
Platform

Every asset. Every identity. Every signal.

Modern attacks don't stay in one layer. IronSOC monitors identity, cloud, endpoints, SaaS, AI systems, and network traffic as one unified attack surface.

Identity & access

Users, service accounts, OAuth tokens, sessions, MFA events, privilege escalation, and identity provider risk signals.

Detection examples

  • Impossible travel detection
  • Privilege creep alerting
  • Session hijacking
  • Stale access review
  • SSO anomaly correlation

Cloud infrastructure

IAM mutations, public exposure, Kubernetes activity, CI/CD pipelines, infrastructure-as-code drift, and storage misconfigurations.

Detection examples

  • S3/GCS bucket exposure
  • IAM role assumption chains
  • Kubernetes RBAC violations
  • Terraform plan anomalies
  • Container escape patterns

Endpoints

Workstations, servers, mobile devices, and IoT — process execution, file integrity, registry changes, and EDR telemetry.

Detection examples

  • Process injection
  • Credential dumping
  • Living-off-the-land techniques
  • Firmware tampering
  • USB device policy

SaaS applications

Microsoft 365, Google Workspace, Salesforce, Slack, GitHub, and 100+ integrations — admin events, data access, and configuration drift.

Detection examples

  • Mailbox forwarding rules
  • OAuth app consent
  • Admin privilege changes
  • Data exfiltration patterns
  • Shadow IT discovery

AI & LLM systems

Model inputs, agent tool calls, RAG pipeline retrieval, vector store modifications, and permission boundaries.

Detection examples

  • Prompt injection attempts
  • Excessive agent permissions
  • RAG context poisoning
  • Model output leakage
  • Shadow AI usage

Network

East-west and north-south traffic, DNS queries, proxy logs, firewall events, VPN sessions, and encrypted traffic metadata.

Detection examples

  • Lateral movement
  • C2 beacon detection
  • DNS tunneling
  • Data exfiltration
  • Anomalous traffic patterns

Coverage

Unified coverage across every surface

  • 6 attack surfaces: unified telemetry across all layers
  • 30+ detection categories: behavioral, signature, and anomaly-based
  • 100% MITRE coverage goal: mapped to ATT&CK and ATLAS frameworks
  • Real-time correlation speed: cross-surface events linked instantly

Cross-surface detection

Attacks cross boundaries. So do our detections.

Real attacks chain across surfaces. IronSOC correlates signals across identity, cloud, AI, endpoint, SaaS, and network to catch attack paths that siloed tools miss.

Identity to cloud lateral movement

  1. Phished credentials
  2. OAuth token theft
  3. AWS role assumption
  4. S3 data exfiltration

Attackers pivot from a compromised identity into cloud infrastructure. IronSOC traces the full chain from the initial phish through IAM role assumption to data access.

AI supply chain to SaaS compromise

  1. Poisoned MCP server
  2. Agent tool-call abuse
  3. Slack credential harvest
  4. Internal data access

A compromised AI tool server injects malicious actions into agent workflows. IronSOC monitors tool calls, flags anomalous behavior, and correlates downstream SaaS access.

Endpoint to network C2 establishment

  1. Malicious attachment
  2. Process injection
  3. DNS tunneling
  4. Encrypted C2 channel

Traditional endpoint compromise establishes command-and-control through DNS. IronSOC correlates endpoint process telemetry with network DNS anomalies to catch what either alone would miss.
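The cross-surface chains above (identity to cloud, and endpoint to network C2) all reduce to the same detection idea: events from different surfaces are attributed to one principal and matched in order within a time window. The following is an added illustration, not IronSOC code, of a minimal chain correlator that does this for both chains. It assumes that each event has already been attributed to a single principal (a user name for the identity and cloud surfaces, a hostname for endpoint and network), that the step names such as phish_login and dns_tunnel_suspect are labels produced by upstream per-surface detectors, and that the sample events are constructed for the example.

```python
"""Cross-surface attack-chain correlator (added example, not IronSOC code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    surface: str    # identity | cloud | endpoint | network | saas
    principal: str  # user or host the event is attributed to (assumed already resolved)
    action: str     # label emitted by a per-surface detector (hypothetical names)
    detail: str = ""


# A chain is an ordered list of (surface, action) steps. All steps must match
# events for the same principal, in order, with the whole chain inside WINDOW.
Step = tuple[str, str]
CHAINS: dict[str, list[Step]] = {
    "identity_to_cloud": [
        ("identity", "phish_login"),
        ("identity", "oauth_token_issued"),
        ("cloud", "assume_role"),
        ("cloud", "s3_get_object_bulk"),
    ],
    "endpoint_to_network_c2": [
        ("endpoint", "attachment_opened"),
        ("endpoint", "process_injection"),
        ("network", "dns_tunnel_suspect"),
        ("network", "tls_beacon"),
    ],
}
WINDOW = timedelta(hours=2)


def match_chain(events, steps, window=WINDOW):
    """Greedy in-order match over one principal's time-sorted events.
    Returns the matched events, or None if the chain never completes."""
    matched = []
    for ev in events:
        if matched and ev.ts - matched[0].ts > window:
            matched = []  # anchor too old: restart matching from this event
        if (ev.surface, ev.action) == steps[len(matched)]:
            matched.append(ev)
            if len(matched) == len(steps):
                return matched
    return None


def correlate(events, chains=CHAINS, window=WINDOW):
    """Group events by principal and report every chain that completes."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev.principal].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e.ts)
        for name, steps in chains.items():
            hit = match_chain(evs, steps, window)
            if hit:
                alerts.append({
                    "chain": name,
                    "principal": principal,
                    "start": hit[0].ts,
                    "end": hit[-1].ts,
                    "surfaces": sorted({e.surface for e in hit}),
                    "path": [e.action for e in hit],
                })
    return alerts


# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 15, 9, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # identity -> cloud chain for one user
    Event(at(0), "identity", "alice", "phish_login", "login from unseen ASN after phish report"),
    Event(at(4), "identity", "alice", "oauth_token_issued", "refresh token for third-party app"),
    Event(at(20), "cloud", "alice", "assume_role", "sts:AssumeRole data-reader"),
    Event(at(35), "cloud", "alice", "s3_get_object_bulk", "1200 objects from finance-exports"),
    # legitimate admin activity: no preceding identity-compromise signal, so no chain
    Event(at(10), "cloud", "bob", "assume_role", "sts:AssumeRole ops-admin"),
    Event(at(12), "cloud", "bob", "s3_get_object_bulk", "scheduled backup job"),
    # endpoint -> network chain on one host
    Event(at(2), "endpoint", "ws-0419", "attachment_opened", "invoice.docm"),
    Event(at(3), "endpoint", "ws-0419", "process_injection", "winword -> rundll32 remote thread"),
    Event(at(9), "network", "ws-0419", "dns_tunnel_suspect", "high-entropy TXT queries to example.net"),
    Event(at(15), "network", "ws-0419", "tls_beacon", "fixed 60s interval to 203.0.113.7:443"),
    # out-of-order steps on another host: beacon seen before injection, so no chain
    Event(at(3000), "network", "ws-0502", "tls_beacon"),
    Event(at(3010), "endpoint", "ws-0502", "process_injection"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["chain"], alert["principal"], " -> ".join(alert["path"]))
```

The window reset is the part worth noting: a stale first step is discarded rather than letting an old phish report pair with an unrelated role assumption hours later, which is how a naive in-order matcher produces false chains. A production correlator would also need the principal-resolution step this example assumes away (mapping a cloud role session back to the human identity that assumed it).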

See attack surface monitoring in action

Explore how IronSOC unifies telemetry from every surface into one operational view.
