D: Discovery. Map every identity, account, secret, and entitlement across your environment.
A: Analyze. Evaluate risk, visualize access paths, and surface anomalies with AI-driven insights.
R: Remediate. Vault credentials, enforce JIT access, apply MFA, and close security gaps.
T: Track. Maintain immutable audit trails, session recordings, and real-time SIEM integration.
Core principles
Cyclical, Not Linear
DART is designed as a continuous loop. Insights from Track/Audit feed back into Discovery, creating a self-improving security posture that adapts to every change in your environment.
All Identity Types
Covers human accounts, service accounts, machine identities, API keys, AI agents, and non-human identities — across on-premises AD, cloud, and SaaS platforms simultaneously.
Least-Privilege by Default
Every phase is oriented toward reducing the attack surface. From discovering over-provisioned accounts to enforcing just-in-time access, DART operationalizes zero-trust principles.
Compliance-Ready
Built-in alignment to GDPR, NIST, ISO/IEC 27001, CIS, SOC 2, and CSA STAR. Immutable audit logs and session recordings provide forensic-grade evidence for regulators and auditors.
Industry Reality: Over 80% of data breaches involve compromised privileged credentials. Most organizations cannot enumerate all their privileged accounts — let alone monitor them. DART addresses this gap systematically.
Phase 01 · Discovery (CID / PCCE / Secret Server)
Unveiling the Complete Identity Landscape
- Continuous Identity Discovery (CID)
- Privileged Cloud & Endpoint Control (PCCE)
- Secret Server
- Sources: AD / Azure Entra / AWS / Okta / Google
What Discovery covers
Multi-Source Scanning
Connects to Active Directory, Azure/Entra ID, AWS, Google, Okta, Snowflake, Ping Identity, and Workday. Scans run every 12 hours for on-premises AD and every 4 hours for cloud environments.
Human & Non-Human Identities
Enumerates standard users, admins, service accounts, machine identities, API keys, and AI agents — distinguishing internal from external accounts with associated privilege levels.
Group & Entitlement Mapping
Inventories groups, memberships, and the privileges those groups grant — revealing the full scope of administrative access through both direct assignment and nested memberships.
Local Machine Scanning
CID extends to endpoint-level scanning via WMI, mapping local accounts and the domain group memberships that grant rights on individual endpoints across the estate (local machine scanning is currently in beta for PCCE).
Centralized Dashboard
Real-time overview of total accounts, asset counts, entitlements, and identity posture indicators — including inactive accounts, MFA enrollment gaps, and shadow admin counts.
Vaulted vs. Unvaulted
Immediately identifies which privileged accounts are managed through Secret Server's PAM vault and which sit outside the vault and its controls (rotation, check-out, session recording) and therefore remain potential attack vectors.
Likely Findings in Your Environment
Common discoveries that surprise even experienced security teams
- Dormant admin accounts with full domain privileges still active months or years after an employee's departure
- Service accounts running critical applications with passwords that have never rotated — some years old
- Shadow admin accounts that lack direct admin rights but can reset privileged passwords
- API keys and machine credentials embedded in scripts, configs, or CI/CD pipelines with no owner
- AI agent identities with excessive cloud entitlements acquired through automated provisioning
- Privileged accounts not enrolled in MFA, representing open doors to sensitive infrastructure
- Unmanaged local administrator accounts on endpoints outside the PAM vault
- Nested group memberships that inadvertently grant Domain Admin or equivalent rights
- Cloud accounts in AWS or Azure with standing high-privilege access that should be just-in-time
- Third-party vendor accounts with broad access that were never deprovisioned after contract end
Operational implications
Risk Reduction
Every unknown account is a potential lateral movement path for an attacker. Discovery quantifies your actual attack surface — often revealing it is 3–5× larger than assumed.
Operational Impact
Discovery requires connecting identity sources and configuring credentials. Expect an initial surge of findings as dormant accounts surface. Plan triage workflows before enabling scanning at scale.
Compliance
Regulatory frameworks require complete identity inventories. Discovery provides the foundational data for SOC 2, ISO 27001, and NIST CSF access management controls.
Architecture
For on-premises AD, an AD/ITP engine workload must be deployed, and the LDAP certificate configuration verified, before scanning can begin across domain controllers.
Phase 02 · Analysis (Iris AI · Secret Server Analytics · ITDR)
Assessing Risk and Identifying Anomalies with AI
- Iris AI / AIDA
- Access Explorer
- Identity Posture
- ITDR (Identity Threat Detection & Response)
Four privileged account categories
Administrative Accounts
Full administrative privileges across domains or applications (Okta, AD). The highest-risk tier — any compromise gives attackers complete control.
Shadow Admin Accounts
No direct admin rights, but capable of escalating access by resetting privileged passwords or modifying group memberships. Often completely missed by traditional PAM tools, which only see accounts that already hold admin rights.
Privileged Accounts
Broader category of users with significant system-impacting permissions. Risk varies widely — analysis determines which accounts require PAM vaulting vs. enhanced monitoring.
Local Admins
Administrative rights on individual endpoints, granted directly or through nested group memberships. A common lateral movement springboard if left unmanaged.
Analysis capabilities
01 · Access Explorer — Visualizing Hidden Privilege Paths
Interactive flowchart diagrams map every relationship between accounts, groups, assets, and access policies. Reveals how a standard user account can reach Domain Admin through three layers of nested group membership — invisible in any flat report.
02 · AI Risk Scoring — Iris AI Assigns Contextual Risk
Machine learning assigns risk scores to identities based on access patterns, privilege levels, and external threat intelligence. Flags admins lacking MFA, cloud accounts with standing excessive permissions, and unusual AI agent activity before exploitation occurs.
03 · Identity Posture Score — Holistic Security Health
Calculates an overall security posture percentage from automated checks across privileged access and stale access categories. Critical findings, such as exceeding the configured Domain Admin count limit or unresolved shadow admins, are flagged with severity ratings.
04 · ITDR — Behavioral Anomaly Detection
Cross-references authentication logs, session monitoring, and entitlement usage to detect deviations from normal behavior — abnormal login patterns, off-hours access, unusual privilege elevation attempts, or sudden increases in credential usage.
05 · Collections & Trend Analysis — Tracking Change Over Time
Dynamic groupings of accounts update continuously with scan data. Historical trendlines expose spikes in admin account counts that may indicate unauthorized provisioning, policy violations, or compromise events.
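The group-and-entitlement mapping described under Discovery and the privilege-path visualization described for the Access Explorer rest on the same computation: resolving nested group membership transitively and reporting the chain by which a principal reaches a high-value group. The Python below is an added example, not code from Delinea or the Access Explorer; the directory data, the group names and the choice of "Domain Admins" and "Account Operators" as the high-value set are constructed for illustration. It shows the general algorithm (a breadth-first walk over a member-to-parent index with a cycle guard) rather than any one product's scan output.

```python
from collections import deque

# Constructed sample directory (not real data): group -> direct members.
# A member that is itself a key in this dict is a nested group.
GROUP_MEMBERS = {
    "Domain Admins":     ["alice", "Tier0-Ops"],
    "Tier0-Ops":         ["Infra-Oncall", "svc-backup"],
    "Infra-Oncall":      ["bob", "Helpdesk-L2"],
    "Helpdesk-L2":       ["carol"],
    "Account Operators": ["Helpdesk-L2"],
    "Finance-Users":     ["dave", "carol"],
}

# Groups whose membership is treated as privileged (assumed target set).
HIGH_VALUE_GROUPS = {"Domain Admins", "Account Operators"}


def effective_groups(principal, members=GROUP_MEMBERS):
    """Map every group the principal is in (directly or via nesting) to the
    shortest membership chain that gets there, e.g.
    ['carol', 'Helpdesk-L2', 'Infra-Oncall', 'Tier0-Ops', 'Domain Admins']."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, []).append(group)
    found = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for group in parents.get(node, []):
            if group in found:          # already reached: cycle or diamond
                continue
            found[group] = path + [group]
            queue.append((group, found[group]))
    return found


def privilege_paths(principal, members=GROUP_MEMBERS, targets=HIGH_VALUE_GROUPS):
    """Return {high_value_group: 'a -> b -> c'} for the chains that land the
    principal in a target group; an empty dict means no privileged path."""
    return {g: " -> ".join(p) for g, p in effective_groups(principal, members).items()
            if g in targets}


def nesting_depth(principal, group, members=GROUP_MEMBERS):
    """Number of intermediate groups between the principal and the target
    group (0 = direct member, None = not a member at all)."""
    path = effective_groups(principal, members).get(group)
    return None if path is None else len(path) - 2


def shadow_admin_report(members=GROUP_MEMBERS, targets=HIGH_VALUE_GROUPS):
    """Users (leaf principals) that reach a target group only through nesting,
    i.e. the accounts a flat 'members of Domain Admins' report would miss."""
    users = {m for direct in members.values() for m in direct if m not in members}
    report = {}
    for user in sorted(users):
        indirect = {g: p for g, p in privilege_paths(user, members, targets).items()
                    if nesting_depth(user, g, members) > 0}
        if indirect:
            report[user] = indirect
    return report
```

In the constructed data, carol is three groups away from Domain Admins and also one group away from Account Operators (which can reset most non-protected passwords), so she appears in the shadow-admin report twice over, while alice, a direct member, does not appear at all. Against a real directory the member lists would come from an LDAP query of the `member` attribute of each group, and the walk should run once per high-value group rather than per user when the user population is large.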
Common Analysis Findings
What Iris AI and the Access Explorer typically reveal
- Shadow admin paths where standard users can reset the password of a Domain Admin account
- Admins without MFA enrolled on accounts with access to critical infrastructure
- Cloud entitlements far exceeding what any job role legitimately requires
- Privilege escalation paths through nested group memberships spanning 3–5 levels
- Accounts accessing sensitive systems at unusual hours or from unexpected locations
- Service accounts that have accumulated permissions across multiple systems over years
- Security posture scores well below acceptable thresholds — often revealing systemic policy failures
- Active Directory misconfiguration patterns that replicate across hundreds of accounts
Operational implications
Risk Reduction
Analysis transforms a list of accounts into a prioritized risk register. Teams can focus remediation effort on the 5% of accounts that represent 80% of the actual attack surface.
Workflow Impact
Security queries can be scheduled for automated execution, feeding continuous compliance monitoring without manual effort. Expect initial analysis runs to generate a significant backlog of findings requiring prioritization.
Governance
Analysis produces the evidence base required for access certification campaigns, executive risk reporting, and demonstrating least-privilege adherence to external auditors and regulators.
Extends Beyond PAM
By incorporating workforce, developer, and machine identities alongside traditional privileged accounts, analysis provides a genuinely holistic view of identity risk rather than just vault coverage metrics.
Phase 03 · Remediation (CID / PCCE · Secret Server · CIEM)
Turning Analysis Into Concrete Security Action
- Secret Server Vaulting
- JIT Access Controls
- CIEM (Cloud Infrastructure Entitlement Management)
- RBAC & Workflow Approvals
- MFA Enforcement (Duo / Entra)
Remediation capabilities
Credential Vaulting
Privileged credentials are secured within Secret Server using templated secret types for AD accounts, SSH keys, certificates, and more. Access is audited and password rotation policies are enforced automatically.
Just-in-Time Access
Users request elevated privileges for a defined window. Access is granted on approval and automatically revoked on expiry — eliminating standing privileges and dramatically shrinking the window for privilege abuse.
MFA Enforcement
Integrates with Duo and Microsoft Entra to enforce secondary verification before privileged resource access. Administrators can identify and act on every account missing MFA enrollment.
Cloud Entitlement (CIEM)
Applies least-privilege principles across multi-cloud environments, minimizing standing cloud privileges and automatically revoking excessive entitlements identified during analysis.
Threat Response Automation
The Threat Center tracks active cases — brute force attempts, MFA bombing, suspicious behavior — mapped to MITRE ATT&CK. Automated responses include password resets, access denial, and account isolation.
Proactive Alert Configuration
Custom thresholds trigger alerts for inactive admin accounts, password reset events, and access key expiration — enabling security teams to act before gaps are exploited rather than after.
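The ITDR anomaly detection described in the Analysis phase and the Threat Center cases listed above (brute force, MFA bombing, off-hours access) are all sliding-window rules over per-user authentication events. The Python below is an added example, not Delinea's detection logic: it runs three such rules over a constructed authentication log whose line format is invented for this example, tags each alert with the MITRE ATT&CK technique it corresponds to (T1110 Brute Force, T1621 Multi-Factor Authentication Request Generation, T1078 Valid Accounts), and treats the thresholds and the 00:00 to 05:59 UTC off-hours window as assumptions rather than vendor defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authentication log (not real traffic). The key=value format is
# invented for this example; adapt LINE_RE to your IdP's export.
SAMPLE_LOG = """\
2025-06-01T09:02:11Z user=alice src=198.51.100.20 event=login result=success
2025-06-01T02:13:40Z user=bob src=203.0.113.7 event=login result=fail
2025-06-01T02:13:52Z user=bob src=203.0.113.7 event=login result=fail
2025-06-01T02:14:05Z user=bob src=203.0.113.7 event=login result=fail
2025-06-01T02:14:19Z user=bob src=203.0.113.7 event=login result=fail
2025-06-01T02:14:31Z user=bob src=203.0.113.7 event=login result=fail
2025-06-01T02:14:58Z user=bob src=203.0.113.7 event=login result=success
2025-06-01T13:20:01Z user=carol src=198.51.100.44 event=login result=success
2025-06-01T13:20:03Z user=carol src=198.51.100.44 event=mfa_push result=denied
2025-06-01T13:20:40Z user=carol src=198.51.100.44 event=mfa_push result=denied
2025-06-01T13:21:15Z user=carol src=198.51.100.44 event=mfa_push result=denied
2025-06-01T13:21:50Z user=carol src=198.51.100.44 event=mfa_push result=approved
2025-06-01T14:02:11Z user=dave src=198.51.100.9 event=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$")


def parse(line):
    """One log line -> dict with an aware UTC timestamp, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, fail_threshold=5, push_threshold=3, window_s=300, off_hours=range(0, 6)):
    """Sliding-window rules over per-user event streams. Thresholds and the
    off-hours window (00:00-05:59 UTC) are assumptions for this example."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    fails, pushes = defaultdict(deque), defaultdict(deque)
    alerts, fired = [], set()

    def fire(rule, technique, user, ts, detail):
        if (rule, user) in fired:          # one alert per rule per user
            return
        fired.add((rule, user))
        alerts.append({"rule": rule, "technique": technique, "user": user,
                       "ts": ts.isoformat(), "detail": detail})

    def slide(q, ts):
        # Append the new timestamp and drop everything older than the window.
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        return len(q)

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login" and e["result"] == "fail":
            n = slide(fails[user], ts)
            if n >= fail_threshold:
                fire("brute_force", "T1110", user, ts, f"{n} failures in {window_s}s from {e['src']}")
        elif e["event"] == "login" and e["result"] == "success":
            q = fails[user]
            if len(q) >= fail_threshold and (ts - q[0]).total_seconds() <= window_s:
                fire("brute_force_success", "T1110", user, ts, "success right after a failure burst")
            if ts.hour in off_hours:
                fire("off_hours_login", "T1078", user, ts, f"login at {ts:%H:%M} UTC from {e['src']}")
        elif e["event"] == "mfa_push":
            n = slide(pushes[user], ts)     # count every prompt, denied or approved
            if n >= push_threshold:
                fire("mfa_bombing", "T1621", user, ts, f"{n} push prompts in {window_s}s")
            if e["result"] == "approved" and ("mfa_bombing", user) in fired:
                fire("mfa_fatigue_approved", "T1621", user, ts, "prompt approved after a push flood")
    return alerts


def sample_alerts():
    return detect(SAMPLE_LOG.splitlines())
```

The two second-order rules are the ones worth copying: a failure burst that ends in a success, and a push flood that ends in an approval, are the signals that distinguish a compromised account from mere noise, and each is what a Threat Center style automated response (password reset, session termination, access denial) should key on.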
Vulnerabilities Closed During Remediation
Security gaps systematically closed when DART remediation is fully implemented
- Privileged credentials stored in spreadsheets, wikis, or email threads — moved into the vault
- Standing admin access replaced with time-bound JIT workflows requiring approval
- Stale accounts inactive for 30+ days (admin) or 90+ days (standard) flagged and disabled
- Shadow admin pathways removed by modifying group memberships and direct permission grants
- Cloud identities with over-broad IAM roles right-sized through CIEM policy enforcement
- Privileged users without MFA enrolled and enforced before next login cycle
- Unmanaged service account passwords rotated and brought under vault management
- Shadow IT credential usage flagged and rerouted through approved PAM workflows
- Password rotation policies enforced on all vaulted secrets based on account sensitivity
Stale account thresholds
Recommended Inactivity Thresholds: Admin accounts should be flagged after 30 days of inactivity; standard user accounts after 90 days. These thresholds are configurable within identity protection policies and represent industry best-practice baselines; tighten them based on your risk tolerance and regulatory requirements. One practical caveat for Active Directory: the replicated lastLogonTimestamp attribute is only rewritten when its stored value is more than roughly 14 days old (less a small random offset), so inactivity checks built on it cannot resolve finer than about two weeks, and a 30-day threshold is close to the floor of what that attribute can support.
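The stale-account thresholds above, and the never-rotated service account passwords listed under Discovery, both reduce to comparing AD timestamp attributes against a policy. The Python below is an added example, not Delinea's policy engine: it converts the 64-bit FILETIME values that lastLogonTimestamp and pwdLastSet are stored as, applies the page's 30/90-day inactivity thresholds, and adds a 365-day password-age limit that is an assumption for this example. The account records are constructed, not exported from a real directory.

```python
from datetime import datetime, timedelta, timezone

# Inactivity thresholds from the page; the rotation age is an assumption.
ADMIN_INACTIVITY_DAYS = 30
STANDARD_INACTIVITY_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 365

# AD stores lastLogonTimestamp / pwdLastSet as 64-bit FILETIME: 100-ns ticks
# since 1601-01-01 UTC. 0 means "never" (for pwdLastSet also "must change").
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME -> aware UTC datetime, using integer arithmetic to avoid
    float rounding at 1e17 magnitudes. 0/None -> None."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility


def constructed_accounts():
    """Sample records shaped like AD attributes; names and values are invented."""
    def ago(days):
        return datetime_to_filetime(NOW - timedelta(days=days))
    return [
        {"sAMAccountName": "alice",      "admin": True,  "lastLogonTimestamp": ago(5),   "pwdLastSet": ago(20)},
        {"sAMAccountName": "bob",        "admin": True,  "lastLogonTimestamp": ago(45),  "pwdLastSet": ago(10)},
        {"sAMAccountName": "carol",      "admin": False, "lastLogonTimestamp": ago(45),  "pwdLastSet": ago(30)},
        {"sAMAccountName": "dave",       "admin": False, "lastLogonTimestamp": ago(120), "pwdLastSet": ago(100)},
        {"sAMAccountName": "svc-backup", "admin": False, "lastLogonTimestamp": ago(1),   "pwdLastSet": ago(1500)},
        {"sAMAccountName": "svc-legacy", "admin": True,  "lastLogonTimestamp": 0,        "pwdLastSet": 0},
    ]


def classify(account, now=NOW):
    """Return the list of findings for one account (empty list = healthy).
    Admins get the tighter inactivity limit; everyone gets the rotation check."""
    findings = []
    limit = ADMIN_INACTIVITY_DAYS if account["admin"] else STANDARD_INACTIVITY_DAYS
    last = filetime_to_datetime(account["lastLogonTimestamp"])
    if last is None:
        findings.append("never-logged-in")
    elif (now - last).days > limit:
        findings.append(f"inactive>{limit}d")
    pwd = filetime_to_datetime(account["pwdLastSet"])
    if pwd is None:
        findings.append("password-never-set")
    elif (now - pwd).days > PASSWORD_MAX_AGE_DAYS:
        findings.append(f"password-age>{PASSWORD_MAX_AGE_DAYS}d")
    return findings


def stale_report(accounts=None, now=NOW):
    """{account: findings} for every account with at least one finding."""
    accounts = constructed_accounts() if accounts is None else accounts
    report = {}
    for a in accounts:
        findings = classify(a, now)
        if findings:
            report[a["sAMAccountName"]] = findings
    return report
```

Note that the same 45-day gap flags bob (an admin) but not carol (a standard user), which is exactly the asymmetry the thresholds are meant to produce; and that a service account that logs in daily can still be the oldest credential in the estate, so the rotation check must run independently of the inactivity check.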
Operational implications
Risk Reduction
JIT access alone can reduce standing privileged access exposure by 60–80%. Combined with vault management and MFA enforcement, the attack surface for privilege escalation becomes orders of magnitude smaller.
Change Management
Implementing JIT and MFA enforcement will impact privileged users' daily workflows. Budget time for communication, training, and a phased rollout. Expect initial friction that resolves as teams adapt to new access patterns.
Auditability
All remediation actions are logged with full RBAC controls and workflow approval chains, satisfying audit requirements for demonstrating that access changes were authorized, reviewed, and compliant with policy.
Continuous Cycle
Remediation is not one-and-done. New accounts, entitlement drift, and cloud provisioning events continuously create new gaps. Scheduled security queries and automated alerts ensure the cycle never stops.
Phase 04 · Track & Audit (Secret Server · AIDA · SIEM Integration)
Immutable Logging, AI-Driven Session Analysis, and Continuous Oversight
- AIDA (AI-Driven Auditing) — Iris AI
- Secret Server Audit Logs
- Advanced Session Recording (ASR)
- SIEM / Syslog / Splunk / Google SecOps
Audit and tracking capabilities
Immutable Audit Logs
Every action in Secret Server creates an immutable, tamper-evident record: secret access, password copies, check-outs, configuration changes, permission modifications, script executions, and expiration events, each with timestamp, username, and full context.
Privileged Session Recording
Second-by-second screenshots compiled into video recordings for every RDP, SSH, and custom application session — from the moment a secret is checked out through every action taken on the target system.
AIDA — AI Session Analysis
Powered by Iris AI using computer vision and LLMs. Processes Visual Frame OCR, Keystroke Logs, and Process Traces simultaneously — automatically classifying activity with labels like Privilege Elevation, IAM Changes, and File Transfers.
Session Heatmaps
Color-coded timeline overlays highlight exactly where high-risk activity occurred in a session recording. Reviewers jump directly to critical moments without scrubbing through entire videos.
SIEM Integration
Forwards audit logs as Syslog/CEF records and Windows Event Log entries to Splunk, Google Security Operations, and other SIEM platforms — correlating privileged access activity with broader security telemetry.
Live Session Monitoring
Administrators can watch active sessions in real time, send in-session messages to users, or immediately terminate sessions exhibiting unauthorized behavior — combining documentation with active supervision.
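Two of the capabilities above, the tamper-evident audit trail and the CEF-formatted SIEM feed, are worth seeing as mechanisms rather than features. The Python below is an added example and is not Secret Server's implementation: it shows the general technique of a SHA-256 hash chain over audit records (each record commits to its predecessor's hash, so any edit, deletion or reordering is detectable from that point on) and the CEF escaping rules that a Syslog/CEF forwarder has to apply. The vendor and product strings, the field choices and the sample events are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64


class AuditChain:
    """Append-only audit log in which every record commits to the SHA-256 of
    its predecessor, so editing, deleting or reordering a record breaks
    verification from that point on."""

    def __init__(self):
        self.records = []

    @staticmethod
    def digest(record):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canonical = json.dumps({k: v for k, v in record.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, ts, user, action, target, detail=""):
        record = {
            "seq": len(self.records),
            "ts": ts,
            "user": user,
            "action": action,
            "target": target,
            "detail": detail,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = self.digest(record)
        self.records.append(record)
        return record

    def verify(self):
        """Return None if intact, else the seq of the first record whose
        content or link to its predecessor no longer checks out."""
        prev = GENESIS
        for record in self.records:
            if record["prev"] != prev or self.digest(record) != record["hash"]:
                return record["seq"]
            prev = record["hash"]
        return None


# CEF escaping rules: header fields escape '|' and '\'; extension values
# escape '=' and '\' and encode newlines as '\n'.
def cef_header_escape(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(record, vendor="ExampleCo", product="PAM", version="1.0", severity=5):
    """Render an audit record as one CEF line. Vendor/product are assumed names;
    the chain hash travels in cs2 so the SIEM copy can be cross-checked later."""
    ext_fields = [("rt", record["ts"]), ("suser", record["user"]), ("act", record["action"]),
                  ("cs1Label", "target"), ("cs1", record["target"]),
                  ("cs2Label", "chainHash"), ("cs2", record["hash"]),
                  ("msg", record["detail"])]
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext_fields)
    header = "|".join(cef_header_escape(x) for x in
                      ("CEF:0", vendor, product, version, record["action"], record["action"], severity))
    return f"{header}|{extension}"


def demo_chain():
    """Constructed sample activity (not real events): one JIT check-out cycle."""
    chain = AuditChain()
    chain.append("2025-06-01T09:02:11Z", "alice", "secret.checkout", "prod-db/sa",
                 "JIT window 60m, ticket CHG=1234")
    chain.append("2025-06-01T09:05:40Z", "alice", "session.start", "prod-db-01 (RDP)")
    chain.append("2025-06-01T10:01:03Z", "alice", "secret.checkin", "prod-db/sa",
                 "password rotated on check-in")
    return chain
```

A hash chain only proves integrity relative to its head: an attacker who can rewrite the whole store can re-sign every record after the edit. That is why the chain hash is forwarded to the SIEM in the CEF extension above; a copy of each record's hash held by an independent system is what turns "tamper-evident" into evidence an auditor can rely on.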
AIDA's three data streams
Visual Frame OCR
High-resolution screenshot analysis with optical character recognition reads on-screen text: commands typed, output displayed, file paths navigated, and SQL queries executed — regardless of the protocol used.
Keystroke Log
Time-stamped command input with window-focused context. Captures exactly what was typed, in which application, and in what sequence — providing ground truth that complements the visual record.
Process Trace
All background processes spawned during the session are captured — including processes launched by scripts, spawned child processes, and service modifications that would never appear on the visible screen.
Four Eyes Principle: For organizations subject to regulations requiring dual oversight, Secret Server's Dual Control feature requires two authorized individuals to be present before sensitive reports or session recordings can be accessed — ensuring no single administrator can silently review or modify audit evidence.
Threats and Behaviors Detected in Session Data
What AIDA and session monitoring consistently reveal in production environments
- Privilege escalation commands run during sessions that weren't part of any approved change ticket
- Data exfiltration — large file transfers or bulk database exports conducted during remote sessions
- Credential harvesting — privileged users accessing credential stores beyond their authorized scope
- Unauthorized configuration changes to firewalls, domain controllers, or cloud security groups
- Lateral movement — a privileged session used as a launchpad to access additional systems
- Insider threat indicators — employees accessing sensitive systems before resignation or after performance improvement plans (PIPs)
- Vendor sessions exceeding approved scope — third parties accessing systems not in their SOW
- Brute force and MFA bombing attempts surfaced in real-time through Threat Center case management
Operational implications
Incident Response
During a breach investigation, AIDA-analyzed session recordings with searchable activity labels can compress forensic investigation time from weeks to hours — providing definitive evidence of what occurred and when.
Scale Challenge
As privileged session volume grows, human review becomes a bottleneck. AIDA automation is essential — configure AIDA policies to automatically analyze all sessions, not just flagged ones, to maintain coverage at scale.
Regulatory Evidence
GDPR, NIST, and SOC 2 require demonstrable access controls and audit trails. Immutable logs plus video recordings plus AI-generated session summaries create compliance documentation that satisfies even the most demanding auditors.
Feeds Discovery
Track & Audit completes the DART cycle — behavioral insights from session analysis, new account detections, and posture score trends all feed back into the next Discovery and Analysis cycle, continuously improving the security posture.