SpyCloud Guides
spycloud.comGet a demo

Identity Guardians

Identity Guardians automate the remediation of compromised workforce identities — without requiring manual intervention. When SpyCloud detects that an employee or contractor identity has been exposed through infostealer malware, a successful phishing attack, or data from breaches and combolists, Identity Guardians respond immediately: revoking active sessions, resetting compromised credentials, enforcing policy controls, and pushing exposure signals to your SSO provider.

This covers the full range of identity-based attack threats, including authentication bypass scenarios where valid session cookies give attackers access to corporate applications without a password. Identity Guardians integrate natively with Active Directory, Microsoft Entra ID, and Okta Workforce.

🔍 Why Identity Guardians?

Most organizations today rely on directories like:

  • Active Directory (AD) – Microsoft’s on-premises directory
  • Entra ID (formerly Azure AD) – Microsoft’s cloud-based directory
  • Okta – Cloud identity provider (can leverage AD or run standalone)

Traditionally, security teams had to:

  1. Log in to a portal,
  2. Pull records with exposed passwords,
  3. Manually check those passwords against directory accounts.

✅ This works for small-scale exposure.

❌ But it doesn’t scale, misses older credentials, ignores authentication bypass, and burns analyst hours.

⚡ What Identity Guardians Do

Identity Guardians close this gap by continuously and automatically:

  • Checking all credentials (fresh and historical) against live directories
  • Running specialized checks (ADG only) like:
    • NIST compliance
    • IDLink-powered matches
    • Banned password lists
    • Fuzzy variations
    • Shared password detection

The result: better coverage, less manual toil, faster remediation.

🧰 The Identity Guardians Lineup

🛡️

ACTIVE DIRECTORY GUARDIAN

Automatically remediatest exposed identities or disable high-risk accounts – acting on malware exposures in as little as 5 minutes from discovery. ADG offers the most flexible scanning and remediation options.

🛡️

ENTRA ID GUARDIAN

Extend automated identity threat protection to Microsoft’s cloud-based directory services. Runs natively in Azure. Perfect for cloud-first orgs, supports continuous scanning & password reset automation.

🛡️

OKTA WORKFORCE GUARDIAN

Integrates with Okta Workforce Identity to enforce password hygiene and prevent follow-on attacks. Ideal if you run Okta Directory or LDAP.

💡 Key Benefits

SpyCloud Identity Guardians empower Identity and Access Management (IAM) teams to prevent identity threats by acting on exposed identity data from malware, phished, breach, or combolists. Instead of relying on outdated password policies or manual resets, Identity Guardians deliver continuous monitoring and automated remediation of verified exposures – aligned with NIST 800-63B and Zero Trust principles.

  • Continuous defense against identity threats
  • Coverage across on-prem, cloud, and hybrid setups
  • Automated remediation (reset, disable, notify)
  • Session revokation
  • Proven customer results:
    • 90% reduction in employee ATO cases (Global Airline)
    • 1,000+ analyst hours saved (EBSCO Industries)
    • 3,400 employees notified of password reuse in 3 months (Top Travel Company)

🧭 Choosing the Right Identity Guardian

With multiple Identity Guardians available, the right fit depends on your directory setup. Use this guide to match your environment to the right Identity Guardian.

🗂️ Identity Guardian Decision Matrix

EnvironmentRecommended Guardian(s)Why?
AD OnlyActive Directory Guardian (ADG)Simplest use case. Full feature set (Exact, Fuzzy, IDLink, NIST, Shared).
AD + Entra ID (Hybrid) – All Accounts SyncedADGPasswords replicate between AD & Entra, so ADG gives max control.
AD + Entra ID (Hybrid) – Some Cloud Only AccountsADG + Entra ID GuardianADG covers synced users; Entra covers cloud-only users.
Entra ID OnlyEntra ID GuardianCloud-native, continuous scanning in Azure.
Okta with AD as DirectoryADG + Okta Reset OptionPasswords live in AD; ADG scans them. Use Okta reset for smooth user experience.
Okta with Okta Directory/LDAPOkta Workforce GuardianSimplest Okta-native use case.

🌐 Hybrid Environments: Best Practices

Hybrid is the new normal — and our Identity Guardians play well together.

  • AD + Entra ID

    • Use ADG for its broader scan types (fuzzy, banned, NIST, shared).
    • Add Entra ID Guardian if you have cloud-only accounts.
    • Bonus: Entra ID Guardian replaces legacy “Azure scanning” in ADG (v7.3).

  • AD + Okta

    • Passwords still sit in AD → scan with ADG.
    • For remediation, leverage Okta password reset integration.

  • Multi-cloud directory mix

    • Deploy the right Identity Guardian in each directory.
    • Centralize reporting for visibility across environments.

✅ Pro Tips

  • Run scans daily (or continuously where supported).
  • Use as many password check types as possible (fuzzy, IDLink, banned).
  • Push for automated remediation at least for exact matches.
  • Right-size quota and scope for your environment.
  • For ADG, enable Shared Password Audit for maximum insight.

🚀 Bottom Line

No matter your mix of on-prem, cloud, or hybrid, there’s a Identity Guardian to match. The key is to deploy where your passwords live, then automate remediation to shut down ATO risk before attackers get a chance.

Updated 8 days ago