The credential gap is where every major breach begins.

81% of breaches start with a stolen or compromised credential. MyCena closes that gap structurally — not through policy or training, but by removing credentials from human knowledge entirely.
Of breaches involve stolen or compromised credentials — the single largest attack vector
Average total cost of a credential-based breach — IBM Cost of a Data Breach 2024
Days average dwell time before a credential breach is detected — IBM 2024
0
Value of a credential to an attacker when the user never holds it — MyCena's structural position
The risk in plain terms

Every tool you have leaves the same gap open.

Colonial Pipeline. SolarWinds. Marks & Spencer. Change Healthcare. Every one of these started the same way: an attacker obtained a credential that a human knew. The industry response — longer passwords, MFA, awareness training — leaves the fundamental vulnerability intact. The user still holds the credential. Anything in human hands can be extracted.

MyCena addresses this at the source. The organisation generates every credential centrally and injects it invisibly at login. Users access every system normally — they simply never see, never know, and never hold the credential. There is nothing to phish, share, or steal.

Colonial Pipeline — 2021
$4.4M
A single VPN password on the dark web. 45% of East Coast fuel supply shut for 6 days. National emergency declared.
Entry point: compromised VPN credential
Change Healthcare — 2024
$2.5B
Stolen Citrix credential, no MFA. Nine days inside. 190 million patient records exposed. 94% of US medical practices impacted.
Entry point: stolen remote access credential
Marks & Spencer — 2025
£300M+
Credential access led to ransomware across retail and supply chain systems. Online operations suspended. Shares fell 15%.
Entry point: compromised employee credential
The founding insight
“In the physical world, no employer asks an employee to manufacture their own office key. So why do we ask them to do exactly that in the digital world — every day, for every system?”
— Julia O’Toole, Co-CEO, MyCena Security
Board governance

The three questions your board should be able to answer.

These are the questions regulators, auditors, and insurers are now asking directly. They are not technical questions. They are governance questions.

Question 1 of 3
“If an employee is dismissed today — what happens to their access, and how quickly?”
One command. All systems. Revoked in seconds. Simultaneous across every connected system, logged with a timestamp, confirmed. No manual checklist, no days-long window of residual access. The audit log records termination-to-zero-access time for every departure — exportable on demand for any regulatory review.
Offboarding failures are not IT failures — they are governance failures. When an ex-employee retains access for weeks after departure, the liability sits with the board. NIS2 Article 20 creates personal liability for named management at essential service operators. The question regulators ask is not whether the IT team had a process. The question is whether the board had structural control.
Question 2 of 3
“Can we demonstrate to regulators and auditors exactly who accessed what and when?”
Yes — in under 30 seconds. MyCena generates a complete, tamper-evident audit trail of every access event: user identity, system, timestamp, device, source IP. Every access grant is administrator-authorised and logged. Every revocation is timestamped and confirmed. Exportable for any audit period at 100% coverage.
GDPR, HIPAA, SOC 2, NIS2, and DORA all require demonstrable evidence of individual user accountability — not policy documents. The ICO and OCR have made clear that the question in a post-breach investigation is not whether a policy existed, but whether that policy produced evidence. MyCena generates that evidence automatically for every access event from day one of deployment.
Question 3 of 3
“How do we prevent employees or vendors from sharing or selling access to our systems?”
Structurally — not through policy. Users cannot share or sell what they have never seen. Credentials are generated by the organisation, distributed encrypted, and injected invisibly at login. They never appear in any form a user can copy, share, or surrender under phishing pressure.
Policy-based credential governance assumes compliant behaviour. Training, acceptable use policies, and MFA requirements all operate on the assumption that the user is acting in good faith. The insider threat, the phished credential, and the dark web purchase all bypass policy entirely. Structural control — removing the credential from human knowledge — closes the gap that policy cannot.

“Attackers don’t break in. They log in. The credential is the entry point — and it is still in your employees’ hands.”

What changes

What changes at the governance level.

Before MyCena
Access governance depends on employee behaviour and policy adherence
Offboarding is a manual checklist — access windows of days or weeks are common
Credential sharing is a policy violation, not an architectural impossibility
Audit evidence is manually compiled and frequently incomplete
Regulators receive policy documents, not structural proof
One compromised credential can cascade across every system the user touched
Vendor access persists after engagement ends unless someone remembers to revoke it
After MyCena
Access governance is architectural — the organisation controls every credential
Offboarding is a single command, simultaneous across all systems, logged automatically
Credential sharing is structurally impossible — users never hold credentials
Audit evidence is generated automatically for every access event, at 100% coverage
Regulators and auditors receive evidence, not policy — exportable on demand
Credential compromise is contained to one account — no cascade
Vendor credentials are organisation-controlled and revoked instantly at engagement end
How it works

Four steps. Complete control. No infrastructure change.

MyCena deploys as a software overlay. No changes to existing systems, no disruption to operations. Operational in two weeks.

Step 01
Central generation — no employee creates their own access
Every credential — for employees, contractors, and suppliers — is generated by the organisation centrally. No individual creates a password for any system. Credential ownership is organisational from the moment of creation.
Step 02
Invisible injection — click to connect, nothing to phish
Users click to connect to any system. MyCena injects the credential at authentication. Nothing is displayed, typed, or held. The credential does not exist in any form a user can see, copy, or share.
Step 03
Automatic audit trail — compliance evidence generated continuously
Every access event is logged — which user, which system, timestamp to the second. Audit evidence exists continuously. No manual compilation. No preparation before inspection. Evidence on demand, not on request.
Step 04
Instant revocation — employee or vendor, all systems
An employee is dismissed: one command, all access revoked across every system in seconds. A vendor engagement ends: same command, same speed, complete revocation with timestamped log. A potential breach detected: immediate revocation before lateral movement completes.
Regulatory landscape

Frameworks directly addressed by MyCena.

MyCena generates the evidence required by these frameworks automatically — as a byproduct of normal operation, not as a separate compliance process.

SOC 2 Type II (AICPA TSC)
  • CC6.1 — Logical access controls
  • CC6.2 — User registration & authorisation
  • CC6.3 — Role-based access and removal
  • CC6.6 — External threat protection
  • CC7.2 — Security event monitoring
  • CC9.2 — Vendor access management
HIPAA · GDPR · NIS2 · DORA
  • Unique user identification per system
  • Audit controls — 100% access trail
  • Workforce security and authorisation
  • Person or entity authentication
  • Data integrity via access control
  • Third-party access governance
NIST CSF 2.0
  • PR.AA-01 — Identity & credential management
  • PR.AA-02 — Identity proofing and binding
  • PR.AA-05 — Least privilege access
  • DE.AE-02 — Anomaly detection
  • RS.MA-01 — Incident containment
  • GV.OC-01 — Governance and roles
Request a board briefing
The credential gap is a governance decision. MyCena makes it a solved problem.