Designed & Built by Tory Keit — Systems IT Architect Lead
An interactive tool that computes and visualizes how ordinary, individually-harmless permissions chain together into an attack path an adversary can walk from a compromised identity to sensitive data.
Live demo: https://ashy-wave-052dac30f.7.azurestaticapps.net
Over 80% of cloud breaches trace back to compromised credentials and misconfiguration — not zero-day exploits. The damage rarely comes from a single bad permission. It comes from combinations: an over-permissioned identity, a trust relationship, and a reachable resource that together form a path to impact, without exploiting any vulnerability.
Most security tooling stops at listing findings — "here are 500 things wrong." What defenders actually need is to understand reachability: which combination of permissions creates a viable path to something that matters. This is the direction the industry is moving (attack-path / reachability analysis), and it's exactly what PathFinder demonstrates.
- Renders a modeled Azure identity environment as a clear, labeled diagram (Identities → Roles / Permissions → Resources).
- Lets you pick a compromised entry point and a sensitive target, then computes the attack path between them using a real graph path-finding algorithm.
- Animates the breach path hop-by-hop and explains each step in plain language.
- Lets you edit permissions — add or remove a permission and watch a safe target become reachable, or an attack path break. This is the core lesson made interactive.
- Surfaces a plain-language verdict ("A compromised Dev User can reach customer-data in 5 steps — no vulnerability required").
- Graph model & path-finding: a real depth-first search with cycle detection over a directed permission graph, decoupled from the rendering layer. This is genuine graph theory, not a scripted animation.
- RBAC-accurate modeling: the permission chains reflect how real Azure privilege escalation works (e.g., a Contributor role that can self-assign Key Vault access, secrets that unlock storage).
- Path scoring: ranks paths by length and target sensitivity to surface the most dangerous route first.
This tool is a simulation. It runs on a sample modeled environment with example identities and resources — it is not connected to any real Azure tenant and uses no live data. What is real is the engine: the same path-finding logic shown here is how attack-path analysis works in production, where it would run continuously against live identity data from Azure Resource Graph and Microsoft Entra ID.
- Pure client-side — HTML, CSS, and vanilla JavaScript. All computation and rendering run in the browser.
- Zero backend — hosted as an Azure Static Web App on the Free tier. The heavy lifting (graph traversal) happens on the client, so it runs at zero infrastructure cost.
- Responsive — desktop and mobile layouts, since most traffic is mobile.
PathFinder is the third project in a cloud identity-exposure and security architecture portfolio:
- ShieldInbound — application-layer security (adversarial prompt guardrail engine)
- Secure Azure Landing Zone — secure infrastructure as code (Terraform)
- PathFinder — identity attack-path / reachability analysis
Modeled environment. Real path-finding engine. Runs on Azure free-tier infrastructure.