The Power of the Graph: Why Identity Context Is the Key to Cyber Resilience
Think back to your last identity audit. You probably had lists. Users, groups, roles. Maybe some screenshots. Maybe a spreadsheet. It felt thorough. But did it show how those identities could actually be used in an attack?
Most likely, it did not. And that is the problem.
Attackers do not care about your org chart. They care about access and how to chain it together. They think in paths, not points. In context, not checkboxes.
As John Lambert from Microsoft said:
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
And it is not just mindset. It is also time, focus, and scale. Attackers only need one path in. Defenders are expected to secure everything. Most defenders are overworked and spread thin. Attackers are dedicated, focused, and have time on their side.
That is why graph modeling is so powerful. It does not just show who has what. It maps how identities, permissions, and systems are connected. It reveals how access flows and where risk concentrates.
We helped one team uncover an indirect path from a development environment to their production domain controller. The connection came from a shared PowerShell script and legacy group memberships that had never been cleaned up. No one had flagged it. But once modeled, the blast radius was obvious.
Graphs are not just diagrams. They are operational tools that help defenders:
Spot lateral movement before it happens
Simulate attacks from any identity
Validate whether a fix actually reduces real risk
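The kind of graph query described above, as an added example that is not from the original post: a breadth-first search over a small constructed identity graph modeled on the development-to-domain-controller scenario, listing the critical assets reachable from one identity and then re-running after a fix to confirm the path is gone. All node names, edge labels and data are hypothetical.

```python
from collections import deque

# Constructed sample data: directed edges "source can act as / reach target".
# Node names and edge labels are hypothetical, modeled on the scenario above.
EDGES = [
    ("user:dev-alice", "group:Dev-Builders", "member_of"),
    ("group:Dev-Builders", "host:dev-build01", "admin_on"),
    ("host:dev-build01", "script:shared-deploy.ps1", "can_modify"),
    ("script:shared-deploy.ps1", "svc:deploy-runner", "runs_as"),
    ("svc:deploy-runner", "group:Legacy-Server-Ops", "member_of"),
    ("group:Legacy-Server-Ops", "host:prod-dc01", "admin_on"),
    ("user:hr-bob", "group:HR-Staff", "member_of"),
    ("group:HR-Staff", "host:hr-files01", "read_on"),
]
CRITICAL = {"host:prod-dc01"}

def build_graph(edges):
    """Adjacency list: node -> [(neighbor, relationship), ...]."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
    return graph

def shortest_paths(graph, start):
    """BFS from start; maps each reachable node to its [(rel, node), ...] path."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, rel in graph.get(node, []):
            if dst not in paths:
                paths[dst] = paths[node] + [(rel, dst)]
                queue.append(dst)
    return paths

def blast_radius(edges, start, critical=CRITICAL):
    """Critical assets reachable from start, with the shortest path to each."""
    paths = shortest_paths(build_graph(edges), start)
    return {n: paths[n] for n in critical if n in paths}

def without_edge(edges, src, dst):
    """Model a fix: the edge list with one relationship removed."""
    return [e for e in edges if (e[0], e[1]) != (src, dst)]

if __name__ == "__main__":
    for target, path in blast_radius(EDGES, "user:dev-alice").items():
        print(target, "via", " -> ".join(f"[{rel}] {n}" for rel, n in path))
    fixed = without_edge(EDGES, "svc:deploy-runner", "group:Legacy-Server-Ops")
    print("after fix:", blast_radius(fixed, "user:dev-alice"))
```

A flat list of group memberships shows each of these edges as unremarkable on its own; only the traversal shows that together they connect a development user to the domain controller.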
More importantly, graphs change how security teams communicate. When you can show the full picture — not just an isolated permission but how it leads to critical systems — leadership listens. A low-priority finding can become a top concern when its blast radius is visualized.
Cyber resilience is not about reacting quickly. It is about ensuring the attack cannot succeed in the first place. That requires defenders to stop thinking in lists and start thinking in graphs. It means building a complete view of identity, access, and risk — a digital twin of your environment.
Attackers are already doing this. The only question is whether defenders will too.


