Alex Weinert | Chief Product Officer
As any organization that has suffered a cyberattack knows, identity recovery and incident response go hand in hand. Independent research has verified time and again that at least 90 percent of attacks involve the identity system in some way—and for virtually all organizations worldwide, that identity system is a hybrid on-premises and cloud environment—most likely Active Directory and Entra ID.
In our experience helping some of the largest global organizations recover from attacks, we’ve observed that even if the recovery team can efficiently restore the identity system, the chaos surrounding the incident management turns what could have been a 3-hour outage into a days-long, headline-generating disaster.
The great philosopher Mike Tyson once said, “Everyone has plans until they get hit for the first time.” (He may have been inspired by the Prussian military strategist Helmuth von Moltke the Elder, who said that “No plan of operations extends with any certainty beyond the first encounter with the main enemy forces.”)
An identity outage is the ultimate organizational punch in the mouth. From that moment, chaos reigns—the business is panicking, the pressure is on, and performance relies on the team’s ability to collaborate and innovate. And that ability relies on coordination and—perhaps most critically—communication.
What does it take to recover identity during a crisis?
During those 90% of cyber incidents that involve the identity system, response teams need to orchestrate the response, communicate with the team and stakeholders, recover the identity system, and conduct post-attack forensics—when all systems are down. Email, conferencing, file shares, contacts, operations, and sometimes even building access rely on identity systems. And without a means to coordinate response in an identity outage, you might as well throw in the towel.
Any identity recovery plan must answer:
- How do you coordinate the response team?
- How do you communicate with them?
- How do you ensure they have the resources they need?
- How do you give status updates to stakeholders—keeping execs, the board, and customers out of the team’s hair so they can get the work done?
- How do you ensure they are generating the audit trail you’ll need to satisfy regulators, auditors, and insurers later?
And how do you do it all while the business, the community it serves—and the identity team responsible for saving the day—are all having their worst day ever?
We believe that any identity recovery solution that doesn’t answer these questions is incomplete. That’s why we are bringing together our market-leading identity recovery solutions—Active Directory Forest Recovery (ADFR) and Disaster Recovery for Entra Tenant (DRET)—with our ground-breaking crisis management platform, Ready1. The new offering, Ready1 for Identity Crisis Management, gives organizations everything they need to streamline IR and recover the identity infrastructure, significantly speeding return to normal business operations.
And we are making it available at no additional cost for customers of ADFR and DRET.
Meet Ready1 for Identity Crisis Management
Here’s a short video we put together featuring the previously undiscovered acting talent among our own product managers and solutions architects. They demonstrate what happens during a real-life crisis that involves the identity system—and how Ready1 for Identity Crisis Management can help.
Hey, Dan.

Hey, man.

Alex. I’m calling from the road, man. I’ve got a problem. I can’t log in. I’ve called a couple other people. They can’t log in either. It seems like we’re dead in the water, man. I dug your number up from, like, when we were going out. We went the other day and, like, I’m glad I had that on my phone, man, because I couldn’t even get into the email or the contacts or anything. What’s up?

Hey, boss. How’s it going? Yes. I’m looking at this right now. It looks like everything is down, and I mean everything is down. Email, conferencing, file shares, SaaS, operations, you name it. It’s all because our identity systems are down right now. When identity is down, all systems stop. But don’t worry, we’ve got this. Remember, we have Ready1 for Identity Crisis Management. We’ve been using it to prepare the team for this contingency.

Isn’t that down too?

No. It’s completely independent of our normal identity infrastructure. We’re coordinating a response on Ready1 right now.

Alright, man. Dan, you seem pretty chill. Last time we had an outage, it was all kinds of confusion and delays and chaos.

Well, fortunately, inside Ready1, we are running from a playbook Semperis helped us develop, which we have tested and refined through our tabletops. The playbook is easily accessible right here in Ready1. Linking it to the incident was super easy. We’ve trained for this. We’re ready.

Alright. Awesome, man. Do you have all the folks you need engaged? I mean, do you have everything you need? I can’t even get to our contacts.

No worries. Even though our corporate communication channels are down, we have a communication bridge started right here in Ready1, and the right folks from the identity team, application, network, and infrastructure teams, they’re all engaged. They’ve been assigned tasks from the playbook, and you can follow our progress in Ready1 too, so please watch the app. We’ve got it covered on our end.

Alright, man. I’ll step out of your way, and I’ll just keep an eye on Ready1 for progress. Keep me posted.

Okay, sir. Well, I’m headed back to the bridge now.

Alright. Thanks a lot.

Hello, team. I’m back. So it’s time to get some of these tasks completed, and let’s start going down through our update list. So how’s it going, Hampton? It looks like you’re up. Our teams have completed their assigned tasks for analysis, detection, containment, and eradication. So you’re on deck as our AD admin to kick off the recovery.

Oh, man. Looks like today’s the day we’re doing the thing. Well, I’m way ahead of you. Luckily, I’ve been through this a bunch of times with the guys in recovery tests. So I’m kicking off the recovery now. Recovery targets have already been deployed, validated that we don’t have any external connectivity from the isolated recovery environment. So the recovery is underway. Give me just a moment. I’ll share my screen. Alright. We’re underway, gentlemen.

Hey, Chin. How are you doing? As our scribe, are you getting everything tracked on our actions for this case?

Hey, Dan. All good. Yep. I sure am. We want to capture every decision in real time, and the system also automatically tracks our actions.

Excellent.

Alright, guys. Good news. Looks like we had a one hundred percent successful recovery. I’ve run through my post-recovery checks on my end. The forest looks healthy. I’m just going to quickly upload. I’ve just finished the execution of the ADFR post-breach report. I’ll upload that along with the log display to the Ready1 Forensic Repository.

Alright. Thanks a lot, Hampton. I’ll go start the identity forensics right now, and I’ll let you know when you’re good to log in. Hey, team. Just wanna give you a heads up. I got a text from the boss. We need to go get our general counsel, and we need to bring him in here ASAP so that we can make sure we’re addressing our regulatory compliance and insurance reporting.

Hey, everyone. Thanks for bringing me in. It’s going to be really important that we have all the records for the outage. Do we?

Hi, yes, I’ve been following along and updating the scribe logs. I think we have everything we need for post-incident reviews for regulatory and insurance purposes, including the decision logs, action logs, forensics, timeline. I’ll export them and send them to you for review right away.

Awesome. Thanks. I’ll get started. Thank you.

All great news. So we’ll go ahead and we’ll just do a status check right now. First checking in with the doc. Greg, how’s it going? Have you completed the post-breach forensic analysis?

Yeah, certainly have. And we’ve tightened some policies. Looks like everything’s okay now to move forward with recovery.

Excellent. Now checking in with the AD team. Hampton, how’s everything in your world?

AD team is good to go, man. Green light.

Excellent. Glad to hear that. So it looks like we’re ready to go ahead and flip our DNS over to the restored and cleaned environment. I’m gonna go ahead and do that now. Alright. And it looks like we are in. Woo hoo. Let me update the boss.

Hey, Dan. What’s up, man? Tell me you got some good news for me.

Hey, boss. We do have some good news. Identity is back online. You should be able to log in and resume business now. Yeah. I’m really proud of the team. They’re all ready, and it shows. I’ll get started on the PIR and set up review meetings.

Dude, I’m gonna get started on your promotion, man. That’s awesome news. Thanks a lot.

Thank you, sir.
Here’s how the solution comes together:
- ADFR is Semperis’ flagship solution for fast, malware-free AD recovery, reducing downtime by 90%.
- DRET recovers critical Entra ID resources with flexible restore options and secure, customizable storage.
- Ready1—introduced in spring 2025—is a command-and-control crisis management platform that facilitates seamless crisis response through preparation, collaboration, and enterprise-wide communications.
Ready1 for Identity Crisis Management adds critical crisis response capabilities to ADFR and DRET—capabilities that are fully independent of the identity systems you are trying to recover. Ready1 for Identity Crisis Management includes identity-specific crisis management playbooks, out-of-band communications, crisis task management, team bridge capabilities, recovery and response training, and more to help organizations:
- Orchestrate response with a command-and-control console that streamlines team-building, incident analysis, and status reporting
- Communicate with the team using out-of-band communications during an identity outage
- Recover the identity system with fast, malware-free hybrid AD/Entra ID recovery to a known trusted environment
- Conduct post-attack forensics to remove persistence and close backdoors, preventing follow-on attacks
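To make the last two bullets concrete: before the DNS cutover shown in the video, the AD admin validates that the isolated recovery environment has no external connectivity and runs post-recovery checks, and the forensics lead confirms persistence has been removed. The PowerShell below is an added illustration of that kind of pre-cutover gate, written for this post. It is not ADFR, DRET or Ready1 code, and it assumes the ActiveDirectory RSAT module, Domain Admin rights, and execution on a domain controller in the forest root domain of the recovered forest. The probe hostnames, the 12-hour and 30-day thresholds, and the AdminSDHolder baseline list are assumptions chosen for the example; a real baseline should come from a known-good snapshot of your own forest.

```powershell
# Added example (not Semperis code): pre-cutover checks for an AD forest
# restored into an isolated recovery environment (IRE). Assumes the
# ActiveDirectory RSAT module, Domain Admin rights, and a DC in the forest
# root domain. Probe hosts, thresholds and the AdminSDHolder baseline are
# assumptions for illustration.
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[string]]::new()
$domain   = Get-ADDomain

# 1. Isolation: the IRE must not reach the internet or production. A
#    successful TCP connect to either placeholder host means isolation failed.
foreach ($probe in @('dns.google', 'login.microsoftonline.com')) {
    $r = Test-NetConnection -ComputerName $probe -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { $findings.Add("IRE can reach ${probe}:443; isolation is broken") }
}

# 2. krbtgt: the restored forest still carries the pre-breach krbtgt secret,
#    so a golden ticket forged before the attack stays valid until the
#    account password is rotated twice. Flag it if untouched since recovery.
$recoveryStart = (Get-Date).AddHours(-12)   # assumed start of this recovery
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt $recoveryStart) {
    $findings.Add("krbtgt password last set $($krbtgt.PasswordLastSet); rotate it twice before cutover")
}

# 3. Privileged groups: flag recently created members (a planted admin
#    account) and members carrying SIDHistory (a classic privilege backdoor).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties whenCreated, SIDHistory
            if ($u.whenCreated -gt (Get-Date).AddDays(-30)) {
                $findings.Add("$($u.SamAccountName) in '$g' was created $($u.whenCreated)")
            }
            if ($u.SIDHistory.Count -gt 0) {
                $findings.Add("$($u.SamAccountName) in '$g' has SIDHistory: $($u.SIDHistory -join ', ')")
            }
        }
}

# 4. AdminSDHolder: an extra write ACE here is re-stamped by SDProp onto
#    every protected account and group, so it survives group cleanup.
#    Default entries such as Cert Publishers or Terminal Server License
#    Servers will show up until you baseline them from a clean snapshot.
$baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
              "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins")
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
foreach ($ace in $acl.Access) {
    $writes = $ace.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    if ($ace.AccessControlType -eq 'Allow' -and $writes -and
        $baseline -notcontains $ace.IdentityReference.Value) {
        $findings.Add("AdminSDHolder grants $($ace.ActiveDirectoryRights) to $($ace.IdentityReference)")
    }
}

# 5. DC health: dcdiag /q prints only failures, so any output is a finding.
$dcdiag = & dcdiag.exe /q 2>&1
if ($dcdiag) { $findings.Add("dcdiag reported:`n$($dcdiag -join "`n")") }

if ($findings.Count -eq 0) {
    Write-Host 'Post-recovery checks passed; forest is a candidate for DNS cutover.'
} else {
    Write-Host "Blocking findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

The point of the script is the ordering: the isolation probe runs first, because a recovered forest that can still talk to the attacker's infrastructure is not a trusted environment no matter how clean its backups were; the persistence checks come next, because a restore returns the directory to a point in time that may already contain the attacker's backdoors; and the exit code makes the result usable as a go/no-go gate in a playbook task rather than a screen of output someone has to read under pressure.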
Ready1 for Identity Crisis Management is available now to current Semperis ADFR and DRET customers
If you’re curious about how this solution works, reach out to our team to start the conversation.
The ability to quickly recover the identity system to a trusted environment is table stakes in a cyberattack. The ability to recover the identity system while effectively managing the surrounding chaos inherent to a cyberattack is what separates a well-managed incident from a full-blown disaster. We are delighted to leverage our deep experience responding to some of the largest identity attacks in the world by providing our customers with a complete, integrated identity crisis management solution.