Cirro is an open-source framework for modeling Azure and Entra ID environments as relationship graphs to better understand privilege and security risk.

This session introduces the motivation behind Cirro and the core concepts of graph-based analysis for Azure and Entra ID environments. Led by Cirro creator Leron Gray, the workshop explores why attack path modeling has become a critical technique for understanding privilege relationships in modern cloud environments, what challenges it addresses, and how Cirro approaches data collection and modeling differently from existing tools.

Session Summary:

The workshop walks through how identities, permissions, and resources interact across Azure, demonstrating how seemingly benign configurations can combine into exploitable attack paths. It also highlights the importance of analyzing both the management plane and data plane, showing how deeper visibility into these relationships leads to more accurate risk identification.

Through real-world examples, attendees see how attackers can pivot across identity roles, resource permissions, and infrastructure components (like virtual machines and Key Vaults) to escalate access—reinforcing the need for holistic, graph-driven security analysis.

Key Takeaways:

• How identities, applications, resources, and role assignments map into a relationship graph
• How graph-based models make privilege propagation easier to visualize and analyze
• How attack path analysis works in Azure environments
• Why traditional approaches miss risk without data plane and configuration context
• How Cirro differs from existing tools by providing deeper, more complete visibility
• How attackers chain permissions and resource access into real-world escalation paths
• Why graph-based approaches improve cloud security posture and risk prioritization

Learn more about Cirro: https://bishopfox.com/tools/cirro