STOP THREATS. STAY IN CONTROL.

Deepwatch Active Response

Deepwatch Active Response gives your MDR real force. Precision containment across identities and endpoints—automated where you want it, human-approved where you don't.


Attackers Don't Wait for Business Hours. Your Response Shouldn't Either.

Modern attacks don't follow a 9-to-5 schedule. Identity abuse, phishing, and lateral movement happen fast—and the gap between alert and action is exactly where breaches escalate. Your MDR provider shouldn't just tell you something happened. They should help you stop it.


Active Response, Built for Trust

Deepwatch Active Response for Identities and Endpoints is designed to balance speed and safety in how threats are contained.

Instead of one-size-fits-all automation, Deepwatch applies response actions based on customer-defined intent, risk context, and expert oversight.

Active Response is:

  • Opt-in by design: You decide when and how response is activated—nothing happens without your say-so
  • Governed by intent: Responses reflect your risk tolerance, not a vendor's defaults
  • Expert-guided: Every automated action is backed by human analyst judgment
  • Iterative: Start in monitor mode for visibility, add automation as your confidence grows

From Detection to Containment

A controlled, expert-guided process—not “set and forget” automation

  1. Detect
    High-fidelity detections identify suspicious or malicious activity.

  2. Decide
    A customer-defined Response Intent Matrix determines if and how a response should occur.

  3. Respond
    Actions are executed automatically, with analyst approval, or in monitor-only mode.

  4. Evolve
    Response policies adapt as your environment and confidence grow. You're always in control of what comes next.


Precision Response, Defined by You

The Response Intent Matrix is a collaborative framework that puts decision-making in your hands. You define:

  • Which detections are eligible for response
  • What actions may be taken
  • Under what conditions (identity, endpoint, risk, time, context)
  • How actions are approved or automated

This lets different identities and scenarios be treated differently: for example, employees versus executives, business hours versus off-hours, or identity-based versus endpoint-based threats.

Response Intent Matrix (example)

Target: Identity: Employees
  Conditions:
    • User type: Human
    • User group: Non-leadership
    • Not privileged
    • Risk score: High
    • Event count ≥ 1 in 5 mins
  Execution Mode:
    • Business Hours: Analyst approved
    • Off Hours: Autonomous
    • Weekends: Autonomous
  Action:
    • Password Reset
    • Session Revocation

Target: Identity: Execs
  Conditions:
    • User group: ELT
    • Risk score: High
  Execution Mode:
    • All Times: Monitor Only
  Action:
    • None (Monitor Mode - Observe Only)

Target: Asset: Employee workstations
  Conditions:
    • Endpoint detections triggered
    • Risk score: High
  Execution Mode:
    • Business Hours: Analyst approved
    • Off Hours: Autonomous
    • Weekends: Autonomous
  Action:
    • Process Kill
    • Host Isolation

Target: Asset: Company Servers
  Conditions:
    • Endpoint detections triggered
    • Risk score: High
  Execution Mode:
    • All Times: Monitor Only
  Action:
    • None (Monitor Mode - Observe Only)
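To make the Decide step concrete, the following is an added worked example, not Deepwatch's code and not the Guardian platform's policy format. It encodes the four rows of the matrix above as rules and evaluates a normalised detection against them, returning the execution mode for the current time bucket plus the permitted actions. The event field names, the first-match rule order, the 09:00-17:00 Monday-to-Friday business-hours window, the sample detections and the fail-safe default (anything the matrix does not cover stays monitor-only) are all assumptions of this example.

```python
# Toy evaluator for a Response Intent Matrix. Constructed example: field names,
# rule encoding, business-hours window and fail-safe default are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Callable, Dict, List

class Mode(str, Enum):
    MONITOR_ONLY = "monitor_only"          # observe, execute nothing
    ANALYST_APPROVED = "analyst_approved"  # queue the action for a human decision
    AUTONOMOUS = "autonomous"              # execute immediately

@dataclass
class Event:  # normalised detection; field names are assumptions for this example
    target: str                  # "identity" or "asset"
    risk_score: str              # "low" | "medium" | "high"
    timestamp: datetime
    user_type: str = ""          # "human" or "service"
    user_group: str = ""         # "non_leadership", "elt", ...
    privileged: bool = False
    event_count_5m: int = 0      # events for this principal in the last 5 minutes
    asset_class: str = ""        # "workstation" or "server"
    endpoint_detection: bool = False

@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    modes: Dict[str, Mode]       # time bucket -> execution mode
    actions: List[str]

@dataclass
class Decision:
    rule: str
    bucket: str
    mode: Mode
    actions: List[str] = field(default_factory=list)

def time_bucket(ts: datetime) -> str:
    """Assumed calendar: business hours are 09:00-17:00 Monday to Friday."""
    if ts.weekday() >= 5:
        return "weekends"
    return "business_hours" if 9 <= ts.hour < 17 else "off_hours"

def decide(event: Event, rules: List[Rule]) -> Decision:
    """First matching rule wins; an unmatched event stays monitor-only, so a gap
    in the matrix can never cause an action to execute."""
    bucket = time_bucket(event.timestamp)
    for rule in rules:
        if rule.matches(event):
            mode = rule.modes.get(bucket, rule.modes.get("all_times", Mode.MONITOR_ONLY))
            return Decision(rule.name, bucket, mode,
                            [] if mode is Mode.MONITOR_ONLY else list(rule.actions))
    return Decision("no_match", bucket, Mode.MONITOR_ONLY)

TIME_SPLIT = {"business_hours": Mode.ANALYST_APPROVED, "off_hours": Mode.AUTONOMOUS, "weekends": Mode.AUTONOMOUS}
OBSERVE_ONLY = {"all_times": Mode.MONITOR_ONLY}

# The four rows of the matrix on the page, encoded as rules.
MATRIX = [
    Rule("identity_employees",
         lambda e: e.target == "identity" and e.user_type == "human"
         and e.user_group == "non_leadership" and not e.privileged
         and e.risk_score == "high" and e.event_count_5m >= 1,
         TIME_SPLIT, ["Password Reset", "Session Revocation"]),
    Rule("identity_execs",
         lambda e: e.target == "identity" and e.user_group == "elt" and e.risk_score == "high",
         OBSERVE_ONLY, []),
    Rule("asset_workstations",
         lambda e: e.target == "asset" and e.asset_class == "workstation"
         and e.endpoint_detection and e.risk_score == "high",
         TIME_SPLIT, ["Process Kill", "Host Isolation"]),
    Rule("asset_servers",
         lambda e: e.target == "asset" and e.asset_class == "server"
         and e.endpoint_detection and e.risk_score == "high",
         OBSERVE_ONLY, []),
]

# Constructed sample detections (in June 2024 the 11th is a Tuesday, the 15th a Saturday).
SAMPLES = {
    "employee_weekday_daytime": Event("identity", "high", datetime(2024, 6, 11, 10, 0),
                                      user_type="human", user_group="non_leadership", event_count_5m=1),
    "employee_saturday": Event("identity", "high", datetime(2024, 6, 15, 10, 0),
                               user_type="human", user_group="non_leadership", event_count_5m=2),
    "exec_weekday_night": Event("identity", "high", datetime(2024, 6, 11, 22, 0),
                                user_type="human", user_group="elt", event_count_5m=3),
    "workstation_weekday_night": Event("asset", "high", datetime(2024, 6, 11, 22, 0),
                                       asset_class="workstation", endpoint_detection=True),
    "employee_medium_risk": Event("identity", "medium", datetime(2024, 6, 11, 10, 0),
                                  user_type="human", user_group="non_leadership", event_count_5m=5),
}

def run_samples() -> Dict[str, tuple]:
    """Evaluate every sample; returns name -> (rule, bucket, mode, actions), the audit record."""
    return {name: (d.rule, d.bucket, d.mode.value, d.actions)
            for name, ev in SAMPLES.items() for d in [decide(ev, MATRIX)]}
```

Each Decision carries the rule name, the time bucket and the mode that applied, which is the minimum a defender needs to answer "what ran, when, and why" after the fact. Note that a monitor-only outcome returns an empty action list regardless of what the rule lists, and that an event the matrix does not describe is never acted on; both choices keep a mis-scoped matrix from escalating rather than observing.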

Coverage Across Identities and Endpoints—Where Attacks Begin

Active Response is delivered as part of the Deepwatch Guardian MDR Platform™ and is applied selectively based on supported technologies and customer scope.

Identity Response

Focused on identity-based threats such as account compromise, session abuse, and lateral movement.

Identity Actions:

  • Session Revocation
  • Password Reset
  • Account Control Actions

Endpoint Response

Focused on endpoint-based threats including malware, exploit activity, and suspicious process behavior.

Endpoint Actions:

  • Process Termination
  • Host Isolation

Additional response domains will be supported over time as part of the broader Deepwatch platform.


Start Where You're Comfortable. Expand When You're Ready.

Active Response supports multiple execution models aligned to your risk tolerance:

  • Opt-in by design
  • Monitor-only mode for safe validation
  • Approval-based or fully automated execution
  • Time-based policies (business hours vs. off-hours)
  • Scoped permissions aligned to approved actions
  • Response execution aligned to defined access and integrations

MDR That Goes Further—Without Going Rogue

Active Response is integrated into Deepwatch MDR from the ground up—not bolted on as an afterthought. Here's what that means for you:

  • Human expertise behind every response
    Analysts validate, oversee, and can intervene at any point—so you always have an expert in the loop.
  • Works with your existing security stack
    No rip and replace. Active Response leverages your current investments across identities and endpoints.
  • No single-vendor lock-in
    Deepwatch works across your ecosystem. You stay flexible as your stack evolves.
  • You always know what ran, when, and why
    Complete transparency into every action taken—no black boxes, no surprises.
  • Tailored to your environment—not a template
    Responses are defined around your organization’s users, systems, and risk tolerance. Nothing generic.
  • Built into Deepwatch MDR—not bolted on
    Active Response is a core part of the Deepwatch Guardian MDR Platform, not a separate product you have to manage.

Your Next Breach Won't Wait. Neither Should Your Response.

Let's Talk

Ready for Guardians You Can Trust?

Meet with us to discuss your threats, vulnerabilities, and challenges and discover how Deepwatch can stand watch over what matters most.