
Trace Every Identity Action with Teleport Identity Security

by Ben Arent Jul 15, 2025

Teleport Identity Security

From 24‑Hour Incidents to 2‑Minute Investigations

It’s 5:54 a.m. and your phone buzzes: #security‑incident‑071525. Another “coffee‑shop compromise”? You’re still waiting on espresso while the team chases logs across the SIEM, GitHub, Okta and AWS. Eight hours later the verdict arrives: a harmless dev login from shared Wi‑Fi.

One false alert. One full workday burned.

Sound familiar? We built Teleport Identity Security because this story plays out every single day.

Attackers Don't Hack In Anymore. They Log On

Cloud killed the network perimeter. Cloud and SaaS have erased the tidy network edges we used to defend. Today every workload, engineer and contractor authenticates through an identity provider, and then relies on service accounts, tokens, keys and roles that unlock production.

In most environments, those credentials control access to critical infrastructure and cloud services.

When attackers obtain those credentials, they bypass your controls entirely.

Yet the tooling landscape is still siloed:

  • Identity and IdP teams wrangle Okta policies.
  • Platform teams secure cloud runtime and Cloud IAM.
  • Security tries to glue it all together after the fact.

The result? Endless swivel‑chair investigations that start with who and stall at what did they actually do?

What 50+ Security Leaders Told Us

“53% of the incidents I see in a week are identity based, and that doesn't count the ad-hoc legal or other executive requests for investigation.”

CISO, Large Insurance Company (20k+ employees)

During spring we interviewed CISOs, heads of engineering and front‑line security practitioners. Themes popped up fast:

  1. 40+ known infrastructure identity gaps: shared creds, stale tokens, orphaned roles.
  2. Most cloud breaches start with an identity compromise. Not an exploit.
  3. Weeks spent on root‑cause because access context lives in separate systems.
  4. Insider risk is rising as compliance frameworks demand provable least privilege.

The Hidden Access Paths to Smaug's Cavern

At BSides SF, I presented the findings from talking to 50+ security leaders, and some of the hidden pathways that engineers use to access infrastructure. Watch the talk here.

Teams need a way to see the entire chain of custody for every action, without crawling every log bucket by hand.

Introducing Teleport Security - Identity Activity Center

Teleport already sits in the flow of every engineer and machine connecting to infrastructure. Teleport Identity Security already gave you visibility into the access graph; Identity Activity Center extends that vantage point to what those identities actually do:

Feature, and why it matters:

  • End‑to‑end access chain: a visual link from User ➜ Group ➜ Teleport Session ➜ AWS action.
  • Unified audit stream: AWS CloudTrail, GitHub Audit Log, Teleport and Okta logs normalized and correlated in real time.
  • Behavioral detections: built-in alerts catch MFA spray before the privilege escalation, faster than a SIEM, with full identity context.
  • 2‑minute investigation: cut investigation time by showing at once what identities are doing.

An Example Identity Chain

Before we dive into alerts, logs, and timelines, it helps to see what a complete “chain of identity” actually looks like.

The diagram below shows a minimal but common path:

  1. A human authenticates to Okta.

  2. Their group memberships grant new privileges.

  3. Teleport issues a short-lived certificate and starts a recorded session.

  4. That session assumes an AWS IAM role.

  5. CloudTrail captures the resulting API call.

Follow the arrows from top to bottom and you can answer, in seconds, who did what, where, and how.

+------------------------------------------------------------+
|                        Okta  User                          |
|  UID: 00u7h4xq2…                                           |
|  Creds: WebAuthn + TOTP                                    |
+-------------------------------+----------------------------+
                                |
                                |  (1) PRIMARY LOGIN
                                v
+------------------------------------------------------------+
|                        Okta  Group                         |
|  GID: Dev-Ops                                               |
|  Grants: ci-runner , prod-read                             |
+-------------------------------+----------------------------+
                                |
                                |  (2) GROUP MAPPING
                                v
+------------------------------------------------------------+
|                   Teleport Zero-Trust                      |
|  SID : tp-sess-14fa…                                       |
|  Cert: short-lived X.509   (<12 h)                         |
|  RBAC: kubernetes , ssh , db                               |
+-------------------------------+----------------------------+
                                |
                                |  (3) SESSION START
                                v
+------------------------------------------------------------+
|                   AWS  IAM  Role  Assume                   |
|  ARN  : arn:aws:iam::123:role/…                            |
|  STS  : temporary creds  (<1 h)                            |
|  Privs: s3:GetObject* , lambda:*                           |
+-------------------------------+----------------------------+
                                |
                                |  (4) API REQUEST
                                v
+------------------------------------------------------------+
|                      CloudTrail  Event                     |
|  EventID : 9bf3…                                           |
|  Action   : s3:GetObject                                   |
|  SourceIP : 203.0.113.42                                   |
+-------------------------------+----------------------------+
                                |
                                v
+============================================================+
|              🔍  IDENTITY  ACTIVITY  CENTER  🔍             |
|  WHO ▶ HOW ▶ WHERE ▶ WHAT   —  one continuous timeline      |
|  • Links every step above into a single chain of custody    |
|  • Behavioral detections (MFA spray, role-hops, token reuse)|
|  • Two-minute investigations instead of 24-hour log hunts   |
+============================================================+

Traditional tools only capture snapshots: disconnected events with no clear storyline. Identity Activity Center shows you the full film: every login, group membership, session and cloud action stitched together into a correlated identity chain. And yes, we actually made a documentary. Real red team. Real incident. Real footage from the Identity Activity Center.
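The stitching step is where the value lives, so here is what the chain above looks like as code. This is an added example, not Teleport's implementation or its data model: it takes one constructed event from each source (Okta System Log, Teleport audit log, AWS CloudTrail, all in simplified shapes whose field names should be read as assumptions) and links them on the one key they share, the engineer's identity, which Teleport passes into AWS as the role session name and which CloudTrail then embeds in the assumed-role ARN of every API call.

```python
"""Stitch Okta, Teleport and CloudTrail events into one identity chain.

Added example, not Teleport's code. The events below are constructed and use
simplified versions of the Okta System Log, Teleport audit log and AWS
CloudTrail record shapes; treat the field names as assumptions.
"""
from datetime import datetime, timedelta, timezone

# --- constructed sample events (all times UTC) ------------------------------
OKTA_EVENTS = [
    {"published": "2025-07-15T12:54:00Z", "eventType": "user.session.start",
     "actor": {"id": "00u7h4xq2", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.42"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2025-07-15T12:54:03Z", "eventType": "group.user_membership.add",
     "actor": {"id": "00uADMIN", "alternateId": "okta-admin@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"},
                {"type": "UserGroup", "displayName": "Dev-Ops"}],
     "outcome": {"result": "SUCCESS"}},
]
TELEPORT_EVENTS = [
    {"time": "2025-07-15T12:55:10Z", "event": "session.start",
     "sid": "tp-sess-14fa", "user": "alice@example.com",
     "addr.remote": "203.0.113.42:51234"},
]
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-07-15T12:55:40Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "teleport-proxy"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/prod-read",
                           "roleSessionName": "alice@example.com"},
     "sourceIPAddress": "203.0.113.42"},
    {"eventTime": "2025-07-15T12:56:05Z", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/prod-read/alice@example.com"},
     "sourceIPAddress": "203.0.113.42"},
    # Noise: another engineer's session must not be pulled into Alice's chain.
    {"eventTime": "2025-07-15T12:56:30Z", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/prod-read/bob@example.com"},
     "sourceIPAddress": "198.51.100.7"},
]


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps all three sources emit."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_window(t, start, end):
    return start <= _ts(t) <= end


def build_chains(okta, teleport, cloudtrail, window=timedelta(minutes=30)):
    """Return one chain per Teleport session: (1) the Okta login that preceded
    it, (2) group grants for the user, (3) AssumeRole calls whose session name
    carries the Teleport user, (4) API calls made under the resulting ARN."""
    chains = []
    for sess in teleport:
        if sess.get("event") != "session.start":
            continue
        user, start = sess["user"], _ts(sess["time"])
        logins = [e for e in okta
                  if e["eventType"] == "user.session.start"
                  and e["actor"]["alternateId"] == user
                  and e["outcome"]["result"] == "SUCCESS"
                  and _in_window(e["published"], start - window, start)]
        login = max(logins, key=lambda e: e["published"], default=None)
        groups = [t["displayName"] for e in okta
                  if e["eventType"] == "group.user_membership.add"
                  and any(u.get("alternateId") == user for u in e["target"])
                  for t in e["target"] if t["type"] == "UserGroup"]
        roles = [e["requestParameters"]["roleArn"] for e in cloudtrail
                 if e["eventName"] == "AssumeRole"
                 and e.get("requestParameters", {}).get("roleSessionName") == user
                 and _in_window(e["eventTime"], start, start + window)]
        actions = [e for e in cloudtrail
                   if e["userIdentity"].get("type") == "AssumedRole"
                   and e["userIdentity"]["arn"].endswith("/" + user)
                   and _in_window(e["eventTime"], start, start + window)]
        chains.append({
            "user": user,
            "login_ip": login["client"]["ipAddress"] if login else None,
            "groups": groups,
            "sid": sess["sid"],
            "roles": roles,
            "actions": [(a["eventName"], a["sourceIPAddress"]) for a in actions],
        })
    return chains


def render(chain):
    """One-line WHO ▶ HOW ▶ WHERE ▶ WHAT summary, the view an analyst wants first."""
    return " ▶ ".join([
        f"{chain['user']} from {chain['login_ip']}",
        f"groups {','.join(chain['groups'])}",
        f"teleport {chain['sid']}",
        f"roles {','.join(r.rsplit('/', 1)[-1] for r in chain['roles'])}",
        f"actions {','.join(a for a, _ in chain['actions'])}",
    ])


if __name__ == "__main__":
    for c in build_chains(OKTA_EVENTS, TELEPORT_EVENTS, CLOUDTRAIL_EVENTS):
        print(render(c))
```

The join key matters more than the code: if the role session name does not carry the human identity (for example when a shared service account assumes the role), the CloudTrail side of the chain collapses into "some Teleport user did this", which is exactly the swivel-chair dead end the post describes. Enforcing a session-name convention at the Teleport/IAM boundary is what makes step (4) attributable.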

Video: Introducing Teleport Identity Activity Center

Battle‑Tested With Real Adversaries

We partnered with Persistent Security and their red‑team crew to punch holes in our beta. They received:

  • A ‘phished’ engineer credential with EKS access.
  • A service account token for an internal build runner.

Over several days, they executed common tactics: MFA fatigue, role hopping and token exfiltration. Each move lit up Identity Activity Center, with correlated alerts and identity-linked session trails, giving our defenders instant visibility into escalation paths, blast radius, and exposure.
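The three tactics named above each leave a recognisable shape in the logs, and that shape is what a behavioral detection keys on. The following is an added example of such detections, not Teleport's own detection logic: MFA fatigue as a burst of denied push challenges that ends in an approval, role hopping as an AssumeRole call made by an identity that is already an assumed role, and token reuse as one token hash appearing from more than one source address. All events are constructed; the Okta eventType strings and the GitHub audit field names are assumptions drawn from simplified versions of those formats.

```python
"""Behavioral detections over identity logs: MFA fatigue, role hopping and
token reuse. Added example, not Teleport's detection logic. All events are
constructed; Okta, CloudTrail and GitHub field names are simplified and the
Okta eventType strings are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# --- constructed: six denied pushes to Alice in six minutes, then an approval --
OKTA_MFA_EVENTS = [
    {"published": f"2025-07-15T13:0{i}:00Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "alice@example.com"}} for i in range(6)
] + [
    {"published": "2025-07-15T13:06:30Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2025-07-15T13:07:00Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "carol@example.com"}},  # a single deny is normal
]

# --- constructed: Alice's prod-read session assumes prod-admin -----------------
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-07-15T13:09:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "teleport-proxy"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/prod-read",
                           "roleSessionName": "alice@example.com"}},
    {"eventTime": "2025-07-15T13:10:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/prod-read/alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/prod-admin",
                           "roleSessionName": "alice@example.com"}},
]

# --- constructed: the build runner's token clones from inside CI, then outside --
GITHUB_AUDIT = [
    {"@timestamp": "2025-07-15T13:20:00Z", "action": "git.clone", "actor": "ci-runner",
     "hashed_token": "h1", "actor_ip": "10.0.1.5"},
    {"@timestamp": "2025-07-15T13:21:00Z", "action": "git.clone", "actor": "ci-runner",
     "hashed_token": "h1", "actor_ip": "203.0.113.99"},
    {"@timestamp": "2025-07-15T13:22:00Z", "action": "git.clone", "actor": "dave",
     "hashed_token": "h2", "actor_ip": "10.0.1.9"},
]


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with `threshold` denied pushes inside `window`. A successful
    MFA shortly after the burst is the case worth paging on: the user tapped
    Approve in the end, so the session that follows is the attacker's."""
    denies, approvals = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        user = e["actor"]["alternateId"]
        if e["eventType"] == "user.mfa.okta_verify.deny_push":
            denies[user].append(_ts(e["published"]))
        elif (e["eventType"] == "user.authentication.auth_via_mfa"
              and e.get("outcome", {}).get("result") == "SUCCESS"):
            approvals[user].append(_ts(e["published"]))
    alerts = []
    for user, times in denies.items():
        lo = 0  # sliding window over the sorted deny timestamps
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                approved = any(times[hi] < t <= times[hi] + window for t in approvals[user])
                alerts.append({"user": user, "denied": hi - lo + 1, "approved_after": approved})
                break
    return alerts


def detect_role_hops(events):
    """Flag AssumeRole calls made from an identity that is already an assumed
    role. The first hop from an IAM user or federated principal is expected;
    a session that entered as prod-read and pivots to prod-admin is not."""
    hops = []
    for e in events:
        ident = e["userIdentity"]
        if e["eventName"] == "AssumeRole" and ident.get("type") == "AssumedRole":
            from_role, session = ident["arn"].rsplit("/", 2)[-2:]
            hops.append({"session": session, "from_role": from_role,
                         "to_role": e["requestParameters"]["roleArn"].rsplit("/", 1)[-1]})
    return hops


def detect_token_reuse(events):
    """Flag a token hash seen from more than one source IP: a runner token
    that suddenly clones from outside the CI network has been copied."""
    ips = defaultdict(set)
    for e in events:
        ips[(e["actor"], e["hashed_token"])].add(e["actor_ip"])
    return [{"actor": a, "token": t, "ips": sorted(s)}
            for (a, t), s in ips.items() if len(s) > 1]


if __name__ == "__main__":
    print(detect_mfa_fatigue(OKTA_MFA_EVENTS))
    print(detect_role_hops(CLOUDTRAIL_EVENTS))
    print(detect_token_reuse(GITHUB_AUDIT))
```

Each detector alone is a SIEM rule; the point of running them in one place is that all three fire on the same identity, so the MFA-fatigue alert, the prod-admin hop and the out-of-network token use read as one escalation rather than three tickets in three queues.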

Video: Inside Identity Security, a red team cybersecurity documentary by Teleport

Integrations at Launch

Identity Activity Center connects signals across your core identity stack:

  • [IdPs] Okta – users, groups & MFA events for rich identity correlation
  • [Code] GitHub – PAT & OAuth activity tied to engineer sessions
  • [Cloud] AWS – CloudTrail + IAM role mapping to trace privilege and access
  • [Infra] Teleport – sessions, RBAC and live audit log

(More IdPs and clouds are on the roadmap. Tell us what you need!)

Teleport Identity Activity Center is available in Teleport 18.

See It Live: 30‑July Webinar

Join us on July 30 at 10 a.m. PT for “The 2‑Minute Investigation: How Teleport Identity Security Sees What Your SIEM Can’t”.

We’ll recreate the coffee‑shop incident, then solve it before your latte cools.

Register here »


Ready to shrink false‑positive Fridays?

Grab a free 14-day trial of Teleport Identity Security and watch your #security‑incident channels quiet down.
