Pathros Console

Identity becomes provable — and the noise goes away.

Pathros maps identity access paths into a readable proof surface. Every risk has an evidence path. Every recommendation shows expected impact. Writes made by Pathros: 0.

Open Demo View sample receipt Request Console

Ranked access paths

Specific risks, not flat noise.

critical · score 94

GitHub OIDC token can assume AWS role with write access to customer PII.

A GitHub Actions workflow token can assume AWSRole:ProdDeploy, which inherits a policy that can write to customer PII in S3.

high · score 72

Dormant service account still has write access to production artifacts.

svc-legacy-batch has not authenticated in 240 days but retains an inherited admin policy reaching production S3.

medium · score 51

Vendor OAuth app can read a repo secret that reaches a deployment role.

A third-party OAuth integration can read DEPLOY_KEY, which can assume AWSRole:Deploy.