Thor
Identity Threat Detection and Response
Detect every attack your current tools stopped looking for.
Thor is a real-time ITDR platform that detects identity threats across your full activity history, not just the last 90 days. When a threat fires, it delivers a full timeline, a causality graph, and direct response actions. No pivoting between tools.
From detection to response, in one workflow.
Most tools alert on individual events. Thor builds signals, correlates them across time, and only fires when a real kill chain emerges. One alert. Full story. Already reconstructed.
Detections you can understand, control, and build.
Ready-to-use coverage you can extend with your own detections. Every detection is transparent in scope and behavior, mapped to MITRE ATT&CK, and aligned to the OCSF schema. Written in a readable detection language your team can audit, customize, and trust.
One alert per attack, not one per signal.
Less noise, faster prioritization, full attack picture from the start. When multiple signals belong to the same attack, your analysts see one alert with the complete narrative, not a dozen fragments to piece together.
Built for investigation, not just notification.
From alert to understanding in seconds, not hours. Every alert opens with the full story already reconstructed and the context you'd otherwise spend the morning assembling across tools.
Hunt the way attackers move.
Find what no detection rule has caught yet. Explore your full identity history in plain language, test hypotheses against months of activity, and turn what you discover into permanent coverage. The threats you cannot describe today become the detections protecting you tomorrow.
Every entity, fully profiled.
The context you need to make a call, ready before you ask for it. Every identity, every session, every IP comes with the full picture: who they are, what they touch, how they behave, and what's known about them externally. Decisions that used to require pivoting across multiple tools happen in one panel.
Respond where you investigate.
Containment in the same screen as the investigation. Stop attacks the moment you understand them, with response actions that take effect immediately and operational metrics that show your team where the cycle still breaks down.
Stronger on its own. Better inside the platform.
Every investigation arrives with posture, compliance, and business context already attached. Analysts don’t just know an attack is happening — they know how exposed the affected identity was, which compliance controls are at risk, and how critical the business impact is, before deciding how to respond.
Everything you need to detect and respond across the identity layer.
Detection that learns each identity
Anomalies surface against each identity's own behavior, not generic thresholds. The result: fewer false alerts, more real threats caught.
Attack paths, not isolated alerts
Lateral movement, privilege escalation, and credential abuse become visible as connected paths. Analysts see how the attack moved, not fragments of activity to assemble manually.
Beyond authentication: what identities actually do
Thor correlates not just logins and permission changes, but what each identity touches: access to sensitive resources, mailbox rule modifications, configuration changes, and other actions that reveal compromise long before traditional alerts fire.
Containment built into the workflow
Stop attacks the moment you understand them, with response actions that take effect immediately. High-confidence threats trigger automated containment without analyst intervention.
Detection without time limits
What other tools forget after 30 or 90 days, Thor remembers. Slow-burn attacks that unfold over weeks or months get caught, because correlation has no architectural ceiling.
Context that flows between modules
Identity risk scores from Octagon, compliance gaps from Compass, and threat signals from Thor all reference the same identity inventory. Findings in one module become context in another, with no manual export and no waiting.
See a real threat investigation in action.
Book a demo and watch Thor surface a lateral movement chain from alert to full causality graph in under 60 seconds.