The classic kill chain has not changed: phish a user, land on a workstation, find a path to Domain Admin. What changed is where the path ends. A helpdesk account today is often the same identity that is synced into Entra ID, federates into an AWS role, and through that role can read the bucket that holds the next set of secrets. The escalation does not respect the on-prem / cloud line. The tooling usually does, and that gap is the problem.
The seam attackers love
Run a BloodHound-style collection and you get a beautiful on-prem graph that stops at the federation edge. Run a cloud IAM mapper and you get policies with no idea which human actually controls them. The interesting path lives exactly in the gap between those two outputs — and reconstructing it by hand, across two tools, is where most assessments quietly give up.
The high-value finding is rarely a single misconfiguration. It is a chain that crosses a trust boundary your tools treat as the edge of the map.
One object model
Zypheron Desktop ingests on-prem AD, Entra ID, and AWS/Azure/GCP into one object model. A user, its synced cloud identity, the roles it can assume, and the resources those roles touch are all nodes in the same graph with the same path semantics. Selecting a Domain Users group and asking for paths to a cloud KMS key is a single query, not a manual join across two exports.
# conceptual: paths that cross the federation edge
FROM principal:"Domain Users"
TO resource:"arn:aws:kms:*"
VIA delegation, federation, role-assumption
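The point of a single object model is that the cross-boundary question becomes ordinary path search once every hop, on-prem or cloud, is an edge that records why it is traversable. The following is an added illustration of that idea, not Zypheron's code or query language: a small directed graph in which an AD group, a synced Entra ID user, a SAML-federated AWS role and a KMS key are all nodes, and a breadth-first search that answers the conceptual query above (FROM a principal, TO any resource matching a glob, VIA an optional set of edge kinds). Every node name, tenant, account ID, key ID and misconfiguration in the sample graph is constructed for the example.

```python
"""Toy cross-boundary identity graph: one object model for AD, Entra ID and AWS.

Added example, not Zypheron's code. All names, account IDs, key IDs and the
misconfigurations described on the edges are constructed sample data.
"""
from collections import deque
from fnmatch import fnmatchcase

# Edge: (from_node, to_node, kind, why). Node ids are "type:identifier".
# The 'why' is the delegation, ACL, sync or trust that makes the hop possible,
# so that it can be carried into the report with the path.
EDGES = [
    ("group:CORP\\Domain Users", "user:CORP\\helpdesk1", "acl",
     "Domain Users has GenericWrite on helpdesk1 (can add a shadow credential)"),
    ("user:CORP\\helpdesk1", "entra:helpdesk1@corp.example", "sync",
     "Entra Connect syncs the on-prem account to this cloud identity"),
    ("entra:helpdesk1@corp.example", "entra-group:AWS-CloudAdmins", "membership",
     "direct member of the group"),
    ("entra-group:AWS-CloudAdmins",
     "aws-role:arn:aws:iam::123456789012:role/CloudAdmin", "federation",
     "SAML app maps the group to the role; the role trust policy allows "
     "sts:AssumeRoleWithSAML from the tenant's IdP"),
    ("aws-role:arn:aws:iam::123456789012:role/CloudAdmin",
     "aws-role:arn:aws:iam::123456789012:role/SecretsReader", "assume-role",
     "SecretsReader trust policy allows sts:AssumeRole from CloudAdmin"),
    ("aws-role:arn:aws:iam::123456789012:role/SecretsReader",
     "kms:arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
     "policy", "inline policy allows kms:Decrypt on the key"),
    # A dead end, so the search has to do more than follow the first edge.
    ("group:CORP\\Domain Users", "share:\\\\fs01\\public", "acl",
     "Authenticated Users have Read on the share"),
]


def build_adjacency(edges):
    """Map each source node to its outgoing (dst, kind, why) edges."""
    adj = {}
    for src, dst, kind, why in edges:
        adj.setdefault(src, []).append((dst, kind, why))
    return adj


def node_id(node):
    """Strip the node type prefix: 'kms:arn:aws:kms:...' -> 'arn:aws:kms:...'."""
    return node.split(":", 1)[1]


def find_path(edges, source, target_glob, via=None):
    """Shortest path (in hops) from source to any node whose id matches target_glob.

    via: optional set of edge kinds the path may use (the query's VIA clause).
    Returns the list of traversed edges, or None when no path exists.
    """
    adj = build_adjacency(edges)
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        node, path = queue.popleft()
        if path and fnmatchcase(node_id(node), target_glob):
            return path
        for dst, kind, why in adj.get(node, []):
            if via is not None and kind not in via:
                continue
            if dst in seen:
                continue
            seen.add(dst)
            queue.append((dst, path + [(node, dst, kind, why)]))
    return None


def explain(path):
    """One line per hop, carrying the 'why' so the path survives into a report."""
    return [f"{src} -[{kind}]-> {dst}: {why}" for src, dst, kind, why in path]


if __name__ == "__main__":
    found = find_path(EDGES, "group:CORP\\Domain Users", "arn:aws:kms:*")
    print("\n".join(explain(found)) if found else "no path")
```

Restricting `via` to cloud-side edge kinds only (membership, federation, assume-role, policy) makes the same query return no path from Domain Users, which is exactly the blind spot of running a cloud IAM mapper on its own: the first two hops that hand the cloud identity to an on-prem attacker are an ACL and a sync, and they live on the other side of the seam.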
Read-only, explained
- Discovery is read-only — no writes into AD or cloud control planes. Read-only still means the collector holds credentials with broad read rights on both sides (directory enumeration, IAM list/get calls), and those reads are logged like any other enumeration; scope and announce them accordingly.
- Every edge carries a why: the delegation, ACL, or trust that makes it traversable.
- The AI copilot narrates the path in plain English so it survives the report, not just the screenshot.
Next in the series: reverse engineering, where the same shared-context idea pulls a local-LLM copilot into a headless Ghidra run.
