AD Threat Detection & Response

Directory Services Protector

Protect your critical identity infrastructure from cyberattacks with the industry’s most comprehensive identity threat detection and response (ITDR) platform for Active Directory and Entra ID.


Semperis Extends ML-Based Attack Detection with Specialized Identity Risk Focus

Identity Runtime Protection (IRP), the first offering in the Semperis Lightning™ platform, merges deep machine learning with unmatched identity security expertise to detect and stop the most successful attack techniques.


Comprehensive hybrid AD security

Securing Active Directory and Entra ID is hard. Misconfigurations accumulate over time, creating legacy security vulnerabilities that attackers love to exploit—in fact, 9 out of 10 cyberattacks involve AD, according to Mandiant researchers. Semperis provides the most comprehensive hybrid AD threat detection and response by continuously monitoring the environment, automatically rolling back malicious changes in on-premises AD and Entra ID and providing a single view of AD and Entra ID security posture.

Stop attackers from gaining access to AD and Entra ID
Capture AD and Entra ID changes that bypass security logs
Automatically remediate malicious changes
Accelerate incident response and prevent future attacks

Gain control of your Active Directory and Entra ID security

Active Directory can’t stand up to current cyber threats. And protecting both on-premises AD and Entra ID in a hybrid environment is notoriously difficult. Plus, attackers often move from on-premises to the cloud (or vice versa) in pursuit of elevated privileges—as in the SolarWinds attack. In our mobile-first, cloud-first world, any connected device can expose the heart of your IT infrastructure.

In a hybrid AD and Entra ID scenario, the potential attack surface expands. Directory Services Protector is the only threat detection and response solution that provides a single view of security vulnerabilities across the hybrid environment. With DSP, you can correlate changes across on-prem AD and Entra ID to stop attackers.

Minimize the attack surface

Discover AD and Entra ID vulnerabilities and risky configurations in hybrid environments before attackers do. Get prioritized, action-oriented guidance from a community of AD security threat researchers. Reduce your hybrid identity system attack surface and stay ahead of the ever-evolving threat landscape.

Detect advanced attacks

Shine a spotlight on attackers moving laterally through your hybrid AD environment unchecked. Use multiple data sources, including the AD replication stream, to gain uninterrupted visibility into advanced AD attacks that bypass agent- or log-based detection. Integrate detailed security data with Splunk, Microsoft Sentinel, or other SIEM solutions for unparalleled visibility into potential threats.

Automate remediation

Put AD and Entra ID security on autopilot to stop attackers in their tracks. Automatically roll back malicious changes in AD and Entra ID that are too risky to wait for human intervention. Create custom rules and alerts for your security operations team.

Accelerate AD incident response

Speed up AD attack forensic analysis. Mitigate the damage from an attack by quickly finding and eradicating malware. Translate unstructured AD and Entra ID change data into a human-readable format. Easily search, correlate, and undo AD changes at object and attribute levels. Drill down to any point in time to isolate compromised AD accounts and prevent future attacks.


Restore sight to your SIEM

A growing number of attacks circumvent security auditing

Unlike tracking tools that rely solely on security logs and agents on every domain controller, Semperis DSP monitors multiple data sources, including the Active Directory replication stream. The AD replication stream is the only reliable method of catching every change, no matter how attackers attempt to cover their tracks. Semperis DSP forwards suspicious AD changes to your SIEM system with meaningful context, drastically reducing the burden on security analysts. You can use pre-defined alerts for Microsoft Sentinel, Splunk, and other SIEM and SOAR tools. You can also build custom alerts for SecOps tools and ticketing systems, including ServiceNow.

SIEM and SOAR platforms shown include:

  • Azure Sentinel
  • IBM QRadar
  • AlienVault
  • RSA NetWitness Platform
  • Sumo Logic

Is your Active Directory vulnerable to a cyberattack?

Active Directory is the primary identity service for 90% of businesses worldwide, providing user authentication and access to business-critical applications and services. An attack that wipes out AD (as in the 2017 NotPetya cyberattack on shipping giant Maersk) can disrupt business operations. Because of legacy misconfigurations and unpatched vulnerabilities, AD is a frequent target for attackers, including sophisticated ransomware groups such as LockBit and Vice Society. Mandiant researchers now estimate that 9 out of 10 attacks involve AD.

Survey statistics cited (the percentage values did not survive on this page):

  • EMA report: of organizations experienced an attack on AD in the last 1-2 years
  • EMA report: of pen testers’ attempts to exploit AD are successful
  • EMA report: of organizations have no AD defense in place
  • 2023 Veeam report: of businesses that paid ransom were unable to recover their data

Trusted by industry-leading companies

“Semperis offers superior technology, and their Directory Services Protector is a tremendous asset for any company that uses Active Directory.”

Chen Amran, Deputy Director of Infrastructure & Communication, El Al Airlines

Frequently asked questions

What is Directory Services Protector?

Directory Services Protector (DSP) is a Gartner-recognized identity threat detection and response (ITDR) solution that puts hybrid Active Directory security on autopilot with continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments, tamperproof tracking, and automatic rollback of malicious changes.

Why would I need DSP if I already have a SIEM?

In AD-based attacks, the only unalterable data source is the AD replication stream, which is outside the scope of any SIEM’s view. Additionally, most agent-based AD change auditing tools lack the deep visibility needed to detect and thwart such attacks. The AD replication stream is the only reliable method of catching every change (pre-attack and during an attack), no matter how an attacker might attempt to cover their tracks. DSP integrates with any SIEM solution that consumes syslog-formatted data. DSP further integrates with Microsoft Sentinel and Splunk. With Microsoft Sentinel, DSP provides workbooks that let you view additional DSP data within the Sentinel dashboard, such as Active Directory change data and notification rule events. The DSP Splunk Enterprise app presents detailed AD security data in the Splunk dashboard, providing additional context and visibility into vulnerabilities across the environment.

Do Directory Services Protector’s capabilities include AD vulnerability assessments?

DSP provides continuous security vulnerability assessment across your on-prem and hybrid AD environment, scanning for hundreds of Indicators of Exposure (IOEs) and Indicators of Compromise (IOCs) across various categories of AD security, including account security, Group Policy, Kerberos, AD delegation, AD infrastructure, and Entra ID. DSP provides a dashboard of the overall security posture score, category scores, security indicators grouped by severity, and prioritized remediation guidance from AD security experts.

Does DSP remediate unwanted changes in both on-prem AD and Entra ID?

Yes, DSP offers rollback of malicious changes for both on-prem AD and Entra ID. DSP provides automated remediation of risky changes in on-prem AD and Entra ID to prevent attacks that move too fast for human intervention. DSP also supports granular rollback, allowing you to revert changes to individual attributes, group members, objects, and containers—and to any point in time, not just to a previous backup. 

What is DSP’s performance impact on AD?

DSP is non-intrusive and built for compatibility with AD. This unique approach captures changes without compromising AD stability. 

Can DSP support complex AD environments?

DSP is purpose-built for AD and can support even the most complex AD environments, including multi-organization and multi-forest deployments. Large and small organizations rely on Semperis to help them spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. With processing optimized for some of the largest organizations in the world, DSP can handle the large volume of daily and hourly changes that are common in massive AD environments. 

How is Directory Services Protector different from Microsoft Defender for Identity?

Both Microsoft Defender for Identity (MDI) and Semperis solutions have critical roles in protecting identity systems from attack:

  • MDI uses user-based analytics (UBA) to monitor and alert on user behaviors that fit into known user identity attack models.
  • Semperis protects the entire hybrid AD service—the common attack vector in 90 percent of incidents—with patented technology purpose-built to prevent, mitigate, and recover from identity-based attacks.

Combining Semperis solutions with Microsoft Defender for Identity (MDI) provides a layered defense against attacks that exploit user identities and the AD identity service.

Does DSP help with compliance reporting?

Directory Services Protector includes compliance report templates that align with common compliance standards, including GDPR, HIPAA, PCI, and SOX. You can import individual compliance bundles into DSP to support your organization’s needs. You also can schedule any DSP report, including compliance reports, for recurring generation and distribution.

What criteria does DSP use for generating the security score?

The Directory Services Protector scoring method comprises various factors, including the potential consequences of an exploited vulnerability, ease of exploitation, and the overall prevalence. Based on these factors, each indicator is assigned a severity rating (level and number) that reflects the potential impact on security posture, availability, and performance. The severity rating is then used in the scoring formula to calculate the overall risk posed by the vulnerability.

Does DSP let me specify which events trigger an alert?

DSP lets you add individual objects or conditions that are a known risk to an ignore list so they no longer trigger an alert in DSP or affect the overall security posture score. This approach helps you accurately assess risk and accelerate remediation.
