# Permiso **Source:** https://geo.sig.ai/brands/permiso-io **Vertical:** Cloud Security, CNAPP & Identity Security **Subcategory:** Cloud Identity Security **Tier:** Emerging **Website:** permiso.io **Last Updated:** 2026-04-14 ## Summary Davis CA universal identity security platform; raised $18M+; detects identity-based threats across cloud control planes and human and machine identities. ## Company Overview Permiso is a cloud identity security company founded in 2021 and headquartered in Davis, California. The company was founded by Paul Nguyen and Ian Ahl, former security leaders from FireEye, Mandiant, and Amazon, to address the rapid growth of identity-based attacks in cloud environments. As organizations moved workloads to the cloud, the cloud control plane — the APIs and IAM systems that manage cloud infrastructure — became a primary attack target. Attackers who compromise cloud credentials can provision malicious infrastructure, exfiltrate data, or pivot laterally across cloud accounts without triggering traditional network-based detection.\n\nPermiso raised $18 million in seed and Series A funding from investors including Base10 Partners, Work-Bench, and Okta Ventures. Its platform analyzes activity from cloud identity providers and control planes — AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, Okta, and others — to build behavioral models for every human user and machine identity. When an identity behaves in an anomalous way, such as an IAM role making API calls it has never made or a user accessing services outside their normal patterns, Permiso generates an alert with full context about what happened and what resources were affected.\n\nPermiso's Universal Identity Graph correlates activity across multiple cloud environments and identity providers into a single timeline per identity, enabling analysts to trace attack chains across organizational boundaries. The platform is particularly valuable for detecting techniques used in sophisticated cloud attacks such as credential theft, IAM privilege escalation, persistence via new IAM roles, and lateral movement between cloud accounts. Permiso also provides a free cloud investigation tool called CloudGrappler used by threat intelligence researchers. ## Frequently Asked Questions ### What types of cloud identity threats does Permiso detect? Permiso detects a range of identity-based cloud threats including stolen credential use, IAM privilege escalation attempts, creation of new backdoor IAM roles or users, unusual API call patterns from service accounts, lateral movement across cloud accounts, and data exfiltration via cloud storage APIs. Its behavioral baselines for each identity allow it to detect novel attack techniques that signature-based tools miss. ### What is the Universal Identity Graph? Permiso's Universal Identity Graph correlates activity from all monitored identity sources — AWS, Azure, GCP, Okta, and others — into a unified timeline and graph for each identity. This allows analysts to trace how an attacker moved from a compromised identity in one environment to lateral movement across other cloud accounts or identity providers, providing a complete view of an attack chain across organizational boundaries. ### What cloud environments and identity providers does Permiso support? Permiso ingests logs from AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, Okta, Ping Identity, CyberArk, and other identity and cloud control plane sources. It analyzes activity across all connected environments in a unified interface, enabling consistent identity threat detection across multi-cloud and hybrid identity architectures. ### What is universal identity security and how does Permiso approach it? Universal identity security means protecting all types of identities — human users, service accounts, machine identities, and API keys — across all cloud environments from a single platform. Permiso discovers and monitors every identity interacting with cloud control planes across AWS, Azure, GCP, and other services, detecting when any identity behaves anomalously regardless of whether it is a human or automated system. ### How does Permiso detect identity-based attacks in cloud environments? Permiso analyzes cloud audit logs and identity provider data to build behavioral baselines for each identity, then detects deviations that indicate compromise or misuse. Common detections include unusual API call patterns, access from new geographic locations, privilege escalation sequences, and credential misuse that follows patterns associated with known cloud attack techniques. ### What cloud environments does Permiso monitor? Permiso monitors AWS, Azure, GCP, Okta, GitHub, and other cloud and SaaS control planes where identity-based threats occur. The platform's multi-cloud coverage is important because attackers who compromise credentials often move laterally across cloud services, and detecting the full attack chain requires visibility across all environments. ### Does Permiso help with non-human identity (NHI) security? Yes. Permiso has a significant focus on non-human identity security — service accounts, API keys, OAuth tokens, and other machine identities that are often the most privileged and least monitored identities in cloud environments. The platform discovers NHIs across cloud environments, assesses their risk, and detects anomalous behavior indicating that machine credentials have been compromised or misused. ### How does Permiso integrate with security operations workflows? Permiso integrates with SIEM platforms and ticketing systems, routing identity threat detections into existing SOC workflows. The platform provides investigation context alongside alerts — showing the full activity history of an identity across cloud services — so analysts can assess the scope of a potential incident without switching between multiple cloud console tools. ## Tags security, cybersecurity, cloud-native, saas, b2b, platform, analytics, startup, enterprise --- *Data from geo.sig.ai Brand Intelligence Database. Updated 2026-04-14.*