This engagement helps organizations clearly answer one question:
Which users can still be phished, where, and why - and what can be fixed using what we already have?
Rather than inventorying identity systems or selling a future-state architecture, we focus on:
How access really happens today
Whether those access paths are phishing-resistant
Whether existing devices, credentials, or workflows can be reused to remove that risk
We examine:
Who needs access to do their jobs (frontline users, knowledge workers, IT admins, vendors)
How access happens in practice (shared terminals, personal devices, VPNs, remote access, cloud apps, admin tools)
What is already being used (badges, phones, passwords, MFA variants, SSO, hardware-backed methods)
How credentials, devices, and access are enrolled, recovered, or changed (new device registration, backup authentication methods, account recovery workflows)
Whether those access paths can be phished, replayed, or abused (including authentication, enrollment, and recovery workflows)
Our default approach: reuse before replacing
In many environments, phishing resistance does not require introducing something new.
Frontline users already carry badges
Office workers already carry phones
Administrators already follow hardened workflows
This assessment prioritizes converting existing tools into phishing-resistant authentication wherever possible — and recommends new controls only when reuse cannot achieve the desired outcome.