
Ledger Concepts

[Figure: Ledger Architecture Diagram]

Note:

Ledger integrations DO NOT, under any circumstances, transmit secret values to the Defakto Control Plane. Integrations record metadata about discovered secrets (e.g. secret type, location). For example, an integration might report the name of an environment variable, and that it contains a suspected AWS Access Secret Key, but not the Secret Key's value.

Integrations may record prefixes or hints to fingerprint secrets, but only in circumstances where that data also exists as a plaintext reference in a source system (e.g. the first 4 characters of a MS Entra Enterprise Application password are also displayed in the Entra console).
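The following is an added example, not Ledger's integration code, showing what the note above means in practice: an integration-side scanner that classifies environment variables and emits only metadata (location, suspected type) to the control plane, and records a short fingerprint prefix only for a secret type whose source system already displays that prefix. The detection regexes, the type names, the `PREFIX_HINT_ALLOWED` allowlist and the `known_type` parameter are assumptions made for this example; the environment and credential-shaped values are constructed and fake.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Detection patterns keyed by secret type. The regexes and type names are
# constructed for this example and are not Ledger's own detection rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "aws_secret_access_key": re.compile(r"^[A-Za-z0-9/+=]{40}$"),
    "github_pat": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
}

# Secret types whose source system already displays a short plaintext prefix
# (the Entra console shows the first characters of an application password),
# so a hint of that length may be recorded. Assumed allowlist for this example.
PREFIX_HINT_ALLOWED = {"entra_app_password": 4}


@dataclass(frozen=True)
class SecretRecord:
    """Metadata that leaves the integration. The secret value itself never does."""
    location: str
    secret_type: str
    fingerprint_hint: Optional[str]


def classify(value: str) -> Optional[str]:
    """Return the suspected secret type for a value, or None if it looks benign."""
    for secret_type, pattern in PATTERNS.items():
        if pattern.match(value):
            return secret_type
    return None


def record_env_var(name: str, value: str, known_type: Optional[str] = None) -> Optional[SecretRecord]:
    """Build the metadata record for one environment variable.

    known_type (hypothetical parameter) is used when the source system has
    already told the integration what kind of secret the variable holds.
    """
    secret_type = known_type or classify(value)
    if secret_type is None:
        return None
    hint_len = PREFIX_HINT_ALLOWED.get(secret_type)
    hint = value[:hint_len] if hint_len else None
    return SecretRecord(location=f"env:{name}", secret_type=secret_type, fingerprint_hint=hint)


def scan_environment(env: dict) -> list:
    """Classify every variable and return only the metadata records."""
    records = []
    for name, value in env.items():
        record = record_env_var(name, value)
        if record is not None:
            records.append(asdict(record))
    return records


def build_payload(env: dict) -> str:
    """Serialise what would be sent to the control plane: metadata only."""
    return json.dumps({"secrets": scan_environment(env)}, sort_keys=True)


# Constructed sample environment; the credential-shaped values are fake.
SAMPLE_ENV = {
    "HOME": "/home/app",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY000000",
    "AWS_SECRET_ACCESS_KEY": "examplesecretkeyexamplesecretkey12345678",
    "LOG_LEVEL": "info",
}

if __name__ == "__main__":
    print(build_payload(SAMPLE_ENV))
```

The useful check here is the negative one: after serialising, assert that no classified value appears anywhere in the outgoing payload. That assertion is cheap to keep in an integration's test suite and catches the common regression of logging or echoing a value while debugging.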

Overview

Ledger is Defakto's unified platform for non-human identity (NHI) visibility, risk management, and secret eradication. Static secrets that live in environment variables, config files, and vaults accumulate over time, and most organizations lack visibility into where they are, who uses them, or whether they're still needed. Organizations use Ledger to discover where those secrets live, understand the risk each one poses, and run remediation campaigns — eradicating them and replacing them with short-lived Mint credentials where possible.

How Ledger Works

Ledger begins by collecting data from integrations deployed across your cloud and on-premise environments. Integrations query IAM APIs, audit logs, and workload configurations to discover Applications, Identities, Deployments, and the Secrets used to connect them. This data is continuously refreshed so Ledger's inventory reflects the current state of your environment.

With that inventory in place, Ledger maps the relationships between discovered items and surfaces them in the Defakto Console. You can trace a Secret from the Identity that owns it, through the Application it belongs to, down to every Deployment actively using it — giving you the organizational context needed to understand scope and assign ownership.

Ledger then scores each Secret across multiple risk dimensions: how old it is, when it was last used, how many applications share it, how it is stored, and how broadly it allows access. Scores are updated after every Scan, so risk levels reflect changes as they happen. See Risk Scoring for a full breakdown of how scores are calculated.

Based on those scores, Ledger recommends a remediation action for each Secret — whether that is rotation, retirement, or replacement with a Mint-issued short-lived credential. Recommendations account for the type of Secret, the platform it lives on, and whether the associated applications are already enrolled in Mint.
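To make the two preceding paragraphs concrete, here is an added example (not Ledger's scoring engine, whose actual rules are in the Risk Scoring documentation) that scores a Secret on the five dimensions named above and then picks a recommended action from the score inputs, the Secret's type and platform, and Mint enrolment. The thresholds, the 0..25 per-dimension weights, the storage and scope categories, and the `MINT_REPLACEABLE` table are all assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class SecretFacts:
    secret_type: str           # e.g. "aws_access_key", "entra_app_password"
    platform: str              # e.g. "aws", "entra", "kubernetes"
    created: date
    last_used: Optional[date]  # None means no usage has ever been observed
    shared_by: int             # number of Applications using this Secret
    storage: str               # "vault", "k8s_secret", "config_file", "env_var"
    scope: str                 # "narrow", "broad", "admin"


# Each dimension contributes 0..25 and the sum is clamped to 0..100.
# Thresholds and weights are assumed for this example.
STORAGE_RISK = {"vault": 0, "k8s_secret": 10, "config_file": 20, "env_var": 25}
SCOPE_RISK = {"narrow": 0, "broad": 15, "admin": 25}


def score_age(facts: SecretFacts, today: date) -> int:
    age_days = (today - facts.created).days
    if age_days <= 90:
        return 0
    return 10 if age_days <= 365 else 25


def score_staleness(facts: SecretFacts, today: date) -> int:
    if facts.last_used is None:
        return 25  # never used: highest staleness risk
    idle_days = (today - facts.last_used).days
    if idle_days <= 30:
        return 0
    return 10 if idle_days <= 180 else 20


def score_sharing(facts: SecretFacts) -> int:
    if facts.shared_by <= 1:
        return 0
    return 10 if facts.shared_by <= 3 else 25


def risk_score(facts: SecretFacts, today: date):
    """Return (total, per-dimension breakdown) so the dominant factor is visible."""
    dims = {
        "age": score_age(facts, today),
        "staleness": score_staleness(facts, today),
        "sharing": score_sharing(facts),
        "storage": STORAGE_RISK.get(facts.storage, 25),  # unknown storage = worst case
        "scope": SCOPE_RISK.get(facts.scope, 25),
    }
    return min(100, sum(dims.values())), dims


# (platform, secret_type) pairs for which a Mint-issued short-lived credential
# can stand in for the static secret. Assumed table, not Ledger's.
MINT_REPLACEABLE = {("aws", "aws_access_key"), ("entra", "entra_app_password")}


def recommend(facts: SecretFacts, today: date, mint_enrolled: bool) -> str:
    """Pick retire / replace_with_mint / rotate from the same facts the score uses."""
    if facts.last_used is None and (today - facts.created).days > 90:
        return "retire"  # old and never used: nothing depends on it
    if mint_enrolled and (facts.platform, facts.secret_type) in MINT_REPLACEABLE:
        return "replace_with_mint"
    return "rotate"


# Constructed sample Secrets.
TODAY = date(2024, 6, 1)
LOW = SecretFacts("aws_access_key", "aws", date(2024, 5, 1), date(2024, 5, 31), 1, "vault", "narrow")
HIGH = SecretFacts("aws_access_key", "aws", date(2021, 1, 1), None, 5, "env_var", "admin")
MID = SecretFacts("aws_access_key", "aws", date(2023, 1, 1), date(2024, 5, 20), 2, "env_var", "broad")

if __name__ == "__main__":
    for name, facts in (("low", LOW), ("high", HIGH), ("mid", MID)):
        total, dims = risk_score(facts, TODAY)
        print(name, total, dims, recommend(facts, TODAY, mint_enrolled=True))
```

Returning the per-dimension breakdown alongside the total is deliberate: a single number tells a team a Secret is risky, while the breakdown tells them why (never used versus shared by five applications), which is what decides whether the answer is retirement or replacement.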

For each recommended action, Ledger guides users through the remediation steps at the source. Where migration to Mint is possible, Ledger orchestrates the full workflow: planning the replacement credential, managing the transition period during which both old and new credentials are active, and retiring the original secret once the cutover is confirmed.

Throughout this process, Ledger tracks NHI adoption over time. Teams can monitor progress toward secretless goals, measure the reduction in secret exposure across their environment, and report on milestones to stakeholders.

Terminology

Application

An Application is a logical representation of a software service or component, such as "the payments service" or "the data pipeline worker." Applications are not tied to any particular infrastructure; in practice, a single Application is often deployed across multiple environments, regions, or stacks such as test and production.

Deployment

A Deployment is a specific running instance of an Application in a particular environment, such as the payments service running in the production cluster in us-east-1.

Integrations such as the Kubernetes integration discover Deployments by scanning your infrastructure. Each discovered Deployment is linked to a parent Application based on shared characteristics such as origin, ownership, or configuration. Ledger also inspects each Deployment to find the secrets it consumes, including those stored in environment variables, Kubernetes Secrets, ConfigMaps, or volume mounts.

Identity

An Identity is a non-human account managed by an identity provider, such as a Microsoft Entra service principal, an AWS IAM user, or a GCP service account. Identities are the primary principals that own Secrets.

Integrations discover Identities by querying cloud IAM APIs and audit logs, capturing metadata such as creation date, last sign-in activity, and assigned permissions. Ledger uses this metadata to assess risk and surface unused or over-privileged accounts that are candidates for retirement.

Secret

A Secret is a credential owned by an Identity, such as a password, API key, access key, certificate, or federated credential. Secrets are cataloged by integrations, which record metadata about them (type, location, validity window, and recent usage activity) without ever capturing the secret's value.

Ledger scores each Secret across multiple risk dimensions and tracks it through its full lifecycle, from initial discovery through rotation, retirement, or replacement with a Mint-issued short-lived credential. See Risk Scoring for details on how risk is assessed.

Integration

An Integration connects Ledger to an external system, giving it the ability to discover and inspect resources in that environment. Most integrations require only a permission grant, such as read access to a cloud provider, and Defakto handles collection remotely. In some cases, such as the Kubernetes integration, a lightweight runtime job is installed within your infrastructure to perform the scan.

Scan

A Scan is a single collection run performed by an integration. Each time an integration executes, it produces a Scan record that represents the observed state of your environment at that moment. Scans move through a lifecycle, from creation, through processing, to success or failure, and their results drive updates to Ledger's view of your Applications, Identities, Deployments, and Secrets.

Ledger compares successive Scans to detect drift: when a Secret disappears from a Deployment, or a new Identity appears in your cloud provider, Ledger records the change and updates risk scores accordingly.
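The drift detection described above, as an added example that is not Ledger's code: two Scan snapshots are compared to produce drift events (an Identity appearing or disappearing, a Secret becoming bound to or unbound from a Deployment), and the per-Secret deployment count that feeds the sharing dimension is recomputed from the newer Scan. The snapshot shape, the event names and the sample identifiers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Binding = Tuple[str, str]  # (deployment_id, secret_id)


@dataclass(frozen=True)
class ScanSnapshot:
    """What one Scan observed. Assumed shape for this example."""
    scan_id: str
    identities: FrozenSet[str]
    bindings: FrozenSet[Binding]


@dataclass(frozen=True)
class DriftEvent:
    kind: str     # identity_added, identity_removed, secret_bound, secret_unbound
    subject: str  # identity id or secret id
    detail: str   # scan id for identities, deployment id for bindings


def diff_scans(prev: ScanSnapshot, curr: ScanSnapshot) -> List[DriftEvent]:
    """Emit one event per change between successive Scans, in a stable order."""
    events = []
    for ident in sorted(curr.identities - prev.identities):
        events.append(DriftEvent("identity_added", ident, curr.scan_id))
    for ident in sorted(prev.identities - curr.identities):
        events.append(DriftEvent("identity_removed", ident, curr.scan_id))
    for deployment, secret in sorted(prev.bindings - curr.bindings):
        events.append(DriftEvent("secret_unbound", secret, deployment))
    for deployment, secret in sorted(curr.bindings - prev.bindings):
        events.append(DriftEvent("secret_bound", secret, deployment))
    return events


def deployment_count(snapshot: ScanSnapshot) -> Dict[str, int]:
    """Distinct Deployments per Secret: the input to the sharing risk dimension."""
    seen: Dict[str, Set[str]] = {}
    for deployment, secret in snapshot.bindings:
        seen.setdefault(secret, set()).add(deployment)
    return {secret: len(deps) for secret, deps in seen.items()}


def orphaned_secrets(prev: ScanSnapshot, curr: ScanSnapshot) -> Set[str]:
    """Secrets that were in use last Scan and are bound nowhere now: retirement candidates."""
    still_bound = {secret for _, secret in curr.bindings}
    return {secret for _, secret in prev.bindings} - still_bound


# Constructed sample Scans.
PREV = ScanSnapshot(
    "scan-001",
    frozenset({"sp-a", "sp-b"}),
    frozenset({("payments-prod", "sec-1"), ("payments-staging", "sec-1"), ("pipeline-prod", "sec-2")}),
)
CURR = ScanSnapshot(
    "scan-002",
    frozenset({"sp-a", "sp-b", "sp-c"}),
    frozenset({("payments-prod", "sec-1"), ("pipeline-prod", "sec-3")}),
)

if __name__ == "__main__":
    for event in diff_scans(PREV, CURR):
        print(event)
    print("sharing:", deployment_count(CURR), "orphaned:", orphaned_secrets(PREV, CURR))
```

Note that a Secret being unbound from one Deployment and a Secret being orphaned are different signals: the first lowers the sharing dimension, the second makes the Secret a retirement candidate only if no other Deployment still uses it, which is why `orphaned_secrets` checks the whole newer Scan rather than the individual unbound events.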

Remediation

Remediation is the process of eliminating a Secret risk, by retiring an unused secret, rotating it to a new value, or replacing it entirely with a Mint-issued short-lived credential. Ledger structures this work as a guided workflow with discrete stages.

A Remediation workflow progresses through planning, deployment of any replacement credential, a transition period during which both old and new credentials may be active, retirement of the old secret, and finally completion. Ledger tracks the status of each workflow, giving teams a clear view of what is in progress and what has been resolved.
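The stage sequence described above, modelled as an added example (not Ledger's workflow engine): a small state machine that walks a Remediation through planning, deployment, transition, retirement and completion, skips the deployment and transition stages when the action is a plain retirement with no replacement credential, and refuses to retire the old secret until cutover has been confirmed. The action names, the stage ordering per action, the `cutover_confirmed` flag and the `active_credentials` model are assumptions for this example.

```python
from enum import Enum
from typing import List, Set


class Stage(Enum):
    PLANNING = "planning"
    DEPLOYMENT = "deployment"
    TRANSITION = "transition"
    RETIREMENT = "retirement"
    COMPLETE = "complete"


FULL_SEQUENCE = [Stage.PLANNING, Stage.DEPLOYMENT, Stage.TRANSITION, Stage.RETIREMENT, Stage.COMPLETE]

# Stage sequence per action. Retiring an unused secret deploys no replacement,
# so it skips deployment and transition. Assumed model for this example.
STAGE_ORDER = {
    "rotate": FULL_SEQUENCE,
    "replace_with_mint": FULL_SEQUENCE,
    "retire": [Stage.PLANNING, Stage.RETIREMENT, Stage.COMPLETE],
}


class RemediationError(Exception):
    pass


class Remediation:
    def __init__(self, secret_id: str, action: str):
        if action not in STAGE_ORDER:
            raise RemediationError(f"unknown action {action!r}")
        self.secret_id = secret_id
        self.action = action
        self._steps = STAGE_ORDER[action]
        self._index = 0
        self.history: List[Stage] = [Stage.PLANNING]

    @property
    def stage(self) -> Stage:
        return self._steps[self._index]

    def advance(self, cutover_confirmed: bool = False) -> Stage:
        """Move to the next stage; retirement of a replaced secret needs confirmed cutover."""
        if self.stage is Stage.COMPLETE:
            raise RemediationError("workflow already complete")
        nxt = self._steps[self._index + 1]
        has_replacement = self.action != "retire"
        if nxt is Stage.RETIREMENT and has_replacement and not cutover_confirmed:
            raise RemediationError("cutover not confirmed; old credential must stay active")
        self._index += 1
        self.history.append(nxt)
        return nxt

    def active_credentials(self) -> Set[str]:
        """Which credentials are live at the current stage (assumed model)."""
        if self.action == "retire":
            return {"old"} if self.stage is Stage.PLANNING else set()
        return {
            Stage.PLANNING: {"old"},
            Stage.DEPLOYMENT: {"old"},
            Stage.TRANSITION: {"old", "new"},  # both active during the transition period
            Stage.RETIREMENT: {"new"},
            Stage.COMPLETE: {"new"},
        }[self.stage]


def run_rotation(secret_id: str) -> List[Stage]:
    """Drive a rotate workflow end to end, confirming cutover at the transition."""
    wf = Remediation(secret_id, "rotate")
    while wf.stage is not Stage.COMPLETE:
        wf.advance(cutover_confirmed=(wf.stage is Stage.TRANSITION))
    return wf.history


if __name__ == "__main__":
    print([s.value for s in run_rotation("sec-1")])
```

The guard on the retirement transition is the part worth copying: whatever orchestrates the cutover should be the only thing able to set `cutover_confirmed`, so that the old credential cannot be retired by a stage change alone while a Deployment is still using it.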

Where a Deployment is already on the Mint platform, Ledger can recommend and orchestrate migration to workload identity federation, replacing the static secret with an automatically rotated SVID and eliminating the secret entirely.