Positioning
CIEM measures the gap between permissions granted and permissions used. SIEM measures security events over time. Permafrost is built for the first job — deepest on Microsoft Cloud today, with AWS and GCP coverage on the roadmap — and treats every signal that does not answer a permission-posture question as out of scope.
Permission posture
The two disciplines are adjacent and complementary. They are not interchangeable.
Every Permafrost signal answers a permission-posture question: who can do what they should not be able to do. A SIEM tells you what already happened. A CIEM tells you what could happen if a credential were abused. Permafrost does not try to do the SIEM job, and a SIEM does not do the CIEM job well.
Microsoft-deep, not lowest-common-denominator
The usual multi-cloud trade-off is to flatten everything into a lowest-common-denominator model that fits AWS IAM, GCP IAM, and Azure RBAC at the same time. Cloud-specific signals get discarded because they do not translate across providers, and the depth of each cloud is lost.
Permafrost takes the opposite path: it models each cloud at full depth rather than collapsing them into a shared schema, and it starts where it goes deepest. The seven capabilities below are signals Permafrost models end-to-end on Microsoft Cloud today; the same full-depth approach extends to AWS and GCP as that coverage ships.
- PIM-aware analysis. Eligible-versus-active assignments treated as separate signals, not collapsed into one.
- Entra directory role coverage. Directory-side admin roles modelled with the same rigor as ARM RBAC, not as a footnote.
- Administrative unit scoping. Scope-aware queries respect AU boundaries so findings match the customer's delegation model.
- Conditional Access context. Risk signals folded into the per-identity picture, not hidden behind a separate console.
- ARM activity-log integration. Every permission-gap finding can point to a control-plane log row that proves an assignment is unused.
- Agent identity discovery. AI agents and copilot identities discovered alongside users and service principals — modern Azure tenants have both.
- Custom role generation. Least-privilege custom Azure roles exported as ARM, Bicep, or Terraform, ready for change-managed deployment.
What Permafrost does not try to be
Honest scoping is part of the product. None of the items below are future-roadmap promises.
- Not a SIEM. For event detection, log retention, and incident-investigation log analytics, use a dedicated SIEM platform.
- Not a CSPM. For resource-configuration drift, network exposure, and compliance benchmarks against the resource plane, use a dedicated CSPM platform.
- Not an IGA. For joiner-mover-leaver lifecycle, attestation campaigns, and HR-system integration, use a dedicated identity-governance platform.
- Not a PAM. For session brokering, credential vaulting, and just-in-time elevation gates, use a dedicated privileged-access management platform.
One thing that is not on this list: multi-cloud. AWS and GCP entitlement coverage is on the roadmap, modelled at the same depth as Microsoft rather than flattened to a shared schema. Microsoft Cloud is available today; AWS and GCP are coming.
Where Permafrost fits in your stack
Most Microsoft Cloud customers already run the platform's own security tooling. Permafrost is built to sit alongside it, not to rip it out. The table reads each relationship at the category level: complementary where the planes differ, partial overlap where the signals touch.
| Tool you own | Relationship | What Permafrost adds |
|---|---|---|
| Microsoft Defender for CloudCSPMResource-configuration posture: misconfig, exposure, and compliance benchmarks across the resource plane. | Complementary | The identity plane Defender does not score: granted-versus-exercised permission risk per principal, evidenced by the ARM activity log. |
| Microsoft Entra ID GovernanceIdentity governanceAccess reviews, entitlement management, and joiner-mover-leaver lifecycle across Entra ID. | Overlap | Used-versus-granted evidence for every review decision, plus Azure RBAC depth and non-human identities a review campaign rarely reaches. |
| Microsoft PIMPrivileged accessJust-in-time elevation and approval gates for eligible privileged roles. | Complementary | PIM-aware scoring that reads eligible and active assignments as separate signals, so a JIT elevation is never mistaken for standing access. |
- Microsoft Defender for CloudCSPMComplementary
Resource-configuration posture: misconfig, exposure, and compliance benchmarks across the resource plane.
Permafrost adds The identity plane Defender does not score: granted-versus-exercised permission risk per principal, evidenced by the ARM activity log.
- Microsoft Entra ID GovernanceIdentity governanceOverlap
Access reviews, entitlement management, and joiner-mover-leaver lifecycle across Entra ID.
Permafrost adds Used-versus-granted evidence for every review decision, plus Azure RBAC depth and non-human identities a review campaign rarely reaches.
- Microsoft PIMPrivileged accessComplementary
Just-in-time elevation and approval gates for eligible privileged roles.
Permafrost adds PIM-aware scoring that reads eligible and active assignments as separate signals, so a JIT elevation is never mistaken for standing access.
Where Permafrost wins on merit
Positioning is not a comparison scorecard. It is the set of things Permafrost does because it models each cloud at full depth, starting with the deepest possible Microsoft Cloud coverage.
- Microsoft-Cloud-deep. Azure RBAC, Entra directory roles, and the Microsoft 365 control planes modelled with their real semantics, not flattened into a lowest-common-denominator schema. AWS and GCP join the same model at full depth as that coverage ships.
- Evidence-first. Every permission-gap finding points to the ARM activity-log row that proves an assignment is unused, or to the measured absence of one. A finding a security team can defend to a change board.
- PIM-aware. Eligible and active assignments treated as separate signals, so a just-in-time elevation is not mistaken for standing access.
- NHI-inclusive. Service principals, managed identities, and the agent-identity class discovered and classified by origin alongside users.
- Zero standing write. Permafrost holds no write-capable token to any customer tenant. Remediation runs through one of three customer-chosen modes, never a persisted credential.
Next stop
The principal risk score (UPR)
How UPR scores each security principal across eight factors, including the unused-permission gap evidenced by the ARM activity log.
Next stop
Three-mode remediation
The differentiator: manual playbook, downloadable script, or session-scoped OAuth. Zero standing write access.
