Six modules covering the full IAM attack surface. How attackers get in, how they move, how you find them, and how you shut them down. Built on verified 2025 and 2026 threat intelligence. Free. Always.
No security background required. Identity security basics for anyone who works near a computer. Takes about 15 minutes. Start here if you are new to IAM.
Work through the modules in order. Each one builds on the last.
What digital identity actually is. How tokens work. What MFA does and does not protect against. Non-human identities and why they matter. The starting point for everything that follows.
AiTM phishing, token theft, Pass-the-PRT, device code phishing, persistence techniques that survive password resets. The attack mechanics behind the headlines, explained technically.
KQL for identity. Sign-in logs, audit logs, service principal telemetry. What AiTM looks like in SigninLogs. Building detection rules that actually fire. Sentinel architecture for identity hunting.
Every dangerous built-in role. The API permission combinations that constitute tenant takeover primitives. PIM abuse. Cross-tenant and guest identity attacks. The full AppRoleAssignment chain to Global Admin.
Password resets do not revoke OAuth tokens. The eight-step revocation sequence. Containment without tipping off the attacker. Forensic artifacts and timeline reconstruction. GDPR Article 33 compliance.
Every AI tool your organisation connects is a new identity with permissions. EvilTokens, device code phishing, MCP server vulnerabilities, OAuth sprawl from AI tools. The attack surface expanding faster than anyone is auditing it.