← Case studies

Off-boarding · B2B SaaS archetype

Illustrative scenario: closing the off-boarding gap at a fast-growing SaaS company

Context

A Series-B B2B SaaS company runs lean and fast. Alongside ~180 employees it works with a rotating bench of contractors and agencies who need temporary access to specific systems. People come and go weekly. IT and security are combined into one small team, and de-provisioning is a manual checklist spread across a dozen tools.

The challenge

Offboarding worked — eventually. The identity provider was usually disabled on the last day, but downstream access lagged: a code host here, a data tool there, an API key nobody remembered, a third-party app connected months ago. The team had no reliable way to measure the gap between "departed" and "fully de-provisioned," let alone whether anything happened inside that window. With contractor churn, the backlog of "probably revoked" accounts kept growing.

What the signals show

Secriiti anchors on lifecycle events from the identity provider — terminations and contract-end dates — and correlates them with access and authentication metadata across connected systems. The signals that surface include:

  • Access that outlives the person: authentication or token use recorded after a departure date.
  • Time-to-revoke per system: how long each connected tool takes to actually reach zero access for a leaver — measured, not assumed.
  • Orphaned credentials: service accounts and API keys tied to a departed contractor that were never rotated or reassigned.
  • Pre-departure spikes: unusual access or egress volume in a leaver's final days.

The Secriiti approach

  • Off-boarding & lifecycle signals track each departure to "access zero" across every connected system, flagging the stragglers.
  • Identity & credential signals catch post-departure authentication and dormant keys waking up.
  • High-severity alerting escalates the genuinely urgent case — access used after a departure — immediately, instead of waiting for the weekly digest.
The right off-boarding metric isn't "did we disable the account?" It's "how fast did this person's access reach zero everywhere — and did anything happen before it did?"

What good looks like

Illustrative targets for a team like this:

  • A measured, falling median time-to-revoke across all connected systems.
  • Zero instances of access used after a departure date going unnoticed.
  • A standing inventory of orphaned service accounts and keys, worked to zero.
  • Contractor access that reliably expires with the contract, not weeks later.

Takeaway

Off-boarding risk isn't about whether you have a checklist — it's about the gap between the checklist and reality, and whether you can see it. Measuring time-to-zero from real lifecycle and access metadata turns "we think it's revoked" into "we know, per system, and we'd be alerted if it weren't."

Measure your own time-to-zero

Secriiti's lifecycle and identity signals are built for exactly this. Request early access.

Next scenario: Spotting anomalous egress without reading a file →