Skip to content
Capabilities

Positioning

CIEM measures the gap between permissions granted and permissions used. SIEM measures security events over time. Permafrost is built for the first job — deepest on Microsoft Cloud today, with AWS and GCP coverage on the roadmap — and treats every signal that does not answer a permission-posture question as out of scope.

Permission posture

The two disciplines are adjacent and complementary. They are not interchangeable.

Every Permafrost signal answers a permission-posture question: who can do what they should not be able to do. A SIEM tells you what already happened. A CIEM tells you what could happen if a credential were abused. Permafrost does not try to do the SIEM job, and a SIEM does not do the CIEM job well.

Microsoft-deep, not lowest-common-denominator

The usual multi-cloud trade-off is to flatten everything into a lowest-common-denominator model that fits AWS IAM, GCP IAM, and Azure RBAC at the same time. Cloud-specific signals get discarded because they do not translate across providers, and the depth of each cloud is lost.

Permafrost takes the opposite path: it models each cloud at full depth rather than collapsing them into a shared schema, and it starts where it goes deepest. The seven capabilities below are signals Permafrost models end-to-end on Microsoft Cloud today; the same full-depth approach extends to AWS and GCP as that coverage ships.

  • PIM-aware analysis. Eligible-versus-active assignments treated as separate signals, not collapsed into one.
  • Entra directory role coverage. Directory-side admin roles modelled with the same rigor as ARM RBAC, not as a footnote.
  • Administrative unit scoping. Scope-aware queries respect AU boundaries so findings match the customer's delegation model.
  • Conditional Access context. Risk signals folded into the per-identity picture, not hidden behind a separate console.
  • ARM activity-log integration. Every permission-gap finding can point to a control-plane log row that proves an assignment is unused.
  • Agent identity discovery. AI agents and copilot identities discovered alongside users and service principals — modern Azure tenants have both.
  • Custom role generation. Least-privilege custom Azure roles exported as ARM, Bicep, or Terraform, ready for change-managed deployment.

What Permafrost does not try to be

Honest scoping is part of the product. None of the items below are future-roadmap promises.

  • Not a SIEM. For event detection, log retention, and incident-investigation log analytics, use a dedicated SIEM platform.
  • Not a CSPM. For resource-configuration drift, network exposure, and compliance benchmarks against the resource plane, use a dedicated CSPM platform.
  • Not an IGA. For joiner-mover-leaver lifecycle, attestation campaigns, and HR-system integration, use a dedicated identity-governance platform.
  • Not a PAM. For session brokering, credential vaulting, and just-in-time elevation gates, use a dedicated privileged-access management platform.

One thing that is not on this list: multi-cloud. AWS and GCP entitlement coverage is on the roadmap, modelled at the same depth as Microsoft rather than flattened to a shared schema. Microsoft Cloud is available today; AWS and GCP are coming.

Where Permafrost fits in your stack

Most Microsoft Cloud customers already run the platform's own security tooling. Permafrost is built to sit alongside it, not to rip it out. The table reads each relationship at the category level: complementary where the planes differ, partial overlap where the signals touch.

Where Permafrost wins on merit

Positioning is not a comparison scorecard. It is the set of things Permafrost does because it models each cloud at full depth, starting with the deepest possible Microsoft Cloud coverage.

  • Microsoft-Cloud-deep. Azure RBAC, Entra directory roles, and the Microsoft 365 control planes modelled with their real semantics, not flattened into a lowest-common-denominator schema. AWS and GCP join the same model at full depth as that coverage ships.
  • Evidence-first. Every permission-gap finding points to the ARM activity-log row that proves an assignment is unused, or to the measured absence of one. A finding a security team can defend to a change board.
  • PIM-aware. Eligible and active assignments treated as separate signals, so a just-in-time elevation is not mistaken for standing access.
  • NHI-inclusive. Service principals, managed identities, and the agent-identity class discovered and classified by origin alongside users.
  • Zero standing write. Permafrost holds no write-capable token to any customer tenant. Remediation runs through one of three customer-chosen modes, never a persisted credential.