AD Threat Detection & Response

Directory Services Protector

See and stop identity attacks in Active Directory and Entra ID before they become outages.

Get AI-powered, tamperproof threat detection for hybrid AD and Entra ID

Semperis delivers identity threat detection and response that goes beyond traditional logging tools, combining tamperproof tracking of every directory change with automatic rollback of malicious activity to stop attacks in real time. Our AI-powered detection engine recognizes suspicious patterns that evade rules-based systems, while built-in service account protection uncovers and locks down the non-human identities attackers love to abuse.

Shrink your hybrid identity attack surface

Continuously uncover misconfigurations and exposures across AD and Entra ID before attackers do.

Catch stealthy identity attacks

Detect changes that bypass logs and agents using tamperproof AD replication stream monitoring.

Stop damage automatically

Automatically roll back malicious changes in AD and Entra ID faster than humans can.

Hybrid AD and Entra ID create a massive, shifting attack surface

Securing legacy AD alone is hard. Securing hybrid AD and Entra ID systems is even harder. Misconfigurations and unpatched vulnerabilities pile up over years, while attackers pivot between on-prem and cloud identity systems in search of elevated privileges. In hybrid environments, any connected device or misconfigured account can expose the heart of your identity infrastructure. DSP gives you a single view of vulnerabilities and changes across AD, Entra ID, and service accounts so you can regain control of hybrid identity security.

Stop attackers from gaining access to AD and Entra ID
Capture attacks that bypass security logs
Automatically remediate malicious changes
Use AI-powered attack pattern detection

Monitor, detect, and remediate identity attacks

Any connected device can expose the heart of your IT infrastructure. The systems you rely on to communicate, to coordinate, and to share data will be inaccessible if an attacker breaches your hybrid AD/Entra ID system. And in a hybrid AD and Entra ID scenario, the potential attack surface expands.

Directory Services Protector is the only threat detection and response solution that provides a single view of security vulnerabilities across the hybrid AD/Entra ID environment, including non-human identities, or service accounts.

Minimize the attack surface

Discover AD and Entra ID vulnerabilities and risky configurations in hybrid environments before attackers do. Get prioritized, action-oriented guidance from a community of AD security threat researchers. Reduce your hybrid identity system attack surface and stay ahead of the ever-evolving threat landscape.

Detect advanced attacks

Use AI-powered attack detection with a specialized identity risk focus to cut through the noise and accelerate incident response for the most widespread and successful attacks, including password spray, credential stuffing, other brute force attacks, and risky anomalies.

Automate remediation

See how Directory Services Protector automatically detects and shuts down attacks on critical AD objects like AdminSDHolder, disabling compromised accounts and rolling back malicious changes in real time.

Protect service accounts from attack

Discover dormant and unmanaged service accounts, continuously detect misuse, and receive alerts on malicious service account behavior with Service Accounts Protection in Directory Services Protector.

Is your Active Directory vulnerable to a cyberattack?

Active Directory remains the primary identity backbone for about 90% of organizations worldwide, and recent data shows that roughly 9 in 10 intrusions now involve an AD compromise. In high-profile incidents such as BlackCat/ALPHV’s ransomware attack on MGM Resorts—leveraging AD and Azure resources to disrupt operations—and Iranian APT33 password-spray campaigns against Entra ID (Azure AD) accounts at global defense organizations, identity systems have been central to the blast radius.

increase in the number of identity-related attacks in the first half of 2025
of ransomware attacks target hybrid identity environments
average time to identify and contain attacks that start with stolen credentials

Frequently asked questions

What is Directory Services Protector?

Directory Services Protector (DSP) is a Gartner-recognized identity threat detection and response (ITDR) solution that puts hybrid Active Directory security on autopilot with continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments, tamperproof tracking, and automatic rollback of malicious changes.

Why would I need DSP if I already have a SIEM?

In AD-based attacks, the only unalterable data source is the AD replication stream, which is outside the scope of any SIEM’s view. Additionally, most agent-based AD change auditing tools lack deep visibility to detect and thwart such attacks. The AD replication stream is the only reliable method of catching every change (pre-attack and during an attack), no matter how an attacker might attempt to cover their tracks. DSP integrates with any SIEM solution that consumes SYSLOG-formatted data. DSP further integrates with Microsoft Sentinel and Splunk. With Microsoft Sentinel, DSP provides workbooks that allow you to view additional DSP data within the Sentinel dashboard, such as Active Directory change data and notification rule events. The DSP Splunk Enterprise app provides detailed AD security data in the Splunk dashboard to provide additional context and visibility into vulnerabilities across the environment.

Do Directory Services Protector’s capabilities include AD vulnerability assessments?

DSP provides continuous security vulnerability assessment across your on-prem and hybrid AD environment, scanning for hundreds of Indicators of Exposure (IOEs) and compromise (IOCs) across various categories of AD security, including account security, Group Policy, Kerberos, AD delegation, AD infrastructure, and Entra ID. DSP provides a dashboard of the overall security posture score, category scores, security indicators grouped by severity, and prioritized remediation guidance from AD security experts.

Does DSP remediate unwanted changes in both on-prem AD and Entra ID?

Yes, DSP offers rollback of malicious changes for both on-prem AD and Entra ID. DSP provides automated remediation of risky changes in on-prem AD and Entra ID to prevent attacks that move too fast for human intervention. DSP also supports granular rollback, allowing you to revert changes to individual attributes, group members, objects, and containers—and to any point in time, not just to a previous backup. 

What is DSP’s performance impact on AD?

DSP is non-intrusive and built for compatibility with AD. This unique approach captures changes without compromising AD stability. 

Can DSP support complex AD environments?

DSP is purpose-built for AD and can support even the most complex AD environments, including multi-organization and multi-forest deployments. Large and small organizations rely on Semperis to help them spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. With processing optimized for some of the largest organizations in the world, DSP can handle the large volume of daily and hourly changes that are common in massive AD environments. 

How is Directory Services Protector different from Microsoft Defender for Identity?

Both Microsoft Defender for Identity (MDI) and Semperis solutions have critical roles in protecting identity systems from attack:

  • MDI uses user-based analytics (UBA) to monitor and alert on user behaviors that fit into known user identity attack models.
  • Semperis protects the entire hybrid AD service—the common attack vector in 90 percent of incidents—with patented technology purpose-built to prevent, mitigate, and recover from identity-based attacks.

Combining Semperis solutions with Microsoft Defender for Identity (MDI) provides a layered defense against attacks that exploit user identities and the AD identity service.

Does DSP help with compliance reporting?

Directory Services Protector includes compliance report templates that align with common compliance standards, including GDPR, HIPAA, PCI, and SOX. You can import individual compliance bundles into DSP to support your organization’s needs. You also can schedule any DSP report, including compliance reports, for recurring generation and distribution.

What criteria does DSP use for generating the security score?

The Directory Services Protector scoring method comprises various factors, including the potential consequences of an exploited vulnerability, ease of exploitation, and the overall prevalence. Based on these factors, each indicator is assigned a severity rating (level and number) that reflects the potential impact on security posture, availability, and performance. The severity rating is then used in the scoring formula to calculate the overall risk posed by the vulnerability.

Does DSP let me specify which events trigger an alert?

DSP lets you add individual objects or conditions that are a known risk to an ignore list so they no longer trigger an alert in DSP or affect the overall security posture score. This approach helps you accurately assess risk and accelerate remediation.

See Directory Services Protector in action

Request a demo and talk with an Active Directory security expert.