Security War Room
ENGINE 01 / 06
CONTINUOUS MONITORING · ALL ENGINES ACTIVE
Critical Attack Paths: 0 · ↑ 3 since last scan
L2 Validated · Exploitable: 0 · AWS API proof confirmed
Financial Exposure: $0 · ↑ Est. breach cost
Detection Coverage: 0% · ↓ 66% of attacks invisible
Live Activity Feed
2m · CRITICAL · New IAM privilege escalation path: Internet → EC2 → S3 Crown Jewel discovered
4m · L2 · L2 validation confirmed: lambda-processor can assume admin-role via iam:PassRole
7m · SIM · XseeCyber simulation complete: Path AP-0031 exploitable in 4 steps, 0 detections triggered
12m · FIXED · Remediation verified: SG ingress rule revoked, path AP-0028 permanently closed
15m · AI · Claude Engine: Executive risk summary generated for board · 3 critical paths
21m · SCAN · Scan #1,847 complete: 847 assets indexed · 12 new findings · 4 validated
Claude Engine
AI SECURITY ANALYST · ACTIVE
I've identified 4 exploitable attack paths requiring immediate attention. Path AP-0031 leads directly to your customer PII database via a validated IAM privilege escalation chain. Estimated breach probability: 94%. A single IAM policy change closes 3 paths simultaneously.
AP-0031 · Internet → EC2 → IAM → S3-PII · CRITICAL
AP-0029 · Lambda → AssumeRole → Admin → All Resources · CRITICAL
AP-0033 · NHI token exposed in EC2 instance metadata · HIGH
AP-0034 · Public S3 + unencrypted secrets → Account takeover · HIGH
Attack Intelligence Graph
ENGINE 02 / 06
L1 GRAPH SIMULATION · 847 NODES · 2,341 EDGES · 12 CRITICAL PATHS
AI Verdict · AP-0031 · Confidence: 94%
Path is immediately exploitable. EC2 has iam:PassRole to admin-role. L2 confirmed via SimulatePrincipalPolicy.
Path Details
Path ID: AP-0031
Target: s3://acme-pii
Exposure: $1.8M
L2 Status: CONFIRMED
Cut Points: 2 identified
MITRE ATT&CK
T1190 · Exploit Public-Facing Application
T1548 · Abuse Elevation Control Mechanism
T1530 · Data from Cloud Storage
L2 Attack Path Validation
ENGINE 03 / 06
LIVE AWS API VALIDATION · PATH AP-0031 · REAL EVIDENCE · NOT THEORETICAL
Live AWS API Evidence — SimulatePrincipalPolicy
// AWS IAM · SimulatePrincipalPolicy
// Captured: 2026-04-05T09:47:22Z · us-east-1
{
  "EvaluationResults": [
    {
      "EvalActionName": "iam:PassRole",
      "EvalDecision": "allowed",
      "EvalResourceName": "arn:aws:iam::123456789012:role/admin-role",
      "MatchedStatements": [
        {
          "SourcePolicyId": "ec2-processor-policy",
          "StartPosition": { "Line": 14 }
        }
      ]
    },
    {
      "EvalActionName": "s3:GetObject",
      "EvalDecision": "allowed",
      "EvalResourceName": "arn:aws:s3:::acme-customer-pii/*"
    }
  ],
  "IsTruncated": false
}
Security Group — Public Ingress Confirmed
// DescribeSecurityGroups · sg-0a1b2c3d4e5f
{
  "GroupId": "sg-0a1b2c3d4e5f",
  "GroupName": "ec2-processor-sg",
  "IpPermissions": [
    {
      "IpProtocol": "tcp",
      "FromPort": 443,
      "ToPort": 443,
      "IpRanges": [
        {
          "CidrIp": "0.0.0.0/0",
          "Description": "public-access"
        }
      ]
    }
  ]
}
Validation Chain · 5 of 5 Steps
✓ Public Internet Access Confirmed · SG allows 0.0.0.0/0 on port 443 · EC2 public IP: 54.23.11.87
✓ IAM PassRole Permission Verified · SimulatePrincipalPolicy → ALLOWED · iam:PassRole on admin-role
✗ No Permission Boundary Detected · No boundary on ec2-processor-role · Escalation unconstrained
✓ Crown Jewel S3 Access Confirmed · s3:GetObject ALLOWED · 847,293 PII records directly accessible
! No CloudTrail Alert Configured · iam:PassRole calls not alerting · Attack invisible to your team
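The evidence reduction this section describes, written out as an added example (not XSEE's code): it takes the two API responses above, here as constructed samples rather than captured output, and derives the validation-chain verdicts. The `has_boundary` flag and the `sts:AssumeRole` check are assumptions beyond what the page shows.

```python
import json

# Constructed samples that mirror the SimulatePrincipalPolicy and
# DescribeSecurityGroups evidence shown above (not captured from any account).
SIMULATE_RESPONSE = json.loads("""{
  "EvaluationResults": [
    {"EvalActionName": "iam:PassRole", "EvalDecision": "allowed",
     "EvalResourceName": "arn:aws:iam::123456789012:role/admin-role"},
    {"EvalActionName": "s3:GetObject", "EvalDecision": "allowed",
     "EvalResourceName": "arn:aws:s3:::acme-customer-pii/*"},
    {"EvalActionName": "iam:CreateUser", "EvalDecision": "implicitDeny",
     "EvalResourceName": "*"}],
  "IsTruncated": false}""")
SG_RESPONSE = json.loads("""{
  "GroupId": "sg-0a1b2c3d4e5f",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}""")

ESCALATION_ACTIONS = {"iam:PassRole", "sts:AssumeRole"}  # grants that hand over a role

def allowed_grants(sim):
    """Map action -> resource for every 'allowed' verdict; refuse partial pages."""
    if sim.get("IsTruncated"):
        raise ValueError("truncated response: fetch every page before judging")
    return {r["EvalActionName"]: r["EvalResourceName"]
            for r in sim["EvaluationResults"] if r["EvalDecision"] == "allowed"}

def public_ingress(sg):
    """List (proto, from_port, to_port) for rules open to any IPv4 or IPv6 source."""
    rules = []
    for p in sg["IpPermissions"]:
        v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
        v6 = any(r["CidrIpv6"] == "::/0" for r in p.get("Ipv6Ranges", []))
        if v4 or v6:
            rules.append((p["IpProtocol"], p.get("FromPort"), p.get("ToPort")))
    return rules

def validation_chain(sim, sg, crown_jewel, has_boundary):
    """Ordered (step, confirmed) pairs; the path is live only when every step holds."""
    grants = allowed_grants(sim)
    esc = sorted(a for a in grants if a in ESCALATION_ACTIONS)
    jewel = sorted(a for a, res in grants.items() if res.startswith(crown_jewel))
    return [("public ingress on " + sg["GroupId"], bool(public_ingress(sg))),
            ("escalation grant " + ",".join(esc), bool(esc)),
            ("no permission boundary", not has_boundary),
            ("crown-jewel access " + ",".join(jewel), bool(jewel))]

def path_exploitable(chain):
    """True when no step of the chain is blocked."""
    return all(confirmed for _, confirmed in chain)
```

A permission boundary is treated here as blocking the chain outright; in a real evaluation the boundary's own statements must be simulated too, since SimulatePrincipalPolicy already applies them.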
Why Wiz can't show you this
Wiz uses an agentless graph model — it cannot call SimulatePrincipalPolicy, validate real AWS permissions, or generate a signed evidence package. It shows theoretical paths, not proof.
XSEE called 3 live AWS APIs and returned cryptographically signed evidence. This is the difference between a finding and a proof.
Smart Remediation Engine
ENGINE 05 / 06
OPTIMAL CUT-POINT ANALYSIS · PATH AP-0031 · ONE CLICK TO FIX
Cut-Point Analysis — Minimum Change, Maximum Impact
✂ CUT-1 kills 3 critical paths simultaneously
Single IAM change · zero service impact
Auto-Generated Terraform Fix
# Remove iam:PassRole from ec2-processor-role
# Closes: AP-0031, AP-0032, AP-0035
resource "aws_iam_policy" "ec2_processor_restricted" {
  name = "ec2-processor-policy-v2"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "logs:PutLogEvents"]
      # iam:PassRole REMOVED ← entire fix in one line
      Resource = "*"
    }]
  })
}
Fix Options · Ranked by Impact / Effort
Remove iam:PassRole Permission
Delete iam:PassRole from ec2-processor-policy. Kills AP-0031, AP-0032, AP-0035 in one change. Zero service impact. Reversible in seconds.
Risk −94% · Effort: Low · 3 paths closed · Time: 2 min
Enforce IMDSv2 on EC2 Instance
Block IMDSv1 metadata access. Kills the credential extraction step. Requires a brief instance restart.
Risk −60% · Effort: Low · 2 paths closed
Attach IAM Permission Boundary
Limit maximum permissions of ec2-processor-role. Defense-in-depth.
Risk −40% · Effort: Med · 1 path closed
REMEDIATION AGENT READY · AWAITING HUMAN APPROVAL
One click. Agent applies via AWS SDK → L2 re-validates → certificate generated.
Rollback available 24h if verification fails.
XseeCyber L3 Simulation
ENGINE 04 / 06
RUNTIME EXPLOIT SIMULATION · PATH AP-0031 · SAFE MODE · ZERO PROD IMPACT
Safe sandbox · no prod impact
xseecyber-agent · v2.4.1 · path:AP-0031 · simulation-mode:safe
Kill Chain Timeline
1 · T+00:00 · Reconnaissance · Port scan · nginx/1.24.0 fingerprint · CVE-2023-44487 matched
2 · T+02:11 · Initial Access · HTTP/2 exploit · IMDSv1 abuse · EC2 credentials from metadata
3 · T+04:47 · Privilege Escalation · iam:PassRole → admin-role assumed · Full account control
4 · T+08:33 · Data Exfiltration · 847K PII records · S3 bulk GetObject · 0 detections fired
Simulation Result
EXPLOIT SUCCEEDED
Stages: 4 / 4 complete
✗ IMDSv2 not enforced
✗ iam:PassRole not monitored
✗ S3 logging disabled
✓ 3 detection rules auto-generated
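Detection logic for the "iam:PassRole not monitored" gap listed above, as an added example rather than one of the product's auto-generated rules. It runs over constructed CloudTrail records for the pass-then-assume hop; the `ops-breakglass` allowlist entry is an assumed name, and the mapping of event names to role parameters is the editor's, not from the page.

```python
import json

# Constructed CloudTrail records (not real logs) for the two hops the simulation
# shows: ec2-processor-role passes admin-role into a new Lambda, which then assumes it.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunction20150331",'
    ' "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ec2-processor-role/i-0abc"},'
    ' "requestParameters":{"functionName":"helper","role":"arn:aws:iam::123456789012:role/admin-role"}}',
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    ' "userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"},'
    ' "requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/admin-role"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    ' "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ec2-processor-role/i-0abc"},'
    ' "requestParameters":{}}')]

PRIVILEGED_ROLES = {"arn:aws:iam::123456789012:role/admin-role"}
# Principals expected to assume those roles; anything else alerts (assumed name).
EXPECTED_ASSUMERS = {"arn:aws:iam::123456789012:role/ops-breakglass"}
# CloudTrail has no standalone iam:PassRole event: the pass is a parameter of the
# API call that consumes the role, so the rule keys on those parameters.
PASSED_ROLE_PATH = {
    "CreateFunction20150331": ("role",),             # Lambda CreateFunction
    "RunInstances": ("iamInstanceProfile", "arn"),   # EC2 instance profile (ARN form)
}

def dig(obj, path):
    """Walk nested dict keys; None when any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def actor_of(event):
    """Principal ARN, or the invoking service when AWS assumed the role itself."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or "unknown"

def detect(events):
    """One alert string per pass or unexpected assumption of a privileged role."""
    alerts = []
    for e in events:
        name, actor = e.get("eventName"), actor_of(e)
        path = PASSED_ROLE_PATH.get(name)
        passed = dig(e.get("requestParameters"), path) if path else None
        if passed in PRIVILEGED_ROLES:
            alerts.append(f"PASSROLE {actor} passed {passed} via {name}")
        if e.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRole":
            target = dig(e, ("requestParameters", "roleArn"))
            if target in PRIVILEGED_ROLES and actor not in EXPECTED_ASSUMERS:
                alerts.append(f"ASSUMEROLE {actor} assumed {target}")
    return alerts
```

The S3 bulk-read stage needs S3 data-event logging, which the simulation reports as disabled, so it is not covered by these management-event rules.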
Breach Prevention Certificate
ENGINE 06 / 06
AUTONOMOUS LOOP COMPLETE · ALL PATHS CLOSED · BOARD-READY PDF GENERATED
XSEE
BREACH PREVENTION CERTIFICATE · BOARD EDITION
3 Critical Attack Paths Eliminated.
Acme Corp · AWS Account 123456789012 · April 5, 2026
Paths Closed: 3
Risk Eliminated: $2.4M
Security Score: 94
XSEE validated, simulated, and verified closure of all critical attack paths. Each fix was applied by the XSEE Remediation Agent following explicit human approval, then independently verified via L2 live AWS API re-validation. The attack paths listed above no longer exist in the customer environment. This certificate is cryptographically signed and tamper-evident.
✓ Autonomous Loop Complete
✓ Discover · 847 assets · 12 paths
✓ L1 Graph Validate · 4 exploitable
✓ L2 Prove · AWS API evidence
✓ Prioritize · Cut-points ranked
◎ Human Approved · 1 click · 4 seconds
✓ Fix Applied · AWS SDK · IAM updated
✓ L3 Simulate · Post-fix confirmed clean
✓ Verify · L2 re-run · path closed
✓ Certify · Board PDF signed
The XSEE Difference
"You might have a problem here. We ranked it critical."
← What Wiz delivers
"This was exploitable. We proved it. We fixed it. Here's the signed certificate."
← What XSEE delivers
Next scan: tomorrow 09:00 UTC
Auto-alert: admin@acme.io
Certificate ID: XSEE-2026-04-05-AP0031