What an attacker actually reaches today.
STACK Sentry simulates realistic blast radius for every credential, role, key, and pod in your environment — daily — so you see what changed before an attacker exploits it.
Wiz runs queries. Sentry runs the attacker.
Static graph analysis tells you what's possible. Continuous adversary simulation tells you what's reachable today and what changed since yesterday.
Identity Graph
Every role, service account, K8s SA, API key, and OAuth grant, mapped to its permissions and assumable trust paths across clouds.
Attack-Path Search
Per asset and per data set: the shortest path from a dev laptop to prod RDS, with each privilege-escalation step made explicit.
Daily Diff
Today's blast radius vs. yesterday's, with the exact IAM change, trust update, or peering that opened the new path.
Privilege-Escalation Rules
Provider-specific (iam:PassRole, GCP impersonation, K8s RBAC bind) plus your own custom rules in code.
Crown Jewel Tagging
Mark sensitive data sets and crown-jewel workloads. Track shortest path to each over time.
Ranked Remediations
Per-edge fixes ranked by total blast-radius reduction. Fix the one role that closes nine attack paths.
Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Does this replace Wiz or Orca?
It complements them. They do graph queries on demand. We run continuous adversary simulation and surface the drift between days.
How long until the first useful result?
One day of CloudTrail plus an IAM scan. Initial graph builds in 4 hours. First daily diff lands the next morning.
Does it modify our environment?
Read-only by default. Optional remediation hooks (revoke role, drop trust) require explicit policy grants.
How does it scale to a 50K-identity enterprise?
Graph engine handles 1M+ identities. Path search runs as a Spark job over Iceberg-backed graph snapshots.