Every scan runs a security audit against your real Dynamics customization graph: a role shared between humans and integrations, an over-broad grant, an application user that can write the security model. Each finding carries a severity, the principals it exposes, and the control it answers to, and you work it from open to mitigated without leaving Pathix.
This is the risk Pathix finds in your environment. For how Pathix itself is built and secured, see Security →
A scan lands in the console: every open finding across the environment, faceted by severity and category, each with a delta since the scan before. A privileged role shared between a human and an integration, a disabled user that still holds its roles, a field secured with no profile that can read it, in one ranked list you work top down. Each finding can be assigned and triaged with a captured reason, and an environment-wide decision log records who decided what and when.
A scan on a ten-year-old environment can surface a lot at once, and a wall of alerts is one a team learns to ignore. Pathix is built so that does not happen. Findings on Microsoft-shipped and system-authored components are flagged as noise and hidden by default, so you see what your team actually owns rather than thousands of platform artifacts. What remains groups by rule and sorts by severity, so you work a short list of rules from the top instead of a backlog no one reads, and when a view is hiding anything it says so, with nothing suppressed silently.
When a finding is a known, accepted risk, an admin accepts it with a written justification. It leaves the working view and lands in an append-only decision log, and it stays accepted the next time the scan re-detects it, so the call is made once, not on every scan. An entire finding type can be tuned out across the environment, reversibly, without losing the record. Every acceptance and suppression is captured with who, when, and why: an auditable risk-acceptance trail that maps cleanly to your exception-management controls.
Open a finding and Pathix explains the risk in plain language, scores its severity, names the principals affected, and gives concrete remediation steps. Each one maps to the control it satisfies, so the work is legible to a security review, not just to you. A status workflow of open, reviewing, accepted risk, and mitigated, plus a captured reason and an activity log, means the decision and who made it are recorded by the time anyone asks.
Control mappings (SOC 2 CC6.3, ISO 27001 A.8.2 and the like) are shown where a finding maps cleanly. Pathix surfaces and tracks the risk; it is not a substitute for your audit or your auditor.
With AI on: hand a finding to an agent over the Pathix MCP and it triages the risk, drafts the remediation, and checks whether your last change actually cleared it.
Every finding rolls up to its type, and the type page is its definition: what the risk is, the remediation that clears it, and every instance of it in your environment with the principals each one exposes. The instances-per-scan trend is the part that matters to a CISO: it tells you whether you are actually closing this class of risk, or just opening new ones faster than you fix the old.
A finding is a verdict: a check fired, and it carries a severity. But a field can also matter because it is prominent in the graph, heavily written, sensitive, sitting next to a finding, even with no finding on it. Signals shows both, in separate lanes that never merge: findings ranked by severity, hotspots ranked by salience. A high-severity finding on a quiet field and a noisy field with no finding each deserve a look, for different reasons. Salience flags what is noisy, not what is risky, and a low score is not a safety verdict.
The feed also surfaces observations: deterministic checks on your own plugin code, starting with catch blocks that silently swallow exceptions, so a failure that vanishes today becomes visible. The check runs even with no AI configured.
The risks that matter in Dynamics live in its own security model: roles, teams, the business-unit hierarchy, field-level security, application users, and the privileges the platform grants quietly on its own. Pathix reads all of it from the same deterministic graph that traces your dependencies, so it flags a role widened across a human and an integration, a disabled user that still holds its roles, or a field secured with no profile that can read it, the exposure an IAM tool pointed at the tenant never sees.
And Pathix never calls an environment clean without showing you what it did not scan. No findings is not the same as no problems, and the product says so out loud. One click turns the open findings into a printable Environment Report, the leave-behind for an assessment.
A 30-minute walkthrough on a pre-scanned demo environment. No access to your tenant, nothing to install.