The people behind your permission posture
Permafrost is the CIEM platform for Microsoft Cloud. Before you connect a tenant, you should know who built it and why. No faceless vendor, no standing access to your directory.
Founder
Twenty-one years in security incident response taught one lesson the hard way: most breaches do not start with novel malware. They start with an identity that quietly held more access than anyone remembered granting.
Permafrost is the tool that experience kept asking for. A way to see granted-versus-used access across Microsoft Cloud, score the risk on every principal, and close the gap without ever handing a vendor standing write access to the tenant.
Why we built Permafrost
Incident response is mostly archaeology. You arrive after the breach and trace it back to an account, a service principal, or a managed identity that carried far more access than the work in front of it ever needed. The access was granted years earlier, for a project that ended, and nobody walked it back.
The tools meant to catch this drowned the signal. Logs measured activity, not entitlement. Identity governance proved who approved access, not whether it was still warranted. The question that matters in a breach, what could this principal actually do, went unanswered until it was too late to ask.
Permafrost answers it continuously. It models granted-versus-used access across Azure RBAC, Entra directory roles, and the Microsoft 365 control planes, scores the risk on every principal, and turns each finding into a guided next step. It does this without storing a single customer credential, because the lesson of two decades in response is that the security tool should never become the next breach path.
What we hold to
These are not aspirations. Each one is a posture guarantee that ships in the product today.
Want the proof behind the posture? Visit the Trust Center for live certification status, or read the security posture.
