Blast Radius
Overview
Blast Radius answers a simple, high-stakes question: if this identity were compromised, what could the attacker reach? It maps everything an identity can touch — directly and through chains of access — so you can quantify worst-case impact.
Key benefits
| Benefit | Capability | Business value |
|---|---|---|
| Impact clarity | Reachable-resource mapping per identity | Know which identities are truly dangerous if breached |
| Prioritization | Combine blast radius with feasibility | Focus on identities that are both reachable and high-impact |
| Containment | Reveals over-broad access | Drive least-privilege decisions with evidence |
How it works
Open Security Testing → Blast Radius Search. Pick an identity (user, group, or service account), and RedCloud computes the set of resources it can reach — following permission grants, impersonation, and lateral movement. The result shows both the immediate reach and the extended reach through chains.
Implementation / workflow
- Run a scan to populate the access graph.
- Open Blast Radius Search and select an identity.
- Review the reachable resources and the paths that get there.
- Trim over-broad access, then re-check to confirm the radius shrinks.
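The reach computation and the trim-then-re-check step above can be sketched as a graph traversal. This is an added example, not RedCloud's own code: the edge list, node names, and the three relation labels are constructed for illustration, and the real access graph model is assumed to be richer.

```python
from collections import deque

# Constructed sample access graph: (source, relation, target).
# Relation kinds mirror the three the page names; every node name is made up.
EDGES = [
    ("user:alice", "grant", "bucket:logs"),
    ("user:alice", "impersonate", "sa:deployer"),
    ("sa:deployer", "grant", "vm:build-01"),
    ("sa:deployer", "grant", "secret:db-password"),
    ("vm:build-01", "lateral", "sa:build-agent"),
    ("sa:build-agent", "grant", "bucket:artifacts"),
    ("sa:build-agent", "impersonate", "sa:deployer"),  # cycle, must not loop
    ("user:bob", "grant", "bucket:logs"),
]

def blast_radius(edges, identity):
    """Breadth-first walk from identity. Returns {node: path}, where path is
    the shortest chain of (source, relation, target) hops that reaches node."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    paths = {identity: []}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for rel, dst in adjacency.get(node, []):
            if dst not in paths:  # first visit is the shortest chain; also stops cycles
                paths[dst] = paths[node] + [(node, rel, dst)]
                queue.append(dst)
    del paths[identity]  # the identity itself is not part of its own radius
    return paths

def split_reach(paths):
    """Immediate reach is one hop away; extended reach needs a chain."""
    direct = {node for node, path in paths.items() if len(path) == 1}
    return direct, set(paths) - direct

def without_edge(edges, edge):
    """Model a least-privilege change by dropping one access edge."""
    return [e for e in edges if e != edge]

if __name__ == "__main__":
    before = blast_radius(EDGES, "user:alice")
    direct, extended = split_reach(before)
    print("direct:", sorted(direct))
    print("extended:", sorted(extended))
    for hop in before["bucket:artifacts"]:
        print("  path hop:", hop)
    trimmed = without_edge(EDGES, ("user:alice", "impersonate", "sa:deployer"))
    print("radius:", len(before), "->", len(blast_radius(trimmed, "user:alice")))
```

In this sample, a single impersonation edge accounts for all of the extended reach, which is the kind of evidence the re-check step is meant to surface.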
Best practices
- Start with the identities at the top of the Identity Risk ranking.
- Treat a large blast radius on an internet-reachable identity as a top priority.
- Use the results to justify least-privilege changes to resource owners.