What an attacker actually reaches today.
STACK Sentry simulates realistic blast radius for every credential, role, key, and pod in your environment — daily — so you see what changed before an attacker exploits it.
Wiz runs queries. Sentry runs the attacker.
Static graph analysis tells you what's possible. Continuous adversary simulation tells you what's reachable today and what changed since yesterday.
Identity Graph
Every role, service account, K8s SA, API key, OAuth grant mapped to permissions and assumable trust paths across clouds.
Attack-Path Search
Per-asset and per-data-set: shortest path from a dev laptop to prod RDS, with privilege escalation steps explicit.
Daily Diff
Today's blast radius vs. yesterday's, with the exact IAM change, trust update, or peering that opened the new path.
Privilege-Escalation Rules
Provider-specific (iam:PassRole, GCP impersonation, K8s RBAC bind) plus your own custom rules in code.
Crown Jewel Tagging
Mark sensitive data sets and crown-jewel workloads. Track shortest path to each over time.
Ranked Remediations
Per-edge fixes ranked by total blast-radius reduction. Fix the one role that closes nine attack paths.
→ Identity: arn:aws:iam::*:role/jenkins-ci OVER-PRIVILEGED
→ Hop 1: sts:AssumeRole → deploy-role (trust policy allows) LATERAL
→ Hop 2: deploy-role → rds:Connect prod-primary.cluster CROWN JEWEL
→ Path: 2 hops to production database — no approval gate
→ Compared: yesterday's simulation — path is NEW (deploy-role trust widened 14h ago)
→ Fix: remove sts:AssumeRole on deploy-role — closes 9 attack paths
→ REPORT blast-radius-diff.json emitted — auditor-signable
From IAM scan to daily adversary simulation, in two weeks
Sentry is read-only by default. It builds the graph from your existing audit logs and IAM configs — no agents, no sidecars, no inline interception.
1. Map
Read-only IAM scan plus cloud audit subscription. Identity graph built from every role, service account, key, and trust path.
Week 12. Simulate
First blast-radius simulation run. Crown-jewel tagging workshop. Yesterday-vs-today diff delivered to the security team.
Week 1–23. Harden
Ranked remediations deployed. Daily simulation cadence established. Fix the one role that closes nine attack paths.
Week 2Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Does this replace Wiz or Orca?
It complements them. They do graph queries on demand. We run continuous adversary simulation and surface the drift between days.
How long until the first useful result?
One day of CloudTrail plus an IAM scan. Initial graph builds in 4 hours. First daily diff lands the next morning.
Does it modify our environment?
Read-only by default. Optional remediation hooks (revoke role, drop trust) require explicit policy grants.
How does it scale to a 50K-identity enterprise?
Graph engine handles 1M+ identities. Path search runs as a Spark job over Iceberg-backed graph snapshots.