How long could your organization go without access to applications and services because of an identity-related cyberattack? That’s the question we often ask security and IT ops leaders when we’re discussing the importance of protecting Active Directory and Entra ID from threat actors. The question seems hypothetical because it assumes a worst-case scenario.
But for far too many organizations—MGM Resorts, Change Healthcare, and countless others every week—the answer comes when an attack takes down business operations for hours, days, or weeks while teams scramble to respond. In fact, 84% of organizations experienced an identity-related breach in the last year, costing $3.5 million per incident on average.
The new Forrester Total Economic Impact (TEI) Report of Semperis gives organizations quantifiable metrics they can use to prove the value of being able to:
- Continuously monitor hybrid identity environments for emerging threats
- Automatically roll back malicious or unintentional changes
- Reduce Active Directory recovery time
“In the event of a ransomware attack, Semperis ensures we can easily recover our AD in hours versus weeks or months. … To know that we have a viable alternative when the worst of the worst happens allows us to sleep better at night.”
CISO, Healthcare
Forrester’s TEI team spent hours interviewing five Semperis customers from various sectors—including consulting, healthcare, energy, and financial services—with annual revenue ranging from $5B to $60B. The team asked these customers to discern the business outcomes they achieved after implementing Semperis’ comprehensive identity resilience platform. Those quantifiable benefits include:
- Reducing by 90% the time to recover the AD forest after an attack with Active Directory Forest Recovery (ADFR)
- Reducing by 90% the time spent in day-to-day operational security management activities such as object- and group-level recovery with Directory Services Protector (DSP)
- Reducing by 25% the likelihood of a successful AD attack with DSP’s continuous monitoring for indicators of exposure (IOEs) and compromise (IOCs) and automated remediation
- Reducing by 40% the time spent monitoring the hybrid AD environment
For years, we’ve been collecting evidence in customer POCs of reduced time to recover an AD forest with ADFR. So, we were not surprised that Forrester’s findings validated a 90% time savings in forest recovery. Here’s a visual Forrester includes in the TEI report, showing the scope of the massive recovery challenge and potential downtime risk our customers experienced before investing in Semperis.
The Forrester team also uncovered resource savings tied to the operational benefits of using DSP to manage object- and group-level recovery. These findings confirmed positive outcomes that we’ve seen in the field but haven’t yet been able to measure. For example, the study reported reduced time to manage operational security and monitor the identity system. These time savings point to the significant resources organizations invest in simply keeping up with the day-to-day changes in a large, complex hybrid AD environment.
“We were having frequent group- and object-level incidents where we would have to spend hours trying to restore objects before Semperis. Now, we know how to fix the issue within minutes. It’s night and day.”
Network Systems Analyst, Healthcare
Quantified benefits of Semperis: $9.5M over three years
All up, the Forrester study reported quantified benefits of using Semperis products at $9.5M in present value (PV) terms. Those benefits include:
- Improved business continuity due to faster AD attack recovery at $3.9 million in savings
- Improved business continuity through a reduction in the likelihood of a successful hybrid AD attack, worth $1.2 million
- Object- and group-level remediation savings worth $4.3 million
- Hybrid AD environment monitoring efficiencies that save $109,000
Beyond the measurable benefits, interviewees also talked about the unquantified benefits of using Semperis, which included:
- Improved brand credibility: Any organization could experience the misfortune of being the victim of a cyberattack. But for some companies, the reputational damage can take years to repair, especially in industries like healthcare, where public safety is at stake. With Semperis DSP, organizations can continuously monitor and improve their overall security posture, building credibility and paving the way for business expansion.
- Improved visibility of the hybrid AD environment: The SolarWinds attack drove awareness of the increasing number of attacks that start in the cloud and move to the on-premises identity system, or vice versa. These attacks are notoriously difficult to detect and contain. Semperis DSP provides a Hybrid Identities view that helps IT and security teams see and respond to changes across both on-prem AD and Entra ID.
What organizations are looking for in an ITDR solution
The Forrester study participants discussed their buying criteria for an ITDR solution, focusing on key challenges that the Semperis team has seen in our years of managing hybrid AD systems. Most large organizations have legacy AD environments with years of accumulated security misconfigurations. The requirements the interviewees listed form the core capabilities of the Semperis identity resilience platform.
- Shift from a reactive approach to responding to hybrid AD-related ransomware attacks to a proactive one. One of the assets customers mentioned in the study was the expert guidance provided by the Semperis team. With more than 150 years of collective Microsoft MVP awards and 25 former Microsoft field engineers on staff, we have direct experience successfully conducting AD- and Entra ID-related incident response for global organizations. The knowledge we gather about how identity-related attacks work goes directly into our product development strategy.
- Improve business continuity by reducing the AD attack recovery time. Cyberattacks disrupt business operations for days, weeks, or months. For smaller companies such as Lincoln College and UK-based telemarketing firm The Heritage Company, a cyberattack can be a business-ending event. The single biggest factor in successfully restoring business operations after a cyberattack is the time to recover the identity system, which is Active Directory for 90% of organizations worldwide. Without AD, business operations come to a halt. We’ve demonstrated time and again in POCs that ADFR can cut recovery time by up to 90%. The Forrester study provided another independent proof point. As a healthcare CISO who participated in the Forrester study said, “In the event of a ransomware attack, [Semperis] ensures we can easily recover our AD in hours versus weeks or months. … To know that we have a viable alternative when the worst of the worst happens allows us to sleep better at night.”
- Ensure a fully malware-proof recovery to avoid further disruption and data loss. The only thing worse than a cyberattack is a repeat cyberattack that uses the same techniques to bring the business down again. CPO Magazine reported that 67% of businesses that experienced a cyberattack suffered a repeat attack within a year after the first incident. Our patented technology in ADFR decouples the OS from the AD backup, ensuring a malware-free recovery.
- Use post-breach forensics capabilities to close back doors and eliminate persistence following an attack. Based on our experience in incident response engagements with some of the largest organizations in the world, we’ve seen that discovering and removing malware left in the environment after an attack can be a tricky and time-consuming process. Our post-breach forensics in ADFR help isolate changes that occurred during an attack window to eradicate persistence and restore AD to a trusted, malware-free environment.
- Reduce end-user downtime during hybrid AD-related ransomware attacks and object- and group-level incidents. Anyone in the AD trenches can attest that managing the changes that occur hourly in Active Directory is both time consuming and error prone. With just one wrong click, you could wipe out several critical privileged groups, bringing operations to a standstill. DSP helps IT and security teams find and fix operational misconfigurations, saving significant time, especially for organizations with large, complex AD environments.
- Improve visibility into the hybrid AD environment to mitigate potential risks and reduce IT team effort. Attackers increasingly target hybrid environments, gaining entry into the cloud identity system and then moving to the on-prem system, or vice versa. Semperis DSP offers a Hybrid Identities view so you can track changes between Entra ID and on-prem AD. In the Forrester study, a technical architect of AD in professional services said: “We were unaware of what was going on in our AD environment before Semperis. It was difficult to track all of the changes that were being made across the organization on a daily basis and make sure that nothing suspicious was happening.”
- Elevate the IT team’s reputation across the organization by enabling proven recoverability of the business-critical identity system. After years of media coverage about high-profile breaches, the fact that AD is the #1 target for cyberattackers is now common knowledge among most business leaders. IT ops teams are taking a more prominent role in developing and implementing overall security strategy.
The Forrester study found overall that Semperis provided solutions that directly addressed organizations’ key challenges in securing the identity environment. A senior manager of server architecture in the energy sector said, “We were recommended Semperis and after doing our research, it became clear that it’s an amazing tool. When we looked at their competitors, feature to feature, no one came close. Once we met with the Semperis team and ran through the demo, I was very impressed — it was not a hard sell.”
“We were unaware of what was going on in our AD environment before Semperis. It was difficult to track all of the changes that were being made across the organization on a daily basis and make sure that nothing suspicious was happening.”
Technical Architect of AD | Global Consulting Company
Quantifying the benefits of strong identity system security and recovery
Beyond the highlights I’ve captured here, the full report contains:
- Information about how Forrester analysts conducted the study
- First-hand accounts from the participants about the results they’ve seen from implementing Semperis solutions
- A breakdown of the economic benefits of using our platform
Business leaders have many competing priorities for their security budgets, and the cybersecurity industry has exploded with new offerings for preventing, remediating, and recovering from cyberattacks. The Forrester Total Economic Impact study conducted with Semperis customers brings a critical and sorely needed quantifiable benefits analysis that will help CISOs, CIOs, and CEOs choose and implement the solutions that will improve overall security posture and ensure that they have a solid identity system disaster recovery plan in place.