Instant Credential Revocation

When an engineer leaves or a client is offboarded, every credential they held across every system should be gone in seconds. Not hours. Not days. Seconds — with a timestamped log you can show an auditor.
Average days to fully revoke a leaver's credentials — manually
Client churn risk per credential incident for MSPs
SEC mandatory breach disclosure window once discovered
Time to revoke all access with MyCena — provably
The problem

Why revocation fails — every time

Revocation failure is not a process problem. It is an architecture problem. You cannot revoke what you do not control. And right now, your users control their own credentials.

01
The leaver with live access
Average 3.2 days to fully revoke a departing employee or contractor across all systems — manually. Every hour is an open door. You cannot revoke what you cannot see.
02
The missed system
No organisation has a complete map of every system a person accessed. One missed system — a legacy portal, a shared login, an old vendor account — is the audit finding that costs you the contract.
03
The MSP cascade risk
One engineer at an MSP touches 8–15 client environments. When they leave, every client’s systems need separate revocation — across systems the MSP doesn’t fully govern. One missed client is a breach.
04
The BPO agent fraud window
High-turnover BPO environments see agents leave and rejoin. With each departure comes a revocation window — days where former agents retain access to client systems they no longer work on.
05
The vendor credential you can’t revoke
Third-party vendors hold credentials to your systems — credentials they created, not you. When the relationship ends, revocation is negotiated, not instant. You don’t own the key.
06
The audit you cannot pass
DORA Article 28, FCA SYSC 8, SOC 2, ISO 27001 — all require demonstrable, auditable access revocation. “We have a process” is not an answer. “Here is the timestamped log” is.
What currently happens vs what should happen

The revocation timeline

When an engineer or agent leaves today — versus with MyCena deployed.

Without MyCena
0 min
Leaver notified
Engineer or agent departure confirmed
IT notified. Revocation checklist started — manually.
2 hrs
Active Directory
Primary account disabled
The central account is off. But every system they authenticated to separately remains live.
1 day
Known systems
Main systems revoked
The systems IT knows about are addressed. The systems discovered during the audit are not yet found.
3.2 days
Industry average
Full revocation complete — maybe
3.2 days average to close all known access. Unknown systems, shared credentials and vendor accounts may remain live for weeks.
With MyCena
0 min
Departure confirmed
Engineer or agent departure confirmed
Same moment. Different architecture.
4 sec
One command
All credentials revoked simultaneously
Every credential across every system — generated by the organisation, revoked by the organisation. No manual checklist. No missed systems.
4 sec
Audit log generated
Timestamped revocation evidence ready
Every credential event — generation, use, revocation — logged in real time. DORA, SOC 2, ISO 27001 evidence ready immediately.
Done
Complete
Complete — provably
Not “we think we got everything.” Provably complete — the log shows every credential issued, to whom, for which system, and when it was revoked.
What MyCena delivers

Revocation that is structural, not procedural

The reason revocation fails is that organisations ask humans to manage keys that belong to other humans. MyCena gives the organisation the keys.

One command revokes everything
Every credential across every system — simultaneously, in seconds. Not a checklist. Not a process. A single authorised action.
No credentials to miss
Because the organisation generated every credential, the organisation knows every credential. There are no shadow credentials. No shared logins. No undiscovered systems.
Timestamped proof — not policy
Every revocation event logged with timestamp, authorising user, and affected systems. “Here is the log” is the answer. Not “here is our offboarding procedure.”
Third parties revoked instantly too
Vendor relationships end. BPO contracts conclude. MSP clients offboard. Every third-party credential is owned by you — revoked the same way, in the same seconds.
“The result of the audit matters more than the cost of the audit. The question is not whether you can afford to revoke instantly — it is whether you can afford not to.”
Allen Moffett — former Global Head of Identity Security, Atos
#1
MSP pain point — access revocation. Before password resets. Before compliance. Before everything else.
What you currently carry
Engineer offboarding overhead £7K–£15K/yr
Client breach notification exposure £90K–£225K/yr
Client churn risk per incident £150K–£500K
Total revocation risk £247K–£740K/yr
Regulatory obligations

Instant revocation is a compliance requirement

It is not a nice-to-have. DORA, FCA, SOC 2, ISO 27001, and HIPAA all require demonstrable, auditable revocation evidence. MyCena generates it automatically.

DORA Article 28
ICT third-party risk management requires documented access governance and instant revocation capability. Continuous audit log satisfies the evidence requirement.
✓ Structurally met
ISO 27001:2022 A.9
Access control requirements demand demonstrable control evidence — not policy documents. Continuous credential event logging provides the A.9 audit evidence.
✓ Structurally met
SOC 2 Type II
Access governance and offboarding controls. MSPs with instant revocation can demonstrate continuous control rather than point-in-time snapshots.
✓ Structurally met
FCA / SYSC 8
Operational resilience requires the ability to demonstrate timely access removal with audit evidence. Manual offboarding checklists do not satisfy SYSC 8.
✓ Structurally met
HIPAA 164.312(a)(1)
Access control requirements for healthcare — real-time logs and architectural access control satisfy HIPAA offboarding and audit obligations.
✓ Structurally met
Cyber insurance
Underwriters assess third-party access governance as a material risk factor. Timestamped revocation logs directly support premium negotiation at renewal.
✓ Premium reduction evidence
How it works

The architecture of instant revocation

Because the organisation generated every credential, the organisation revokes every credential. No checklist. No manual process. No missed systems.

Step 01
Organisation generates every credential
No user creates their own password. MyCena generates every credential centrally — employees, contractors, third parties. The organisation holds all the keys.
Step 02
Credentials injected — never seen
Users authenticate with one click. The credential is injected at the moment of use. They never see it, never copy it, never share it. Nothing to steal.
Step 03
Full access map maintained automatically
Every credential issued is logged — who, which system, when. The complete access map exists automatically. No manual inventory required.
Step 04
One command — everything gone
Departure or offboarding triggers a single revocation command. Every credential across every system revoked simultaneously. Timestamped log generated. Done in seconds.
Take credential control back
See instant revocation in a 2-week proof of value. No infrastructure change.