Validate access deprovisioning. Prove offboarding. Automate device return.
TheAltening is an API for access control validation. Verify that IdP and SaaS access is removed after termination, detect residual access, and generate audit evidence. Coverage includes Okta, Azure AD, Google Workspace, SAML, and SCIM targets. Device return is tracked with a chain of custody.
What gets validated
Flow
Pass or fail with reasons. Every step is timestamped and signed.
API
REST, JSON. Idempotent endpoints. Webhooks for step updates. OpenAPI 3.1 spec. SDKs for Node and Python.
POST /v1/auth/validate-login
Assert expected outcome against IdP and a set of SaaS targets.
# curl
curl -X POST https://api.TheAltening.com/v1/auth/validate-login \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "user": "lee@company.com",
    "expect": "deny",
    "targets": ["okta", "github", "jira"]
  }'

// Node (ES module; the API key is read from the environment)
import fetch from 'node-fetch'

const r = await fetch('https://api.TheAltening.com/v1/auth/validate-login', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${process.env.TheAltening_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ user: 'lee@company.com', expect: 'deny', targets: ['okta', 'github', 'jira'] })
})
console.log(await r.json())

# Python (the API key is read from the environment)
import os
import requests

r = requests.post(
    'https://api.TheAltening.com/v1/auth/validate-login',
    headers={'Authorization': f"Bearer {os.environ['TheAltening_KEY']}", 'Content-Type': 'application/json'},
    json={'user': 'lee@company.com', 'expect': 'deny', 'targets': ['okta', 'github', 'jira']},
    timeout=10,  # do not let a stalled request hang the caller
)
print(r.json())
POST /v1/offboarding/run
Execute a named offboarding playbook. Produce a signed report.
{
  "user": "lee@company.com",
  "playbook": "standard-employee-exit",
  "webhook": "https://example.com/hooks/TheAltening"
}
POST /v1/devices/handoff
Track laptop or phone return with due dates and MDM checkpoints.
{
  "asset_id": "LAP-20394",
  "assigned_to": "lee@company.com",
  "due": "2025-10-05",
  "steps": ["backup", "wipe", "return"]
}
Use cases
Common ways teams deploy TheAltening.
CI/CD gate
Block a deploy if a required access test fails. Prevent drift.
JML control
Validate leaver steps end to end across IdP and key apps.
Privileged accounts
Test break-glass access and PAM downsizing after role changes.
License cleanup
Confirm seat removal and reclaim unused licenses.
Device return
Collect chain of custody with user attestations and MDM state.
Audit support
Export signed evidence for SOC 2 and SOX control testing.
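The "pass or fail with reasons" result and the CI/CD gate use case above, as an added example that is not TheAltening's own code: a fail-closed evaluator that treats a missing or mismatched target as a failure. The response fields (`results`, `target`, `outcome`, `reason`) and the function name `gate` are assumptions, since the page does not document the response schema.

```python
# Added example: fail-closed gate over a validate-login result.
# ASSUMPTION: the response shape ("results", "target", "outcome", "reason")
# is hypothetical; the page does not document the response schema.
import sys
from typing import Any

# Constructed sample response: okta denies, github still allows, jira is absent.
SAMPLE_RESPONSE: dict[str, Any] = {
    "user": "lee@company.com",
    "results": [
        {"target": "okta", "outcome": "deny", "reason": "account deactivated"},
        {"target": "github", "outcome": "allow", "reason": "org membership still active"},
    ],
}


def gate(requested: list[str], expect: str, response: dict[str, Any]) -> list[str]:
    """Return failure reasons; an empty list means every target matched."""
    if not requested:
        return ["no targets requested"]  # an empty check proves nothing
    results = response.get("results")
    if not isinstance(results, list):
        return ["response has no 'results' list"]
    by_target = {
        r["target"]: r
        for r in results
        if isinstance(r, dict) and isinstance(r.get("target"), str)
    }
    failures = []
    for target in requested:
        r = by_target.get(target)
        if r is None:
            # A target with no verdict is unverified access, not a pass.
            failures.append(f"{target}: no result returned")
        elif r.get("outcome") != expect:
            reason = r.get("reason", "no reason given")
            failures.append(f"{target}: expected {expect}, got {r.get('outcome')!r} ({reason})")
    return failures


if __name__ == "__main__":
    problems = gate(["okta", "github", "jira"], "deny", SAMPLE_RESPONSE)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)  # non-zero exit blocks the pipeline step
```

Comparing against the requested target list, rather than only the results returned, is what catches a target that was silently skipped.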
Overview
Control objectives require evidence. TheAltening performs outcome-based tests and provides repeatable reporting. Use it as part of continuous controls monitoring.
Outcome-based
No screenshots. Actual attempts, with clear pass or fail and reasons.
Policy as code
Store playbooks in git. Review and version the expected state.
Integrations
Okta, Azure AD, Google Workspace, GitHub, Atlassian, Slack, and more.
Pricing
Simple usage pricing. SLA available for enterprise.
Starter
Free
- 1,000 validation units per month
- 3 playbooks
- Webhooks
Team
$99 per month
- 50k validation units
- Unlimited playbooks
- Signed audit exports
Enterprise
Contact
- SSO and SCIM
- Data residency options
- SLA and support
Usage, security, and risk
An outline of intended use and the controls in place.
Service category
B2B security and IT administration tooling focused on control validation for join-move-leave and offboarding. Not a consumer service. No marketplaces or user-generated content.
Intended use
Customers validate access deprovisioning inside systems they own or administer. Tests run with customer-provided credentials or test accounts. The customer confirms authorization to perform validation.
Data handling
Data minimization by design. Typical inputs are business emails, role and group identifiers, asset IDs, and test outcomes. Password collection is not required. Transport is TLS. Storage is encrypted. Logs are redacted for tokens and secrets. Retention is configurable with short defaults.
Operational controls
Scoped API keys, role-based access, rate limiting, signed webhooks, static egress IPs for allow-listing, and respectful use of provider APIs.
Acceptable use
Use only on systems where you have authorization. No attempts to defeat provider anti-abuse protections. No activity targeting individuals. Violations result in account closure.
Compliance support
Outcome-based evidence supports SOC 2, SOX, and ISO 27001 control testing. DPA available. Region selection is available. Security contact and abuse reporting are provided.
Summary
TheAltening is an admin-only API that validates offboarding controls in customer-managed environments using customer-scoped credentials. It produces signed, exportable logs for audits. Data is minimized, encrypted in transit and at rest, and retained for short, configurable periods. Acceptable use is enforced.
FAQ
What is a validation unit?
One assertion against one target. Example: deny login to GitHub for a user.
Sandbox vs production
Run in sandbox during development or validate production on a schedule.
Evidence format
JSON and PDF summary, signed with an integrity hash.
Security
TLS in transit, encrypted at rest, scoped API keys, role-based access.
Get access
Join early access and receive an API key with docs.
One message with the key and a link to the documentation.