THE PROBLEM
Non-human identities, reused local admins, default credentials, and Active Directory attack paths are the real fuel of lateral movement β and they're invisible to vulnerability scans framed around CVEs. The accounts attackers actually ride through your estate never show up on a severity-sorted finding list.
WHAT IT DOES
Janus builds a content-first inventory of every identity in the estate β human and non-human β via a 3-pass content sweep. It flags non-expiring, privileged, guest-enabled, and machine identities, then surfaces what attackers love most: credential reuse, default and blank credentials, AD attack-path exposure, and the coverage gaps (blind hosts) where it can't see at all.
KEY CAPABILITIES
- Identity discovery + classification β a 3-pass content sweep over plugin output finds human and non-human identities alike β service accounts, machine identities, the NHI population no CMDB tracks β and classifies each one.
- Risk flags from identity plugins β non-expiring passwords, privileged and guest-enabled accounts, default/blank credentials, and password-auth SSH, each flagged from specific plugin evidence rather than inference.
- Correlation layer β names your crown-jewel identities (privileged accounts on KEV/critical-exposed hosts) and surfaces credentials reused across five or more hosts β the exact fuel of lateral movement.
- Provenance columns β every identity claim traces back to the plugin that produced it, so IAM teams can verify a finding before acting on it instead of trusting a black box.
- Coverage-gap headline β blind and uncredentialed hosts lead the report rather than hiding in a footnote, so silence is never mistaken for safety.
- Gated tagging β identity risk becomes taggable, routable work β proposed and human-approved, like every write in the pack.
HOW IT WORKS
Janus runs against the local navi.db built from your Tenable data: the vulns plugin family and output, plus specific identity plugins (83303, 10860, 41028, 10859, 149334, 17651). All writes are proposed, human-approved, and logged.
WHY IT'S DIFFERENT
- Identity risk from vuln data you already collect β no extra agent, no new deployment, no separate identity scanner.
- It's the biggest single feeder to attack-path analysis β the credential pivots Fenrir chains come from Janus.
- Honest coverage-gap headline: Janus leads with what it can't see, so you never mistake silence for safety.
- Evidence-first with provenance β every claim traces to a plugin, so IAM teams can verify before they act.
PROOF POINTS
- Discovers and classifies identities across a reference environment of 268 mixed RHEL/Windows assets β including the non-human identities no CVE list mentions.
- Correlates privileged identities with KEV/critical exposure to name your crown-jewel identities, and flags credentials reused across 5 or more hosts. Honest caveat: signals depend on the relevant plugins being present in your scans β validate against a known host first. Blind and uncredentialed hosts are called out, not hidden.
WORKS BETTER WITH
Janus is Fenrir's biggest feeder β its credential weaknesses become the lateral-movement pivots in ranked attack paths β and it drives Anubis ACR calibration so identity-critical assets get the priority they deserve.
WHO IT'S FOR
IAM and identity-security teams who need visibility beyond the directory; AD admins hunting reuse and default creds; threat teams tracing the accounts attackers would actually use.
CALL TO ACTION
Ask Janus which doorways are open in your estate β both faces are watching.