Free practitioner's guide · 18 pages · 2026 Q2 edition

The NHI Security Playbook

A year of Cremit's research, condensed. Nine failure patterns, a six-axis severity index, and a 30-60-90 plan you can start Monday.

Authored by Cremit Research. No credit card, no sales call.


Request the Playbook

Share your details and the Cremit team will send the latest edition of the Playbook to your inbox.

By submitting you agree that Cremit may store your information for sales and support follow-up. We don't spam. You can opt out any time.

What's inside

A field reference for practitioners, not a vendor brochure.

The NHI Kill Chain

Nine patterns every security team should be able to name. Ghost, Shadow, Aged, Over-shared, Zombie, Drifted, Public, Unattributed, plus the meta-pattern that ties them together. Each includes detection signals and the one question to bring to your next review.

The Severity Index

A six-axis framework for scoring credential exposure along dimensions CVSS does not capture. Applied end-to-end to real-world cases, including a Slack Bot Token exposed for three years and an Asana Admin API Key exposed for two, so you can use it immediately.

The ISMS-P Crosswalk

For Korean enterprise readers: how the Kill Chain maps to the strengthened ISMS-P certification criteria, the 2027 mandatory-compliance timeline, and what to prepare in 2026 so the external audit becomes a formality.

Table of contents

Five parts, eighteen pages, zero filler.

01

Sprawl and the 45:1 ratio

Why non-human identities now outnumber employees 45 to 1, and why identity programs built for the human-identity problem keep missing the point.

02

The NHI Kill Chain

Nine failure patterns with detection signals, real-world examples, and the questions to bring to your next security review.

03

The Severity Index

A six-axis scoring model for credential exposure, with applied case studies on Slack Bot Tokens and Asana Admin Keys.

04

ISMS-P Crosswalk

Korean compliance mapping: the strengthened ISMS-P certification criteria, the 2027 mandatory-compliance timeline, and a 2026 preparation checklist.

05

The 30-60-90 Plan

A 30-, 60- and 90-day plan for inventorying, owning, rotating, and governing non-human identities.
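The Kill Chain section names its failure patterns (Ghost, Shadow, Aged, Over-shared, Zombie, Drifted, Public, Unattributed) without defining them on this page, and the 30-60-90 plan starts with inventorying and rotating. The script below is an added example, not Cremit's code and not the playbook's methodology: it runs a constructed NHI inventory through detection rules for five of the named patterns and orders the hits into a rotation queue. The pattern definitions, the thresholds (90-day key age, 60-day idle window), the broad-scope and public-location sets, and the sample identities are all assumptions made for illustration.

```python
"""Constructed NHI inventory triage (added example, not the playbook's method).

Flags five Kill Chain patterns named on the page using ASSUMED definitions:
  Aged          - credential older than an assumed rotation policy
  Zombie        - still valid but never/not recently used
  Unattributed  - no human or team owns it
  Over-shared   - holds an assumed "broad" scope
  Public        - a copy was seen in an assumed public location
"""

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed thresholds and sets; tune to your own policy.
MAX_KEY_AGE_DAYS = 90
ZOMBIE_IDLE_DAYS = 60
BROAD_SCOPES = {"admin", "*", "owner"}
PUBLIC_LOCATIONS = {"public-repo", "public-bucket", "paste"}


@dataclass
class NHI:
    name: str
    created: date
    last_used: Optional[date]            # None means never used
    owner: Optional[str]                 # None or "" means nobody claims it
    scopes: set
    found_in: set = field(default_factory=set)  # locations where a copy of the secret was seen


def triage(identity: NHI, today: date) -> list:
    """Return the (assumed) Kill Chain patterns this identity matches."""
    hits = []
    if (today - identity.created).days > MAX_KEY_AGE_DAYS:
        hits.append("Aged")
    if identity.last_used is None or (today - identity.last_used).days > ZOMBIE_IDLE_DAYS:
        hits.append("Zombie")
    if not identity.owner:
        hits.append("Unattributed")
    if identity.scopes & BROAD_SCOPES:
        hits.append("Over-shared")
    if identity.found_in & PUBLIC_LOCATIONS:
        hits.append("Public")
    return hits


def rotation_queue(inventory, today: date) -> list:
    """Order flagged identities for rotation work: anything Public first
    (an attacker may already hold it), then by number of patterns matched."""
    scored = []
    for nhi in inventory:
        hits = triage(nhi, today)
        if hits:
            scored.append(("Public" in hits, len(hits), nhi.name, hits))
    scored.sort(key=lambda t: (-int(t[0]), -t[1], t[2]))
    return [(name, hits) for _, _, name, hits in scored]


# Constructed sample inventory; names, dates and scopes are invented.
TODAY = date(2026, 4, 1)
SAMPLE = [
    NHI("ci-deploy-key", date(2023, 3, 1), date(2026, 3, 30), "platform-team", {"deploy"}),
    NHI("chatops-bot-token", date(2023, 1, 10), date(2026, 3, 31), None,
        {"chat:write", "admin"}, {"public-repo"}),
    NHI("pm-tool-admin-key", date(2024, 2, 1), None, "", {"admin"}),
    NHI("metrics-reader", date(2026, 2, 1), date(2026, 3, 28), "sre", {"read:metrics"}),
]

if __name__ == "__main__":
    for name, hits in rotation_queue(SAMPLE, TODAY):
        print(f"{name}: {', '.join(hits)}")
```

Run against the sample, the identity that is both publicly exposed and unowned lands at the head of the queue, the never-used admin key comes next, and the healthy short-lived reader credential is not flagged at all. In a real inventory the `created`, `last_used` and `found_in` fields would come from your IdP, cloud audit logs and a secret scanner respectively; the script only shows how the pattern checks compose once that data exists.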

Built on published research

  • Referenced in the NHI Kill Chain nine-part blog series, read by security teams at startups and enterprises.
  • Synthesizes Cremit Research's 2025-2026 field analysis.
  • Includes methodology cited across Korean security community discussions.

Frequently asked questions

Is this really free?
Yes. Direct PDF download, no registration and no sales call required.
Who is it for?
Security engineers, DevSecOps leads, CISOs, and platform teams running into the NHI governance gap. Useful whether you already run a secret detection tool or you're starting from zero.
Does the Korean version cover the same content?
Yes. The Korean edition includes the full mapping to the strengthened ISMS-P certification criteria and the 2027 mandatory-compliance preparation section in detail.
Can I share it with my team?
Yes. Internal sharing with attribution is explicitly allowed. For external reuse, contact us.
Will I get spam?
No. There is no email collection. The PDF is a direct download.

Grab the playbook

Eighteen pages, built from field research and published by practitioners. Take it back to your team today.