Changelog
Follow up on the latest improvements and updates.
new · Platform
Unwanted Access Rules API is now available
The Unwanted Access Rules API is now available, exposing endpoints to list, create, update, and delete the rules that govern how Huntress responds to identity access attempts by country or VPN. Rules can be scoped to the account, an organization, or a specific identity, with an expected or unauthorized determination and optional starts_at / expires_at schedules. This allows API users to automate the management of ITDR unexpected access rules. See the API docs: https://api.huntress.io/docs#tag/unwanted-access-rules
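As an added illustration of the rule model described above (not Huntress code, and it does not call the Huntress API), the following Python models rules with the scopes, determinations and starts_at / expires_at schedules the entry names, validates a rule before it would be submitted, and resolves which rule applies to a given access attempt. The precedence order (identity over organization over account), the fail-closed tie-break, and every field name other than starts_at and expires_at are assumptions made for this example, as are the sample rules.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional

# Most-specific scope wins. This ordering is an assumption for the example,
# not documented behaviour of the Huntress API.
SCOPE_RANK = {"account": 0, "organization": 1, "identity": 2}
DETERMINATIONS = {"expected", "unauthorized"}


@dataclass(frozen=True)
class AccessRule:
    """One unwanted-access rule. Only scope, determination, starts_at and
    expires_at are taken from the changelog entry; the other fields are assumed."""
    scope: str                               # "account" | "organization" | "identity"
    scope_id: str                            # id of the object the rule is attached to
    determination: str                       # "expected" | "unauthorized"
    countries: FrozenSet[str] = frozenset()  # ISO 3166 codes; empty = any country
    vpn: Optional[bool] = None               # True = VPN only, False = non-VPN only, None = either
    starts_at: Optional[datetime] = None     # schedule start (inclusive), UTC
    expires_at: Optional[datetime] = None    # schedule end (exclusive), UTC

    def active_at(self, when: datetime) -> bool:
        """A rule outside its optional schedule window never applies."""
        if self.starts_at is not None and when < self.starts_at:
            return False
        if self.expires_at is not None and when >= self.expires_at:
            return False
        return True


@dataclass(frozen=True)
class AccessAttempt:
    account_id: str
    org_id: str
    identity_id: str
    country: str
    via_vpn: bool
    at: datetime


def validate_rule(rule: AccessRule) -> List[str]:
    """Checks worth running locally before sending a create/update request."""
    problems = []
    if rule.scope not in SCOPE_RANK:
        problems.append(f"unknown scope {rule.scope!r}")
    if rule.determination not in DETERMINATIONS:
        problems.append(f"unknown determination {rule.determination!r}")
    if rule.starts_at and rule.expires_at and rule.starts_at >= rule.expires_at:
        problems.append("starts_at must be before expires_at")
    if not rule.countries and rule.vpn is None:
        problems.append("rule matches every access attempt; narrow by country or vpn")
    return problems


def rule_matches(rule: AccessRule, attempt: AccessAttempt) -> bool:
    """True when the rule is attached to the attempt's account/org/identity,
    its country and VPN conditions hold, and its schedule is active."""
    target = {"account": attempt.account_id,
              "organization": attempt.org_id,
              "identity": attempt.identity_id}[rule.scope]
    if rule.scope_id != target:
        return False
    if rule.countries and attempt.country not in rule.countries:
        return False
    if rule.vpn is not None and rule.vpn != attempt.via_vpn:
        return False
    return rule.active_at(attempt.at)


def effective_determination(rules: Iterable[AccessRule], attempt: AccessAttempt) -> Optional[str]:
    """Determination of the most specific active matching rule, or None when no
    rule applies (the platform's default handling). Ties at the same scope
    resolve to 'unauthorized' (fail closed); both choices are assumptions."""
    matching = [r for r in rules if rule_matches(r, attempt)]
    if not matching:
        return None
    best_rank = max(SCOPE_RANK[r.scope] for r in matching)
    top = [r for r in matching if SCOPE_RANK[r.scope] == best_rank]
    if any(r.determination == "unauthorized" for r in top):
        return "unauthorized"
    return "expected"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample rules for the demonstration (not real customer data).
SAMPLE_RULES = [
    AccessRule("account", "acct-1", "expected", frozenset({"US"})),
    AccessRule("organization", "org-1", "unauthorized", vpn=True),
    AccessRule("identity", "alice", "expected", frozenset({"GB"}),
               starts_at=utc(2025, 3, 1), expires_at=utc(2025, 3, 15)),
]

if __name__ == "__main__":
    attempt = AccessAttempt("acct-1", "org-1", "bob", "US", True, utc(2025, 3, 5))
    print(effective_determination(SAMPLE_RULES, attempt))
```

The schedule fields are the part most worth testing locally: an identity-level exception that has expired silently falls back to whatever broader rule exists, so the evaluator returns None or the organization/account determination rather than the stale identity one.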
new · Platform · Managed ITDR · Managed EDR
EDR/ITDR Correlations Now Live!
We’re excited to share that we now provide EDR/ITDR Correlations for Huntress Managed EDR and Managed ITDR customers. EDR/ITDR Correlations is a capability that only Huntress can deliver because it requires both an endpoint agent and an identity detection platform operating on the same customer base.
So, how does it work? When Huntress Managed EDR detects an attack, like an infostealer, on a Windows endpoint, the platform automatically resolves that compromised machine to the Microsoft 365 cloud identities that were logged in on it. That context isn’t surfaced hours later in a separate tool or buried in logs. It appears directly inside the EDR Incident Report, alongside the endpoint findings.
From there, Managed ITDR does what it’s designed to do: it enables immediate, guided remediation of those identities. Revoke sessions. Disable accounts. Contain the blast radius before stolen credentials can be used.
Crucially, this approach bypasses one of the biggest bottlenecks in identity security: log latency. Rather than waiting for audit logs to be generated, ingested, normalized, and analyzed, EDR/ITDR Correlations use direct endpoint evidence to infer identity risk almost instantly. Read more here: https://www.huntress.com/blog/edr-itdr-correlations
A new role has been introduced in the Platform that allows account admins to create users whose permissions are limited to onboarding and offboarding organizations. This role is designed for partner staff and API keys used to manage the lifecycle of organizations. The role ensures these specific tasks can be done while limiting the scope of access required.
new · Platform
Huntress MCP Server is now available
The MCP server provides read-only access to account information about agents, organizations, signals, incident reports, escalations, remediations, invoices, reports, and external recon for AI assistants like Claude and ChatGPT. This allows Huntress Platform data to be integrated into AI tools, making it faster and easier for users to access and get value from that data. See the support article on configuring access to MCP.
new · Platform
New Identities API endpoint
This new API endpoint enables users to programmatically list the identities associated with Managed ITDR and ISPM (Early Access) in the Platform. The endpoint returns details for each identity, enabling automated internal billing reconciliation, mapping of identity coverage across integrated tenants, and reporting on identities, removing the need for manual effort in the Platform. See the API docs for more details.
new · Managed EDR
Combating Adversaries Abusing Vulnerable Drivers
Huntress Managed EDR now detects when Windows blocks a known vulnerable driver, giving earlier visibility into threat actors using Bring Your Own Vulnerable Driver (BYOVD) tradecraft. This technique is commonly used to disable endpoint security tools like EDR and antivirus, and is typically a precursor to lateral movement, data theft, and ransomware deployment.
new · Managed ITDR · Managed SIEM
Managed ITDR for GWS: Logs Now Ingested by Huntress SIEM
We're excited to share our latest update to Managed ITDR for Google Workspace (GWS): GWS logs can now be stored in the Huntress SIEM.
As with our Microsoft 365 log storage, GWS logs can be stored in our SIEM - at no extra cost - for up to one year. Data ingested includes all GWS login events, such as successful logins, failed logins, logouts, and verifications.
All GWS-relevant KBs (ITDR FAQ and Understanding the Differences Between ITDR for Microsoft 365 and GWS) have been updated to reflect that ITDR GWS logs are now ingested by our SIEM.
improved · Managed EDR
macOS EDR Agent Installation Improvements
The Huntress Configuration Wizard on macOS has been redesigned with a clearer, faster setup flow to make installation quicker and easier. All required setup steps in sequence - system extension approval, Full Disk Access, network filter - are now shown on a single scrollable page with guidance. You no longer have to navigate through a series of individual screens. You can see where you are, what's left, and which steps are completed at a glance.
MDM-managed endpoints get a dedicated view. The Configuration Wizard now shows a focused summary of any pending steps, with clear visual indicators, rather than the full manual setup flow.
improved · Managed EDR
Managed EDR improvements with our Defender for Endpoint integration
Comprehensive coverage by EDR, and by Microsoft Defender for Endpoint (MDE) where it is used, is critically important to protect every endpoint. To give better visibility into the state of EDR and MDE coverage, Huntress has updated the Command Center in the Platform portal to make it easier to see MDE tenant health, configuration errors, and gaps where the Huntress agent or MDE is not installed.
What’s new:
- A new widget shows the percentage of endpoints running MDE that lack the Huntress agent, using color coding to highlight at-risk environments.
- An Account-level view summarizes the health of all MDE tenants at once, rather than requiring them to be checked individually.
- If data stops flowing from Microsoft to Huntress, a new alert icon and clearer language indicate the issue.
- Simplified filters and click-through paths help you jump directly from a "warning" to the specific endpoint that needs a fix.
Partners can now exclude Google Workspace student organizational units from ITDR billing and detection, ensuring K-12 and higher education partners only pay for and monitor staff and faculty identities.
- Student OU Exclusions – Contact your account manager with your student organizational unit information to exclude student identities from billing and detection.
- Billing & Signal Filtering – Excluded identities are automatically removed from both billing calculations and signal generation, so you only pay for the identities that matter.
- Audit Trail – All exclusion changes are logged for compliance and visibility.