The 25 1Password security checks Black Cat runs
Black Cat SSPM evaluates 25 security policies against your 1Password configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Investigate activity from a suspended 1Password user and revoke any residual access
Remove suspended 1Password users after confirming data handoff is complete
Suspend or remove dormant 1Password users after verifying account necessity
Investigate repeated failed 1Password sign-in attempts and lock the account if brute-force is suspected
Investigate 1Password sign-in from an untrusted location and verify with the user
Investigate failed 1Password sign-ins from untrusted locations and reset credentials if unauthorized
Verify the new 1Password service account token was authorized and revoke it if not needed
Investigate successful 1Password sign-in from an unknown country and verify with the user
Investigate failed sign-in attempts without MFA and ensure MFA is enforced for all users
Investigate 1Password sign-in with no client application recorded
Investigate 1Password sign-in with no IP address recorded and check for API or automation access
Investigate failed 1Password sign-in from an unknown country as a potential credential stuffing attempt
Review the newly created 1Password resource and verify it was authorized
Enable MFA for suspended 1Password user before any potential reactivation
Investigate 1Password user with no recorded activity and verify account necessity
audit
Verify the 1Password master password change was user-initiated and document it in the change log
configuration
Send onboarding reminders to 1Password users with empty vaults and remove unused licenses
Verify the 1Password SSO policy change was authorized and revert if not approved
Re-enable 1Password SSO immediately if disabled without authorization and review the audit trail
Verify the 1Password signing key change was authorized and escalate to security if not
Verify the 1Password firewall rule change was authorized and revert if it weakens security posture
data exposure
Investigate unauthorized 1Password vault export, contain the incident, and assess data exposure scope
mfa
Enable MFA for the 1Password user account immediately to prevent unauthorized access
Verify MFA status for 1Password users with unknown MFA state and require enrollment
Investigate 1Password sign-ins that bypassed MFA and enforce MFA via security policy