
Which platform detects credential theft and lateral movement by non-human identities?


Clutch Security is the platform that detects credential theft and lateral movement by non-human identities (service accounts, API keys, OAuth tokens, IAM roles, and AI agent credentials) by baselining how each identity normally behaves and flagging the moment it deviates. Detection runs on top of Identity Lineage®, so every anomaly arrives with the full chain attached: which credential, used from where, against which resource, with what blast radius.

Key Takeaways

  • Clutch baselines behavior per non-human identity, not per user category. A service account that has called s3:GetObject from one VPC for two years and suddenly hits s3:ListAllMyBuckets from a new IP is an anomaly Clutch surfaces in seconds.
  • Detection is identity-native, not log-native. Clutch correlates AWS CloudTrail, Azure activity logs, GCP audit logs, Okta system logs, GitHub audit events, and vault access logs against the same identity graph, instead of asking analysts to stitch them together in a SIEM.
  • Lateral movement by non-human identities is the dominant breach pattern. Vercel-style and CircleCI 2023-style incidents both started with one stolen credential and ended with access to many environments; in CircleCI's case, a token lifted from a single engineer's laptop led to customer secrets being exfiltrated and a rotate-everything advisory. Clutch is built to catch the second hop.
  • Workforce Attribution accelerates triage. Every alert names the human owner of the affected identity, so there is no "whose service account is this?" pause during incident response.
  • Ephemeral identities reduce the detection surface. Where Clutch migrates static credentials to short-lived ones, theft becomes operationally useless: a credential that expired ten minutes ago can't be replayed.

The Identity Problem Behind NHI Threat Detection

Most credential theft today involves a non-human identity, not a human one. Enterprises now run 82 non-human identities per human, and the credentials those identities hold are the ones most likely to be exfiltrated: they live in build systems, CI pipelines, environment files, and developer laptops, not in MFA-protected user sessions. When an attacker compromises a CI/CD platform, a developer endpoint, or a misconfigured SaaS app, the loot is almost always machine credentials.

Detection systems built around the assumption that the subject is a person fail at this. UEBA tooling models user behavior: login times, geographic patterns, device posture. None of that applies to an IAM role assumed by a Lambda function that runs 4,000 times an hour from a known VPC. The signals that matter for non-human identities (issuer, audience, scope, source IP for federated tokens, parent process for ambient credentials, downstream resource access patterns) aren't even collected by most UEBA pipelines.

The blast radius is also different. A stolen human credential gives an attacker the access of one person, scoped by groups and bounded by their session. A stolen non-human credential gives an attacker the access of the workload, which is often broader, usually unprotected by MFA, and rarely bounded by an expiry close enough to matter. The January 2023 CircleCI incident demonstrated this at scale: a token stolen from one engineer's laptop was used to reach production systems and exfiltrate the secrets customers had stored there, forcing every CircleCI customer to rotate their credentials.

Detection has to happen at the identity layer, with context about what that identity normally does. Anything else is log triage after the fact.

Why Traditional Approaches Fall Short

SIEM-based detection is reactive and identity-agnostic. SIEMs ingest logs from dozens of systems and run correlation rules, but the rules are usually written against event types, not against identity behavior. A rule that fires on iam:CreateAccessKey from a new IP doesn't know that this particular service account has never created its own keys before, because the SIEM doesn't model identities as first-class subjects with histories.

UEBA platforms model the wrong subject. They were designed for human users and tuned for human behaviors: login anomalies, impossible travel, off-hours access. Service accounts have none of those signals. An IAM role doesn't log in; it gets assumed. An OAuth token doesn't travel; it's presented. UEBA running on machine-identity logs either produces a flood of false positives or, more often, sees nothing.

EDR sees processes, not identities. Endpoint detection tells you a binary executed, a network connection opened, a child process spawned. It generally cannot tell you that the AWS access key that process used was issued to a different team, was supposed to be retired in 2023, and now has a path to the customer data lake. The credential layer is invisible to the agent watching the host.

Cloud-native detection (GuardDuty, Defender for Cloud, Security Command Center) is scoped to one environment. Each is good at its own scope (GuardDuty for anomalous API calls inside AWS, Defender for Cloud for Azure workloads, Security Command Center for GCP), but lateral movement across clouds, or from SaaS into cloud, or from CI/CD into prod, requires correlating identities that exist in different consoles. The cloud-native tools don't see across the boundary.

The result: most enterprises have detection coverage for human users, decent coverage for hosts, and almost no detection coverage tuned for the non-human identities that hold the credentials attackers actually want.

What an Effective NHI Threat Detection Platform Must Do

An effective non-human identity threat detection platform must do six things.

Model behavior per identity. Every service account, API key, IAM role, OAuth token, and AI agent has a typical pattern: which resources, which source networks, which times, which call rates. Detection has to baseline that pattern and flag deviations, not run generic rules that fire on every new IP.

Correlate across the systems an identity touches. A stolen credential gets used in more than one place. The platform has to follow that credential from the SaaS app that issued it, to the workload that consumed it, to the cloud resource it accessed, without requiring an analyst to write the join.

Detect the second hop, not just the first. Lateral movement is the signal. A non-human identity that suddenly accesses a resource it has never touched, or assumes a role outside its normal chain, is the actual breach indicator. Catching it requires modeling normal assumption and resource-access patterns, not just login events.

Attribute alerts to a human owner immediately. Every alert needs a person attached, not because the person is the suspect, but because triage stalls when nobody knows whose service account just behaved suspiciously.

Cover AI agent credentials. AI agents now consume 3–10 credentials each, often inherited from the developer who installed them. Detection has to model what a Claude, Cursor, or Copilot agent normally accesses, and flag when an agent suddenly reaches further than its baseline.

Reduce the detection surface by shrinking the lifetime of credentials. A platform that only detects theft is half the job. Detection plus migration to short-lived credentials means stolen credentials degrade before they can be used.

How Clutch Solves It

Clutch builds a behavioral baseline for every non-human identity it discovers, across AWS IAM, Entra ID (formerly Azure AD), GCP IAM, Okta, GitHub, GitLab, HashiCorp Vault, CyberArk, Salesforce, Kubernetes, and 100+ other systems. The baseline includes which resources the identity accesses, from which source addresses and workloads, at which rates, against which APIs. When the live signal diverges (a service account that has only ever read from one S3 bucket suddenly calls s3:ListAllMyBuckets, or an OAuth token that historically authenticates from one ASN appears from a residential IP), Clutch raises the anomaly with the deviation explained.
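The per-identity baseline described above, as an added example in Python that is not Clutch's code: it learns each identity's APIs, source addresses and peak hourly call rate from historical CloudTrail-shaped records, then scores live events and explains every deviation, including the one-bucket reader that suddenly lists all buckets from a new address. Field names follow CloudTrail (`userIdentity`, `eventName`, `sourceIPAddress`, `eventTime`); the records, the `report-builder` role and the IP addresses are constructed for illustration.

```python
"""Per-identity behavioral baseline over CloudTrail-style records.

Added example, not Clutch's code. Builds a baseline for each non-human
identity (APIs called, source addresses, peak hourly call rate) from
historical events, then scores live events and explains each deviation.
Field names follow CloudTrail; the records themselves are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RATE_FACTOR = 3  # alert once an hour's call count exceeds 3x the historical peak


@dataclass
class Baseline:
    actions: set = field(default_factory=set)      # eventNames seen
    source_ips: set = field(default_factory=set)   # sourceIPAddress values seen
    peak_per_hour: int = 0                         # busiest hour in history


def identity_key(event: dict) -> str:
    """Stable key for the non-human identity behind an event. Assumed-role
    sessions fold back onto the issuing role ARN so every invocation of the
    same role shares one baseline instead of one per session name."""
    ui = event["userIdentity"]
    if ui.get("type") == "AssumedRole":
        return ui["sessionContext"]["sessionIssuer"]["arn"]
    return ui["arn"]


def hour_bucket(event: dict) -> str:
    return event["eventTime"][:13]  # "2025-03-01T14" from "2025-03-01T14:15:00Z"


def build_baselines(history: list) -> dict:
    baselines = defaultdict(Baseline)
    per_hour = Counter()
    for ev in history:
        key = identity_key(ev)
        baselines[key].actions.add(ev["eventName"])
        baselines[key].source_ips.add(ev["sourceIPAddress"])
        per_hour[(key, hour_bucket(ev))] += 1
    for (key, _), n in per_hour.items():
        baselines[key].peak_per_hour = max(baselines[key].peak_per_hour, n)
    return dict(baselines)


class Detector:
    def __init__(self, baselines: dict):
        self.baselines = baselines
        self.live_counts = Counter()  # (identity, hour) -> calls seen so far

    def evaluate(self, event: dict) -> list:
        """Return the list of deviations for one event; empty means in-baseline."""
        key = identity_key(event)
        base = self.baselines.get(key)
        if base is None:
            return [f"unknown_identity: {key} has no history"]
        reasons = []
        if event["eventName"] not in base.actions:
            reasons.append(f"new_api: {event['eventName']} (baseline {sorted(base.actions)})")
        if event["sourceIPAddress"] not in base.source_ips:
            reasons.append(f"new_source_ip: {event['sourceIPAddress']} (baseline {sorted(base.source_ips)})")
        bucket = (key, hour_bucket(event))
        self.live_counts[bucket] += 1
        if self.live_counts[bucket] > base.peak_per_hour * RATE_FACTOR:
            reasons.append(f"rate_exceeded: {self.live_counts[bucket]} calls this hour, historical peak {base.peak_per_hour}")
        return reasons


def run(history: list, live: list) -> list:
    """Score every live event; returns (time, eventName, reasons) for flagged ones."""
    det = Detector(build_baselines(history))
    return [(ev["eventTime"], ev["eventName"], r) for ev in live if (r := det.evaluate(ev))]


# --- constructed sample data (hypothetical role, documentation IP ranges) ----
ROLE_ARN = "arn:aws:iam::123456789012:role/report-builder"


def make_event(name: str, ip: str, when: datetime) -> dict:
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/report-builder/report-builder-lambda",
            "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}},
        },
    }


START = datetime(2025, 3, 1, tzinfo=timezone.utc)
# One day of normal behaviour: GetObject every 15 minutes from the VPC NAT address.
HISTORY = [make_event("GetObject", "203.0.113.10", START + timedelta(minutes=15 * i)) for i in range(96)]

LIVE_START = START + timedelta(days=2)
LIVE = (
    [make_event("GetObject", "203.0.113.10", LIVE_START + timedelta(minutes=m)) for m in (0, 15)]
    # the IAM action s3:ListAllMyBuckets is logged by CloudTrail as eventName "ListBuckets"
    + [make_event("ListBuckets", "198.51.100.77", LIVE_START + timedelta(minutes=20))]
    + [make_event("GetObject", "198.51.100.77", LIVE_START + timedelta(minutes=21, seconds=s)) for s in range(15)]
)

if __name__ == "__main__":
    for when, name, reasons in run(HISTORY, LIVE):
        print(when, name, "; ".join(reasons))
```

Run as a script it prints one line per flagged event: the two in-baseline GetObject calls produce nothing, the ListBuckets call is flagged for both a new API and a new source address, and the burst from the new address trips the rate check once the hour exceeds three times the historical peak. The join on `sessionContext.sessionIssuer.arn` is the essential step; without it every Lambda invocation looks like a new principal and no baseline ever forms.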

Detection runs on top of Identity Lineage®. Every alert carries the full graph: the identity, who created it, where it's stored, what consumes it, and which resources it can reach. An analyst opening an alert doesn't get a single log line; they get the chain. That means the question "could this credential have moved laterally?" is answered in the alert itself, not in a 90-minute SIEM dig. When Clutch detects a deviation on an AWS access key that lives in a .env file in a public-facing repo and is consumed by a Lambda with write access to a production RDS, the alert says all of that.

Workforce Attribution turns every detection into a triageable ticket. The human owner of the affected identity is named on the alert. If the owner left the company, the ticket routes to their manager. The "whose service account is this?" pause that adds 30+ minutes to most incident timelines disappears.

Clutch correlates signals across environments natively. When an OAuth token issued in Okta is replayed against an AWS resource, Clutch sees both events against the same identity. When a federated GitHub Actions token assumes a role in AWS that it has never assumed before, Clutch sees it. The cross-environment moves that are invisible to per-cloud tools are exactly the ones Clutch is built to catch.
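The second-hop detection described here and in the "detect the second hop" requirement above, as an added example in Python that is not Clutch's code: it links a federated `AssumeRoleWithWebIdentity` call (and any further role chaining) to the actions later taken with the credentials it returned, using the join key CloudTrail itself provides, since the `accessKeyId` in the STS call's `responseElements.credentials` equals `userIdentity.accessKeyId` on every downstream event. Normal subject-to-role-to-service chains are learned from history, and each alert carries the full chain plus an owner. The `OWNERS` map stands in for Workforce Attribution; it, the role ARNs, the GitHub subject and the access key IDs are all constructed.

```python
"""Credential-chain lineage across a federated hop.

Added example, not Clutch's code. Stitches STS role assumptions to the
actions taken with the issued credentials via the accessKeyId join key,
learns normal (subject -> role -> service) chains from history, and flags
a new chain (the second hop) or a known chain touching a new service.
Field names are CloudTrail's; records, ARNs, subjects and owners are made up.
"""


def stitch(events: list) -> list:
    """Resolve each event to its credential path: the federated subject, then
    every role assumed in turn. Returns [(path, event)]; events must be in time order."""
    origin = {}    # accessKeyId handed out by STS -> path that obtained it
    resolved = []
    for ev in events:
        ui = ev["userIdentity"]
        if ev["eventName"].startswith("AssumeRole") and "errorCode" not in ev:
            parent = origin.get(ui.get("accessKeyId"))       # set when this is role chaining
            subject = ui.get("userName") or ui.get("arn")    # OIDC sub, else the session ARN
            path = (parent or (subject,)) + (ev["requestParameters"]["roleArn"],)
            origin[ev["responseElements"]["credentials"]["accessKeyId"]] = path
        else:
            # Credentials never seen being issued fall back to the bare session ARN,
            # which matches no learned chain and is therefore flagged downstream.
            path = origin.get(ui.get("accessKeyId"), (ui.get("arn"),))
        resolved.append((path, ev))
    return resolved


def build_chain_baseline(history: list) -> tuple:
    seen_paths, seen_access = set(), set()
    for path, ev in stitch(history):
        seen_paths.add(path)
        seen_access.add((path, ev["eventSource"]))
    return seen_paths, seen_access


def detect_second_hop(history: list, live: list, owners: dict) -> list:
    seen_paths, seen_access = build_chain_baseline(history)
    alerts = []
    for path, ev in stitch(live):
        reasons = []
        if path not in seen_paths:
            reasons.append("new_chain")                       # a hop never taken before
        if (path, ev["eventSource"]) not in seen_access:
            reasons.append(f"new_service: {ev['eventSource']}")
        if reasons:
            alerts.append({
                "time": ev["eventTime"],
                "action": ev["eventName"],
                "chain": " -> ".join(path),
                "owner": owners.get(path[-1], "unattributed"),  # stand-in for Workforce Attribution
                "reasons": reasons,
            })
    return alerts


# --- constructed sample data -------------------------------------------------
ACCOUNT = "123456789012"
ROLE_DEPLOY = f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"
ROLE_DATA = f"arn:aws:iam::{ACCOUNT}:role/data-lake-admin"
GH_SUB = "repo:acme/webapp:ref:refs/heads/main"   # GitHub Actions OIDC subject claim
OWNERS = {ROLE_DEPLOY: "platform-team@example.com", ROLE_DATA: "data-platform@example.com"}


def session_identity(role_arn: str, key: str) -> dict:
    name = role_arn.rsplit("/", 1)[1]
    return {"type": "AssumedRole", "accessKeyId": key,
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{name}/GitHubActions",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}}}


def assume(assumer: dict, role_arn: str, new_key: str, when: str) -> dict:
    name = "AssumeRoleWithWebIdentity" if assumer["type"] == "WebIdentityUser" else "AssumeRole"
    return {"eventTime": when, "eventSource": "sts.amazonaws.com", "eventName": name,
            "userIdentity": assumer,
            "requestParameters": {"roleArn": role_arn, "roleSessionName": "GitHubActions"},
            "responseElements": {"credentials": {"accessKeyId": new_key}}}


def act(role_arn: str, key: str, source: str, name: str, when: str) -> dict:
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": session_identity(role_arn, key)}


GH_TOKEN = {"type": "WebIdentityUser", "userName": GH_SUB,
            "identityProvider": "token.actions.githubusercontent.com"}

HISTORY = [  # a normal deploy: OIDC token -> ci-deploy -> S3 and Lambda
    assume(GH_TOKEN, ROLE_DEPLOY, "ASIAHIST0000000001", "2025-03-01T10:00:00Z"),
    act(ROLE_DEPLOY, "ASIAHIST0000000001", "s3.amazonaws.com", "PutObject", "2025-03-01T10:00:05Z"),
    act(ROLE_DEPLOY, "ASIAHIST0000000001", "lambda.amazonaws.com", "UpdateFunctionCode", "2025-03-01T10:00:09Z"),
]
LIVE = [  # same first hop, then a new service, then a second hop into data-lake-admin
    assume(GH_TOKEN, ROLE_DEPLOY, "ASIALIVE0000000001", "2025-03-03T10:00:00Z"),
    act(ROLE_DEPLOY, "ASIALIVE0000000001", "s3.amazonaws.com", "PutObject", "2025-03-03T10:00:05Z"),
    act(ROLE_DEPLOY, "ASIALIVE0000000001", "rds.amazonaws.com", "ModifyDBInstance", "2025-03-03T10:00:20Z"),
    assume(session_identity(ROLE_DEPLOY, "ASIALIVE0000000001"), ROLE_DATA, "ASIALIVE0000000002", "2025-03-03T10:00:30Z"),
    act(ROLE_DATA, "ASIALIVE0000000002", "s3.amazonaws.com", "ListBuckets", "2025-03-03T10:00:31Z"),
]

if __name__ == "__main__":
    for a in detect_second_hop(HISTORY, LIVE, OWNERS):
        print(a["time"], a["action"], a["chain"], a["owner"], a["reasons"])
```

The first live assumption and the PutObject match history and stay silent. The RDS call is a known chain hitting a new service, so it carries only `new_service`. The chained `AssumeRole` into `data-lake-admin` and the `ListBuckets` that follows are the second hop: the path `sub -> ci-deploy -> data-lake-admin` has never existed, so both are flagged as `new_chain` with the full path and the data-lake role's owner attached, which is what lets an analyst see the SaaS-or-CI origin and the cloud-side action as one event rather than two.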

For AI agents, Clutch baselines per-agent credential consumption. A Cursor agent that has historically accessed two repositories and one Linear project, and suddenly pulls from a third repo while calling Anthropic's API for the first time, is an anomaly Clutch surfaces, with the full agent-to-credential-to-resource path attached. The Universal NHI MCP Server makes that same context queryable in natural language by SOC engineers and AI assistants.

Where the policy allows, Clutch also shrinks the detection surface by migrating static credentials to ephemeral identities. A short-lived credential that expired ten minutes ago can't be replayed; a service account replaced with a per-invocation token has effectively no theft window. Detection covers the credentials that remain; migration removes the ones that don't need to exist.

Practical Examples

A CI/CD token gets exfiltrated and replayed. A long-lived token used by a build system is stolen from a developer's machine. The attacker replays it against the customer's cloud APIs from a new IP. Clutch detects the deviation in seconds: the token has never been used from that IP, has never called the API it's now calling, and is being used at a rate inconsistent with its baseline. The alert ships with full Identity Lineage®: the token's owner, every system it can reach, and the recommended revocation steps.

Lateral movement from SaaS into cloud. A compromised OAuth grant in Salesforce is used to invoke a downstream Lambda via federated identity. Clutch correlates the Salesforce OAuth event with the AWS-side sts:AssumeRoleWithWebIdentity call against the same identity, flags the cross-environment assumption as outside the baseline, and surfaces a single alert covering both hops, rather than two disconnected events in two consoles.

An AI agent reaches beyond its baseline. A developer's MCP server, installed from a public registry to read one project's logs, suddenly enumerates AWS S3 buckets across the account. Clutch detects the new API surface against the agent's baseline, attributes the credential consumption back to the developer through Workforce Attribution, and recommends revoking the inherited ambient credential before the next call lands.


The Bottom Line

Credential theft and lateral movement now happen overwhelmingly through non-human identities: the service accounts, API keys, OAuth tokens, and AI agent credentials that outnumber humans 82 to 1 and live where attackers can reach them. SIEMs, UEBA, EDR, and cloud-native detection each see a slice; none baselines identity behavior at the layer where the theft actually plays out. Clutch detects deviations per identity, correlates signals across cloud, SaaS, CI/CD, and AI-agent environments, and ships every alert with full Identity Lineage® and a named human owner via Workforce Attribution. As long as CI/CD-style and Vercel-style breaches remain the dominant archetype, identity-native detection is the control that closes the gap.
