Hacking Identity: Exposing the Hidden Price of Privilege

By Aditya Dev

Elevator Pitch

An identity isn’t just a login; it’s a liability with a price tag. Introducing the Identity Score: an open-source schema to calculate the “Blast Radius” of a user using SaaS spend, privileged access & behavioral metrics. Stop ignoring & start accounting for the true cost of each access in your org.

Description

In most organizations, onboarding a tool, a service, or a new person is a means to an end: it solves a problem or unblocks a goal. The cost of the access that comes with it is rarely part of that equation, and identities are treated as static administrative units. In reality, every identity carries a quantifiable “blast radius” that depends on the human behind it, how it is used, and a myriad of organization-specific factors. That makes each identity an economic object with a dynamic, real-world cost, and one that is largely ignored.

Today our visibility into this risk is dangerously fractured: Finance manages invoices, Business Operations tracks SaaS waste, Security monitors role assignments and vulnerabilities, and GRC keeps the compliance boxes checked. That fragmentation creates massive blind spots. Consider the high-privilege, “quick-response” user who never completes security training and regularly resets a forgotten password. Each team sees a record that looks normal on its own; put together, those records describe a catastrophic failure point, yet the user flies under the radar of traditional monitoring.

This talk introduces ICARUS (Identity Cost And Risk Unified Schema), a novel open-source framework that hacks the siloed data of Finance and Security into a single, actionable risk ledger. We will walk through the architecture of a data pipeline with a scalable integration layer that ingests data from each silo and correlates three critical layers of identity telemetry:

  • Economic Baseline: Map SaaS license costs, device leases, and shadow IT spend to individual principals, creating a “cost-per-user” metric that gets the CFO’s attention.
  • Technical Risk (v0.1): Quantify the static attack surface by scoring privileged role assignments, MFA gaps, and dormant accounts that act as silent backdoors.
  • Human Risk (v0.2): Integrate behavioral signals such as phishing simulation fail rates, real-world threat targeting volumes, and DSPM data exposure metrics to score the integrity of each brick in the organization’s “Human Firewall”.
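As an added illustration of how the three layers combine into one score (this is example code written for this page, not the ICARUS schema or the speakers' pipeline; every field name, weight, threshold and the sample ledger below are assumptions of the example), the following Python scores a constructed three-principal ledger and flags the high-privilege, training-skipping user the description above calls a blind spot, alongside a dormant-but-paid service account:

```python
"""Toy ICARUS-style identity ledger scorer (added example, assumed field names)."""
import json

# Constructed sample ledger in the three-layer layout the talk describes
# (economic / technical / human). All values and field names are made up.
SAMPLE_LEDGER = json.loads("""
[
  {"principal": "alice@example.com",
   "economic": {"saas_license_usd_year": 4200, "device_lease_usd_year": 1800, "shadow_it_usd_year": 600},
   "technical": {"privileged_roles": ["GlobalAdmin", "AWSAdministratorAccess"], "mfa_enforced": false, "days_since_last_login": 1},
   "human": {"phishing_fail_rate": 0.40, "training_complete": false, "password_resets_90d": 7, "targeting_events_90d": 12, "dspm_exposed_records": 25000}},
  {"principal": "bob@example.com",
   "economic": {"saas_license_usd_year": 900, "device_lease_usd_year": 1200, "shadow_it_usd_year": 0},
   "technical": {"privileged_roles": [], "mfa_enforced": true, "days_since_last_login": 3},
   "human": {"phishing_fail_rate": 0.05, "training_complete": true, "password_resets_90d": 0, "targeting_events_90d": 1, "dspm_exposed_records": 0}},
  {"principal": "svc-legacy@example.com",
   "economic": {"saas_license_usd_year": 3000, "device_lease_usd_year": 0, "shadow_it_usd_year": 0},
   "technical": {"privileged_roles": ["SiteCollectionAdmin"], "mfa_enforced": false, "days_since_last_login": 210},
   "human": {"phishing_fail_rate": 0.0, "training_complete": false, "password_resets_90d": 0, "targeting_events_90d": 0, "dspm_exposed_records": 0}}
]
""")

REQUIRED_LAYERS = {"economic", "technical", "human"}


def validate(record):
    """Reject a record that is missing any of the three telemetry layers."""
    missing = REQUIRED_LAYERS - set(record)
    if missing:
        raise ValueError(f"{record.get('principal')}: missing layers {sorted(missing)}")
    return record


def cost_per_user(econ):
    """Economic baseline: everything Finance pays for this principal per year."""
    return econ["saas_license_usd_year"] + econ["device_lease_usd_year"] + econ["shadow_it_usd_year"]


def technical_risk(tech):
    """0-100 static attack surface: privileged roles and MFA gaps dominate,
    dormancy adds a 'silent backdoor' term. Weights are this example's assumption."""
    score = min(len(tech["privileged_roles"]) * 25, 50)
    if not tech["mfa_enforced"]:
        score += 30
    if tech["days_since_last_login"] > 90:
        score += 20
    return min(score, 100)


def human_risk(human):
    """0-100 from behavioral and external-targeting signals (assumed weights)."""
    score = human["phishing_fail_rate"] * 40                 # up to 40
    score += 0 if human["training_complete"] else 15
    score += min(human["password_resets_90d"] * 2, 10)
    score += min(human["targeting_events_90d"] * 2, 20)
    score += 15 if human["dspm_exposed_records"] > 10000 else 0
    return min(round(score), 100)


def identity_score(record):
    """Identity Score 0-100: technical blast radius scaled by the likelihood the
    human behind it gets compromised. Same roles with a careful user score lower."""
    t = technical_risk(record["technical"])
    h = human_risk(record["human"])
    return min(round(t * (0.5 + h / 200)), 100)


def flags(record):
    """Cross-silo conditions no single team would raise on its own."""
    t, h, e = record["technical"], record["human"], record["economic"]
    out = []
    if t["privileged_roles"] and human_risk(h) >= 50:
        out.append("privileged_and_phishable")
    if t["privileged_roles"] and not t["mfa_enforced"]:
        out.append("privileged_without_mfa")
    if t["days_since_last_login"] > 90 and cost_per_user(e) > 0:
        out.append("dormant_paid_license")
    return out


def build_ledger(records):
    """One row per principal, highest Identity Score first."""
    rows = []
    for rec in map(validate, records):
        rows.append({
            "principal": rec["principal"],
            "cost_per_user_usd_year": cost_per_user(rec["economic"]),
            "technical_risk": technical_risk(rec["technical"]),
            "human_risk": human_risk(rec["human"]),
            "identity_score": identity_score(rec),
            "flags": flags(rec),
        })
    return sorted(rows, key=lambda r: r["identity_score"], reverse=True)


if __name__ == "__main__":
    for row in build_ledger(SAMPLE_LEDGER):
        print(json.dumps(row))
```

The point of the multiplicative score is that neither silo's number is alarming alone: Security's role inventory rates the dormant service account and the admin similarly, and HR's training report shows one delinquent among many. Only the joined row ranks the admin with no MFA, a 40% phishing fail rate and active external targeting at the top of the ledger, while the dormant account is flagged as both a reclaimable license and an unguarded backdoor.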

Attendees will leave with the knowledge to implement this ready-to-use open-source JSON standard in their own environments.

We will demonstrate how to use this schema to neutralize threats from high-risk users, reclaim licenses from low-value accounts, and present leadership with a defensible, data-driven ROI on identity security.

Stop ignoring the hidden costs within SaaS sprawl and start accounting for the actual cost of access.

Notes

What can you expect?

  • A demo of the ICARUS schema and the concept of an “Identity Score”, which are open methodologies we are developing.
  • All schemas and code examples shown will be made available to attendees via a GitHub repository.

Why this talk?

We are submitting this talk as a joint effort between a Senior Security Engineer and an OSINT Researcher. We realized that neither of us had the full picture of identity risk.

  • Internal View (Security Engineering): Able to see the differing costs and risks associated with privileges
  • External View (OSINT Research): Able to uncover breach exposure, social footprint, and targetability

We built the ICARUS framework to fuse these two worlds. We wanted to standardize a methodology to “moneyball” our risk by assigning a cost to our attack surface vectors and correlating internal IAM risk with external human vulnerability.

Technical Depth & Format

  • The Architecture (Engineering): Adi will demonstrate proof-of-concept models that fetch data (from Microsoft, Okta, AWS, Google, etc.) and normalize it into an “Economic Baseline”.
  • The Human Factor (OSINT): Nick will demonstrate how we ingest external signals (breach data, PII exposure) to calculate the “Human Risk” score (v0.2).
  • The Schema: We will walk through the JSON structure of the ICARUS standard.
  • The Finale: We will show a sanitized “before and after” of an identity ledger, demonstrating how we flagged high-risk users that traditional tools missed.

Speaker Backgrounds

  • [Aditya Dev] (Senior Security Engineer): I focus on the trenches of Identity & Access Management and detection engineering. I build the pipelines that track the “cost and privilege” of our users.
  • [Nicholas Olsen] (OSINT Researcher): Nicholas specializes in open-source intelligence and external threat landscape analysis. He provides the “attacker’s eye view” of our identities, measuring how exposed our high-value targets actually are.

Technical Requirements

  • Standard HDMI connection for projection.
  • Dual mics preferred (for each speaker).
  • No internet required (demos will be recorded/local).