This control plane turns Defender exposure data into one buyer-readable surface: attack-path posture, privileged identity risk, device coverage gaps, stale remediation, and the response packets needed before change windows, audits, or tenant trust drift.
| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Attack path lane: an active attack path remains open across admin workstation and cloud app trust. | Exposure Operations | Chained-risk paths across devices, identities, and cloud apps. | red | 2 | Break the chained path before the next privileged change window. |
| Privileged identity lane: privileged identities still carry unresolved Defender recommendations. | Identity Operations | Standing access, break-glass risk, and privileged review hygiene. | red | 2 | Re-validate break-glass access and close excess standing permission paths. |
| Device resilience lane: device exposure is containable, but remediation proof is not complete yet. | Endpoint Engineering | Server exposure, EDR drift, and remediation packet completeness. | yellow | 6 | Restore Defender telemetry and reconcile remediation status for finance nodes. |
| Collaboration posture lane: email posture and collaboration proof are still degraded in the EMEA tenant. | Collaboration Security | Mailbox exposure, anti-phish coverage, and forwarding-risk controls. | red | 3 | Repair collaboration protection evidence before external workflows expand. |