ML-Powered Attack Pattern Detection

Detect and Prevent Identity-Based Attacks

Use ML-based attack detection with a specialized identity risk focus to cut through the noise and accelerate incident response for the most widespread and successful attacks.

Request a demo

Lightning IRP brings critical identity context to attack pattern and anomaly detection

Many cyberattacks go undetected until the damage is done. Tried-and-true identity attack techniques like password spraying continue to be extremely successful because of the difficulty in detecting and responding to the sheer signal volume and noise. Lightning Identity Runtime Protection (IRP) uses machine learning models developed by identity security experts to detect widespread and successful attack patterns such as password spray, credential stuffing, other brute force attacks, and risky anomalies.

31%

of initial attack vectors are brute force attacks

90 days

average time to detect a brute force attack

1/3

of all account compromises are password spray attacks

86%

of cyberattacks involve stolen credentials

Catch attacks traditional ML solutions miss

Using trained algorithms based on Semperis’ real-world experiences responding to identity attacks in the wild and supporting the world’s largest enterprises and government agencies, Lightning IRP detects sophisticated identity attacks traditional ML solutions miss. Lightning IRP focuses on the most critical identity attack alerts and reduces noise by layering an identity-risk fabric, which draws insights from multiple sources.

IDENTITY DATA

Directory change tracking data across hybrid Active Directory and Entra ID environments

SECURITY INDICATORS

Hundreds of IOEs and IOCs, regularly updated by Semperis’ identity threat research team

ATTACK PATHS

Tier 0 attack path analysis to map risky relationships to privileged groups with access to sensitive data

ML-powered attack pattern detection built by identity security experts

Lightning IRP captures, analyzes, and correlates authentication activities with Semperis’ identity threat intelligence to detect known attack patterns and signal malicious behavior.

Password spray attacks: Monitors logon attempts to detect patterns indicative of a password spray attack
Brute force attacks: Monitors repeated and rapid logon attempts against a single user to detect potential brute force attacks
Anomalous logons: Looks for user logon anomalies that indicate an anomalous AD logon
Anomalous resource access: Monitors a user’s activity and any interaction with services that indicate an attack on AD services
Service ticket anomalies: Looks for suspicious service ticket requirements that indicate a Kerberoasting attack on AD

Learn More

Semperis Lightning Identity Runtime Protection (IRP) attack pattern detection

Save time and reduce risk in detecting and responding to high-risk identity attacks

Lightning IRP uses machine learning models developed by identity security experts to detect widespread and successful attack patterns—such as brute force attacks and identity system logon anomalies—and incorporates those ﬁndings into an overall security posture score.

Learn more

Our mission resonates with industry leaders

Detecting an anomaly is relatively easy. Putting it into context is where the challenge is. We’ve combined deep machine learning expertise with our first-hand knowledge of how real-life identity system attacks work to provide meaningful context that helps organizations isolate and address high-risk threats.
Mickey Bresman Semperis CEO

IRP uses a growing threat library of exposures, compromises, and attack patterns in parallel with a continuous stream of identity security data to significantly accelerate an effective response to identity system threats. Identity Runtime Protection focuses on several use cases, including anomalous logons and service ticket anomalies, that have been problematic for years because they are hard to detect and respond to at scale.
Igor Baikalov Semperis Chief Scientist

Lightning IRP builds on our current offerings of pre-attack scanning for indicators of exposure and compromise and our ability to see changes happening across on-premises Active Directory and Entra ID. We’re extending our live attack pattern detection capabilities, changing the way the industry applies machine learning to detect cyberattacks.
Darren Mar-Elia Semperis VP of Products

Purple Knight is the first utility I’ve used that digs this deep into Active Directory. It works so well, I didn’t need to find anything else.
Learn more Micah Clark IT Manager, Central Utah Emergency Communications

Frequently asked questions about ML-powered attack pattern detection

What is different about Semperis’ approach to detecting attack patterns?

Lightning IRP combines our team’s deep expertise in building machine learning models for threat intelligence and our real-world incident response experience to detect the most widespread and problematic identity attack patterns. Lightning IRP focuses defenders on the most critical identity attack alerts and reduces noise by layering in an identity-risk fabric that draws insights from multiple sources:

Directory change tracking data across hybrid Active Directory and Entra ID environments
Hundreds of security indicators of exposure and compromise, regularly updated by Semperis’ identity threat research team
Tier 0 attack path analysis to map out risky relationships to privileged groups with access to sensitive data

What attack patterns does Lightning IRP address?

Lightning Identity Runtime Protection (IRP) focuses on some of the most widespread and problematic attacks, including:

Password spray attacks: Monitors logon attempts to detect patterns indicative of a password spray attack
Brute force attacks: Monitors repeated and rapid logon attempts against a single user to detect potential brute force attacks
Anomalous logons: Looks for user logon anomalies that indicate an anomalous AD logon
Anomalous resource access: Monitors a user’s activity and any interaction with services that indicate an attack on AD services
Service ticket anomalies: Looks for suspicious service ticket requirements that indicate a Kerberoasting attack on AD

Password spray and brute force attacks have been around for years, so why are they still a problem?

Tried-and-true attack techniques such as password spray and brute force attacks still work because the sheer volume of noise they generate makes them hard to detect. About 31% of initial attack vectors are brute force attacks, and nearly one-third of all account compromises are password spray attacks.

In a password spray attack, an adversary repeatedly attempts to log in to a large number of target accounts using a limited set of passwords until they breach the target authentication system to gain account and system access. In a brute-force attack, an attacker repeatedly attempts to log in using different passwords until they breach the target authentication system to gain account and system access.

In both cases, these techniques generate a high volume of data, making analysis time-consuming and tedious.

Why is it important to detect anomalous behavior to prevent identity attacks?

Anomalous behavior could signal an impending attack. As an example, an anomalous logon could signal unauthorized access to the identity system. Service ticket anomalies flag suspicious service ticket requests that could indicate an attempt to abuse the Active Directory ticketing mechanism as part of a cyberattack, such as Kerberoasting. Such abnormal requests include requesting a ticket for rarely used services or requesting a ticket with downgraded cryptographic algorithm.