Identity graph
Know who’s really in your production environment
Traditional methods focus on technical indicators - ClearVector's identity engine reveals the actual human, non-human, or third-party behind the activity

The challenge
Visibility without identity attribution is not enough
Scanners and logs surface activity, but they don’t show who performed it. In production environments filled with CI/CD roles, service accounts, and temporary credentials, identity attribution is lost — slowing investigations and delaying response.
Identity attribution blindness
Security teams can't quickly answer "who did it?" when attacks involve CI/CD roles, service accounts, or federated access. Manual correlation across AWS CloudTrail, GitHub audit logs, endpoint, and IdP logs takes hours - and often leads to challenging situations when identities are deleted or roles are ephemeral.
Alert-to-containment lag
Even when suspicious activity is detected, security teams face a "jump into a SIEM" scenario requiring hours of queries and manual correlation. By the time the responsible identity is found, the adversary has already achieved their mission.
Highly privileged “invisible” ephemeral identities
Organizations grant powerful, temporary access to thousands of ephemeral identities - Lambda execution roles that exist for minutes, third-party vendor sessions that span hours or months, CI/CD tokens that rotate daily, and auto-scaling service accounts that appear and vanish with workload demands. These identities often have production-write permissions, cross-account access, or the ability to steal data if compromised.
The solution
A unified identity graph that shows who’s in your environment
ClearVector’s identity graph ties every action to a specific identity—human, machine, or third-party—for fast investigation and response.
Complete identity provenance and attribution
Every action traces back to its origin - see that the "AWSReservedSSO_Developer" role was actually assumed by "[email protected]" who authenticated via Okta at 3:47 PM from a new IP address, then approved a GitHub PR that triggered the suspicious activity.
Unified identity timeline
View all activity for any identity on a single timeline. See what "bob-admin" did across your entire production environment, including cloud service providers, GitHub, containers, and VMs, without writing complex queries.
Identity discovery at runtime, available for investigation
The engine automatically discovers and classifies new identities as they appear - humans, non-humans, third-parties. ClearVector builds a complete, searchable history of every human, machine, and third-party identity from the moment they first touch your environment.
When investigating an incident, you can instantly query any identity - even ones that no longer exist - and see their complete activity history, permission changes, and relationship chains. Search for that deleted service account from last Tuesday, trace back through a decommissioned Lambda role, or investigate a third-party vendor whose access was revoked months ago. Every identity that ever operated in your environment remains fully investigable with all their activity preserved and connected in the graph.
Identity-driven graph maps all relationships
The identity engine maintains a constantly updated graph of all relationships and activities across your environment.
Without up-to-date and historical relationships, you’re left to manually correlate.

Identity-driven models
The identity engine maintains identity-driven models based on the graph - the model for your “prod-deploy-role” is different from the one for your “dev-test-user”.
The ClearVector detection engine uses the identity-driven graph and models to tailor notifications - without this, you are left triaging false positives or writing long lists of exceptions that need to be constantly maintained.

Automatic GitHub to AWS attribution
The engine connects GitHub identities > PR approvals > Actions workflows > OIDC role assumptions > identity activity (such as AWS API calls), solving the "which identity caused the CI/CD pipeline to make a change?" problem that is challenging when using a traditional SIEM.
In most environments, all changes to production flow through a CI/CD pipeline - without this attribution, you're left to manually correlate.
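
An added example (not ClearVector's code) of one link in this chain, in Python: joining a GitHub Actions OIDC role assumption recorded in AWS CloudTrail to the later API calls made with the temporary credentials it issued. The account ID, repository, session names and access key IDs are constructed sample values, and the events are assumed to arrive sorted by time.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = [json.loads(line) for line in [
    '{"eventName":"AssumeRoleWithWebIdentity","userIdentity":{"type":"WebIdentityUser",'
    '"userName":"repo:example-org/payments:ref:refs/heads/main",'
    '"identityProvider":"arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},'
    '"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLEGITHUB001"}}}',
    '{"eventName":"PutBucketPolicy","userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::111122223333:assumed-role/prod-deploy-role/GitHubActions",'
    '"accessKeyId":"ASIAEXAMPLEGITHUB001"}}',
    '{"eventName":"UpdateFunctionCode","userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::111122223333:assumed-role/prod-deploy-role/manual",'
    '"accessKeyId":"ASIAEXAMPLEOTHER0002"}}',
]]

def parse_github_subject(sub):
    """Split a GitHub OIDC 'sub' claim, e.g. repo:ORG/REPO:ref:refs/heads/main."""
    parts = sub.split(":", 2)
    if len(parts) < 3 or parts[0] != "repo":
        return {"repo": None, "context": sub}  # unexpected shape: keep it raw
    return {"repo": parts[1], "context": parts[2]}

def attribute(events):
    """Tag each API call with the GitHub repo/ref whose workflow minted its session."""
    sessions = {}  # temporary access key id -> GitHub origin
    results = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        # endswith() accepts either the provider ARN or the bare issuer hostname
        if (ev.get("eventName") == "AssumeRoleWithWebIdentity"
                and ident.get("identityProvider", "").endswith(GITHUB_OIDC)):
            creds = (ev.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):  # absent when the assumption was denied
                sessions[creds["accessKeyId"]] = parse_github_subject(ident.get("userName", ""))
            continue
        results.append({
            "eventName": ev.get("eventName"),
            "sessionArn": ident.get("arn"),
            # None means the session was not minted by a GitHub OIDC login seen here
            "origin": sessions.get(ident.get("accessKeyId")),
        })
    return results

if __name__ == "__main__":
    for row in attribute(SAMPLE_EVENTS):
        print(row)
```

CloudTrail alone stops at the repository and ref in the `sub` claim; naming the person who approved the PR or triggered the workflow requires joining these results with GitHub audit log data.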
