Attackers don't break in,
they log in.

Can they reach your data?

vec0 maps how compromised users, service accounts and workloads can move through permissions and cloud resources to reach sensitive data.

Identity Progression

What is an Identity Progression Vector?

An Identity Progression Vector is a path a compromised identity can take through permissions, service accounts, workloads and cloud resources to reach sensitive data.

It is not one misconfiguration. It is the chain that turns valid access into breach risk.

Diagram: an identity progression vector from a compromised identity through permissions, service accounts, workloads and cloud resources to sensitive data.

Model the breach
before it happens.

BreachLab gives security teams a controlled environment to model Identity Progression Vectors, test changes and compare remediation options.

Simulate compromised identities

Test permission changes

Compare remediation options

Ask "what if" questions

Understand controls

Query Logic

Critical Questions, Answered.

Query

Can any external identity reach production customer data?

Answer

Yes. 3 external identities can reach prod_customer through external support access paths.

Break The Path

Remove Service Account User on [email protected], or remove BigQuery Data Viewer from that service account.

Shortest Path

[email protected] → Google Group: External Engineers → Project role: Service Account User → Service account: [email protected] → Dataset: prod_customer → Table: customer_profiles

Query

Which service accounts are the highest risk if compromised?

Answer

The highest-risk service account is [email protected]. It can reach production customer data through a short path with direct BigQuery access.

Break The Path

Remove BigQuery Data Viewer from [email protected], or move customer data access behind a narrower service account.

Shortest Path

Service account: [email protected] → Project role: BigQuery Data Viewer → Dataset: prod_customer → Table: customer_profiles

Query

Which single change would remove the most paths to production customer data?

Answer

Removing Group: Prod Data Support from external support access would break 14 identity-to-data paths into customer records.

Break The Path

Remove Group: Prod Data Support from External Engineers, or replace it with a narrower read path that excludes customer datasets.

Shortest Path

[email protected] → Google Group: External Engineers → Google Group: Prod Data Support → Dataset: prod_customer → Table: customer_profiles
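The three queries above, worked as an added example that is not vec0's own code or algorithm: a constructed GCP-style identity graph, a BFS shortest path from an identity to the customer table, a count of identity-to-data paths, and the single identity-side edge whose removal breaks the most of them. E-mail addresses are redacted on the page, so the user and service-account names here are placeholders.

```python
from collections import defaultdict, deque

# Constructed identity-to-data graph from the worked paths above; e-mails are redacted on the page,
# so "user:ext-N" and "sa:prod-etl" are placeholders. Edge = source can act as / read destination.
EDGES = [(f"user:ext-{i}", "group:External Engineers") for i in (1, 2, 3)] + [
    ("group:External Engineers", "role:Service Account User"),
    ("role:Service Account User", "sa:prod-etl"),
    ("sa:prod-etl", "role:BigQuery Data Viewer"),
    ("group:External Engineers", "group:Prod Data Support"),
    ("group:Prod Data Support", "role:BigQuery Data Viewer"),  # project-level grant
    ("group:Prod Data Support", "dataset:prod_customer"),      # direct dataset grant
    ("role:BigQuery Data Viewer", "dataset:prod_customer"),
    ("dataset:prod_customer", "table:customer_profiles"),
]
EXTERNAL = ["user:ext-1", "user:ext-2", "user:ext-3"]
TARGET = "table:customer_profiles"

def build_graph(edges):
    g = defaultdict(list)
    for src, dst in edges:
        g[src].append(dst)
    return g

def shortest_path(g, src, dst):
    """BFS over hops: the shortest chain an identity can follow to the data, or None."""
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in g.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def count_paths(g, src, dst, seen=frozenset()):
    """Number of simple paths src -> dst (DFS; the graph above is acyclic)."""
    if src == dst:
        return 1
    return sum(count_paths(g, n, dst, seen | {src}) for n in g.get(src, []) if n not in seen)

def best_single_cut(edges, identities, target):
    """Identity-side edge whose removal breaks the most identity-to-data paths.
    Grants on the dataset/table itself are excluded: revoking them is an outage, not a fix."""
    def paths_left(without):
        g = build_graph([e for e in edges if e != without])
        return sum(count_paths(g, i, target) for i in identities)
    total = paths_left(None)
    edge = max((e for e in edges if not e[1].startswith(("dataset:", "table:"))),
               key=lambda e: total - paths_left(e))
    return edge, total - paths_left(edge)
```

On this constructed graph the recommended cut is the External Engineers membership in Prod Data Support, matching the third "Break The Path" answer above.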

Platform Use Cases

One platform for identity-to-data risk.

vec0 maps Identity Progression Vectors across identities, permissions, cloud resources and sensitive data, then uses that graph to assess exposure, test changes and detect active movement toward data.

When attackers move along these paths, that is an Identity Progression Attack.

Related reading

Read more on identity progression, breach movement, and the paths attackers follow toward sensitive data.

What are Identity Progression Attacks?

A practical definition of Identity Progression Attacks and why defenders need to detect movement from foothold to high-value target.

The real breach starts before attackers exfiltrate data

Why security teams need to detect attacker progression before confirmed data loss.

Assume credentials will leak. Detect movement toward data

Why the CISA credential exposure is a reminder to monitor valid identity activity as it moves toward sensitive data.

Reduce identity-to-data paths.