MANTIS
Identity
The ledger
Every machine identity in your cloud, accounted for. Service accounts, IAM roles, OIDC federated subjects, and SaaS-inferred third-party non-human identities (NHIs): discovered, owned, scored by blast radius, and remediated with runnable artifacts that the pentest agent re-verifies.
Every identity accounted for
Unified Inventory
One table across AWS IAM, GCP service accounts, Azure AD app registrations, GitHub OIDC subjects, Terraform Cloud, and SaaS-inferred third-party identities. No separate CIEM console, no separate secrets inventory. Everything in one ledger.
Ownership At Capture
Every identity traced to an owner the moment it's discovered. Hints from IaC tags, CloudTrail actor, repo CODEOWNERS, and operator overrides — each stored with confidence tier + evidence. Operator tags always win on re-aggregation.
Blast Radius With Confidence
Every NHI scored by reachable assets, crown-jewel reach, and public exposure. Each chain labeled Confirmed / Likely / Theoretical so you triage on observation-backed reach first instead of wading through theoretical attack graphs.
Anomaly Detection, Explainable
Six deterministic detectors: human-shaped IP (machine credentials used from an address that looks like a person's, such as a consumer ISP), time-of-day, velocity spike, impossible travel, failed-auth burst, and ASN reputation. No ML, no opaque scoring; every evidence field is traceable. Confidence ≥75 escalates to an SLA-tracked finding; anything below stays informational.
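As an added illustration (not MANTIS code), two of the six detector families above, impossible travel and failed-auth burst, written as deterministic checks over constructed CloudTrail-style events. Each finding carries the evidence fields that produced it and is given the ≥75 SLA / informational disposition. The IP-to-location table, the thresholds and the confidence values are assumptions chosen for the example.

```python
"""Deterministic, explainable anomaly detectors for a machine identity.

Added illustration, not MANTIS code. Two of the six detector families on the
page (impossible travel, failed-auth burst) run over constructed CloudTrail-style
events; every finding carries the evidence fields that produced it.
Assumptions: the IP->location table, the thresholds and the confidence values.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ESCALATE_AT = 75  # page rule: confidence >= 75 escalates to SLA, below stays informational

# Constructed IP -> (lat, lon, ASN). A real deployment uses a GeoIP/ASN feed.
GEO = {
    "203.0.113.10": (48.85, 2.35, "AS64500"),     # Paris
    "192.0.2.44": (48.86, 2.34, "AS64500"),       # Paris
    "198.51.100.7": (-33.87, 151.21, "AS64501"),  # Sydney
}


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful calls from different IPs whose implied ground speed
    exceeds max_kmh. Confidence 85 (assumed): both timestamps and both source
    IPs are recorded facts; only the location lookup is inferred."""
    findings = []
    ok = sorted((e for e in events if e["error"] is None and e["ip"] in GEO), key=_ts)
    for prev, cur in zip(ok, ok[1:]):
        if prev["ip"] == cur["ip"]:
            continue
        lat1, lon1, asn1 = GEO[prev["ip"]]
        lat2, lon2, asn2 = GEO[cur["ip"]]
        km = haversine_km(lat1, lon1, lat2, lon2)
        hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600.0
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            findings.append({"detector": "impossible_travel", "confidence": 85, "evidence": {
                "from_ip": prev["ip"], "from_asn": asn1, "to_ip": cur["ip"], "to_asn": asn2,
                "distance_km": round(km), "minutes_apart": round(hours * 60), "implied_kmh": round(kmh)}})
    return findings


def failed_auth_burst(events, window_s=300, threshold=10):
    """At least `threshold` AccessDenied results inside `window_s` seconds.
    Base confidence 60 (assumed; a misconfigured job looks the same). If a
    successful call from the same IP follows within the window, the burst reads
    as a permission probe that found a path and confidence rises to 90 (assumed)."""
    ordered = sorted(events, key=_ts)
    denied = [e for e in ordered if e["error"] == "AccessDenied"]
    for i, first in enumerate(denied):
        window = [e for e in denied[i:] if (_ts(e) - _ts(first)).total_seconds() <= window_s]
        if len(window) < threshold:
            continue
        last = window[-1]
        followed = any(e["error"] is None and e["ip"] == last["ip"]
                       and 0 < (_ts(e) - _ts(last)).total_seconds() <= window_s for e in ordered)
        return [{"detector": "failed_auth_burst", "confidence": 90 if followed else 60, "evidence": {
            "denied_count": len(window), "window_start": first["time"], "window_end": last["time"],
            "source_ips": sorted({e["ip"] for e in window}), "success_after_burst": followed}}]
    return []


def run_detectors(events):
    """Run every detector and attach the SLA / informational disposition."""
    findings = impossible_travel(events) + failed_auth_burst(events)
    for f in findings:
        f["disposition"] = "sla" if f["confidence"] >= ESCALATE_AT else "informational"
    return findings


def _ev(time, ip, error=None):
    return {"principal": "ci-deploy", "time": time, "ip": ip, "error": error}


_T0 = datetime(2024, 5, 1, 10, 0, 0)
# Constructed sample: two Paris calls, a Sydney call ten minutes later, then twelve
# AccessDenied results in under three minutes followed by a success from Sydney.
EVENTS = [
    _ev("2024-05-01T09:00:00Z", "203.0.113.10"),
    _ev("2024-05-01T09:20:00Z", "192.0.2.44"),
    _ev("2024-05-01T09:30:00Z", "198.51.100.7"),
] + [
    _ev((_T0 + timedelta(seconds=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"), "198.51.100.7", "AccessDenied")
    for i in range(12)
] + [_ev("2024-05-01T10:03:30Z", "198.51.100.7")]

if __name__ == "__main__":
    for f in run_detectors(EVENTS):
        print(f["detector"], f["confidence"], f["disposition"], f["evidence"])
```

Each detector returns only what it observed (IPs, timestamps, counts), so an analyst can re-derive the verdict by hand; the confidence numbers are the single tunable per detector, and the same burst drops to informational when no success follows it.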
OIDC Federated Subjects
GitHub Actions, GitLab CI, Terraform Cloud, Spacelift, CircleCI trust policies parsed to their subject template — repo + branch + environment visible per identity. See which workflow runs as which role, not just which role exists.
Runnable Remediation
Every finding ships with a Terraform diff, CLI bundle, or Workload Identity migration advisor. Not narrative prose — runnable artifacts. The pentest agent re-verifies closure and flips the source finding to Resolved. Regression detection if the rule re-fires.
Three steps to accountability
Connect
Read-only credentials across AWS, GCP, Azure, and your IaC repos. First aggregation under 2 minutes per tenant.
Classify
Every identity tagged by source, ownership, lifecycle, blast radius, and risk factors. Third-party and SaaS-inferred identities detected from ASN map + CloudTrail.
Resolve
Generate a runnable remediation artifact per finding. Agent re-verifies closure. Report ROI monthly — applied, verified, regressed.
What competitors miss
The NHI space is noisy. Every vendor shows a machine-identity inventory and calls the job done. We built for the operator who has to actually close the ticket.
Confidence-tiered blast radius
Others: Most vendors show theoretical attack graphs and call it blast radius.
MANTIS: Every chain labeled Confirmed / Likely / Theoretical. You triage on observation-backed reach first, not fantasy paths.
Runnable remediation, not prose
Others: Narrative fix suggestions. A paragraph telling you what to do.
MANTIS: A Terraform diff, a CLI bundle, or a Workload Identity migration YAML you paste into your repo. Nothing to translate.
Agent-verified closure
Others: Trust the operator's self-reported "fixed" toggle.
MANTIS: The MANTIS pentest agent re-checks the rule against live state. Rule stops firing → source finding flips to Resolved. Rule re-fires → regression alert.
Workload Identity migration advisor
Others: Flag the long-lived key. End there.
MANTIS: Emit the modern cloud-native replacement: IRSA for EKS, GKE Workload Identity for GCP, Managed Identity for Azure. ServiceAccount YAML, trust policy, federated-credential commands, all templated.
Three ways to close the loop
Terraform
AWS delete · rotate · restrict-permissions snippets keyed on the SLA rule. Paste into your IaC repo, run plan, apply.
CLI
Provider-specific bash bundles for AWS, GCP, Azure. Rotation, deletion, and permission-revocation commands — copy-pasteable for incident response.
Workload Identity
IRSA (EKS), GKE Workload Identity (GCP), Managed Identity (Azure). ServiceAccount YAML + trust policy + federated-credential commands, templated to your cluster.
Every identity type
AWS IAM: Users · Roles · Keys
GCP: Service Accounts · Keys
Azure AD: Apps · Service Principals
Entra ID: Managed Identities
Kubernetes: Service Accounts
GitHub Actions: OIDC subject
GitLab CI: OIDC subject
Terraform Cloud: OIDC subject
Spacelift: OIDC subject
CircleCI: OIDC subject
OIDC detection is cloud-side only: we parse the trust policy of every IAM role and decode the federated subject template (repo · branch · environment, or org · workspace). No GitHub App, no outbound connector, no extra permission to grant.
Plus 30+ SaaS vendors auto-inferred from the curated ASN map — Datadog, Vanta, Snyk, PagerDuty, Sentry, and more — so third-party identities show up in the same ledger without a connector.
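As an added illustration (not MANTIS code), this is the cloud-side decoding step described above applied to AWS IAM role trust policies: it finds Allow statements for sts:AssumeRoleWithWebIdentity, reads the issuer from the oidc-provider ARN, and splits the :sub condition into repo / environment / ref (GitHub Actions), project_path / ref (GitLab CI) or organization / project / workspace / run_phase (Terraform Cloud) fields. It also flags a wildcard in the template and a statement with no sub condition at all, since both widen who can assume the role. The sample trust policies are constructed, only those three issuer grammars are decoded, and a self-hosted GitLab instance would need its hostname added to the issuer map.

```python
"""Decode federated OIDC subject templates from AWS IAM role trust policies.

Added illustration, not MANTIS code. It needs only the trust-policy document
(read-only IAM access), matching the cloud-side-only approach on the page.
Assumption: only the three issuer grammars below are decoded.
"""
import json

# OIDC issuer hostname (tail of the oidc-provider ARN) -> subject grammar.
ISSUERS = {
    "token.actions.githubusercontent.com": "github",
    "gitlab.com": "gitlab",                 # self-hosted GitLab: add its hostname here
    "app.terraform.io": "terraform_cloud",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_subject(kind, sub):
    """Split a subject template into labelled fields. All three grammars are
    colon-separated key/value pairs, e.g.
      github:  repo:acme/payments:environment:prod
      gitlab:  project_path:acme/payments:ref_type:branch:ref:main
      tfc:     organization:acme:project:p:workspace:w:run_phase:apply
    GitHub's pull_request form ends in a bare key and is handled explicitly."""
    parts = sub.split(":")
    fields = dict(zip(parts[0::2], parts[1::2]))
    if kind == "github" and len(parts) % 2 == 1 and parts[-1] == "pull_request":
        fields["event"] = "pull_request"
    return {"kind": kind, "raw": sub, "fields": fields,
            # a '*' anywhere widens the set of workflows that may assume the role
            "wildcard": "*" in sub}


def federated_subjects(role_name, trust_policy):
    """One record per (issuer, subject template) allowed sts:AssumeRoleWithWebIdentity.
    A statement trusting an issuer with no ':sub' condition is reported with
    unrestricted=True: any token that issuer signs for the audience can assume the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    records = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        subs = []
        for operator, keys in stmt.get("Condition", {}).items():
            # accept StringEquals / StringLike and their ForAnyValue:/ForAllValues: forms;
            # StringNotEquals and friends are exclusions, not grants
            if operator.split(":")[-1] in ("StringEquals", "StringLike"):
                for key, value in keys.items():
                    if key.endswith(":sub"):
                        subs.extend(_as_list(value))
        for provider_arn in _as_list(principal.get("Federated")):
            issuer = provider_arn.rsplit("/", 1)[-1]
            kind = ISSUERS.get(issuer, "unknown")
            if not subs:
                records.append({"role": role_name, "issuer": issuer, "kind": kind, "raw": None,
                                "fields": {}, "wildcard": True, "unrestricted": True})
                continue
            for sub in subs:
                records.append({"role": role_name, "issuer": issuer, "unrestricted": False,
                                **decode_subject(kind, sub)})
    return records


def ledger(roles):
    """Flatten {role_name: trust_policy} into rows, widest trust first."""
    rows = [r for name, policy in roles.items() for r in federated_subjects(name, policy)]
    rows.sort(key=lambda r: (not r["unrestricted"], not r["wildcard"], r["role"]))
    return rows


def _policy(issuer, condition):
    """Constructed AssumeRoleWithWebIdentity trust policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{issuer}"},
        "Condition": condition}]}


GH = "token.actions.githubusercontent.com"
# Constructed sample roles; 123456789012 is the placeholder account ID used in AWS docs.
SAMPLE_ROLES = {
    "deploy-payments-prod": _policy(GH, {"StringEquals": {
        f"{GH}:aud": "sts.amazonaws.com", f"{GH}:sub": "repo:acme/payments:environment:prod"}}),
    "ci-any-repo": _policy(GH, {"StringEquals": {f"{GH}:aud": "sts.amazonaws.com"},
                                "StringLike": {f"{GH}:sub": "repo:acme/*"}}),
    "legacy-no-sub": _policy(GH, {"StringEquals": {f"{GH}:aud": "sts.amazonaws.com"}}),
    "tfc-network-apply": _policy("app.terraform.io", {"StringLike": {"app.terraform.io:sub":
        "organization:acme:project:platform:workspace:prod-network:run_phase:apply"}}),
}

if __name__ == "__main__":
    for row in ledger(SAMPLE_ROLES):
        flag = "UNRESTRICTED" if row["unrestricted"] else ("WILDCARD" if row["wildcard"] else "")
        print(f'{row["role"]:22} {row["issuer"]:38} {row["fields"]} {flag}')
```

The output answers the question the page poses, which workflow runs as which role: one row per role and subject template, with the org-wide wildcard and the role that checks only the audience sorted to the top because they are the ones any repository in the org, or any token from the issuer, can use.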
Accountability, on a report
Monthly NHI Remediation Report — generated, applied, verified, regressed counts per tenant.
Compliance mapping: ISO 27001 A.5.16 · PCI DSS 8.2 · NIST CSF 2.0 PR.AA · SOC 2 CC6.1.
Operator tag persistence — owner overrides never clobbered on re-aggregation.
Your machine identities.
Accounted for.
Connect your first account. See the ledger in minutes.