PAMSEC Orbit is in design partner phase — limited spots available.
Independent operational intelligence

The independent operational intelligence layer for identity infrastructure.

For organisations running Idira (formerly CyberArk) who need vendor-independent visibility into rotations, drift, and posture — without sitting in the privileged access path.

Read-only by design · Built against a live Idira tenant
app.pamsec.ai / runtime
Runtime · production tenant
Last polled 14:32:18 UTC · poll interval 30s

Last 24h
  • Authentications: 4,827 (↑ 3.2% vs avg)
  • Rotations: 312 (normal)
  • Drift events: 7 (↑ 4 new)
  • Posture: 96% (stable)

[Chart: Authentications per minute · last 60m · live]

Recent activity
  • 14:32 · Rotation succeeded · domain-admin-svc · Success
  • 14:18 · Drift detected · safe policy modified corp-admins-prod · Review
  • 14:05 · Anomaly · unusual session time pattern · Investigated
  • 13:47 · Rotation failure · sql-readonly-svc · Action
Independent — no partnership with Idira or Palo Alto Networks.
Read-only — never in the privileged access path.
Operational narrative — not a metrics dashboard.
Independence has meaning

The post-acquisition identity stack needs a second source of truth.

When Palo Alto Networks acquired CyberArk and rebranded it Idira, identity infrastructure customers found themselves running a platform owned by their security vendor's parent company. Self-reporting platforms tell their own story.

  • No vendor partnership. We don't sell Idira, and we don't sell anything to them.
  • Second source of truth. Built to give you a picture the platform itself didn't choose.
  • No platform suite play. One job, done well. We won't try to sell you ten more things.
For Idira

Verified against a live production tenant.

Orbit's Idira integration was developed against a real customer tenant — not a sandbox. We've mapped what the REST API offers, where it stops, and designed around the gaps honestly.

  • ISPSS OAuth2. Standard authentication, no proprietary credentials.
  • Per-account Activities polling at 15–60 second cadence.
  • Honest about limits. No fleet-wide audit stream. No webhooks. We tell you exactly where visibility ends.
GET /api/Accounts/{id}/Activities
200 OK
// Live response · production tenant · 30s poll
{
  "activities": [
    {
      "timestamp": "2026-05-26T14:32:18Z",
      "action": "Rotate",
      "target": "domain-admin-svc",
      "actor": "cpm-svc",
      "result": "Success"
    },
    {
      "timestamp": "2026-05-26T14:18:04Z",
      "action": "PolicyModify",
      "target": "corp-admins-prod",
      "actor": "jenna.r",
      "result": "Drift"
    }
  ],
  "total": 312
}
The platform

One platform. Four dimensions of visibility.

Most identity tools surface metrics. We assemble narrative — the connected operational story across the four dimensions that matter.

01 / Runtime

Live operations

Authentications, sessions, rotations, anomalies — observed in near-real-time against the Idira REST API.

02 / Incident

Connected context

When rotations fail or sessions misbehave, Meridian assembles the timeline and connected signals in plain language.

03 / Drift

Configuration timeline

Every meaningful change tracked over time. What was. What is. The diff. The actor. The moment.

04 / Posture

Continuous compliance

Assessed against your baselines, continuously — not periodic snapshots. Drift from posture is itself a signal.

Inside each dimension

What you'll actually see.

Four different views of the same underlying operational narrative — runtime activity, incident timelines, configuration drift, and continuous posture.

What's happening now.

Live operational view — auths, rotations, session activity, anomaly signals — polled from your Idira tenant at 15–60 second cadence and assembled into a single readable picture.

  • Source: Idira REST · per-account Activities
  • Freshness: 15–60s polling cadence
  • Footprint: Zero — no agents, read-only scopes

[Chart: Auth events · last 60s · live]
Meridian Investigation
#M-2847 · auto-opened
Resolved
Summary

Rotation failure on sql-readonly-svc. Root cause identified as approval routing change made 22 minutes prior.

Timeline
  • 13:47 · Rotation attempt failed — CPM agent · 4 retries
  • 13:25 · Policy modified — jenna.r disabled dual control
  • 13:23 · Scheduled rotation queued
Meridian's note

“Approval routing was changed 22 minutes before the scheduled rotation. CPM didn't receive the secondary approval signal. Recommend re-enabling dual control on the corp-admins-prod safe — or updating routing to the new approval chain.”

Meridian

AI investigation in plain language.

When something breaks, Meridian assembles the connected timeline — what happened, what changed, what correlates — and explains it the way an experienced engineer would. No alert fatigue. No fishing through twenty dashboards.

  • Correlates across dimensions. Runtime + Drift + Posture in one investigation thread, not four.
  • Read-only too. Meridian interprets and recommends — never acts on your behalf.
  • Embedded. No second platform to learn. Investigation lives inside the dashboard.
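
The correlation step described above, sketched as an added example; it is not PAMSEC's or Meridian's code. The records are constructed in the shape of the Activities response shown earlier, and the "Failure" result value, the account-to-safe map, the names sam.k and unrelated-safe, and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed poll responses in the shape of the page's Activities sample.
# The "Failure" result value and the account-to-safe map are assumptions.
POLLS = [
    {"activities": [
        {"timestamp": "2026-05-26T13:25:00Z", "action": "PolicyModify",
         "target": "corp-admins-prod", "actor": "jenna.r", "result": "Drift"},
        {"timestamp": "2026-05-26T13:30:00Z", "action": "PolicyModify",
         "target": "unrelated-safe", "actor": "sam.k", "result": "Drift"}]},
    {"activities": [  # overlapping poll window: the first record is a repeat
        {"timestamp": "2026-05-26T13:25:00Z", "action": "PolicyModify",
         "target": "corp-admins-prod", "actor": "jenna.r", "result": "Drift"},
        {"timestamp": "2026-05-26T13:47:00Z", "action": "Rotate",
         "target": "sql-readonly-svc", "actor": "cpm-svc", "result": "Failure"}]},
]
ACCOUNT_SAFE = {"sql-readonly-svc": "corp-admins-prod"}

def ts(record):
    """Parse the record's ISO 8601 UTC timestamp."""
    return datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))

def merge_polls(polls):
    """De-duplicate records seen in more than one poll, oldest first."""
    unique = {}
    for poll in polls:
        for rec in poll["activities"]:
            key = (rec["timestamp"], rec["action"], rec["target"], rec["actor"])
            unique.setdefault(key, rec)
    return sorted(unique.values(), key=ts)

def correlate(activities, window=timedelta(minutes=30)):
    """Pair each failed rotation with policy changes on its safe shortly before it."""
    findings = []
    for rec in activities:
        if rec["action"] != "Rotate" or rec["result"] != "Failure":
            continue
        safe = ACCOUNT_SAFE.get(rec["target"])
        for prior in activities:
            gap = ts(rec) - ts(prior)
            if (prior["action"] == "PolicyModify" and prior["target"] == safe
                    and timedelta(0) <= gap <= window):
                findings.append({"account": rec["target"], "safe": safe,
                                 "changed_by": prior["actor"],
                                 "minutes_before": int(gap.total_seconds() // 60)})
    return findings

if __name__ == "__main__":
    for finding in correlate(merge_polls(POLLS)):
        print(finding)
```

Because there is no fleet-wide stream, the account-to-safe mapping has to come from a separate inventory pull; without it a safe-level policy change cannot be tied to an account-level rotation failure.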
Reporting & evidence

Audit-ready evidence, continuously assembled.

A continuous evidence trail of everything we observed — exportable, signed, and ready for the audit conversation before it happens. Independent of Idira's own audit logs, so you have a cross-check, not just a copy.

  • Period reports and on-demand. Monthly summaries, plus drill-downs for any incident or audit.
  • Export anywhere. PDF for boards. JSON or CEF for your SIEM. CSV for the auditor's spreadsheet.
  • Independent witness. Reports issued by a system that doesn't sell you the platform being audited.
Idira Operational Report
May 2026 · Production tenant · 31 days
Executive summary
  • 96% posture compliance · stable through period
  • 12 incidents · all resolved within SLA
  • 7 drift events · 5 acknowledged, 2 reverted
Posture baseline
  • MFA coverage: 98%
  • Rotation SLA: 92%
  • Dual control: 74%
Period: 01 May — 31 May 2026
Signed: PAMSEC Orbit
Export: PDF · SIEM · CSV
Architecture

We observe. We never touch.

Orbit polls your Idira tenant through standard REST endpoints with ISPSS OAuth2 authentication. We never call rotation, session, or write endpoints. If Orbit goes offline, your identity infrastructure operates exactly as it did before.

  • Read-only API scopes only. Provable in your own IAM logs.
  • No agents. Nothing installed on your hosts. No privileged credentials issued to us.
  • Your data in your region. Australian customer data in Sydney. Configurable elsewhere.
Common questions

Things buyers always ask.

If yours isn't here, get in touch.

What does "independent" actually mean in practice?
PAMSEC Pty Ltd has no partnership, reseller agreement, or commercial relationship with Idira, Palo Alto Networks, or any other identity vendor. We don't resell their platform. We don't get incentives from them. We don't have a marketing arrangement. Orbit observes the Idira tenant you've already deployed and tells you what we see — including what we can't.
How can you be sure you'll never modify our identity infrastructure?
Orbit is given read-only API scopes only — provable in your own Idira audit logs. We don't request, accept, or use write scopes anywhere in the integration. There are no rotation, session, account-create, or policy-modify calls in our codebase. If you revoke our credentials, Orbit stops observing immediately and nothing in your environment is affected.
Idira's REST API has known gaps — how do you handle that?
Honestly. The Idira REST API has no fleet-wide audit event stream — we poll per-account Activities. There are no webhooks anywhere. PVWA access logs aren't retrievable via REST. We've designed around these constraints and documented exactly where our visibility ends. For customers where syslog ingestion is feasible, we can layer it in parallel.
Where is our data stored, and who has access to it?
Customer data stays in your region — Australian customers' data lives in ap-southeast-2 (Sydney). Other regions configurable on request. Storage is encrypted at rest. Application access is restricted to authorised PAMSEC personnel under formal data-handling controls. We can walk through the full architecture in a design partner conversation.
Why did you build this, and why now?
The Palo Alto Networks acquisition of CyberArk in early 2026 changed the identity infrastructure landscape. Self-reporting platforms are tolerable when the vendor is neutral. They're harder to rely on when the vendor's parent company is also one of your security suppliers. Customers wanted a second source of truth. We built it.
What does Meridian actually do — and is it just another AI chatbot?
Meridian is an investigation engine, not a chat surface. When an incident fires — rotation failure, drift event, posture breach — Meridian correlates signals across Runtime, Drift, and Posture, assembles a timeline of what happened in what order, and writes a plain-language explanation with a concrete recommendation. It's read-only like the rest of Orbit: it interprets, it doesn't act. You're not asked to “chat with your data” — you're handed the investigation already done.
Can reports be ingested by our existing SIEM or GRC tooling?
Yes. Reports and events are exportable as PDF (board and audit consumption), JSON or CEF (Splunk, Sentinel, Chronicle, and other SIEMs), and CSV (auditors and spreadsheets). The continuous evidence trail is queryable via API, so GRC platforms can pull on a schedule. Because Orbit is independent of Idira, our reports become a cross-check against Idira's own audit output — not a duplicate.
Design partner phase

Building something Idira customers actually needed.

We're talking with a small number of organisations running Idira to refine the platform. If that sounds like your team — let's talk.

✓ Read-only · ✓ Independent · ✓ Built for Idira