Identrail follows how AWS roles, Kubernetes service accounts, GitHub OIDC and trust policies can reach your data — and shows the smallest, safest fix for the people who own each step of the path.
Connect read-only to AWS, Kubernetes, GitHub Actions and your OIDC providers. Identrail builds a single trust graph that links every machine identity to every resource it can reach — including the hops in between.
Findings are scored on the data they can reach, not on signature counts. A trust path to your billing database is not the same as a path to a feature flag — and Identrail tells you which is which.
Every recommendation is run through a policy simulator before you see it. Identrail shows the smallest IAM or RBAC change that closes the path without breaking the workloads that legitimately depended on it.
Cloud roles, workload identities, CI tokens and service accounts now sit across every delivery path. Identrail focuses on what those identities can actually reach.
CyberArk Identity Security Threat Landscape 2024Service accounts, workload federation and automation tokens can inherit broad privileges. Identrail ties each risk to the source identity and the target resource.
Identity Defined Security Alliance, 2024 Trends in Securing Digital IdentitiesOverbroad trust policies, stale roles and permissive claims are hard to reason about in isolation. Identrail resolves them as reachable paths.
Verizon DBIR 2024The platform is Apache 2.0 on GitHub: connectors, graph engine, policy simulator and deployment assets. Buyers can inspect the control plane instead of trusting a black box.
Most identity tools tell you a service account is risky. Almost none tell you what it can actually reach, or how to take that reach away without breaking production. That gap is where breaches happen. That gap is what Identrail closes.
| Capability | Identrail | Typical closed alternative |
|---|---|---|
| Trust-path explainability | Full chain: identity → privilege → workload → resource, with evidence. | Risk score on a finding; chain is not surfaced. |
| Rollout safety | Read-only ingest; simulated remediation; staged enforcement built in. | Hardening is a write op handed to a separate tool, with no simulator. |
| Open-core architecture | Apache 2.0. Full source on GitHub. Self-host the same binary we run. | Closed source. Black-box detection logic. Audit-by-vendor-promise. |
| Who owns the fix | Identrail names the resource owner and routes the playbook to them. | Findings dropped into a security queue with no automatic owner mapping. |
| Cost shape | Free self-host. Hosted plan starts at $19/user/mo. No enterprise floor for SAML. | Sales-led pricing. SSO and core controls behind enterprise tier. |
