Each engagement leaves behind something operational: a logging pipeline, a remediation portal, a dashboard, a runbook. Strategy without artifacts is decoration.
A two-to-six-week engagement that maps your current identity controls against PCI DSS, SOX ITGC, and SOC 2 trust criteria — and produces a remediation roadmap your steering committee can actually fund.
We start with the data you already have (Splunk, AD, ServiceNow CMDB, BigID, Wiz) so you don't have to instrument anything new just to understand your gaps.
| Control Area | Status | Risk |
|---|---|---|
| Logging completeness | Partial | High |
| Privileged access review | Compliant | Low |
| Account dormancy | Gap | Critical |
| Segregation of duties | Partial | Medium |
| Joiner-mover-leaver | Compliant | Low |
Joiner-mover-leaver workflows, certification campaigns, and segregation-of-duties controls that are auditor-defensible — not just policy-compliant on paper.
We design around the actual humans doing reviews. If a manager can't certify 80 entitlements in five minutes, the control will fail. Our workflows are calibrated to attention spans and audit cycles.
| Reviewer | Population | Status |
|---|---|---|
| m.alvarez | 62 entitlements | Complete |
| j.patel | 104 entitlements | Complete |
| r.okafor | 48 entitlements | In progress |
| k.tanaka | 21 entitlements | Complete |
| a.brown | 78 entitlements | Overdue |
A Splunk-native practice. We onboard PCI/SOX applications, normalize to CIM, build eventtypes and tags, write enrichment lookups, and ship the dashboards that pass audit on day one.
In Splunk Cloud you have no filesystem access to props.conf and transforms.conf; parsing changes go in through the UI or a vetted private app, so success depends on how clean the producer side is, plus disciplined tag/eventtype hygiene. That's the work we specialize in.
| Eventtype | Tag | App | State |
|---|---|---|---|
| iam_login_success | authentication | okta | CIM ✓ |
| iam_priv_use | change | splunk | CIM ✓ |
| iam_role_assign | change | azure-ad | CIM ✓ |
| iam_secret_rotate | change | vault | Drift |
| iam_local_logon | authentication | tanium | CIM ✓ |
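One way to catch the "Drift" state in the table before it reaches an auditor is to lint eventtypes.conf and tags.conf as they leave the producer side. This is an added example written for this page, not the practice's own tooling: the conf text, stanza names and searches are constructed assumptions, and the check covers only the tag each CIM data model keys on, not the data model's field requirements.

```python
"""Added example, not the page's own tooling: a pre-deployment hygiene check
for Splunk eventtypes.conf / tags.conf, the same gap the table's "Drift"
state flags. The conf text below is constructed; stanza names and searches
are assumptions, not any vendor's shipped configuration."""
import configparser

# Constructed eventtypes.conf (searches are illustrative, not real TA content)
EVENTTYPES_CONF = """
[iam_login_success]
search = sourcetype=OktaIM2:log eventType=user.session.start outcome.result=SUCCESS

[iam_role_assign]
search = sourcetype=azure:aad:audit operationName="Add member to role"

[iam_secret_rotate]
search = sourcetype=hashicorp_vault_audit type=response request.path="*/rotate-root"

[iam_local_logon]
search = sourcetype=tanium:events EventCode=4624 Logon_Type=2
"""

# Constructed tags.conf. iam_secret_rotate's tag is disabled and
# iam_priv_use is tagged but never defined: both are hygiene failures.
TAGS_CONF = """
[eventtype=iam_login_success]
authentication = enabled

[eventtype=iam_role_assign]
change = enabled

[eventtype=iam_secret_rotate]
change = disabled

[eventtype=iam_local_logon]
authentication = enabled

[eventtype=iam_priv_use]
change = enabled
"""

# Tags the CIM Authentication and Change data models key on. CIM also needs
# model fields (user, src, dest, action, ...); this check covers tags only.
CIM_TAGS = {"authentication", "change"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def tag_hygiene(eventtypes_text, tags_text):
    """Return {eventtype: status}, status 'ok' or a short failure reason."""
    eventtypes = parse_conf(eventtypes_text)
    tags = parse_conf(tags_text)
    enabled = {}   # eventtype -> set of enabled tag names
    status = {}
    for stanza, kv in tags.items():
        if not stanza.startswith("eventtype="):
            continue  # tags.conf can also key on sourcetype=, host=, etc.
        name = stanza.split("=", 1)[1]
        if name not in eventtypes:
            status[name] = "orphan-tag"  # tag points at nothing
            continue
        enabled[name] = {t for t, v in kv.items() if v.strip().lower() == "enabled"}
    for name, kv in eventtypes.items():
        if not kv.get("search", "").strip():
            status[name] = "empty-search"
        elif not (enabled.get(name, set()) & CIM_TAGS):
            status[name] = "drift:no-cim-tag"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    for name, st in sorted(tag_hygiene(EVENTTYPES_CONF, TAGS_CONF).items()):
        print(f"{name:22s} {st}")
```

Run it against the app's conf files in CI before the private app is submitted for vetting; an orphan tag or a disabled CIM tag is exactly the drift that shows up later as an empty data model panel.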
High-Privilege Access (HPA) monitoring in Splunk, secret rotation portals built in Oracle APEX, vault-backed credential workflows, and break-glass auditing that ties activity to the actual humans behind it.
A lot of HPA programs collapse into "we have a vault, therefore we're compliant." We bridge the gap between vault telemetry and behavioral monitoring — and surface the cases where someone's still working around the system.
| Secret | Owner | Last Rotated | State |
|---|---|---|---|
| db_prod_admin | dba-team | 14 days | OK |
| api_payments | fin-eng | 62 days | Aging |
| svc_etl_writer | data-platform | 112 days | Overdue |
| break_glass_root | iam-ops | 3 days | OK |
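The bridge between vault telemetry and behavioral monitoring described above comes down to one join: every logon by a vaulted account should be covered by a checkout for that secret, on that host, inside the checkout's lease. This added example (written for this page, not the practice's own detection content) performs that join over constructed vault and logon events and labels each logon with the human and ticket behind it, or as a bypass when nothing covers it. Account names, hosts, tickets and lease lengths are all assumptions.

```python
"""Added example, not the page's own detection content: tie each privileged
logon back to the vault checkout (and human, and ticket) that authorised it,
and flag logons that have no checkout at all or fall outside the checkout
lease. All events, hostnames and account names are constructed sample data."""
from datetime import datetime, timedelta

# Constructed vault audit records: who checked out which vaulted account,
# for which target host, under which ticket, and for how long.
VAULT_CHECKOUTS = [
    {"ts": "2024-05-01T09:00:00", "requester": "m.alvarez", "secret": "db_prod_admin",
     "target": "WIN-DB-014", "ticket": "CHG0041", "lease_min": 30},
    {"ts": "2024-05-01T11:30:00", "requester": "r.okafor", "secret": "break_glass_root",
     "target": "WIN-PRD-091", "ticket": "INC0733", "lease_min": 60},
]

# Constructed privileged logons (CIM Authentication-style fields).
PRIV_LOGONS = [
    {"ts": "2024-05-01T09:04:00", "user": "db_prod_admin", "dest": "WIN-DB-014", "src": "10.1.5.22"},
    {"ts": "2024-05-01T09:40:00", "user": "db_prod_admin", "dest": "WIN-DB-014", "src": "10.1.5.22"},
    {"ts": "2024-05-01T11:32:00", "user": "break_glass_root", "dest": "WIN-PRD-091", "src": "10.9.0.4"},
    {"ts": "2024-05-01T13:45:00", "user": "db_prod_admin", "dest": "WIN-DB-003", "src": "10.1.5.22"},
    {"ts": "2024-05-01T14:00:00", "user": "j.patel", "dest": "WIN-HR-440", "src": "10.4.2.9"},
]

# Accounts whose only legitimate path to a host is a vault checkout.
VAULTED_ACCOUNTS = {"db_prod_admin", "break_glass_root", "svc_etl_writer", "api_payments"}


def _ts(s):
    return datetime.fromisoformat(s)


def attribute_logons(logons, checkouts, vaulted=VAULTED_ACCOUNTS):
    """One record per vaulted-account logon. verdict is 'attributed' when a
    checkout for that secret and target covers the logon time, otherwise
    'bypass' (no checkout, wrong host, or lease already expired)."""
    results = []
    for lg in logons:
        if lg["user"] not in vaulted:
            continue  # personal accounts are monitored elsewhere
        t = _ts(lg["ts"])
        match = None
        for co in checkouts:
            if co["secret"] != lg["user"] or co["target"] != lg["dest"]:
                continue
            start = _ts(co["ts"])
            if start <= t <= start + timedelta(minutes=co["lease_min"]):
                match = co
                break
        results.append({
            "ts": lg["ts"], "account": lg["user"], "dest": lg["dest"], "src": lg["src"],
            "human": match["requester"] if match else None,
            "ticket": match["ticket"] if match else None,
            "verdict": "attributed" if match else "bypass",
        })
    return results


def bypasses(logons=PRIV_LOGONS, checkouts=VAULT_CHECKOUTS):
    """The rows an HPA dashboard should surface first."""
    return [r for r in attribute_logons(logons, checkouts) if r["verdict"] == "bypass"]


if __name__ == "__main__":
    for r in attribute_logons(PRIV_LOGONS, VAULT_CHECKOUTS):
        print(f'{r["ts"]} {r["account"]:17s} {r["dest"]:11s} {r["verdict"]:10s} '
              f'{r["human"] or "-"} {r["ticket"] or "-"}')
```

The two bypass rows are the cases a vault alone never reports: a reuse of db_prod_admin on WIN-DB-014 after the 30-minute lease expired, and a logon to WIN-DB-003 with no checkout at all, both signs that someone cached the password and is working around the system. In Splunk the same logic fits naturally as a scheduled search over the Authentication data model joined to a KV Store lookup of open checkouts; the script is here to make the lease edge case explicit.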
Oracle APEX portals that turn IAM findings into closed tickets. Windows local non-admin remediation, directory compliance, segregation-of-duties workflows, and a unified Identity Control Center across all of them.
Most "remediation programs" are spreadsheets in a SharePoint folder. Ours are real applications: PL/SQL packages, role-aware UIs, ServiceNow integration, and metrics that prove the work happened.
| Account | Host | Disposition | Confidence |
|---|---|---|---|
| svc_backup_l1 | WIN-DB-014 | Vault | High |
| tmpadmin | WIN-FIN-203 | Remove | High |
| vendor_smith | WIN-PRD-091 | Investigate | Med |
| local_helpdesk | WIN-HR-440 | Disable | High |
| dba_old | WIN-DB-003 | Remove | High |
LLMs and ML applied where they earn their keep — account dispositioning, anomaly classification on Splunk events, natural-language audit Q&A, and copilots that turn 40-hour reviews into 4-hour ones.
We're skeptical of "AI for everything." The wins in IAM are narrow but real: classifying the long tail of accounts, summarizing certification populations, and giving auditors a chat surface over data they'd otherwise wait two weeks for.
Most engagements begin with a two-week assessment. We'll come back with a one-page plan, a defensible scope, and the names of the artifacts you'll have on day 90.