source

external

third-party vantage

When	IP	Port	Service	Verdict

🌥 CNAPP — CSPM + CWPP + CIEM LAYER 5

Unified cloud posture: config + workload runtime + identity entitlement. One view, one attack-path engine.

Cloud accounts

—

AWS + GCP + Azure

Critical findings

—

open

Auto-remediated (30d)

—

drift corrected

Attack paths to crown jewels

—

shrink monthly

📋 Multi-Cloud Account Inventory (T150)

Daily reconcile. Orphan-project alert. Billing-anomaly hook. Tags enforced via SCP / Org-policy.

AWS accounts

—

under org

GCP projects

—

active

Azure subs

—

active

Orphan / untagged

—

needs owner

Cloud	Account / Project	Owner tag	Cost MTD	State

📏 CSPM — CIS / NIST / PCI Benchmarks (T151)

Per-account score. Delta alert. Auto-remediation library for top-20 findings.

CIS score (org avg)

—

of max

NIST 800-53 pass

—

controls

PCI-DSS pass

—

in-scope accounts

Regressions (7d)

—

alert + revert

Account	CIS	NIST	PCI	Top finding	State

🌍 Public Bucket / DB / IP Scanner (T152)

Drift-to-public auto-revert in < 30s. Slack + ticket with owner. Zero tolerance on buckets holding PII.

Public buckets allowed

—

tagged intentional

Drift events (30d)

—

auto-reverted

Public DBs

0

target 0

Unexpected public IPs

—

on workload subnets

When	Resource	Change	Owner	Response

🔐 IMDSv2 Enforcement (T153)

SCP + Org policy block v1. Flag any EC2 allowing v1. Remediate via ASG rollout.

EC2 total

—

running

IMDSv2 required

—

enforced

Still allows v1

—

remediate

Hop-limit = 1

—

SSRF-chain break

Account	EC2	v2 required	v1 allowed	Hop=1	Action

🕸 CIEM — passRole / AssumeRole Graph (T154)

Transitive permission graph. Find role-to-admin paths. Tighten trust policies.

Roles indexed

—

across accounts

Paths to admin

—

from low-priv

Shortest path

—

hops

PassRole on *

—

danger

Start role	End role	Hops	Via	Action

📦 CWPP — Container Runtime (Falco / Tetragon) (T155)

Privileged-pod · hostPath · exec-into-pod · secret-read events streamed in real time.

Clusters covered

—

with runtime agent

Privileged pods

—

must trend to 0

exec-into-pod (24h)

—

logged

Secret-read events

—

baselined

When	Cluster	Event	Actor	Verdict

⎈ Kubernetes Hardening (T156)

Pod-Security-Admission restricted · OPA/Kyverno policies · network-policy default-deny · image-admission signed-only.

Namespaces restricted

—

PSA-restricted

NetworkPolicy default-deny

—

of clusters

Image signing required

—

cosign verify

OPA / Kyverno policies

—

enforced

Cluster	PSA	Net-policy	Img-sign	Kyverno	Status

🔑 KMS / Envelope-Encryption Audit (T157)

All data stores envelope-encrypted at rest with customer-managed keys. Per-key usage + rotation policy tracked.

Stores encrypted (CMK)

—

of data stores

Keys with rotation

—

≤ 365d

HSM-backed

—

tier-0 data

Keys stale

—

> 1y

Key alias	Cloud	HSM	Rotation	Usage 30d	State

🗺 Attack-Path Engine (T158)

Public-to-crown-jewel paths. Ranked by reachability × impact × exploit-probability. Monthly shrinkage metric.

Paths open

—

to crown jewels

Closed this month

—

shrinkage

Avg length

—

hops

Top chokepoint

—

fix = kill N paths

Start	Crown jewel	Hops	Chain	Action

💎 DSPM — Crown-Jewel Data (T159)

Classify PII / PHI / secrets in stores. Alert on large export or cross-region copy.

Stores classified

—

PII / PHI / secrets

Anomaly exports (24h)

—

under review

Cross-region copies

—

policy-aware

Crown-jewel stores

—

high-value

Store	Classes	Size	Last scan	Movement alerts (30d)

💸 Billing-Anomaly / Cryptomining Early-Signal (T160)

Per-project $/hr baseline. Spike alert. Auto-freeze path to SOAR.

Spike alerts (30d)

—

investigated

Confirmed mining

—

auto-frozen

$ saved (30d)

—

early-detect

Baseline coverage

—

of accounts

When	Project	Spike	Classification	Action

🔄 Terraform Drift Detector (T161)

Nightly plan. Out-of-band changes flagged. Owner notification + revert option.

Workspaces

—

under drift-watch

Drifted (24h)

—

manual changes

Auto-reverted

—

policy-allowed

Tickets opened

—

owner-acknowledged

Workspace	Resource	Drift	Actor	Action

🏭 OT / IoT / Mobile FORGOTTEN PLANE

Printers, HVAC, PLCs, cameras, phones — every chip is an un-monitored computer. This is where state-level actors live quietly.

Devices discovered

—

passive fingerprint

Unknown on corp LAN

—

triage · isolate

Default-pw hits

—

last sweep

Mobile MTD-enrolled

—

of corp devices

🔍 IoT / OT Device Inventory — Passive Discovery (T330)

NDR + NAC fingerprinting. Owner + firmware version + default-pw flag per device.

Kind	Count	Firmware avg age	Default-pw	Owner tag
IP cameras	218	14 mo	0	facilities
Network printers	312	22 mo	4	IT-ops
Badge readers	84	18 mo	0	facilities
HVAC / BMS controllers	42	4 yr ⚠	2	facilities
Conference-room AV	38	12 mo	0	IT-ops
PLCs (plant floor)	68	6 yr ⚠	0	OT-eng
Unknown · un-tagged	14	—	—	—

🧱 IoT / OT VLAN Segmentation + Egress-Deny (T331)

Cameras / printers / badge readers can't reach corp servers or the internet. Each device class on its own VLAN with strict allow-list.

VLAN	Class	Allowed egress	Corp reachable	Internet
VLAN-400 · cameras	cameras	NVR only	✗	✗
VLAN-410 · printers	MFPs	print-server only	✗	✗
VLAN-420 · badge	access-control	ACS controller	✗	✗
VLAN-430 · HVAC	BMS controllers	BMS head-end	✗	✗ (vendor tunnel via jump)
VLAN-500 · OT plant	PLCs · HMIs	engineering WS only · diode to data-lake	✗	✗
VLAN-900 · guest-wifi	visitor devices	Internet only	✗	✓

🔓 Default-Password Scanner (T332)

Nightly auth-attempt with vendor-default credentials across IoT fleet. Force change + track in CMDB. Findings feed owner via ticket.

When	Device	Model	Default creds	State
2h ago	printer-floor4-hp	HP LaserJet M452	admin / (blank)	OPEN · ticket
2h ago	printer-floor2-xerox	Xerox Phaser 6510	admin / 1111	OPEN
yday	hvac-ctrl-03	Honeywell WEB-8000	admin / admin	OPEN · facilities
yday	hvac-ctrl-07	Trane Tracer SC	admin / admin	OPEN · facilities
3d ago	printer-old-canon	Canon iR-ADV	7654321	FIXED
5d ago	av-room-204	Crestron DM-MD	admin / admin	FIXED

🪜 OT Jump-Host PAM + Session Recording (T333)

The IT-to-OT bridge is the holy grail — treat it as tier-0. Every session brokered, recorded, keystroke-logged.

Jump host	Tier	MFA	Recording	Last session
ot-jump-plant-01	Tier-0	FIDO2 + PAM	keystroke + video	2h ago · ot-eng-3
ot-jump-plant-02	Tier-0	FIDO2 + PAM	keystroke + video	6h ago · ot-eng-7
ot-jump-hmi	Tier-0	FIDO2 + PAM	keystroke + video	yday · vendor-esc (escorted)
ot-jump-scada	Tier-0	FIDO2 + PAM	keystroke + video	3d ago

🧠 OT-Aware NDR — Modbus · DNP3 · BACnet (T334)

Alert on unauthorised write · unusual function-code · new talker on the OT segment.

When	Protocol	Source	Target	Function	Verdict
12m ago	Modbus/TCP	eng-ws-03	PLC-14	read (FC3)	baseline
1h ago	DNP3	scada-hmi-01	RTU-06	direct-operate	investigate · unusual hour
yday	Modbus/TCP	unknown · 10.50.4.42	PLC-22	write (FC6)	BLOCKED · new talker
2d ago	BACnet	bms-head-end	HVAC-12	set-point	baseline

🏗 Purdue-Model Segmentation Visualiser (T335)

Levels 0-5 with allowed flows. Diff actual vs policy. Any cross-level flow not in policy is a violation.

Level	Zone	Allowed up	Allowed down
L0 physical	sensors / actuators	to L1 only	—
L1 basic-control	PLCs · RTUs	to L2 engineering	to L0
L2 area supervisory	HMIs · SCADA	to L3 via broker	to L1
L3 site ops	historian · MES	to L3.5 DMZ · one-way diode	to L2 via broker
L3.5 DMZ (ICS-DMZ)	data-diode + proxies	to L4 via proxy	one-way only
L4 / L5 enterprise	corp IT	internet	to L3.5 DMZ

📱 MDM + Mobile-Threat-Defense (T336)

Intune / Jamf + Lookout / Zimperium. Attestation required. Smishing-block on corp mail app.

Fleet	Count	MDM-enrolled	MTD-active	Last threat (30d)
iOS (corp-owned)	1,842	100%	100%	12 smishing · 2 side-load (blocked)
Android (corp-owned)	312	100%	100%	14 smishing · 4 rooted (blocked)
iOS (BYOD)	884	98%	92%	18 smishing · 0 jailbroken accepted
Android (BYOD)	412	94%	88%	22 smishing · 2 rooted (blocked)

✅ Device Attestation — Play Integrity / DeviceCheck Gate (T337)

Conditional-access rejects jailbroken / rooted. Warns on older-OS. Attestation freshness checked per login.

Control	Status	Scope	Failures (7d)
Play Integrity verdict (Android)	ENFORCED	all Android	6 blocked
DeviceCheck / App Attest (iOS)	ENFORCED	all iOS	0
Min OS version (iOS 16 / Android 12)	ENFORCED	all corp	18 warned · 4 blocked
Attestation freshness < 24 h	ENFORCED	all corp	—
Jailbreak / root detect	HARD BLOCK	all	8 blocked

🎯 CTEM — Continuous Threat Exposure Management LAYER 7

A CVE list is not a risk report. An attack-path is. CTEM unifies CVE + config + identity + exploit-probability into the paths attackers actually walk.

Attack paths

—

to crown-jewel

KEV in edge

—

exploit-in-wild CVEs

Edge patch SLA

18h

p95 · target < 24h

Paths shrunk (30d)

↓ 14%

month over month

🔥 Vuln Feed — EPSS · KEV · Exploit-in-Wild (T350)

Rank by exploited-in-wild first, CVSS last. KEV matches are automatic P0.

CVE	Product	CVSS	EPSS	KEV	Affected	State
CVE-2026-1841	libxml2 2.9.14	9.8	0.94	YES	platform · 12 hosts	P0 · patched
CVE-2025-52812	golang 1.21.4	8.2	0.71	YES	infra · 8 hosts	PATCHING
CVE-2026-2018	axios 0.21.4	7.5	0.18	no	api · 6 repos	auto-PR
CVE-2024-47178	cups-filters	9.9	0.08	no	0 hosts (not installed)	N/A
CVE-2024-6387 (regreSSHion)	OpenSSH	8.1	0.89	YES	0 (already patched)	CLEAN

⏱ Edge Patch SLA 24 h with Virtual-Patch Fallback (T351)

Internet-facing critical CVE → patched or WAF virtual-patched in 24 h. Exceptions require an owner + expiry.

CVE	Asset	Disclosed	Patched / virtual-patched	SLA	Status
CVE-2026-1841	edge LB · nginx	today 04:20	today 07:38	3 h 18 m	MET
CVE-2025-52812	api-gateway	yday	WAF virt-patch · 42 min	—	MET · virt
CVE-2026-2018	marketing site	2d ago	dependency PR	18 h	MET
CVE-2024-legacy	old-vpn (scheduled decom)	weeks ago	virt-patch + maintenance win	open · exception	EXCEPTION · expires 30 Apr

🗺 Unified Attack-Path Engine (T352)

CVE + config + identity + exposure combined. Path rank = reachability × impact × exploit-probability. Monthly shrinkage is the KPI.

Start	Crown jewel	Hops	Chain	Rank	Action
Internet	PII store	4	ELB → app (CVE-1841) → role → passRole → s3:pii	98	patch + scope passRole
Internet	Crown DB	5	ELB → api → lambda → sts → db-admin → rds	86	scope lambda
Phish	Source repo	4	user → GH-app → CI → deploy → write-all	82	scope GH-app
Internet	Secrets manager	3	ELB → app → SecretsMgr wildcard	78	ARN-pin
Internet	K8s admin	3	Jira bot → CI → cluster-admin	74	rotate bot token

📉 Exposure Diff Week-Over-Week (T353)

Path count, avg length, % Internet-to-crown-jewel. Board-metric: "are we getting better?"

Measure	12 wks ago	8 wks ago	4 wks ago	Now	Trend
Path count to crown-jewel	42	34	28	24	↓ 43%
Avg path length (↑ is better)	3.2	3.6	3.9	4.2	↑ longer
% internet-to-crown-jewel	38%	30%	24%	18%	↓ 20pp
Top chokepoint fixes (cumulative)	4	7	11	14	compounding

💎 Crown-Jewel Classification (T354)

Per-data-class + per-system tag drives attack-path weighting. "What must never be lost" is a short list, reviewed quarterly.

Crown jewel	Class	Owner	Blast-radius cap	Recovery RTO
Customer PII DB	Tier-0 · PII	CPO	1 incident / 5y	< 4 h
KYC document store	Tier-0 · PII + docs	CPO	1 / 5y	< 4 h
Payment processing keys	Tier-0 · crypto	CTO	0 compromise	< 15 min
Source-code + CI keys	Tier-0 · IP	CTO	0 exfil	< 1 h (restore)
Finance data (board-reporting)	Tier-0 · financial	CFO	1 / 5y	< 8 h
Brand credentials (domain · SSL · GitHub · SaaS super-admin)	Tier-0	CISO	0 compromise	immediate

🤺 Continuous External Pentest / Autonomous Red-Team (T355)

Weekly safe-run against external surface. Findings diffed; promoted to CTEM + detection-as-code.

Run	Scope	Findings	New detections created	Delta
This week	public IP ranges + SaaS	2 medium · 0 high	1	stable
Last week	public + auth-replay	1 high (BOLA · fixed 24h)	1	closed
2 wks ago	external attack surface	1 medium (subdomain takeover)	0	closed
3 wks ago	OAuth / consent surface	0	0	clean
Quarterly human red-team	full scope · 5d engagement	3 medium + report	4	all closed

🟣 Internal Purple-Team Cadence — Quarterly (T356)

Named ATT&CK scenario · pre-agreed window · findings → detection-as-code PRs. Each quarter rotates tactic focus.

Quarter	Scenario	ATT&CK focus	Detections improved	Outcome
Q2-26 (planned)	Cloud-first ransomware kill-chain	Cred Access + Impact	in-planning	—
Q1-26	AiTM + session-replay + graph-API exfil	Initial Access + Collection	+ 6 rules	dwell 32m → 8m
Q4-25	Supply-chain implant via CI runner	Persistence + Exfil	+ 4 rules	detect < 60s
Q3-25	Kerberoast + ADCS ESC1 chain	PrivEsc	+ 5 rules · honey-SPN	zero-FP detect
Q2-25	BEC + wire-fraud end-to-end	Initial Access + Impact	+ 3 rules + policy	dual-control adopted

The Fleet — Aria Search · Classify · Respond GET

/aegis/fleet — public catalog of the agent roles that power every shield. Each agent delegates to one or more internal Claude-powered agents.

…

Demo Seed POST

/aegis/demo/seed — populate all six shields with realistic sample data so every endpoint shows output.

Click to populate 6 Wazuh alerts, 4 email samples, 2 recon targets, Underwrite consent.