Secrets Security
What is Secrets Security?
Secrets Security provides visibility into secrets across cloud environments, source code, and infrastructure. Secret types include API keys, connection strings, certificates, and OAuth tokens.
Security teams can discover, classify, and assess non-human identities and their associated credentials, and map how those credentials contribute to privilege escalation risk through BeyondTrust's True Privilege™ engine.
What does Secrets Security do?
Most secrets visibility tools stop at discovery. Secrets Security goes further by connecting each discovered secret to its effective access paths. Each path shows not just which credentials exist, but who can reach them, how, and with what downstream privilege.
Use Secrets Security to:
- Identify secrets that haven't been rotated within the past year
- Detect plaintext secrets that should be encrypted
- Reduce oversized access audiences (blast radius) on high-value credentials
- Validate effective permissions across all supported providers from a single view
- Trace privilege escalation paths that originate from exposed or overly permissive secrets
The Secrets page
The Secrets dashboard surfaces posture metrics across all connected providers at a glance.
Performance indicators
- Total Discovered Secrets: Count of all secrets detected across integrated providers
- Secrets Not Rotated in 1 Year: Credentials that have exceeded the recommended rotation window
- Provider breakdown: Distribution of secrets by source (AWS, Azure, GCP, GitHub, BeyondTrust)
Breadth of Access
Secrets are grouped by accessor count to surface credentials with the widest effective reach. This view helps prioritize remediation by identifying which secrets, if compromised, would expose the most identities or resources.
Direct vs. True Access
- Direct access: Configured grants. Explicit permissions assigned to an identity.
- True access: Effective runtime access. Permissions derived through role chaining, group membership, policy inheritance, and other escalation paths.
The gap between direct and true access indicates where privilege has grown beyond what was intentionally configured.
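The direct/true distinction, the blast-radius grouping described under Breadth of Access, and the "not rotated in a year" check are easiest to see on a small graph. The following is an added illustration, not BeyondTrust code: it assumes a toy data model (group memberships, assumable-role edges, direct grants on secrets, and a last-rotation timestamp) and computes which users can reach a secret only through group membership or role chaining, which is exactly the gap the paragraph above describes. All identities, roles, and secrets are constructed sample data.

```python
"""Toy model of direct vs. true (effective) access to secrets.

Added example, not BeyondTrust code. The data model below is an assumption:
the product's real graph sources these relationships from connected providers.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample edges a principal can traverse without presenting a new credential.
# MEMBER_OF: user -> groups it belongs to; CAN_ASSUME: principal -> roles it may assume.
MEMBER_OF = {
    "alice": {"devs"},
    "bob": {"devs", "ops"},
    "carol": set(),
    "ci-runner": set(),
}
CAN_ASSUME = {
    "ops": {"role/deploy-admin"},
    "ci-runner": {"role/deploy-admin"},
    "role/deploy-admin": {"role/secrets-reader"},  # role chaining
}

# Constructed sample secrets: explicit (direct) grants plus last rotation time.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SECRETS = {
    "prod/db-password": {
        "direct_grants": {"carol", "role/secrets-reader"},
        "last_rotated": NOW - timedelta(days=400),
    },
    "prod/api-key": {
        "direct_grants": {"devs"},
        "last_rotated": NOW - timedelta(days=30),
    },
}


def reachable_principals(start):
    """Every principal `start` can act as: itself, its groups, and any role chain (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        p = queue.popleft()
        for nxt in MEMBER_OF.get(p, set()) | CAN_ASSUME.get(p, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def direct_accessors(secret_name, users):
    """Users named explicitly in the secret's grants (direct access)."""
    grants = SECRETS[secret_name]["direct_grants"]
    return {u for u in users if u in grants}


def true_accessors(secret_name, users):
    """Users whose effective reach intersects the grants (true access)."""
    grants = SECRETS[secret_name]["direct_grants"]
    return {u for u in users if reachable_principals(u) & grants}


def rotation_overdue(secret_name, max_age_days=365, now=NOW):
    """True when the secret has not been rotated within the window."""
    return now - SECRETS[secret_name]["last_rotated"] > timedelta(days=max_age_days)


def posture_report(users=None):
    """Per-secret view: direct vs. true accessors, the gap, blast radius, rotation state."""
    users = users or sorted(MEMBER_OF)
    report = {}
    for name in SECRETS:
        direct = direct_accessors(name, users)
        effective = true_accessors(name, users)
        report[name] = {
            "direct": sorted(direct),
            "true": sorted(effective),
            "escalated_only": sorted(effective - direct),  # the direct/true gap
            "blast_radius": len(effective),                # accessor count
            "rotation_overdue": rotation_overdue(name),
        }
    return report


if __name__ == "__main__":
    for secret, row in posture_report().items():
        print(secret, row)
```

In the sample, `prod/db-password` is granted only to `carol` and to `role/secrets-reader`, yet `bob` (via `ops`) and `ci-runner` reach it through the `deploy-admin` to `secrets-reader` chain, so its true accessor count is three against one direct grant; sorting secrets by `blast_radius` reproduces the Breadth of Access grouping.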
Secrets Inventory
The Secrets Inventory is a full catalog of discovered secrets with filtering and detailed per-secret analysis.
Inventory metrics
- Lifecycle: Active, inactive, or unknown status for the credential.
- Rotation status: Whether the secret has been rotated, and when.
- Total accessors: Number of identities with any form of access to the secret.
- Secret Path: Graph visualization of all paths through which the secret can be reached.
Secret graph
The Secret graph visualizes the full relationship between a secret and the identities, roles, and resources that can access it.
Graph features:
- Auto-grouped connections: Related nodes are collapsed into groups to reduce visual complexity on large graphs
- Path highlighting: Select a path to trace it end-to-end through the graph
- Fit-to-view controls: Resize and reframe the graph to the current selection
- Escalation path highlighting: Privilege escalation paths are highlighted in orange
- AI-powered Explain Path: Generates a plain-language explanation of how a selected path grants access
- Direct link to AWS console: ARN nodes link directly to the corresponding resource in the AWS console
Supported providers
| Provider | Coverage |
|---|---|
| AWS Secrets Manager | Full access path mapping; IAM, Identity Center, and Bedrock relationships |
| AWS SSM Parameter Store | Parameter classification (String, StringList, SecureString); secret identification |
| Azure Key Vault | Secret visibility and access analysis |
| GCP Secret Manager | Full resource hierarchy; inherited permissions; Vertex AI agent access |
| GitHub | Code scanning alerts; escalation entitlements for exposed AWS credentials |
| BeyondTrust PRA | Vaulted accounts |
| BeyondTrust Password Safe | Managed accounts |
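The SSM Parameter Store row (classification by String, StringList, SecureString, then secret identification) and the earlier use case "detect plaintext secrets that should be encrypted" describe the same check: a parameter that looks like a secret but is stored as a plaintext type. The block below is an added example, not BeyondTrust code; the parameter records are constructed (the shape loosely follows SSM's Name/Type/Value fields, the values are fake, and the access key id is AWS's documented example value), and the name hints and value shapes are an assumed, deliberately small rule set.

```python
"""Flag secret-like parameters stored as plaintext String/StringList.

Added example, not BeyondTrust code. Sample records and rule set are constructed.
"""
import re

# Constructed sample parameters; values are fake.
PARAMETERS = [
    {"Name": "/app/prod/db_password", "Type": "String", "Value": "not-a-real-password"},
    {"Name": "/app/prod/db_password_enc", "Type": "SecureString", "Value": "(encrypted)"},
    {"Name": "/app/prod/region", "Type": "String", "Value": "us-east-1"},
    {"Name": "/app/prod/allowed_hosts", "Type": "StringList", "Value": "a.example,b.example"},
    {"Name": "/ci/deploy", "Type": "String", "Value": "AKIAIOSFODNN7EXAMPLE"},
]

# Assumed rule set: parameter names that usually hold credentials ...
SECRET_NAME_HINTS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I
)
# ... and value shapes that identify a credential regardless of its name.
SECRET_VALUE_SHAPES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("pem-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

PLAINTEXT_TYPES = ("String", "StringList")  # SecureString is KMS-encrypted at rest


def classify(param):
    """Return (is_secret, reasons) for one parameter record."""
    reasons = []
    if SECRET_NAME_HINTS.search(param["Name"]):
        reasons.append("name-hint")
    for label, pattern in SECRET_VALUE_SHAPES:
        if pattern.search(param["Value"]):
            reasons.append(label)
    return bool(reasons), reasons


def plaintext_secret_findings(params=PARAMETERS):
    """Secret-like parameters whose type offers no encryption: rotate and move to SecureString."""
    findings = []
    for p in params:
        is_secret, reasons = classify(p)
        if is_secret and p["Type"] in PLAINTEXT_TYPES:
            findings.append({"name": p["Name"], "type": p["Type"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in plaintext_secret_findings():
        print(f)
```

The SecureString copy of the database password is classified as a secret too but produces no finding, because the check is about storage type, not presence; the `/ci/deploy` parameter is caught purely on value shape, which is why a name-only rule set is not enough.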