Privileged Access Management (PAM) constrains who can use privileged credentials and when they can use them. EoP Auditing tests whether the local Windows configuration allows privilege escalation once an attacker has any foothold. PAM is a preventive control on credential usage. EoP Auditing is a detective control on configuration weakness. They serve different defense-in-depth roles, and a mature Windows security program runs both. PAM is not a substitute for EoP Auditing, and EoP Auditing is not a substitute for PAM.
What PAM does
Privileged Access Management products vault privileged credentials in an encrypted store and mediate access to them through approval workflow, session monitoring and credential rotation. Major PAM products include CyberArk, BeyondTrust, Delinea (formerly Thycotic), Microsoft Privileged Identity Management and several smaller vendors targeting the mid-market.
The PAM operational model is that administrators do not hold standing privileged credentials themselves. They request access through the PAM platform; the platform records the request and delivers the credential for a time-limited session; the session is monitored and recorded; and the credential is rotated after use. The blast radius of any individual credential compromise is materially reduced because the credential is short-lived and every use of it is logged.
Specific capabilities PAM products deliver include credential vaulting, session recording, just-in-time access provisioning, credential rotation, privileged session monitoring, secrets management for application-to-application authentication and delegated authorization workflow for sensitive operations. The compliance value is significant because many frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA) explicitly require privileged access controls.
What EoP Auditing does
EoP Auditing tests whether the local Windows configuration on a host allows privilege escalation from any starting identity to a more privileged identity. The Sherlock EoP Auditor enumerates the conditions that would let a regular user account become SYSTEM, regardless of which user account was compromised and regardless of which privileged credential was protected by PAM.
Specific conditions EoP Auditing tests include third-party Windows services running as SYSTEM with authorization gaps, named pipe authorization issues in privileged services, kernel driver attack surfaces, scheduled task misconfigurations, COM object permission gaps, registry ACL issues on autorun paths, file system permission vectors on privileged executables and token impersonation opportunities through Windows API misuse.
The findings are configuration-class. They exist on the local Windows host independent of which identity is logged in. A perfectly hardened PAM deployment does not eliminate them because the conditions sit at the OS and third-party software layer, below the credential management layer.
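One of the conditions listed above, file system permission vectors on privileged executables, can be screened for with built-in tooling. The following is an added example and not the Sherlock EoP Auditor's code: it lists services running as LocalSystem outside the Windows directory whose image file grants write, delete, permission-change or take-ownership rights to a broad non-administrative principal. It assumes an elevated PowerShell session on the host under review and English-locale principal names.

```powershell
# Added example, not Sherlock EoP Auditor code: screen LocalSystem services outside
# %SystemRoot% for image files writable by broad, non-administrative principals.
# Assumes an elevated PowerShell session on the host under review (English principal names).

$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the file be replaced or its ACL loosened.
$tamperMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceImagePath {
    param([string]$PathName)
    # Reduce a service command line to its executable:
    #   "C:\Program Files\Vendor\svc.exe" -arg  ->  C:\Program Files\Vendor\svc.exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableSystemServiceImage {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc  = $_
            $path = Get-ServiceImagePath $svc.PathName
            # Focus on third-party software; Windows' own binaries live under %SystemRoot%.
            if ($path -like "$env:SystemRoot\*" -or -not (Test-Path -LiteralPath $path)) { return }
            $acl = Get-Acl -LiteralPath $path
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadPrincipals -contains $ace.IdentityReference.Value -and
                    ($ace.FileSystemRights -band $tamperMask)) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        ImagePath = $path
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

# Each row is a review item: the service runs as SYSTEM, yet a non-admin principal can alter its image.
Find-WritableSystemServiceImage | Format-Table -AutoSize
```

A hit is a review item, not a verdict: confirm no Deny entry narrows the ACE, and review the parent directory's ACL as well, since a writable directory matters as much as a writable file.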
Why PAM does not prevent the escalation findings EoP Auditor surfaces
The architectural mismatch matters. PAM controls who gets the privileged credential. EoP Auditor tests what happens after any user lands on the host through any path.
Consider the scenario where an attacker compromises a regular user account through phishing. The user has no PAM-vaulted privileged credentials, no admin rights, no special access. The PAM control did its job: the attacker did not get a vaulted credential. But the user lands on a Windows host that has a third-party Windows service with a named pipe authorization gap. The attacker uses the regular user account to send messages to the named pipe and invoke the privileged operations the service exposes. The attacker is now SYSTEM on that host without ever touching a PAM-vaulted credential.
This pattern is exactly the configuration-class privilege escalation surface Sherlock Forensics Labs documented in our recent SF-LABS-2026-04 disclosure (the PARTY LINE category). The PAM deployment is irrelevant to the attack chain because the attack does not require a privileged credential. The attack requires a Windows host with a vulnerable configuration that exposes privileged operations to unprivileged callers.
Multiple recent ransomware case investigations Sherlock Forensics responded to follow this pattern. The PAM deployment was sound. The compromised credential was never vaulted because it was an end-user credential that did not warrant vaulting. The escalation happened at the configuration layer below PAM's reach.
Why EoP Auditing does not replace PAM
The reverse mismatch also matters. EoP Auditing tests for escalation surfaces but does nothing about the standing-credential exposure that PAM addresses.
Consider the scenario where an administrator holds a standing domain admin credential on their workstation. EoP Auditor finds zero privilege escalation surfaces on that workstation: the configuration is hardened. But the administrator's workstation gets compromised through a different vector (browser zero-day, malicious package, supply chain compromise). The attacker captures the standing domain admin credential from memory or from the credential manager.
The hardened EoP Auditor configuration is irrelevant. The attacker did not need to escalate locally because the privileged credential was already present in memory. PAM would have prevented this scenario by keeping the credential in the vault rather than standing on the workstation. The administrator would have requested just-in-time access through PAM, used the credential, and PAM would have rotated it after use. The attacker who compromised the workstation later would find no usable privileged credential.
PAM addresses standing-credential exposure that EoP Auditing does not test for. EoP Auditing addresses configuration-class escalation surfaces that PAM does not prevent. The two controls cover non-overlapping attack vectors.
Coverage matrix
Standing credential exposure on administrator workstations: PAM covers. EoP Auditing does not test this.
Approval workflow for sensitive operations: PAM covers. EoP Auditing does not provide.
Session recording for forensic review: PAM covers. EoP Auditing does not provide.
Credential rotation: PAM covers. EoP Auditing does not provide.
Local privilege escalation surface: EoP Auditing covers. PAM does not prevent.
Third-party Windows service authorization gaps: EoP Auditing covers. PAM does not prevent.
Named pipe authorization issues in privileged services: EoP Auditing covers. PAM does not prevent.
Kernel driver attack surfaces: EoP Auditing covers. PAM does not prevent.
Compliance evidence for privileged access controls: PAM provides extensively. EoP Auditing does not directly map to most compliance privileged-access requirements.
Application-to-application secrets management: PAM covers. EoP Auditing does not address application-level secrets.
Just-in-time privileged access: PAM enables. EoP Auditing does not address.
The mature Windows program layers both
The operational pattern that mature Windows security programs adopt is to deploy PAM for credential-class controls and run EoP Auditing on hosts for configuration-class verification. The two controls answer different security questions.
PAM answers: "Who can use which privileged credentials, when, and with what oversight?" The answer is a credential vault, approval workflow and session recording.
EoP Auditing answers: "On each host, can a regular user account become privileged regardless of credential exposure?" The answer is a list of configuration-class findings, vendor coordination and sometimes vendor product replacement.
A Windows program that deploys only PAM has hardened the credential surface but left the configuration surface untested. A Windows program that runs only EoP Auditing has hardened the configuration surface but left the standing-credential surface unprotected. The defense in depth posture requires both layers.
When PAM is the right starting point
PAM is the right starting compensating control when the security program has:
(1) standing privileged credentials held by administrators on workstations or held by applications in configuration files,
(2) compliance frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA) that explicitly require privileged access controls with auditable workflow,
(3) limited maturity around just-in-time access provisioning and credential rotation,
(4) sufficient budget for the multi-six-figure PAM deployment cost and the operational maturity to run the platform.
When EoP Auditing is the right starting point
EoP Auditing is the right starting compensating control when the security program has:
(1) PAM already deployed but the team is uncertain whether the underlying Windows hosts are hardened against configuration-class escalation,
(2) significant third-party Windows software heterogeneity (each new vendor introduces new privilege escalation surface),
(3) post-incident response work requiring forensic audit of whether compromised hosts could have been further escalated,
(4) limited budget that cannot stretch to full PAM deployment but needs Windows hardening evidence.
What this means for security planning
The mistake security programs make is treating PAM as complete Windows privilege control. It is not. PAM is necessary but not sufficient. The Sherlock Forensics incident response casework consistently surfaces breaches where the PAM deployment was sound and the Windows configuration was vulnerable. The attacker bypassed PAM entirely because the attack chain did not require a vaulted credential.
The honest practitioner posture is to deploy PAM for credential-class controls and add EoP Auditing for configuration-class verification. The two controls cover different attack vectors. Skipping either leaves the other class of vulnerability unaddressed.
The Sherlock Forensics services practice handles ransomware response, breach investigation and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock Universal Events Viewer for timeline reconstruction and the Sherlock EoP Auditor for privilege escalation surface assessment. Talk to our team about incident response or proactive Windows hardening assessment.
PAM controls who holds credentials. EoP Auditing tests what happens after compromise. Get on the EoP Auditor early access list for the configuration-class privilege escalation layer. Talk to our team about layering EoP Auditing with your PAM program.