Active Response for Identity

Contain Threats Faster—With Automation You Control

Deepwatch Active Response for Identity extends MDR beyond alerting to deliver precision containment actions guided by human expertise and governed by customer-defined intent.

Alerting Is No Longer Enough

Modern attacks move faster than alerts, and manual response processes can't keep up. Identity abuse, phishing, and lateral movement often occur outside business hours, when response delays have the greatest impact.

Organizations increasingly expect their MDR provider not just to detect threats—but to help contain them quickly and safely, without sacrificing control or trust.

Active Response for Identity, Built for Trust

Deepwatch Active Response for Identity is designed to balance speed and safety.

Instead of one-size-fits-all automation, Deepwatch applies response actions based on customer-defined intent, risk context, and expert oversight.

Active Response for Identity is:

  • Opt-in by design — never enabled by default
  • Governed by intent — responses align to your risk tolerance
  • Expert-guided — analysts validate and oversee execution
  • Iterative — customers can start in monitor mode and progress over time

From Detection to Containment

Simple 4-step flow 

  1. Detect: High-fidelity detections identify suspicious or malicious activity.

  2. Decide: A customer-defined Response Intent Matrix determines if and how a response should occur.

  3. Respond: Actions are executed automatically, with analyst approval, or in monitor-only mode.

  4. Learn & Improve: Response policies evolve as confidence and maturity increase.

This is not “set and forget” automation — it's a controlled, contextual response.

Customer-Controlled Response Intent

At the core of Active Response for Identity is the Response Intent Matrix—a collaborative framework that defines:

  • Which detections are eligible for response

  • What actions may be taken

  • Under what conditions (identity, risk, time, context)

  • How actions are approved or automated

This allows different identities and scenarios to be treated appropriately—for example, employees vs. executives, business hours vs. off-hours.

Applied Where It Matters Most

Active Response is delivered as part of the Deepwatch Guardian MDR Platform™ and is applied selectively based on supported technologies and customer scope.

Initial implementations focus on identity-based threats, with response actions such as session revocation, password reset, and account control—executed only when customer-defined conditions are met.

Additional response domains will be supported over time as part of the broader Deepwatch platform.

Automation With Control

  • Opt-in by design
  • Monitor-only mode to validate behavior
  • Approval-based or fully automated execution
  • Time-based policies (business hours vs. off-hours)
  • Scoped permissions aligned to approved actions

Why Deepwatch Active Response for Identity

  • No single-vendor lock-in
  • Leverages existing security investments
  • Designed for real-world risk tolerance
  • Integrated into MDR, not bolted on
  • Human expertise guiding every response

Ready to Move Beyond Alerting?

Stop identity-based attacks before they compromise your network. Deepwatch Active Response for Identity shifts your defense from simple detection to precision containment, ensuring you stay ahead of lateral movement and account takeovers.
