Skip to content
/ platform / itdr
ITDR

Identity, Threat, Detection & Response

Real-time monitoring of every sign-in, audit event, and risk signal across every Microsoft 365 tenant you manage, with detection rules tuned for the kinds of attacks that actually hit MSP customers.

control-plane / itdr / response
OPEN INCIDENTS9across 47 tenants
AUTO-CONTAINED18past 24h
MTTR11m↓ from 22m
  • Privilege escalation containedauto-rollback
    ACME2m
  • Impossible travel — session killedadmin@globex.com
    GLOBEX14m
  • MFA fatigue suspected — challengedops@stark.com
    STARK38m
  • Token theft fingerprintrevoked + re-auth
    WAYNE1h
  • Risky sign-in (UK→VN)CA policy enforced
    INITECH2h
WHAT IT DOES

Surfacing risk with AI powered summaries and suggested actions.

Working when your support desk is not.

01

Real-time event ingestion

Continuous collection of sign-in, audit, and risk events from Microsoft Graph, normalised across every tenant.

02

Built-in detection rules out the box

Impossible travel, brute force, privilege escalation, MFA bypass, suspicious mailbox rules, abnormal admin activity, token theft indicators, and more.

03

Custom rule authoring

Build tenant-specific or customer-specific detection rules with a visual editor.

04

Centralised alert dashboard

Filter alerts by severity, status, tenant, or time range. One pane of glass across the fleet.

05

Alert lifecycle management

Assign alerts, change status, escalate, bulk-action across multiple alerts.

06

Cross-tenant aggregate view

See identity threat trends across every customer simultaneously.

07

Timeline visualisation

Per-event timeline with risk breakdown and context.

08

Email security signals

Phishing, malware, suspicious-mailbox-rule, and external-sharing alerts folded into the same dashboard.

09

Anomaly detection

Behavioural baselines per user. Deviation alerts on unusual sign-ins or data movement.

10

Conditional Access monitoring

Inventory and monitor CA policies. Detect when high-risk users bypass policies.

11

App Consent governance

Enterprise-app inventory. Over-privileged-permission flags. Suspicious API-usage detection. Revocation tools.

12

Incident management

Promote alerts to incidents with severity, assignment, SLA tracking, timeline, and post-mortems.

13

Disaster Recovery playbooks

Pre-built runbooks for credential reset, MFA reset, account disable, and token revocation — executable at scale.

14

Multiple integrations

Forward alerts to Splunk, ArcSight, ELK, or download as CSV.

AT A GLANCE

The shape of the work.

Live console, side panel, the work in flight. Not a screenshot. The signal you'd see across your tenants.

control-plane / itdr / response
OPEN INCIDENTS9across 47 tenants
AUTO-CONTAINED18past 24h
MTTR11m↓ from 22m
  • Privilege escalation containedauto-rollback
    ACME2m
  • Impossible travel — session killedadmin@globex.com
    GLOBEX14m
  • MFA fatigue suspected — challengedops@stark.com
    STARK38m
  • Token theft fingerprintrevoked + re-auth
    WAYNE1h
  • Risky sign-in (UK→VN)CA policy enforced
    INITECH2h
Activity · last 24hlive
↑ 12%peak 14:42
By tenant
  • ACME
    24
  • GLOBEX
    18
  • WAYNE
    12
  • STARK
    8
  • INITECH
    5
Recent actions
  • 1mSession killed · admin@globex.com
  • 4mCA bypass denied · ops@stark.com
  • 11mToken revoked · svc@umbrella
  • 24mMFA challenge sent · 4 users
  • 41mMailbox rule rolled back · sales@initech
FAQ

Things you'll ask next.

No. ITDR consumes Defender and Entra ID Protection signals, ranks them across every tenant you manage, and gives you the workflow to act. Defender stays where it is.

Entra ID P1 minimum. P2 unlocks the full risk signal set. Tenants without P1 still appear in the dashboard with the subset of signals their licence supports.

Stop bouncing between admin centres.

Book a 30-minute call. We'll talk through your tenant shape and what to turn on first.