Speedrun Incident Investigations Across GitHub, AWS, Okta, and More

by Jack Pitts Sep 5, 2025

Security teams spend hours stitching together logs from disconnected systems during investigations. Learn how to get clarity in minutes by tracing identity signals across everything in your stack.

The Problem: Investigations Drag On

A valid token is discovered by a security researcher. Maybe a personal access token was leaked in GitHub, or an AWS access key is lighting up AWS CloudTrail.

You open your logs, parse through fragmented audit data, pivot between your IdP, cloud infrastructure, and source control systems, and start scripting queries to understand scope and blast radius. Hours, even days can go by without clear answers.

But what if this entire investigation could be condensed into two minutes?

In this blog, we’ll walk through three examples demonstrating how chaining identity activity across systems can accelerate investigations, expose hidden access pathways, and cut through the noise of modern infrastructure.

Traditional Tools Can’t Find Hidden Risks

Before we dive into examples, let’s talk about why traditional tooling makes investigations so painful.

Developers and services interact with systems through identity providers (IdPs), bastions, access gateways, cloud consoles, API keys, service accounts, and CI/CD pipelines. Each of these components logs activity in its own format, with different naming conventions, timestamps, and levels of detail.

When incidents happen, these fragmented “incident buckets” make investigations time-consuming and error-prone, even with a SIEM or CNAPP in place.

SIEMs aggregate, but don’t correlate

SIEMs are great at collecting logs, but they treat identity data as just another signal. They don’t natively understand how identities are structured, how privileges are inherited, or how relationships form across systems.

That means they struggle to answer questions like:

  • How did this user obtain access to a production database?
  • What group membership changes preceded the incident?
  • Is this token linked to a known identity?

Answering these requires manual correlation across multiple log types and lots of detective work.

CNAPPs reveal what could happen, not what did

Cloud-Native Application Protection Platforms (CNAPPs) shine at finding misconfigurations and policy violations. But there’s a catch: they show what could happen, not what did.

For example, if a developer can access an S3 bucket, your CNAPP flags it. But if that developer actually used that access for malicious activity, the CNAPP won’t tell you when, how, or through which chain of roles or tokens.

The result: Wasted hours, missed context

Security teams spend hours manually correlating logs and often miss critical context. This is where Teleport comes in, bridging the gap by unifying and interpreting identity behavior in real time across your full stack.

Teleport Identity Security in Action

Let’s examine how this works in common scenarios. Below are three investigation challenges security teams face every day, each with an explanation of how Teleport Identity Security turns hours of manual effort into clarity in minutes.

1. Investigating a leaked GitHub token

A GitHub PAT (personal access token) is reported as publicly exposed. The token has potential access to AWS resources via GitHub Actions.

Before Teleport, the investigation took 14 hours, four engineers, and countless manual scripts stitching together GitHub logs, AWS CloudTrail events, and SIEM data.

With Teleport, the investigation took two minutes.

Paste the suspicious key into the Identity Activity Center, and Teleport instantly correlates activity across GitHub, AWS, and your IdP, showing everything in a single timeline. In this real-world example, investigators learned that:

  • The token was used to enumerate AWS KMS keys.
  • API activity originated from a Kali Linux user agent.
  • Actions included uploading objects to an ECR repository.

Armed with this view, the team quickly locked the associated identity, closing the window of opportunity for adversaries in minutes, not hours.

2. Tracing identity across distinct systems

Infrastructure is complicated. (Accurately) tracking activity across your environment with traditional tools is next to impossible.

For example, an identity might start in Okta, assume an AWS IAM role, and then interact with multiple internal services. Traditional tools treat each of these steps as disconnected events, offering no way to bridge related events outside of manual correlation.

Teleport quickly reconstructs incidents with AI-generated timelines, tracing identity activity by user, resource, or time across traditionally fragmented systems – including Okta, AWS, GitHub, and more.

In a recent red team exercise, attackers exploited an Okta service account. The investigation revealed that:

  • Initial access came from a non-human identity in Okta.
  • The attacker assumed an AWS role via an external trust relationship.
  • That role was then used to access sensitive cloud infrastructure.

With classic tools, this would’ve looked like a puzzle missing half its pieces. With Teleport, investigators saw the entire identity journey in one traceable view, identifying the origin and extent of the intrusion in minutes.
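The correlation that the "SIEMs aggregate, but don't correlate" section and the first two scenarios describe can be shown in code: normalize events from three sources with different field names and timestamp formats into one shape, then pivot from a single seed (a leaked access key ID) through every identifier it shares with other events until the whole chain (Okta sign-in, GitHub token use, AWS AssumeRole, KMS enumeration) is on one timeline. This is an added example, not Teleport's code or the Identity Activity Center's logic; the events are constructed to resemble the public Okta System Log, GitHub audit log and CloudTrail shapes, every ID, key, ARN and address is made up, and the rule that `ci-deploy@example.com` in Okta is the same principal as `ci-deploy` in GitHub and AWS is an assumption this example makes.

```python
"""Added example (not Teleport's code): build one identity timeline from Okta,
GitHub and AWS CloudTrail audit events and pivot from a leaked access key."""
from collections import deque
from datetime import datetime, timezone

# Constructed sample events, loosely shaped after each source's log format.
# Every id, key, ARN, name and address below is made up for this example.
OKTA_SYSTEM_LOG = [
    {"published": "2025-09-05T13:58:02.000Z", "eventType": "user.authentication.sso",
     "actor": {"id": "00u_example", "alternateId": "ci-deploy@example.com", "type": "User"},
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"}},
]
GITHUB_AUDIT_LOG = [
    {"@timestamp": 1757080742000, "action": "git.clone", "actor": "ci-deploy",
     "programmatic_access_type": "user programmatic access token",
     "token_id": "pat_example_01", "actor_ip": "203.0.113.10"},
]
CLOUDTRAIL = [
    {"eventTime": "2025-09-05T14:00:15Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.0 Linux/6.1 Kali",
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::123456789012:assumed-role/ProdAdmin/ci-deploy"}}},
    {"eventTime": "2025-09-05T14:00:20Z", "eventName": "ListKeys", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ProdAdmin/ci-deploy"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.0 Linux/6.1 Kali"},
    # Unrelated activity by another user, which must NOT be pulled into the timeline.
    {"eventTime": "2025-09-05T09:11:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000009", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.0"},
]


def canonical_user(name):
    """Assumption: one person is 'ci-deploy@example.com' in Okta and 'ci-deploy'
    in GitHub/AWS, so strip the mail domain and lowercase to reconcile naming."""
    return name.split("@")[0].lower()


def normalize():
    """Flatten each source into a common record: timestamp, source, action,
    the identity signals that can link systems, plus IP and user agent."""
    events = []
    for e in OKTA_SYSTEM_LOG:
        ts = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append({"ts": ts, "source": "okta", "action": e["eventType"],
                       "signals": {canonical_user(e["actor"]["alternateId"])},
                       "ip": e["client"]["ipAddress"], "agent": ""})
    for e in GITHUB_AUDIT_LOG:
        ts = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)  # epoch millis
        events.append({"ts": ts, "source": "github", "action": e["action"],
                       "signals": {canonical_user(e["actor"]), e["token_id"]},
                       "ip": e["actor_ip"], "agent": ""})
    for e in CLOUDTRAIL:
        ts = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        ident = e["userIdentity"]
        signals = {ident["accessKeyId"]}
        if "userName" in ident:
            signals.add(canonical_user(ident["userName"]))
        if "arn" in ident:
            signals.add(ident["arn"])
        assumed = e.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")
        if assumed:
            signals.add(assumed)  # ties the AssumeRole call to later calls made with that role
        events.append({"ts": ts, "source": "aws", "action": e["eventName"],
                       "signals": signals, "ip": e["sourceIPAddress"], "agent": e["userAgent"]})
    return events


def investigate(seed, events=None):
    """From one signal (key id, token id, user, role ARN) collect every event that
    shares it, then every event sharing *their* signals, and so on (a BFS over
    the identity graph). Returns the linked events in time order."""
    events = normalize() if events is None else events
    known, queue, linked = {seed}, deque([seed]), []
    while queue:
        sig = queue.popleft()
        for ev in events:
            if sig in ev["signals"] and ev not in linked:
                linked.append(ev)
                for s in ev["signals"] - known:
                    known.add(s)
                    queue.append(s)
    return sorted(linked, key=lambda ev: ev["ts"])


def summarize(timeline):
    """Blast-radius summary a responder reads first: systems touched, ordered
    actions, roles assumed, and user agents worth a second look."""
    return {
        "systems": sorted({ev["source"] for ev in timeline}),
        "actions": [f'{ev["source"]}:{ev["action"]}' for ev in timeline],
        "roles_assumed": sorted({s for ev in timeline for s in ev["signals"] if ":assumed-role/" in s}),
        "unusual_agents": sorted({ev["agent"] for ev in timeline if "kali" in ev["agent"].lower()}),
    }


if __name__ == "__main__":
    for ev in investigate("AKIAEXAMPLE000000001"):
        print(ev["ts"].isoformat(), ev["source"], ev["action"], ev["ip"])
    print(summarize(investigate("AKIAEXAMPLE000000001")))
```

The transitive pivot is what distinguishes correlation from aggregation: the seed key appears only in the AssumeRole event, but that event carries the username and the assumed-role ARN, which in turn pull in the Okta sign-in, the GitHub clone and the KMS enumeration, while the other user's S3 activity stays out because it shares no identity signal. Source IP is carried along for display but deliberately not used as a pivot, since shared egress addresses would over-link unrelated identities.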

3. Discovering hidden access paths and privileges

Access sprawl is a hidden but massive risk in cloud-native environments. Engineers often belong to multiple groups, each granting new privileges across systems like AWS, Kubernetes, databases, or GitHub. The result is more access than anyone truly realizes.

Teleport Identity Security visualizes these access relationships, exposing previously hidden paths and privileges.

A common early discovery is wildcard privileges, such as roles whose wildcard patterns grant access to every production resource. Another frequent finding is orphaned SSH keys, often left behind by decommissioned CI pipelines or former employees.

In one customer deployment, Teleport detected:

  • Two engineers with maintainer access to all their GitLab repos
  • Over-privileged roles granting broad AWS access
  • SSH keys configured for root login that were missed during deprovisioning

This feature makes it more efficient to audit access across IdPs, roles, and cloud accounts all from one place. Query specific users, invert the view to start from sensitive resources, and determine exactly who has access and how.
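The access-path audit described in this scenario (walk user to group to role to grant, invert it to start from a sensitive resource, and flag wildcard grants and SSH keys whose owner is gone) can be modelled with a small access graph. This is an added example, not Teleport's code or data model; the users, groups, roles, grants and hosts below are a constructed inventory, and the way wildcard scope is classified is this example's own rule.

```python
"""Added example (not Teleport's code): a toy access graph that answers
'who can reach this resource, and through which chain?' and surfaces
wildcard grants and SSH keys left behind after offboarding."""
from fnmatch import fnmatch

# Constructed inventory; every name, group, role, pattern and host is made up.
USERS = {                       # user -> groups (directory / IdP memberships)
    "alice": ["backend", "gitlab-maintainers"],
    "bob": ["gitlab-maintainers"],
    "carol": ["backend"],
}
GROUPS = {                      # group -> roles inherited through membership
    "backend": ["deploy"],
    "gitlab-maintainers": ["gitlab-maintain-all"],
}
ROLES = {                       # role -> (system, resource pattern, permission)
    "deploy": [("aws", "arn:aws:s3:::app-artifacts/*", "write")],
    "gitlab-maintain-all": [("gitlab", "repo/*", "maintainer")],
    "prod-admin": [("aws", "*", "*")],   # bound to nobody here, still a finding
}
SSH_AUTHORIZED_KEYS = {         # host -> (login account, key owner from comment)
    "prod-db-1": [("root", "ci-legacy"), ("alice", "alice")],
    "build-3": [("deploy", "carol")],
}


def access_paths(user):
    """Every user -> group -> role -> grant chain for one user (the forward view)."""
    paths = []
    for group in USERS.get(user, []):
        for role in GROUPS.get(group, []):
            for system, pattern, perm in ROLES.get(role, []):
                paths.append((user, group, role, system, pattern, perm))
    return paths


def who_can_reach(system, resource):
    """Inverted view: start from a concrete resource and walk back to every
    user whose grant pattern matches it, keeping the full chain as evidence."""
    return [path for user in USERS for path in access_paths(user)
            if path[3] == system and fnmatch(resource, path[4])]


def wildcard_grants():
    """Grants with a wildcard in the resource or the permission. A bare '*'
    resource covers the whole system; a prefix wildcard is broad but scoped."""
    findings = []
    for role, grants in ROLES.items():
        for system, pattern, perm in grants:
            if "*" in pattern or perm == "*":
                scope = "entire-system" if pattern == "*" else "prefix"
                findings.append((role, system, pattern, perm, scope))
    return findings


def orphaned_keys(active_users):
    """SSH keys whose owner is not an active user. Keys on the root account are
    the ones most often missed during deprovisioning, so label them separately."""
    findings = []
    for host, keys in SSH_AUTHORIZED_KEYS.items():
        for login, owner in keys:
            if owner not in active_users:
                kind = "root-login" if login == "root" else "user-login"
                findings.append((host, login, owner, kind))
    return findings


if __name__ == "__main__":
    print("who can maintain repo/payments:", who_can_reach("gitlab", "repo/payments"))
    print("wildcard grants:", wildcard_grants())
    print("orphaned keys:", orphaned_keys(set(USERS)))
```

Even on this tiny inventory the inverted query is the useful one: asking who can reach `repo/payments` returns two maintainers who never had that repository named in any policy, which is exactly the "more access than anyone realizes" outcome the text describes. Rather than a hard-coded set, `orphaned_keys` takes the live directory, so the same check can run against a real export of active accounts.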

Why Speed is Everything for Identity Security

Security teams are overwhelmed with tools, alerts, and fragmented data. Teleport Identity Security offers a fundamentally different approach by unifying identity activity across your infrastructure stack.

With identity attacks on the rise, and investigation timelines stretching into hours or days, your team needs a faster way to ask and answer questions like:

  • Who accessed this sensitive database, and how?
  • What’s the full blast radius of this API key?
  • Does this engineer really need access to every repository?

Teleport Identity Security makes these questions answerable in minutes, not hours.

See Teleport Identity Security in Action

For deeper insights, watch our recorded red team documentary to learn how security teams are detecting threats faster with infrastructure-aware identity intelligence.

Inside Identity Security – A Red Team Cybersecurity Documentary by Teleport

Want to try a two-minute investigation on your own infrastructure? Request a complimentary identity security audit from our team.
