Security Posture Dashboard

Select a maturity level for each pillar by navigating to its section. Your overall posture is visualised below. Click any pillar card to jump to its detail view.

  • PILLAR 01: Secure Credentials
  • PILLAR 02: Minimise Attack Surface
  • PILLAR 03: Control Applications
  • PILLAR 04: Monitor & Audit
  • PILLAR 05: Detect & Respond
[Chart: Coverage Maturity. Each pillar (Secure Credentials, Minimise Attack Surface, Control Applications, Monitor & Audit, Detect & Respond) is scored 1 to 5; Overall Score is out of 25.]

Product Module Key
  • Secret Server
  • Privilege Manager
  • DevOps Secrets Vault
  • Connection Manager
  • Account Lifecycle Mgr
  • Cloud Suite
Maturity Scale Reference
  • Level 1: Initial
    Ad hoc processes. No formal controls. Reactive posture only.
  • Level 2: Developing
    Basic tooling deployed. Some policies exist. Inconsistent enforcement.
  • Level 3: Defined
    Consistent controls. Policies documented and enforced across most assets.
  • Level 4: Managed
    Measured outcomes. Automation in place. Regular review cycles.
  • Level 5: Optimising
    Continuous improvement. Threat-led. Integrated across entire org.
01

Secure Credentials

Privileged credentials are the primary target in over 80% of breaches. This pillar focuses on eliminating credential sprawl, enforcing vaulting, rotating secrets automatically, and ensuring no standing access persists beyond its need.

Why it matters: Credential theft — through phishing, pass-the-hash, Kerberoasting, and lateral movement — is the root cause of most enterprise breaches. Vaulting, rotation, and just-in-time access directly cut attacker dwell time and blast radius.
Attack Techniques
MITRE ATT&CK Mapped
  • TA0006
    Credential Dumping T1003
    LSASS extraction, SAM database access, DCSync attacks
  • TA0006
    Kerberoasting / AS-REP Roasting T1558
    Offline cracking of service account tickets
  • TA0008
    Pass-the-Hash / Pass-the-Ticket T1550
    Reuse of credential hashes without needing plaintext
  • TA0003
    Hardcoded & Embedded Secrets T1552
    Credentials in code repos, scripts, config files
  • TA0001
    Brute Force / Password Spray T1110
    Systematic credential guessing at scale
  • TA0006
    Unsecured Credentials in Files T1552.001
    Passwords stored in text files, spreadsheets, wikis
Delinea Features
Product-to-Control Mapping
  • Secret Server
    Centralised PAM Vault
    Eliminates credential sprawl. Single authoritative store for all privileged accounts with granular RBAC.
  • Secret Server
    Automated Password Rotation
    Scheduled & event-driven rotation. Immediate rotation on suspected compromise. Zero standing access.
  • Secret Server
    Just-in-Time (JIT) Access
    Request–approve–expire workflow. Ephemeral credentials with automatic revocation.
  • DevOps Secrets Vault
    Secrets Injection for Pipelines
    Removes hardcoded secrets from CI/CD. Dynamic secrets delivered at runtime via API.
  • Account Lifecycle Mgr
    Account Discovery & Governance
    Discovers unmanaged accounts. Automates provisioning/deprovisioning tied to HR systems.
  • Cloud Suite
    Cloud Identity Vaulting
    Manages AWS/Azure/GCP service principals, IAM roles, and API keys within unified policy.
Maturity Measurement
Select your current level
  • Level 1: Initial
    Passwords stored in spreadsheets/notes. No vault. Shared accounts. No rotation policy.
  • Level 2: Developing
    PAM vault deployed for some admin accounts. Manual rotation. Partial discovery.
  • Level 3: Defined
    All privileged accounts vaulted. Automated rotation. JIT requests for most systems.
  • Level 4: Managed
    Full vault coverage incl. DevOps secrets. Metrics on rotation compliance >95%. Zero standing access enforced.
  • Level 5: Optimising
    Ephemeral credentials everywhere. Continuous discovery. Breach-trigger auto-rotation. Integrated threat intel.
02

Minimise Attack Surface

Reducing the available attack surface limits an adversary's options after initial access. This pillar covers least-privilege access, removal of local admin rights, session brokering, and cutting unnecessary entitlements.

Why it matters: Excessive privilege is a force multiplier for attackers. When every endpoint has local admin and every user has global rights, lateral movement is trivial. Least-privilege enforcement directly reduces the blast radius of any compromise.
Attack Techniques
MITRE ATT&CK Mapped
  • TA0004
    Privilege Escalation via Local Admin T1068
    Exploiting local admin rights to escalate to SYSTEM or Domain
  • TA0008
    Lateral Movement with Over-Privileged Accounts T1021
    Using broad entitlements to pivot across network segments
  • TA0003
    Abuse of Remote Services T1021.001
    RDP, WinRM, SSH exploitation leveraging excessive rights
  • TA0005
    Access Token Manipulation T1134
    Token impersonation enabled by unconstrained delegation
  • TA0006
    Dormant / Orphaned Account Exploitation T1078
    Valid accounts that were never deprovisioned
Delinea Features
Product-to-Control Mapping
  • Privilege Manager
    Local Admin Removal (LAPS+)
    Removes persistent local admin rights. Elevates only specific approved tasks without broad rights.
  • Privilege Manager
    Least-Privilege Policies
    Endpoint privilege policies enforce minimum required access. Policy-based elevation with justification.
  • Secret Server
    Session Brokering / Proxying
    Users connect to systems through an authenticated session broker without ever seeing credentials.
  • Account Lifecycle Mgr
    Entitlement Reviews & Certification
    Regular access reviews. Automatic deprovisioning of orphaned accounts. SoD enforcement.
  • Cloud Suite
    Cloud Privilege Right-sizing
    Analyses and reduces over-permissioned cloud IAM roles. Enforces least-privilege cloud entitlements.
Maturity Measurement
Select your current level
  • Level 1: Initial
    Universal local admin. No privilege model. Standing access to all systems.
  • Level 2: Developing
    Local admin removed from some endpoints. Partial session brokering. Basic access reviews.
  • Level 3: Defined
    Enterprise-wide least-privilege policy. All remote sessions brokered. Quarterly entitlement reviews.
  • Level 4: Managed
    Measured privilege creep score. Automated deprovisioning. Cloud right-sizing active. SoD enforced.
  • Level 5: Optimising
    Zero-standing-privilege everywhere. Continuous entitlement intelligence. Privilege analytics feeding risk scores.
03

Control Applications

Application control prevents malware, ransomware, and unauthorised tools from executing. This pillar covers allowlisting, application behaviour policies, and preventing living-off-the-land (LotL) attack techniques.

Why it matters: Modern attackers abuse trusted system tools (PowerShell, WMI, certutil) rather than dropping custom malware. Application control that understands behaviour — not just signatures — stops these techniques before they cause damage.
Attack Techniques
MITRE ATT&CK Mapped
  • TA0002
    Malicious Script Execution T1059
    PowerShell, cmd, VBScript abuse for payload delivery
  • TA0005
    Living-off-the-Land (LotL) T1218
    mshta, regsvr32, certutil, rundll32 abuse to evade AV
  • TA0002
    Ransomware Execution T1486
    Encryption binaries launched with privilege
  • TA0005
    DLL Side-Loading / Hijacking T1574
    Malicious DLLs loaded by trusted application processes
  • TA0003
    Software Supply Chain Compromise T1195
    Trojanised software updates and dependencies
Delinea Features
Product-to-Control Mapping
  • Privilege Manager
    Application Allowlisting
    Trust-based execution control. Only approved apps run. Reputation-based auto-allow for trusted publishers.
  • Privilege Manager
    Application Behaviour Policies
    Block/allow based on process lineage, file hash, publisher cert, path, and network destination.
  • Privilege Manager
    Greylisting & Sandbox Elevation
    Unknown apps enter a sandbox mode. Approval workflow for new software requests.
  • Privilege Manager
    LotL Technique Blocking
    Specific policies to block known LotL execution paths. Restricts dangerous interpreter invocation.
  • Secret Server
    Launcher-based Session Control
    Privileged sessions launched only via approved launchers — prevents arbitrary client execution.
Maturity Measurement
Select your current level
  • Level 1: Initial
    No application control. AV only. Users can run any application.
  • Level 2: Developing
    Basic blocklisting. Some high-risk paths blocked. No allowlisting.
  • Level 3: Defined
    Allowlisting on critical endpoints. LotL paths restricted. Approval workflow for new apps.
  • Level 4: Managed
    Enterprise-wide allowlisting. Behaviour-based policies. Block rate metrics tracked. Supply chain controls.
  • Level 5: Optimising
    Zero-trust app execution. AI-driven reputation scoring. Continuous policy tuning fed by threat intel.
04

Monitor & Audit

Comprehensive visibility across privileged sessions, credential usage, and access patterns is essential for compliance, forensic investigation, and real-time threat detection. This pillar ensures every privileged action leaves an immutable trace.

Why it matters: The average breach dwell time before detection exceeds 200 days. Without session recording and privilege event logging, organisations cannot detect insider threats, satisfy auditors, or reconstruct what an attacker did post-compromise.
Attack Techniques
MITRE ATT&CK Mapped
  • TA0005
    Log Tampering & Deletion T1070
    Clearing event logs to cover tracks post-compromise
  • TA0009
    Exfiltration over Privileged Sessions T1048
    Data theft conducted through unmonitored admin connections
  • TA0003
    Insider Privilege Abuse
    Legitimate users accessing systems beyond their role without detection
  • TA0009
    Undetected Long-Term Presence T1078
    APT persistence via valid accounts with no session visibility
  • TA0005
    Audit Trail Gaps for Compliance
    Missing records enabling regulatory violations and failed audits
Delinea Features
Product-to-Control Mapping
  • Secret Server
    Session Recording & Playback
    Full video and keystroke capture of all privileged sessions. Tamper-proof storage with searchable metadata.
  • Secret Server
    Privilege Event Audit Trail
    Immutable log of every secret view, checkout, rotation, and access request. Exportable for SIEM.
  • Connection Manager
    Session Metadata Enrichment
    Enriches connection logs with user identity, target, duration, and commands run. Feeds SIEM/SOAR.
  • Privilege Manager
    Endpoint Privilege Event Logging
    Logs every elevation event, blocked application, and policy exception across all endpoints.
  • Secret Server
    Compliance Reporting (SOX, PCI, HIPAA)
    Pre-built reports for major compliance frameworks. Access certification evidence packaging.
Maturity Measurement
Select your current level
  • Level 1: Initial
    No session recording. Logs scattered and inconsistent. No SIEM integration.
  • Level 2: Developing
    Some sessions recorded. Basic audit log. SIEM receives partial data.
  • Level 3: Defined
    All privileged sessions recorded. Centralised audit trail. Compliance reports available.
  • Level 4: Managed
    Searchable session recordings. Anomaly detection active. Full SIEM/SOAR integration. Regular audit reviews.
  • Level 5: Optimising
    AI-powered session analysis. Real-time behavioural alerts. Zero audit gaps. Forensic-ready architecture.
05

Detect & Respond

Detection capability determines how quickly a breach is identified and contained. This pillar maps Delinea's threat detection features to active attack scenarios — from anomalous session behaviour to credential misuse and privilege abuse indicators.

Why it matters: Every second of dwell time increases breach cost. A mature detect-and-respond capability built around privileged access telemetry can reduce mean-time-to-detect (MTTD) from months to minutes — and automated response cuts remediation from hours to seconds.
Attack Techniques
MITRE ATT&CK Mapped
  • TA0011
    Anomalous Session Activity T1078
    Off-hours logins, impossible travel, unusual command patterns
  • TA0006
    Credential Stuffing / Replay T1110.004
    Repeated authentication attempts with stolen credential lists
  • TA0008
    Lateral Movement Detection Evasion T1021
    Slow, low-volume lateral movement to avoid signature detection
  • TA0040
    Ransomware Pre-indicators
    Mass file access, shadow copy deletion, backup targeting
  • TA0009
    Data Exfiltration via Admin Tools T1041
    Large data transfers through trusted admin channels
Delinea Features
Product-to-Control Mapping
  • Secret Server
    Anomalous Access Alerts
    Rule-based and ML-assisted alerting on unusual checkout patterns, off-hours access, geo-anomalies.
  • Secret Server
    Automated Session Termination
    Policy-driven kill of suspicious active sessions. Instant credential rotation on alert trigger.
  • Privilege Manager
    Endpoint Threat Detection
    Real-time alerts on blocked application events, policy violations, and anomalous elevation requests.
  • Connection Manager
    SIEM/SOAR Event Forwarding
    Structured session event feeds to Splunk, Sentinel, QRadar. Enables playbook automation on PAM events.
  • Secret Server
    Workflow-based Incident Response
    Automated ticket creation, approver notification, and account lockdown integrated with ITSM platforms.
Maturity Measurement
Select your current level
  • Level 1: Initial
    No privileged activity detection. Incidents discovered by accident or third parties.
  • Level 2: Developing
    Manual review of access logs. Basic alerting on failed logins. No automated response.
  • Level 3: Defined
    Automated alerts for key privilege events. SIEM receives PAM data. Defined IR playbook.
  • Level 4: Managed
    Behavioural analytics active. Automated session kill on critical alerts. MTTD measured <4 hrs.
  • Level 5: Optimising
    Threat-intel-driven detection. Fully automated containment. MTTD <15 min. Continuous purple team exercises.