Termination Window Risk Calculator

Measure the gap between notice and access removal. Tune weights for systems, data, and roles. Consistently reduce insider opportunity with faster deprovisioning and audits.

Calculator inputs
Use realistic offboarding timings and control coverage for your environment.

Time from notice to confirmed access removal.
Target time to disable accounts and sessions.
Time to triage alerts during offboarding.
Admin, production, or elevated identities.
Apps, cloud, VPN, CI/CD, finance, HR.
Higher means greater impact if misused.
Coverage for auth, admin actions, and data access.
Auto disable, token revoke, group removal, SSO.
Longer retention supports investigations and proof.
VPN, zero-trust, VDI, or cloud console access.
For SSO, VPN, privileged elevation, and email.
Shared IDs increase ambiguity and delay revocation.
Second-person check for privileged removals.

Advanced weighting
Adjust weights to match your threat model. Weights are normalized automatically to sum to 1.
Field: w_window
Field: w_sla
Field: w_priv
Field: w_systems
Field: w_data
Field: w_monitoring
Field: w_automation
Field: w_remote
Field: w_mfa
Field: w_logging
Field: w_shared
Example data table
Sample scenarios to sanity-check scoring and control assumptions.
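| Scenario | Window (h) | SLA (h) | Privileged | Monitoring % | Automation % | MFA | Remote | Retention (d) | Expected band |
|---|---|---|---|---|---|---|---|---|---|
| Fast offboarding | 24 | 2 | 1 | 85 | 80 | Yes | No | 180 | Low |
| Typical enterprise | 72 | 8 | 3 | 70 | 50 | Yes | Yes | 90 | Moderate |
| High exposure | 120 | 24 | 8 | 45 | 25 | No | Yes | 30 | High/Critical |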
Formula used

We compute a normalized risk score from 0 to 100 using weighted drivers. Each driver is scaled to 0..1 and weights are automatically normalized to sum to 1.

raw = Σ (wᵢ × driverᵢ)
score = 100 × clamp(raw, 0, 1) × modifier
  • driver_window = min(window_hours / 168, 1)
  • driver_sla = min(deprov_sla_hours / window_hours, 1)
  • driver_monitoring = (100 − coverage) / 100
  • driver_automation = (100 − automation) / 100
  • modifier reduces risk for faster alerting and peer review.
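The formula above, worked through in Python as an added example (not the calculator's own code). It covers only the four drivers the page defines, so its scores will not match the calculator's bands. Assumptions: the modifier is passed in as a plain number because the page does not give its formula, the weights are equal, the zero-window handling is illustrative, and the function and key names are hypothetical.

```python
WEEK_HOURS = 168  # driver_window saturates at one week, per the page

def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))

def drivers(window_h, sla_h, monitoring_pct, automation_pct):
    """The four drivers the page defines, each scaled to 0..1."""
    if window_h > 0:
        d_sla = min(sla_h / window_h, 1.0)
    else:
        # Assumption: the page does not cover a zero-hour window; avoid the
        # division by zero and saturate when any SLA delay remains.
        d_sla = 1.0 if sla_h > 0 else 0.0
    return {
        "window": min(window_h / WEEK_HOURS, 1.0),
        "sla": d_sla,
        "monitoring": clamp((100 - monitoring_pct) / 100),
        "automation": clamp((100 - automation_pct) / 100),
    }

def normalize(weights):
    """Scale non-negative weights so they sum to 1."""
    total = sum(max(w, 0.0) for w in weights.values())
    if total == 0:
        raise ValueError("at least one weight must be positive")
    return {k: max(w, 0.0) / total for k, w in weights.items()}

def risk_score(inputs, weights, modifier=1.0):
    """score = 100 * clamp(raw, 0, 1) * modifier, raw = sum(w_i * driver_i)."""
    d = drivers(**inputs)
    w = normalize({k: weights[k] for k in d})
    raw = sum(w[k] * d[k] for k in d)
    return round(100 * clamp(raw) * modifier, 1)

# Rows from the page's example table, restricted to the four defined drivers.
SCENARIOS = {
    "Fast offboarding": dict(window_h=24, sla_h=2, monitoring_pct=85, automation_pct=80),
    "Typical enterprise": dict(window_h=72, sla_h=8, monitoring_pct=70, automation_pct=50),
    "High exposure": dict(window_h=120, sla_h=24, monitoring_pct=45, automation_pct=25),
}
EQUAL = {"window": 1, "sla": 1, "monitoring": 1, "automation": 1}  # assumed weights

if __name__ == "__main__":
    for name, inputs in SCENARIOS.items():
        print(f"{name}: {risk_score(inputs, EQUAL)}")
```

Because the weights are normalized, only their ratios matter: doubling every weight leaves the score unchanged.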
How to use this calculator
  1. Enter the termination window and your deprovision SLA.
  2. Estimate privileged accounts and critical systems involved.
  3. Set monitoring, automation, and log retention realistically.
  4. Choose MFA, remote access, and shared account settings.
  5. Adjust advanced weights if your environment differs.
  6. Click Calculate Risk to see score and actions.
  7. Download results as CSV or PDF for reporting.

Termination window exposure drivers

Termination windows create short, high-impact gaps between an HR event and full access removal. The longer the window, the more opportunities exist for credential reuse, token replay, and data extraction. This calculator models exposure using window length, deprovision SLA, and the size of the privileged footprint. For example, a 72-hour window with a 48-hour SLA leaves 24 hours of unmanaged risk even when processes “meet SLA”.

Privilege concentration and blast radius

Privileged accounts and critical systems multiply impact. A single admin account can create new identities, disable logging, and grant persistence. Tracking counts of privileged identities and tier‑0 systems provides a practical proxy for blast radius. If 10 privileged accounts can reach 40 critical systems, investigation scope expands quickly across IAM, endpoints, and cloud consoles. Reducing shared accounts and enforcing least privilege lowers both the probability of abuse and the cost of investigation.

Detection and response effectiveness

Monitoring coverage and alerting speed reduce dwell time inside the window. Higher telemetry coverage increases the chance of detecting suspicious logins, unusual exports, or mass permission changes. Faster alerting and human review can stop actions before data leaves controlled systems. Log retention supports investigations when alerts are delayed or missed, and it improves evidence quality for legal and compliance needs.

Control strength and operational maturity

MFA, remote access controls, and automation change the risk curve. Automation increases consistency and reduces manual delays for identity, VPN, SSO, and endpoint access removal. Remote access restrictions limit exfiltration paths, while strong MFA reduces credential replay success. Track automation as a percentage of key revocations executed without human touch. Weights let teams reflect their environment, such as prioritizing SSO revocation, SaaS session invalidation, or endpoint isolation.

Reporting, benchmarking, and improvement targets

Use the score to benchmark business units, vendors, or regions over time. Pair results with measurable targets: reduce window hours, cut SLA by 50%, reach 90% monitoring coverage, or achieve 80% automation for key revocations. Export CSV for audits and PDF for leadership updates, then validate progress with offboarding drills, access review sampling, and tabletop scenarios. When the score drops, confirm that controls still function during outages.

FAQs

1) What is a termination window in security terms?

It is the time between a separation trigger and complete removal of access, including accounts, sessions, tokens, VPN, and device trust.

2) Why does deprovision SLA matter if we revoke access quickly?

SLA defines the worst-case delay. Risk rises when the SLA is close to, or exceeds, the window because access can persist long enough for misuse.

3) How should we estimate privileged accounts?

Count identities with admin, IAM, database, cloud, or security tooling rights. Include service accounts that can grant access or change policies.

4) Do MFA and remote access controls lower the score?

Yes. Strong MFA and restricted remote paths reduce credential replay and external access opportunities, so the modifier lowers the final score.

5) How do weights affect the result?

Weights prioritize drivers that are most relevant for your environment. The calculator normalizes weights so comparisons remain consistent across scenarios.

6) What should we do after exporting CSV or PDF?

Use exports for audit trails and improvement tracking. Re-test offboarding steps quarterly, verify automation logs, and sample terminated users to confirm access is gone.
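One way to measure the window and sample terminated users as described above, shown as an added example that is not part of the calculator. The users, systems, timestamps, and record layout are constructed for illustration; real inputs would come from HR, identity provider, and authentication logs.

```python
from datetime import datetime

# Constructed sample records: HR notice time, per-system removal time
# (None = access not yet removed), and successful authentications.
NOTICES = {"avega": "2024-03-04T09:00", "bkim": "2024-03-04T17:00"}
REMOVALS = [
    ("avega", "sso", "2024-03-04T10:30"),
    ("avega", "vpn", "2024-03-05T09:00"),
    ("bkim", "sso", "2024-03-04T17:20"),
    ("bkim", "vpn", None),
]
AUTH = [
    ("avega", "vpn", "2024-03-04T22:15"),
    ("avega", "sso", "2024-03-04T11:00"),
    ("bkim", "vpn", "2024-03-06T08:00"),
]

def ts(value):
    return datetime.fromisoformat(value)

def window_hours(user):
    """Hours from notice to the last confirmed removal; None while any system is open."""
    times = [t for u, _, t in REMOVALS if u == user]
    if not times or any(t is None for t in times):
        return None
    latest = max(ts(t) for t in times)
    return (latest - ts(NOTICES[user])).total_seconds() / 3600

def findings(user):
    """Successful logins after notice, labeled against that system's removal time."""
    removed = {system: t for u, system, t in REMOVALS if u == user}
    out = []
    for u, system, when in AUTH:
        if u != user or ts(when) < ts(NOTICES[user]):
            continue
        cutoff = removed.get(system)
        if cutoff is None or ts(when) < ts(cutoff):
            out.append((system, when, "inside window"))
        else:
            # Access was recorded as removed, yet a login succeeded:
            # a session, token, or account survived revocation.
            out.append((system, when, "after removal"))
    return out

if __name__ == "__main__":
    for user in NOTICES:
        print(user, window_hours(user), findings(user))
```

The measured window feeds the calculator's first input, and an "after removal" finding means the removal record itself cannot be trusted for that system.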


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.