Classifications
Classifications group accounts by their assigned classification labels (such as "Admin", "Service Account", or "Standard User"). Each classification provides pre-calculated risk metrics that help security teams assess the posture of account groups without running ad-hoc queries.
Overview
What it is: Classifications are account groupings derived from classification rules configured in Hydden Discovery. Hydden.Control imports these classifications during data sync and computes aggregate security statistics for each group.
Why it matters: Reviewing accounts one by one does not scale. Classifications let you compare risk across account groups — for example, comparing MFA coverage between admin accounts and standard user accounts, or tracking how many privileged accounts lack an owner.
Classifications List
Navigate to Classifications in the left sidebar to view all imported classifications.
Summary Statistics
The page header displays four summary cards:
| Card | Description |
|---|---|
| Total Classifications | Number of distinct classification groups |
| Total Accounts | Sum of accounts across all classifications |
| Unique Platforms | Number of platforms represented |
| Average Risk Score | Mean risk score across all classified accounts |
Search and View
- Search — Filter classifications by name or description (real-time filtering)
- View Toggle — Switch between List view (compact rows) and Tile view (cards)
- Refresh — Reload classification data from the latest sync
Classification Details
Click a classification to open its detail page. The detail page provides a comprehensive risk breakdown for all accounts in the classification.
Risk Metrics
The detail page displays pre-calculated statistics across several security dimensions:
MFA Coverage:
| Metric | Description |
|---|---|
| MFA Disabled Count | Accounts without multi-factor authentication |
| MFA Disabled Percentage | Proportion of accounts lacking MFA |
Password Hygiene:
| Metric | Description |
|---|---|
| Password Never Set | Accounts where no password was ever configured |
| Password Age 90+ Days | Accounts with passwords older than 90 days |
| Password Age 180+ Days | Accounts with passwords older than 180 days |
| Password Age 365+ Days | Accounts with passwords older than one year |
Account Staleness:
| Metric | Description |
|---|---|
| Stale 90+ Days | Accounts with no login activity for 90+ days |
| Stale 180+ Days | Accounts with no login activity for 180+ days |
| Stale 365+ Days | Accounts with no login activity for 365+ days |
Privileged Accounts:
| Metric | Description |
|---|---|
| Total Privileged | Accounts classified as privileged |
| Highly Privileged | Accounts with the highest privilege level |
| Unvaulted | Privileged accounts not managed by a PAM solution |
| Unvaulted Percentage | Proportion of privileged accounts without PAM coverage |
Other Risk Indicators:
| Metric | Description |
|---|---|
| Shared Accounts | Accounts mapped to multiple owners |
| No Owner | Accounts without an assigned owner (orphaned) |
| Breached | Accounts flagged by breach detection (e.g., HIBP) |
| Failed Logins | Accounts with recent failed login attempts |
| Top Risk Accounts | Highest-risk accounts in the classification with their scores |
Account Distribution
The detail page also shows distribution breakdowns:
- By Status — Active, Disabled, Suspended account counts
- By Type — Service, User, Admin account counts
- By Platform — Account counts per connected platform (Active Directory, Azure, Okta, etc.)
Common Workflows
Compare Classification Risk
- Open the Classifications page.
- Review the summary cards for total accounts and average risk score.
- Click into individual classifications to compare MFA coverage, password hygiene, and privileged account metrics across groups.
- Use the findings to prioritize remediation — for example, focusing on classifications with high unvaulted privileged accounts.
Identify Hygiene Gaps
- Open a classification detail page (e.g., "Admin" accounts).
- Review the Password Hygiene and Account Staleness sections.
- Note accounts with passwords older than 90 days or no login for 180+ days.
- Use this data to justify password rotation campaigns or account cleanup initiatives.
Related Topics
- Applications — Application-level access review
- Campaigns — Access review campaigns
- Custom Dashboards — Visualize classification metrics in dashboard widgets
- Data Sync — Synchronize classification data from Discovery