Inspiration
According to Verizon's 2025 Data Breach Investigations Report, stolen or compromised credentials remain the single largest initial access vector, responsible for nearly a fifth of confirmed breaches. Furthermore, IBM's 2025 Cost of a Data Breach Report highlights that credential-driven incidents take longer to detect than almost any other vector because they simply look like valid logins.
The root cause of these breaches is rarely just a weak password. Instead, the vulnerability lies in accounts that nobody disabled after an employee was offboarded, permissions that were never revoked after a role change, or security keys that haven't been rotated in years. Because modern enterprises split identity management across HR systems, Active Directory, and cloud providers (like AWS and Okta), no single platform can see the full picture. I was inspired to build HybridGuard to close this dangerous visibility gap and tackle a massive real-world cybersecurity challenge.
What it does
HybridGuard is an Identity-Driven Risk Intelligence Platform and Identity Security Posture Management (ISPM) solution. It unifies telemetry from disconnected systems—HR, Active Directory, AWS IAM, and Okta—into a single, normalized view.
Key Features include:
- Weighted Risk Scoring Engine: Every identity is evaluated and assigned a Unified Risk Score. This score is transparently calculated using three factors: Damage Score (privilege exposure/blast radius), Dormancy Score (inactivity), and a Ghost Account Factor. The engine evaluates risk using the following weighted model:
$$UnifiedRisk = 0.40(Damage) + 0.30(Dormancy) + 0.30(GhostFactor)$$
- Direct Control Dashboard: The highest-risk identities automatically rise to the top of an interactive Streamlit console. Crucially, the platform closes the loop between detection and resolution: security analysts can execute direct, platform-specific remediation actions—such as Disable User, Revoke Access, or Rotate Token—directly against the database without ever leaving the dashboard.
- Automated Threat Detection: Proactively flags Critical (Ghost Accounts), High (Privilege Creep), and Medium (Stale Tokens) vulnerabilities.
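As an added illustration of the weighted model above (this is example code written for this page, not HybridGuard's own engine), the snippet below scores a few constructed identities and maps them to the Critical/High/Medium detections. The tier-to-damage mapping, the 180-day dormancy ramp, the 90-day stale threshold and the expected_tier field are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Weights of the page's model: UnifiedRisk = 0.40*Damage + 0.30*Dormancy + 0.30*GhostFactor
W_DAMAGE, W_DORMANCY, W_GHOST = 0.40, 0.30, 0.30
# Assumed blast-radius score per normalized tier (Tier 0 Admin, 1 Elevated, 2 Standard)
TIER_DAMAGE = {0: 1.0, 1: 0.6, 2: 0.2}

@dataclass
class Identity:
    platform: str                        # "ad", "aws" or "okta"
    username: str
    tier: int                            # normalized permission tier, 0..2
    days_inactive: int                   # days since the account/credential was last used
    hr_id: Optional[str] = None          # canonical HR identity, None if nothing matched
    hr_active: bool = False              # HR still lists the person as employed
    expected_tier: Optional[int] = None  # tier the HR role should carry (assumed field)

def damage_score(ident: Identity) -> float:
    return TIER_DAMAGE[ident.tier]

def dormancy_score(ident: Identity, horizon_days: int = 180) -> float:
    # Assumed: linear ramp from 0 (used today) to 1 (unused for horizon_days or longer)
    return min(ident.days_inactive, horizon_days) / horizon_days

def ghost_factor(ident: Identity) -> float:
    # Ghost account: a live platform account with no active HR owner behind it
    return 1.0 if ident.hr_id is None or not ident.hr_active else 0.0

def unified_risk(ident: Identity) -> float:
    return round(W_DAMAGE * damage_score(ident)
                 + W_DORMANCY * dormancy_score(ident)
                 + W_GHOST * ghost_factor(ident), 3)

def severity(ident: Identity, stale_days: int = 90) -> str:
    """Map the page's three detections to labels; the thresholds are assumed."""
    if ghost_factor(ident) == 1.0:
        return "Critical"  # Ghost Account
    if ident.expected_tier is not None and ident.tier < ident.expected_tier:
        return "High"      # Privilege Creep: holds a more privileged tier than the role needs
    if ident.days_inactive >= stale_days:
        return "Medium"    # Stale Token: credential nobody has used recently
    return "Low"

def rank_identities(identities):
    """Highest risk first, the order the dashboard shows them in."""
    return sorted(identities, key=unified_risk, reverse=True)
```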
How we built it
As a solo developer, I architected HybridGuard using a robust data and backend stack consisting of Python, Pandas, SQLite, and Streamlit. The system follows a highly structured pipeline:
- Identity Resolution: Since platforms use wildly different username formats, I built a Fuzzy Name Matching Algorithm using Python's difflib.SequenceMatcher. It cleans usernames, generates naming patterns, and links cross-platform accounts to a canonical HR identity.
- Permission Tier Normalizer: To compare "apples to oranges," I designed a normalizer that maps distinct platform vocabularies into a universal 3-tier system: Tier 0 (Admin), Tier 1 (Elevated), and Tier 2 (Standard).
- Data Storage: Normalized records are stored in a 3NF relational SQLite database (hybridguard.db), allowing for rapid, complex querying.
- Presentation Layer: The front end is a custom, interactive Streamlit console that pairs high-level KPI metrics with sortable, filterable data tables.
Challenges we ran into
- The "No Shared Key" Problem: Reconciling user identities across AWS, Active Directory, and Okta is incredibly difficult because they do not share a primary key. Developing the fuzzy matching logic to reliably link jsmith in AD to john.smith in Okta without generating false positives was a major hurdle.
- Privilege Translation: Comparing an AWS IAM policy to an Active Directory Security Group is technically complex. Designing the Permission Tier Normalizer to accurately translate these different vocabularies into a single comparable metric required extensive schema design and testing.
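The two pipeline steps described under "How we built it" (identity resolution with difflib.SequenceMatcher and the 3-tier normalizer) and the jsmith / john.smith linking problem above, as one added example written for this page rather than taken from HybridGuard: the HR roster, the naming conventions, the 0.85 match threshold and the platform vocabularies are all constructed assumptions.

```python
import difflib
import re

# Constructed HR roster: canonical hr_id -> (first, last)
HR_ROSTER = {"E100": ("John", "Smith"), "E200": ("Alice", "Lee"), "E300": ("Jo", "Smithers")}

# Assumed platform vocabularies mapped to the page's universal tiers:
# 0 = Admin, 1 = Elevated, 2 = Standard. Keys are compared case-insensitively.
TIER_VOCAB = {
    "ad":   {"domain admins": 0, "enterprise admins": 0, "account operators": 1, "domain users": 2},
    "aws":  {"administratoraccess": 0, "poweruseraccess": 1, "readonlyaccess": 2},
    "okta": {"super_admin": 0, "org_admin": 0, "help_desk_admin": 1, "user": 2},
}

def clean_username(raw: str) -> str:
    """Strip DOMAIN\\ prefixes, e-mail suffixes, digits and separators."""
    local = raw.split("@")[0].split("\\")[-1].lower()
    return re.sub(r"[^a-z]", "", local)

def naming_patterns(first: str, last: str) -> set:
    """Common corporate username conventions generated from an HR name."""
    f, l = first.lower(), last.lower()
    return {f + l, f[0] + l, f + l[0], l + f[0], l + f}

def resolve_identity(raw_username: str, roster=HR_ROSTER, threshold: float = 0.85):
    """Return (hr_id, ratio) for the best HR match, or (None, ratio) if below threshold."""
    cleaned = clean_username(raw_username)
    best_id, best_ratio = None, 0.0
    for hr_id, (first, last) in roster.items():
        for pattern in naming_patterns(first, last):
            ratio = difflib.SequenceMatcher(None, cleaned, pattern).ratio()
            if ratio > best_ratio:
                best_id, best_ratio = hr_id, ratio
    # Below the threshold the account stays unlinked rather than risking a false positive
    return (best_id if best_ratio >= threshold else None, round(best_ratio, 3))

def normalize_tier(platform: str, entitlements) -> int:
    """Most privileged (lowest-numbered) tier held; unknown entitlements count as Standard."""
    vocab = TIER_VOCAB[platform]
    return min((vocab.get(e.lower(), 2) for e in entitlements), default=2)
```

An account that resolves to no HR identity is exactly the "ghost" case the risk engine treats as Critical.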
Accomplishments that we're proud of
- Building a complete ISPM pipeline: From raw data simulation to relational database structuring and UI design, successfully developing an end-to-end enterprise cybersecurity tool alone during the hackathon is a massive win.
- Actionable Intelligence: The remediation feature. Instead of just creating another dashboard that shows alerts, HybridGuard actually allows security teams to neutralize threats instantly from the UI via database transactions.
- Compliance Alignment: The platform's logic maps directly to real-world frameworks, satisfying NIST SP 800-53 (least-privilege) and CIS Controls 5 & 6.
What we learned
- Advanced Database Architecture: Designing a 3rd Normal Form (3NF) relational schema to handle complex, multi-platform identity mapping efficiently.
- UI/UX for Security Operations: Learning how to push the boundaries of the Streamlit framework to build a responsive, dark-mode SOC (Security Operations Center) console that prioritizes scannability and quick action.
- Identity Mechanics: A much deeper understanding of how enterprise Identity and Access Management (IAM) vulnerabilities actually manifest in the real world through orphaned accounts and privilege creep.
What's next for HybridGuard
- Machine Learning Integration: Replacing static threat rules with an Isolation Forest Machine Learning model to detect highly subtle behavioral anomalies and deviations in entitlement breadth across peer populations.
- LLM Security Copilot: Integrating an LLM with MCP (Model Context Protocol) directly into the dashboard to allow security analysts to query identity risks using natural language.
- Live API Connectors: Transitioning from simulated flat-file ingestion to live REST API connectors for real-time Okta, AWS, and Azure AD ingestion.