Skip to content
CIEM · Cloud identity entitlement management

Identity attacksurface managementfor Microsoft, AWS,and GCP clouds.

Shrink your identity attack surface. Permafrost finds every human and non-human identity, scores the gap between the access it holds and the access it actually uses, then walks the risky grants back.

Built for security engineers and cloud architects running Microsoft 365 and Entra ID, with AWS and GCP estates on the same pane.

Microsoft Entra ID and Azure — available now · AWS and GCP — in preview

Demo is read-only · synthetic data · no sign-in

How scoring works

Read-only OAuth · Zero stored credentials · Zero standing write access

Why it matters — The board's questions

Six questions your leadership will ask.

Permafrost answers each one with an outcome, then shows the evidence behind it. The mechanism — the score, the inventory, the findings, the walk-back — is proof below, not the pitch.

By the numbers — A representative tenant

The board-level view in four numbers.

What a sponsor checks at a glance: how many identities are under management, how much of the estate is non-human, how many findings are ranked, and where the attack-surface score sits. Each opens the view it was counted from.

Representative demo tenant — illustrative, not an audited customer metric.

The business case — Before and after

Less standing access. Smaller blast radius.

The unused half of every identity’s access is risk you carry for no return. Permafrost turns that gap into a shorter, evidence-backed path to least privilege.

Before — Access drifts

  • Permissions granted at project start and never revisited.
  • Quarterly access reviews run from spreadsheets, taking weeks.
  • Service principals, managed identities, and agents multiply unscored.
  • An auditor's request to prove least privilege lands as a fire drill.

After — Access is earned

  • Every identity scored on the gap between access held and access used.
  • Reviews become a filter-and-confirm pass over usage evidence.
  • Non-human identities ranked alongside users, classified by origin.
  • Least-privilege evidence is a query result, ready for the audit.
New class — Agent identities

AI agents are accelerating the standing-access epidemic.

Agents act under their own credentials, collect broad grants to get a job done, and almost never get reviewed afterward. Permafrost discovers every agent identity, classifies it by origin, and scores it on the same granted-versus-exercised axis as your users — so a new class does not become a new blind spot.

Where we fit — Your existing stack

Built to sit alongside your Microsoft security stack.

Permafrost reduces identity attack surface on the plane your CSPM, identity-governance, and privileged-access tools do not score. It complements what you run — it does not replace it.

Trust — Verifiable, not asserted

Every claim here is checkable in the consent grant or the Trust Center. We show what is true today and name what is still on the roadmap.

Under the hood — How it works

The proof beneath the outcomes.

The score, the inventory, the evidence, and the walk-back — the same surfaces a connected tenant lands on. This is the mechanism the outcomes above are built from.

Watch it — Two-minute tour

See the gap close, end to end.

A short walkthrough: connect a tenant, read the score, drill a finding to its evidence, and walk a risky grant back. No sign-in to press play.

Product demo

A short product walkthrough is in production.

Until it lands, take the same surfaces for a spin in the live demo — read-only, synthetic data, no sign-in.

Try the live demo
CORE 01 — The gap

One score to add meaning to all.

UPR is the Unified Principal Risk: 0 to 100 per identity, the ratio of permissions granted to permissions exercised over a 90-day window, with additional factors.

  • WindowEvery score reads from a rolling 90-day evidence window.
  • EvidenceARM activity-log evidence behind every score. No black-box numbers.
  • ScopeRBAC-only by design. The score measures what role assignments actually grant.
  • TenantTenant-level UPR is the weighted average across every identity.
38.2Tenant UPR · lower is better
CORE 03 — Evidence

Severity you can defend.

Every finding drills to the rows behind it: the role assignment, the scope, and the activity-log evidence that proves what was exercised and what never was. When the board asks why an identity is critical, the answer is a query result, not a vendor adjective.

  • DrillEach severity chip opens the filtered list it was counted from.
  • ProofFindings cite ARM activity-log entries, not heuristics.
CORE 04 — Remediate

Three modes. Zero credentials.

Every recommendation ships with a walk-back path. You choose how much of the work Permafrost does, and none of the modes require it to hold a secret.

Mode 01 — Manual

Guided steps

A precise, scoped runbook for the change: the exact role assignment, the exact scope, the portal path. You stay on the keyboard the whole time.

Nothing leaves your tenant

Mode 02 — Script with preview

Download, review, run

A generated script with a full preview of every action it will take. Review it, diff it, run it from your own shell under your own account.

You sign, you execute

Mode 03 — Session-only OAuth

Apply in one session

Consent once, apply the change, done. The OAuth access token lives in memory for one hour at most, then it is gone. Permafrost stores zero customer credentials.

In-memory token · ≤1 hour · then gone

Isolation

Tenant isolation by design. Every query, every row, every export is scoped to one customer.

Scope

CIEM, not a SIEM. Permafrost reads entitlements and the evidence that proves their use. It is not a log lake.

Cadence

Minimum 60-minute sync cadence per tenant. No surprise scans, no unannounced load.

Connect in minutes

Take a core sample.

The first sync is read-only. No card required.

Demo is read-only · synthetic data · no sign-in