SOX · Splunk · 50+ apps

SOX IAM Logging Enablement for 50+ Applications

Industry: Financial services · Duration: 6 months · Auditor: Big Four

The Challenge

The client had 50+ in-scope SOX applications, mixed on-prem and cloud, with inconsistent IAM logging. The previous audit cycle produced 14 findings tied to incomplete authentication and authorization evidence. The next cycle was nine months out. Logging was sometimes present, sometimes routed but unparseable, and rarely normalized to anything the auditors could trust.

What We Built

An end-to-end IAM logging program in Splunk Cloud. App-by-app log standard. Source-side requirements documented. Cribl pipelines to shape the noisier producers. CIM-aligned eventtypes and tags. Lookups that resolve actor → SSO → manager. Audit dashboards saved as PDF-on-demand for evidence packages.

Outcome

The client closed the next audit cycle with zero IAM findings — first time in four years. Splunk logging coverage grew from ~38% to 98.4% of in-scope apps. Cycle time for audit evidence requests dropped from 9 days to 2 hours.

50+ · PCI/SOX apps onboarded
98.4% · CIM compliance
0 · Audit findings (cycle 1)
2 hrs · Avg. evidence response
14 → 0 · Findings cycle-over-cycle

Windows · APEX · Tanium

Automated Remediation of 10K+ Windows Local Accounts

Industry: Healthcare · Duration: 4 months · Scope: 8,400 hosts

The Challenge

Audit findings flagged 10,000+ local accounts on Windows hosts with no clear ownership, no consistent disposition policy, and an annual review process consisting of a spreadsheet emailed to system owners. Most owners didn't know which accounts were theirs, and the spreadsheet method had a 41% completion rate.

What We Built

An APEX-based remediation engine that pulls Tanium endpoint data, cross-references AD and the CMDB, evaluates each account against a policy library (password age, last logon, group membership, ownership), and recommends one of: Keep, Disable, Vault, Remove, Investigate. Each recommendation includes a confidence score and a reason. Owners review in a portal; auto-actionable accounts proceed without manual review.
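The policy evaluation described above, as an added Python illustration (not the client's APEX engine): each constructed account is scored against ordered rules for password age, last logon, privilege and ownership, producing a disposition with a confidence and reason; the thresholds are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LocalAccount:
    host: str
    name: str
    enabled: bool
    password_age_days: int
    last_logon_days: Optional[int]   # None = never logged on
    local_admin: bool
    owner: Optional[str]             # resolved from AD/CMDB; None = unknown

@dataclass
class Disposition:
    action: str        # Keep / Disable / Vault / Remove / Investigate
    confidence: float  # 0.0 - 1.0
    reason: str

# Hypothetical policy constants (the real policy library is client-specific)
MAX_PW_AGE_DAYS = 90
STALE_DAYS = 180
AUTO_ACTION_THRESHOLD = 0.80

def evaluate(a: LocalAccount) -> Disposition:
    """Apply rules from most to least certain; first match wins."""
    stale = a.last_logon_days is None or a.last_logon_days > STALE_DAYS
    if not a.enabled and stale:
        return Disposition("Remove", 0.95, "already disabled and stale")
    if a.owner is None and a.local_admin:
        return Disposition("Investigate", 0.60, "privileged account with no owner")
    if stale:
        return Disposition("Disable", 0.85, f"no logon in {STALE_DAYS}+ days")
    if a.local_admin and a.password_age_days > MAX_PW_AGE_DAYS:
        return Disposition("Vault", 0.80, "active admin with overdue password")
    if a.owner is None:
        return Disposition("Investigate", 0.50, "active account with no owner")
    return Disposition("Keep", 0.90, "owned, active and within policy")

def is_auto_actionable(d: Disposition) -> bool:
    """Investigate always goes to a human; others need enough confidence."""
    return d.action != "Investigate" and d.confidence >= AUTO_ACTION_THRESHOLD

# Constructed sample accounts (not client data)
SAMPLE = [
    LocalAccount("host-a", "oldsvc", False, 400, 300, False, None),
    LocalAccount("host-b", "admin2", True, 120, 5, True, None),
    LocalAccount("host-c", "backup", True, 30, 200, False, "jdoe"),
    LocalAccount("host-d", "dba", True, 120, 2, True, "asmith"),
    LocalAccount("host-e", "helpdesk", True, 20, 1, False, "tlee"),
]

def run(accounts=SAMPLE):
    return [(a.name, evaluate(a)) for a in accounts]
```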

Outcome

82% of accounts were classified as auto-actionable on first run. The remaining 18% landed in a focused review queue with clear context. Average review time per cert cycle dropped from ~80 hours of system-owner work to under 4. The auditors accepted the engine itself as the control evidence.

10,217 · Accounts dispositioned
82% · Auto-actionable on day 1
40+ hrs · Saved per review cycle
8,402 · Hosts in scope
96% · SLA on review queue

HPA · Splunk · PCI

HPA Monitoring Dashboard Suite for PCI Environment

Industry: Retail / payments · Duration: 3 months · Scope: CDE + adjacent

The Challenge

The client's high-privilege access program had a vault and brokered sessions, but actual monitoring was ad hoc. PCI DSS Requirement 10 was being met on paper through log retention — but the controls around using the logs to detect anomalous privileged behavior were thin. The QSA had flagged "compensating control" status as a watch item.

What We Built

A Splunk dashboard suite covering: HPA session volume, off-hours and new-asset escalations, MTTR on flagged sessions, vault-vs-session reconciliation (i.e., who used a credential without going through the vault). Anomaly detection on session duration, command frequency, and asset-pair novelty. Tied to an investigation runbook and a quarterly attestation.
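The vault-vs-session reconciliation described above, as an added Python illustration (not the client's Splunk searches): a brokered session is flagged when no vault checkout for the same account and user covers its start time. Event fields, timestamps and the grace window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not client data)
VAULT_CHECKOUTS = [
    {"account": "svc_db_admin", "user": "alice",
     "checkout": "2024-03-01T09:00:00", "checkin": "2024-03-01T10:00:00"},
    {"account": "svc_pos_root", "user": "carol",
     "checkout": "2024-03-01T13:00:00", "checkin": None},   # still checked out
]
SESSIONS = [
    {"account": "svc_db_admin", "user": "alice", "host": "pos-db-01",
     "start": "2024-03-01T09:15:00"},   # inside alice's checkout
    {"account": "svc_db_admin", "user": "alice", "host": "pos-db-01",
     "start": "2024-03-01T10:20:00"},   # 20 min after checkin, beyond grace
    {"account": "svc_db_admin", "user": "bob", "host": "pos-db-02",
     "start": "2024-03-01T14:30:00"},   # bob never checked the credential out
    {"account": "svc_pos_root", "user": "carol", "host": "pos-app-07",
     "start": "2024-03-01T15:45:00"},   # open checkout, covered
]

def parse(ts):
    return datetime.fromisoformat(ts)

def covers(checkout, start, grace):
    """True if this checkout (same account and user) spans the session start."""
    begin = parse(checkout["checkout"]) - grace
    end = (parse(checkout["checkin"]) + grace) if checkout["checkin"] else datetime.max
    return begin <= start <= end

def reconcile(sessions, checkouts, grace=timedelta(minutes=5)):
    """Return sessions that used a privileged account outside any vault checkout.

    Matching on both account and user means a checkout by one person does not
    excuse a different person using the same credential at the same time.
    """
    unmatched = []
    for s in sessions:
        start = parse(s["start"])
        matched = any(
            c["account"] == s["account"] and c["user"] == s["user"]
            and covers(c, start, grace)
            for c in checkouts
        )
        if not matched:
            unmatched.append(s)
    return unmatched
```

In the Splunk version this is the same join, with each unmatched session driving the investigation runbook and the quarterly attestation count.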

Outcome

The QSA upgraded the control from "compensating" to "effective" at the next assessment. Mean-time-to-review on flagged HPA sessions dropped from days to under 5 minutes. The client identified two cases of credential reuse outside the vault that the previous program had missed.

3,418 · HPA sessions / 24h baseline
4.1 min · MTTR on flagged sessions
2 · Out-of-vault uses caught
Effective · QSA control rating

AI · Certifications · IGA

AI-Accelerated Quarterly Access Certification

Industry: Insurance · Duration: 5 months · Scope: 8K+ entitlements

The Challenge

Quarterly certifications had become a 4-week organizational drag. Reviewers were rubber-stamping. The CISO wanted to keep the policy quarterly but cut effort. Auditors wanted higher review quality. We needed to deliver both.

What We Built

An LLM-driven cert-cycle accelerator. Entitlements clustered by similarity. Outliers surfaced first. Each entitlement comes with a generated context blurb (peer comparison, usage frequency, previous certifier, change since last cycle). Reviewers see the highest-signal items first and bulk-action the rest. Source-cited reasoning behind every suggestion. Approvals still require human action.

Outcome

Average reviewer time fell from 6.4 hours to 1.7 hours per cycle. Revoke rate (proxy for quality) went up 3.1x — reviewers were actually catching things instead of skimming. Auditors accepted the AI summaries as supplemental evidence after a guardrails walkthrough.

8,402 · Entitlements / cycle
73% · Reviewer time saved
3.1× · Revoke rate increase
99.1% · Cycle completion
Engagement

Have a similar problem?

Most engagements look familiar — messy environment in, audit-defensible operating system out. Tell us yours, and we'll come back with a path.