cascade-idp-breach — cloud IdP org compromise → OAuth persistence
Cascade Identity Partners super admin Elena Vasquez (evasquez@cascade-idp.io) — password spray, MFA fatigue, multi-country session ipChain, system.api_token.create backdoor, app.oauth2.as.token.grant into SCIM/Entra/Slack, lateral movement as evasquez across jump box and domain controllers. Fully synthetic.
synthetic reference
inspired by — not a copy of — cloud identity provider org-compromise incidents (Okta support-system breach class, MFA fatigue, API token abuse). cascade identity partners is a fictional organization at cascade-idp.io. elena vasquez, marcus chen, and all evidence artifacts are synthetic and deterministically generated from a public seed. educational reference only. not affiliated with okta or any real idp vendor.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (4/4).
- every output is generated 100% locally in your browser — export IdP and CASB logs, never upload tenant data.
- the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.
primary engines locked to this fixture
build the case binder
one click runs all four primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.
runs all four primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload
download the synthetic evidence
MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. compare your local runs against the published goldens.
built deterministically from scripts/fixtures/build-cascade-idp-breach.mjs. seed: cascade-idp-breach:v1.
methodology
cloud IdP org compromises start at the identity plane — not the endpoint. scope the tenant first: spray noise in Security EVTX, MFA fatigue and multi-country ipChain in Okta System Log, API token and OAuth grant persistence, then CASB OAuth abuse and Windows lateral logons for the super-admin account. contrast with meridian-ato (single-user SIM-swap ATO). read the full account takeover (ATO) guide →
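the three Okta System Log checks named above (MFA fatigue, multi-country ipChain, API token and OAuth grant persistence) as one small triage pass. this is an added illustration, not the fixture's engine code: the event shape and eventType strings follow Okta System Log conventions as far as the author knows, the sample events are constructed here rather than taken from the evidence zip, and the thresholds (three pushes inside two minutes) are assumptions you would tune against the real tenant.

```javascript
// Added example: triage pass over Okta System Log style events. Not the
// project's engine code. Field names and eventType strings follow Okta
// conventions as the author understands them (assumption); the events below
// are constructed for this illustration, not pulled from the fixture.

const SUPER_ADMIN = "evasquez@cascade-idp.io"; // super admin named on the page

// build one minimal System Log style event
function ev(published, eventType, result, sessionId, countries, actor = SUPER_ADMIN) {
  return {
    published, eventType, outcome: { result },
    actor: { alternateId: actor },
    authenticationContext: { externalSessionId: sessionId },
    request: { ipChain: countries.map((c) => ({ geographicalContext: { country: c } })) },
  };
}

// Constructed sample: three push challenges in 45 s, then an MFA success,
// a session whose ipChain spans two countries, then two persistence events.
// A second, benign user session is included so the checks have a negative.
const EVENTS = [
  ev("2024-03-04T02:10:00Z", "system.push.send_factor_verify_push", "SUCCESS", "s1", ["BR"]),
  ev("2024-03-04T02:10:20Z", "system.push.send_factor_verify_push", "SUCCESS", "s1", ["BR"]),
  ev("2024-03-04T02:10:45Z", "system.push.send_factor_verify_push", "SUCCESS", "s1", ["BR"]),
  ev("2024-03-04T02:11:20Z", "user.authentication.auth_via_mfa", "SUCCESS", "s1", ["BR"]),
  ev("2024-03-04T02:11:25Z", "user.session.start", "SUCCESS", "s1", ["BR", "US"]),
  ev("2024-03-04T02:15:00Z", "system.api_token.create", "SUCCESS", "s1", ["BR", "US"]),
  ev("2024-03-04T02:16:00Z", "app.oauth2.as.token.grant", "SUCCESS", "s1", ["BR", "US"]),
  ev("2024-03-04T09:00:00Z", "user.session.start", "SUCCESS", "s2", ["US"], "mchen@cascade-idp.io"),
];

function groupBy(items, keyFn) {
  const m = new Map();
  for (const it of items) {
    const k = keyFn(it);
    if (!m.has(k)) m.set(k, []);
    m.get(k).push(it);
  }
  return m;
}

// 1. MFA fatigue: at least minPushes push challenges to one user within
//    windowMs before a successful MFA. One finding per user is enough for triage.
function findMfaFatigue(events, { minPushes = 3, windowMs = 120_000 } = {}) {
  const findings = [];
  for (const [user, evs] of groupBy(events, (e) => e.actor.alternateId)) {
    const pushes = evs
      .filter((e) => e.eventType === "system.push.send_factor_verify_push")
      .map((e) => Date.parse(e.published));
    const successes = evs.filter(
      (e) => e.eventType === "user.authentication.auth_via_mfa" && e.outcome.result === "SUCCESS",
    );
    for (const s of successes) {
      const t = Date.parse(s.published);
      const burst = pushes.filter((p) => p <= t && t - p <= windowMs);
      if (burst.length >= minPushes) {
        findings.push({ user, at: s.published, pushes: burst.length });
        break;
      }
    }
  }
  return findings;
}

// 2. Session hijack signal: one externalSessionId whose ipChain hops resolve
//    to more than one country across its events.
function findMultiCountrySessions(events) {
  const seen = new Map(); // sessionId -> { user, countries }
  for (const e of events) {
    const sid = e.authenticationContext?.externalSessionId;
    if (!sid) continue;
    const rec = seen.get(sid) ?? { user: e.actor.alternateId, countries: new Set() };
    for (const hop of e.request?.ipChain ?? []) {
      const c = hop.geographicalContext?.country;
      if (c) rec.countries.add(c);
    }
    seen.set(sid, rec);
  }
  return [...seen]
    .filter(([, r]) => r.countries.size > 1)
    .map(([sessionId, r]) => ({ sessionId, user: r.user, countries: [...r.countries].sort() }));
}

// 3. Persistence: successful API token creation or OAuth token grant by the user.
const PERSISTENCE_EVENTS = new Set(["system.api_token.create", "app.oauth2.as.token.grant"]);
function findPersistence(events, user) {
  return events
    .filter((e) => e.actor.alternateId === user && PERSISTENCE_EVENTS.has(e.eventType)
      && e.outcome.result === "SUCCESS")
    .map((e) => ({ at: e.published, eventType: e.eventType,
      sessionId: e.authenticationContext.externalSessionId }));
}

// Tie the three together: persistence minted from a session already flagged
// as multi-country is the strongest link in the chain the page describes.
function triage(events, user = SUPER_ADMIN) {
  const fatigue = findMfaFatigue(events);
  const multiCountry = findMultiCountrySessions(events);
  const persistence = findPersistence(events, user);
  const suspect = new Set(multiCountry.map((m) => m.sessionId));
  const linked = persistence.filter((p) => suspect.has(p.sessionId));
  return { fatigue, multiCountry, persistence, linked };
}

console.log(JSON.stringify(triage(EVENTS), null, 2));
```

on the constructed sample, triage flags one fatigue burst for evasquez, one two-country session (s1), and two persistence events, both minted from that same session. on real exports, feed the same functions the events array from the System Log JSON and raise minPushes or shrink windowMs if the tenant's normal push cadence trips the fatigue check.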
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across spray, MFA fatigue, session hijack, API token creation, OAuth grants, and lateral logons — still zero upload.