Unmasking Threats Across the Network with Real-Time Identity Insights

In today's complex digital landscape, where hybrid networks, remote work, and SaaS growth are the norm, understanding "who" is behind network activity is paramount. Identity is no longer solely an IT concern; it's the cornerstone of modern security.

The Crucial Role of Identity

Identity is the new battleground, and attackers are having a field day. With so many user accounts, devices, and services in the cloud, there are endless opportunities for compromise. A user (customers, employees, partners, and vendors) can be a weak point for attackers to get in and move around, stealing data or spreading ransomware.

Built for the SOC Analyst

Connecting network activity to the people behind it is essential for faster, more accurate investigations and stronger security outcomes.

Here at ExtraHop, we are working closely with SOC analysts to provide an enriched identity-based approach to investigations, putting users and devices on equal footing within the platform. This means users are visible, searchable, and fully traceable, allowing analysts to follow the human element—who the user is, what they accessed, and how their behavior fits into the bigger picture. This added layer of context helps investigations move faster, surface the right insights sooner, and ultimately drive better, more confident decisions.

Track Suspicious User Behavior and Understand the Blast Radius

Analysts can quickly trace suspicious behavior by starting with a user, viewing their device interactions, protocol usage, and triggered detections—all within a single interface. The ExtraHop RevealX platform excels at detecting lateral movement, tracking accounts across internal systems via protocols like SMB, RDP, NTLM, or Kerberos.

Filtering by user helps prioritize investigations, allowing teams to focus on high-risk accounts and reduce noise from less critical service accounts, leading to faster, more confident resolutions.

For suspected compromises, users can rapidly assess the "blast radius" by identifying accessed systems, associated devices, and exposed data.

Enhancing Identity-Based Investigations

We continue to strengthen our modern network detection and response (NDR) platform to make identity a seamless and powerful part of every investigation, enabling analysts to quickly gather information regarding potentially malicious user activity on the network.

Streamlined workflows built into the ExtraHop platform empower security teams to leverage this enriched user data as a central pivot point for investigations, so they can:

• Achieve centralized visibility: View all discovered users and their metadata in one place.
• Streamline user identification: Find users by searching on key metadata attributes including username and protocols.
• Uncover device and protocol associations: Discover all the devices a user has interacted with and associated protocols (Kerberos, NTLM, SMB, etc.), helping to trace their network presence and understand the full impact of a compromised account.
• Accelerate investigations and response: Identify users involved in security detections, enabling faster triage of threats and confirmation of incidents.
• Enhance security detection efficacy: Filter and tune detections based on usernames, allowing for more focused analysis while reducing noise from benign or service accounts.

Our evolving identity capabilities provide security teams with the clarity and context needed to understand "who" is behind network activity, enabling faster, more confident investigations and stronger security outcomes.

Looking Ahead at the Future of Identity

ExtraHop is committed to evolving investigations to be even more user-aware and intuitive. We're focused on making identity a starting point, not just an attribute, allowing security teams to begin investigations with a user account and easily follow their trail across both on-prem and cloud environments and see activity tied to users regardless of where they authenticated. This will provide a fuller picture - highlighting unusual behavior and surfacing high-risk accounts - and reduce tool hopping, so analysts can focus on what matters most.

Visit us at Black Hat USA 2025 (booth #4346) to learn more.