Plaidnox InfoSec
PLX-2025-020 . Confidential
Security Enablement | CyberArk Privilege Cloud | 357 Outside Governance

PAM Deployment Assessment
[REDACTED]

Assessment of privileged account management maturity and CyberArk Privilege Cloud deployment for [REDACTED]. Covering account discovery, safe configuration, session recording, and Phase 2 onboarding pipeline. Engagement ref. ENG-2025-0560.

Report ID: PLX-2025-020
Client: [REDACTED]
Accounts Vaulted: 847 / 1,204
Assessed: Q1 2025

01 . Overview

PAM Deployment Assessment

Plaidnox completed a deployment maturity review of [REDACTED]'s CyberArk Privilege Cloud implementation in Q1 2025. Of 1,204 discovered privileged accounts, 847 (70.3%) are vaulted with at least one access policy applied. The remaining 357 accounts (primarily middleware service accounts, legacy Windows scheduled tasks, and inter-system API credentials) remain outside PAM governance, creating unmonitored pathways to core banking and payment processing systems.

The most critical gap is 23 service accounts with direct access to the SWIFT messaging gateway that are not vaulted and have static credentials unchanged for an average of 847 days.


02 . Account Discovery

Privileged account inventory

Total Privileged: 1,204
Vaulted (70.3%): 847
Outside PAM: 357
Critical SWIFT Gap: 23

| Account Type | Total | Vaulted | Gap | Priority |
|---|---|---|---|---|
| Domain Admin / Tier-0 | 38 | 38 | 0 | Complete |
| Local Admin (servers) | 412 | 380 | 32 | Medium |
| Service Accounts (AD) | 284 | 197 | 87 | High |
| Middleware / API Credentials | 312 | 127 | 185 | High |
| SWIFT & Payment Gateway | 48 | 25 | 23 | Critical |
| Database Admin (DBA) | 110 | 80 | 30 | Medium |

03 . Key Gaps

Priority findings

| ID | Finding | Priority |
|---|---|---|
| PAM-G01 | 23 SWIFT gateway service accounts not vaulted; static credentials aged avg. 847 days | Critical |
| PAM-G02 | 185 middleware API credentials have no rotation policy; hardcoded in application config files | High |
| PAM-G03 | Session recording disabled for 63% of safes; limits forensic capability post-incident | High |
| PAM-G04 | No automated account discovery scan scheduled; new accounts created outside CyberArk not detected | Medium |

04 . Phase 2 Plan

PAM onboarding roadmap

| Action | Timeline | Owner |
|---|---|---|
| Vault 23 SWIFT gateway accounts and enforce 90-day rotation | Wk 1-2 | IT / Plaidnox |
| Migrate 185 middleware credentials to CyberArk Conjur / API key safe | Wk 2-6 | Plaidnox |
| Enable session recording across all Tier-1 and Tier-2 safes | Wk 1-3 | IT |
| Configure weekly automated discovery via CyberArk DNA scan | Wk 2-4 | Plaidnox |
| Onboard remaining 87 AD service accounts and 30 DBA accounts | Wk 4-12 | Plaidnox / IT |

Conclusion
SWIFT gateway gap is a critical control failure requiring immediate priority
The 23 SWIFT-connected service accounts with static, unrotated credentials represent the most significant risk in the current deployment. These must be onboarded to CyberArk in the first two weeks to meet SWIFT CSCF v2025 requirements and avoid potential regulatory action. Phase 2 scope covers 357 remaining accounts with a target of 95% vaulting coverage within 12 weeks.