KuShu-Atama is a visual mind map project designed to explore strategies in cybersecurity, specifically focusing on attack and defense models. This repository includes both source mind maps and generated artifacts in PDF and PNG formats for easy review and distribution.
KuShu-Atama/
├── artifacts/ # Exported visualizations (PDF/PNG)
│ ├── Entra_Hybrid_Attack_And_Defence_Collapsed.pdf
│ ├── Entra_Hybrid_Attack_And_Defence_Full.pdf
│ ├── M365_Breakglass_Maturity_Model_v1.1.pdf
│ ├── M365_Breakglass_Maturity_Model_v1.2.png
│ ├── SPADE_MindMap_v1.pdf
│ └── SPADE_MindMap_v1.png
├── src/ # Source mind maps
│ ├── Entra_Hybrid_Attack_And_Defence.mm
│ ├── Entra_Hybrid_Attack_And_Defence.smmx
│ ├── M365_BreakGlass_Maturity_v1.1.mm
│ ├── M365_BreakGlass_Maturity_v1.1.smmx
│ ├── SPADE_MindMap_v1.mm
│ └── SPADE_MindMap_v1.smmx
├── LICENSE
└── README.md
This map breaks down hybrid identity attack vectors and corresponding defense strategies across tiers, with visibility into Entra ID, Active Directory, and key integration points.
A structured matrix model for evaluating the maturity of Microsoft 365 breakglass strategies, from unprepared scenarios to highly resilient, isolated configurations.
Recent Additions to v1.1:
- New Level 6: Isolated Resilience
- Offline recovery paths: QR codes, printed passphrases
- Scoped CA policy exclusions guidance
- Multi-outage scenario planning (e.g., misconfig, Microsoft outages, attacker lockouts)
- Optional red-tenant or alternate IDP support for breakglass identity paths
This model aligns with Zero Trust principles and includes implementation insights for Conditional Access, PIM, workload identities, and automated detection/resilience patterns.
This companion model captures common anti-patterns observed in real-world M365 tenants.
Grouped into four categories:
- 🔥 Fire Hazard
- 🔑 Shared Secrets
- 🕳️ Hidden Traps
- 🙈 We Don't Talk About Breakglass
- 📉 Governance
It’s not a maturity ladder, but a cautionary map of what not to do, based on direct experience and community input.
📄 artifacts/M365_Breakglass_Immaturity_Model_v1.0.pdf
🖼️ artifacts/M365_Breakglass_Immaturity_Model_v1.0.png
🧠 src/M365_Breakglass_Immaturity_Model_v1.0.mm
🧠 src/M365_Breakglass_Immaturity_Model_v1.0.smmx
Huge thanks to the security community for contributions, feedback, and field horrors.
Special thanks to: David Sass (@sassdawe) and Kay Daskalakis (@kaydaskalakis) who helped refine the immaturity model through shared insights.
This model captures attack paths, mitigations and related concerns for abuse of SaaS platforms that offer code execution in the browser, where that execution actually occurs on remote execution agents.
- Open `.mm` files in SimpleMind or FreeMind
- Open `.smmx` files in SimpleMind
- For Entra Attack & Defend mind map visuals: import to SimpleMind and set diagram type to Radial
- For matrix visuals: import to SimpleMind and set diagram type to Matrix
- Refer to the `/artifacts` folder for exported, share-ready diagrams in PDF/PNG format
Suggestions, edits, or expansions are always welcome. Feel free to fork, improve, or discuss via GitHub Issues.
These models are not endorsed by Microsoft. They are practical tools designed to help security teams think critically and defensively about privileged identity design in M365.
Feel free to fork, adapt, or reference them with credit to KuShuSec.