
Product proof

Access risk paths are not flat. They are hierarchical.

They inherit. They branch. They hide behind trusted roles, service accounts, and policies that look harmless alone. Pathros shows the path, ranks the blast radius, simulates the fix, and exports the proof.

Question 1

Why are current tools missing the risk?

A flat dashboard counts findings. Findings count what is misconfigured, not which path can reach the crown jewel.

A familiar pattern: thousands of findings; only a few exploitable paths.

You do not need more alerts. You need the few paths that actually compose into reach.

Flat alerts: 4,000 findings per week is a familiar volume; the pattern is the point, not the number.

Example alert volume. Not a customer metric.

Ranked access paths: 3 paths that compose into actual reach across systems.

Pathros begins with the path, not the row.

See how this pattern looked in a public-source example: Microsoft Midnight Blizzard

Question 2

Why does graph structure matter?

A real access path is a sequence of relationships across systems.

Identity, then Group, then Role, then Policy, then Permission, then Resource. Each edge has a source system, a relationship type, and an evidence pointer.

Pathros does not begin with a score. It begins with a canonical access graph.

  1. Identity: user, service account, OIDC token
  2. Group: membership
  3. Role: named privilege bundle
  4. Policy: the actual permissions
  5. Permission: effective action on a resource
  6. Resource: what the action reaches

Source system: Okta · Entra · AWS IAM · GitHub · Snowflake
Relationship type: membership · assumes · inherits · grants
Evidence: policy line · trust relationship · grant statement

Canonical access-graph schema. Synthetic example.

Question 3

How does Pathros know the path is real?

Pathros traverses the canonical graph deterministically. Each step is grounded in a policy line, a trust relationship, or an effective permission you can read.

You see the path. You see the source system. You see the policy line. You see the evidence for the edge.

Synthetic walk-through

  1. GitHub Actions OIDC token can assume role demo_build_role

    Source system: AWS IAM
    Edge type: can assume role
    Evidence / policy line: sts:AssumeRole
    Effective permission: assume demo_build_role

  2. demo_build_role inherits policy demo_data_policy

    Source system: AWS IAM
    Edge type: inherits policy
    Evidence / policy line: policy attachment
    Effective permission: inherit demo_data_policy

  3. demo_data_policy grants read demo_customer_warehouse

    Source system: Snowflake
    Edge type: grants read
    Evidence / policy line: warehouse:read grant
    Effective permission: read demo_customer_warehouse

Synthetic AWS-style policy snippet

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::demo_account:role/demo_build_role"
    }
  ]
}

Synthetic AWS-style example. Not a real customer policy.

Exact graph reasoning is deterministic traversal over named relationships. Machine learning ranks and discovers; the path itself does not come from a model.

Question 4

How does Pathros rank what matters?

Flat ranking treats each alert like a row in a list.

Pathros ranks paths by where they sit in the access hierarchy. The closer a path moves toward broad reach, the harder it is to ignore.

Why hyperbolic space helps

Enterprise identity branches exponentially. Two-dimensional Euclidean layouts force unrelated identities artificially close together.

Hyperbolic geometry has exponential volume growth, so it can hold hierarchical distance without distortion.

Pathros uses this property to rank paths by hierarchical importance, not just alphabetical or chronological order.

[Figure: Poincaré disk illustration. A unit disk with geodesic arcs branching exponentially toward the boundary, illustrating that hyperbolic space has exponential volume growth.]

Geometric illustration of hyperbolic ranking. Not the production engine.

Question 5

How does Pathros avoid breaking production?

What changes before anything changes?

Pathros simulates the change. A human decides. Nothing executes from this page.

Four steps, in order

  1. Before. The path exists. demo_ci_token can reach demo_customer_warehouse through demo_build_role. (demo)
  2. Proposed change. Remove the choke point. Detach sts:AssumeRole from demo_build_role on demo_data_policy. (demo)
  3. Simulated impact. Path severed. Dependent workloads checked: 0 impacted. Expected breakage: none. (simulated)
  4. Human decision. A human decides. Export a ticket for review, or do not apply. Nothing runs from this page. (not applied)

Simulated dry-run on synthetic data. No real change is made.
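The walk-through in Question 3 and the dry run above can be sketched in a few lines. This is an added example, not Pathros code or its production engine: the `Edge` fields, the function names, the two extra edges, and the mapping of the proposed change onto the first edge are assumptions made for illustration.

```python
from typing import NamedTuple

class Edge(NamedTuple):
    src: str
    dst: str
    rel: str       # relationship type
    system: str    # source system
    evidence: str  # evidence pointer for this edge

# Constructed sample graph mirroring the page's synthetic walk-through.
EDGES = [
    Edge("demo_ci_token", "demo_build_role", "can assume role", "AWS IAM", "sts:AssumeRole"),
    Edge("demo_build_role", "demo_data_policy", "inherits policy", "AWS IAM", "policy attachment"),
    Edge("demo_data_policy", "demo_customer_warehouse", "grants read", "Snowflake", "warehouse:read grant"),
    # Constructed extras: a dead-end branch and a cycle the traversal must survive.
    Edge("demo_build_role", "demo_log_policy", "inherits policy", "AWS IAM", "policy attachment"),
    Edge("demo_data_policy", "demo_build_role", "inherits", "AWS IAM", "constructed cycle"),
]

def find_paths(edges, start, target):
    """Return every simple path start -> target as a list of Edge tuples.

    Neighbours are visited in sorted order, so the same input always
    yields the same paths in the same order.
    """
    out = {}
    for e in sorted(edges):
        out.setdefault(e.src, []).append(e)
    paths = []

    def walk(node, trail, seen):
        if node == target:
            paths.append(trail)
            return
        for e in out.get(node, []):
            if e.dst not in seen:  # never revisit a node: cycles cannot loop
                walk(e.dst, trail + [e], seen | {e.dst})

    walk(start, [], {start})
    return paths

def simulate_removal(edges, removed, start, target):
    """Dry run: recompute reach without `removed`; the input graph is untouched."""
    before = find_paths(edges, start, target)
    after = find_paths([e for e in edges if e != removed], start, target)
    return {"paths_before": len(before), "paths_after": len(after),
            "severed": bool(before) and not after}
```

Each returned path carries its own evidence pointers, so the same structure can feed both the explanation of a path and the before/after comparison of a proposed change.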

Question 6

What proof can you hand to an auditor?

Example audit receipt format. Synthetic demo data.

Every decision should leave a receipt. The receipt names the finding, the evidence path, the proposed change, the simulated impact, the approver, and the timestamp.

It exports in formats your auditors already accept.

demo_finding_iam_path_001

Finding ID: demo_finding_iam_path_001
Source systems: GitHub · AWS IAM · Snowflake
Policy line: Action: sts:AssumeRole on demo_build_role
Risk before: high — data path reachable from CI token
Risk after: none — path severed by simulation
Proposed fix: Detach sts:AssumeRole from demo_build_role on demo_data_policy.
Simulation result: Path severed. Dependent workloads checked: 0 impacted.
Approver: demo_approver_a
Timestamp: 2026-05-24T03:14:15Z
Expected impact: low
Export formats: JSON · CSV · PDF
Compliance mapping: change-management evidence

Evidence path:
  1. demo_ci_token
  2. demo_build_role
  3. demo_data_policy
  4. demo_customer_warehouse

SHA-256 chain (synthetic example)

5d4a0e5f9b7c8e9d6f3a2b1c0d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e


Question 7

Why trust Pathros?

Limits we name before you ask.

  • The interactive examples on this page are small synthetic demos. Production graph scale and connector coverage are disclosed during pilot scoping.
  • Pathros starts read-only. No write happens without explicit approval.
  • Exact graph reasoning explains the path. Machine learning ranks and discovers.
  • Source data remains truth. Graphs, scores, indexes, and embeddings are derived.
  • The examples here use synthetic AWS-style patterns. They are not certifications of any vendor's product, and they are not guarantees.

Take the next step

Take the next step on your terms.

No countdowns. No pressure language. Pick the path that matches where your team is.