Permiso
What is it?
Permiso is a cloud identity security platform that analyses identity configuration (who exists, what access they have provisioned, how that access is configured) and identity activity (what those identities are actually doing at runtime across cloud and SaaS environments). Permiso plugs into the control plane of IDPs, SaaS, IaaS and PaaS environments via read-only access, then builds two complementary data structures. The first is an entity graph that maps every identity in the environment and how it is configured to access resources. The second is an activity graph that captures what those identities are actually doing operationally. Permiso links these graphs through shared attributes to enable detection, posture analysis, and alerting.
Why did they build it?
Identity-based attacks look like legitimate activity at the individual event level. An attacker using stolen credentials generates the same CloudTrail entries as a real user. Traditional SIEM-based detection fires on atomic indicators (new source IP, unusual API call, MFA reset) and produces high volumes of low-fidelity alerts. Cloud security posture management (CSPM) tools assess infrastructure configuration but do not track identity behavior at runtime. CIEM tools manage entitlements but do not detect active compromise.
Permiso sits in the gap between these categories, combining static posture assessment (which identities are overprivileged, stale, or orphaned) with runtime behavioral detection (which identities are actively being misused). The company’s research arm, P0 Labs, staffed by former Mandiant advanced practices leads, develops detection rules from real incident response engagements rather than theoretical attack models. They have over 1,500 detection signals already in place.
How does the Universal Identity Graph work?
The graph ingests identity records and activity logs from multiple sources and links them through shared attributes: authentication tokens, session IDs, source IPs, user-agent strings, and API call patterns.
When a single human identity, for example, authenticates through Okta, assumes an AWS IAM role, and then accesses Salesforce, those actions appear as one correlated entity rather than three separate accounts. The same approach applies to non-human identities. Service accounts and API keys that are shared across multiple systems or used by multiple humans are tracked through behavioral fingerprinting, using patterns like time-of-day, resource access sequences, and operational cadence to attribute activity even when the underlying credential is shared. The graph also inventories AI-service identities, tracking which users and service accounts interact with AI services and what those AI agents are authorized to do.
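An added sketch, not Permiso's code, of the attribute-based linking described above: records from three sources collapse into one entity when they share a session ID, a token, or the same source IP and user agent together. The field names, the sample events, and the choice to treat source IP alone as too weak to join on are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not a real log schema.
EVENTS = [
    {"id": "e1", "source": "okta", "account": "alice@example.com",
     "session_id": "sess-A", "ip": "198.51.100.7", "user_agent": "Chrome/126"},
    {"id": "e2", "source": "aws", "account": "role/DataEng",
     "session_id": "sess-A", "ip": "198.51.100.7", "user_agent": "aws-cli/2.15"},
    {"id": "e3", "source": "salesforce", "account": "alice.sf",
     "token": "tok-9", "ip": "198.51.100.7", "user_agent": "Chrome/126"},
    {"id": "e4", "source": "okta", "account": "bob@example.com",
     "session_id": "sess-B", "ip": "198.51.100.7", "user_agent": "Firefox/127"},
    {"id": "e5", "source": "aws", "account": "role/Billing",
     "session_id": "sess-B", "ip": "203.0.113.20", "user_agent": "aws-cli/2.15"},
]

def link_keys(event):
    """Attributes this example treats as strong enough to join two records."""
    keys = [(f, event[f]) for f in ("session_id", "token") if event.get(f)]
    # Assumption: IP alone is weak (shared NAT/VPN egress), so pair it with user agent.
    if event.get("ip") and event.get("user_agent"):
        keys.append(("ip+ua", event["ip"], event["user_agent"]))
    return keys

def correlate(events):
    """Union-find: records sharing any link key collapse into one entity."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for e in events:
        for key in link_keys(e):
            if key in first_seen:
                parent[find(e["id"])] = find(first_seen[key])
            else:
                first_seen[key] = e["id"]

    entities = defaultdict(set)
    for e in events:
        entities[find(e["id"])].add((e["source"], e["account"]))
    return sorted(sorted(accts) for accts in entities.values())
```

Both sample users egress from the same IP, yet they stay separate entities because no session, token, or IP and user-agent pair is shared between them.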
What does posture management cover?
Permiso Protect continuously evaluates identity risk posture by analyzing entitlements, usage patterns, and exposure. It surfaces identities that are overprivileged relative to their actual usage, stale accounts that have not authenticated in defined periods, orphaned service accounts with no clear owner, and toxic permission combinations where a single identity holds both read and write access to sensitive resources in ways that violate least-privilege principles. Risk scoring is dynamic, incorporating both the static configuration (what the identity can do) and runtime signals (what the identity actually does and from where).
What environments does it cover?
Permiso integrates with AWS, Azure, and GCP for cloud infrastructure telemetry. It ingests from identity providers including Okta and Microsoft Entra ID. SaaS coverage spans applications that expose audit logs or activity APIs. The platform also tracks CI/CD pipeline identities and secrets vault activity. All telemetry feeds into the same identity graph, so cross-environment correlation is native rather than bolted on through SIEM forwarding rules.
Risky Business appearances
- Snake Oilers: Sandfly Security, Permiso and Wiz - October 2, 2024
Sources
- Snake Oilers 20 pt2 (Oct 2024, Patrick Gray)
- Permiso website
- Permiso blog: How to Choose the Best ITDR Solution (Jan 2026)
Disclosure
Permiso appeared on Snake Oilers, which is a paid segment.