TL;DR: Hybrid identity defence is shifting from periodic oversight to continuous operational coverage as Semperis and Forsyte IT Solutions pair ITDR software with a managed SOC to give education and public sector teams faster detection, response, and recovery across Active Directory and Entra ID, according to Semperis.
At a glance
What this is: Semperis and Forsyte IT Solutions are aligning ITDR software with managed SOC coverage for hybrid identity protection across Active Directory and Entra ID.
Why it matters: Public sector and education identity programmes now need faster identity-centric detection, response, and recovery across both human and machine access paths.
By the numbers:
- Semperis says its technology protects over 100 million identities from cyberattacks, data breaches, and operational errors.
👉 Read Semperis' announcement on hybrid identity response for public sector agencies
Context
Hybrid identity environments combine on-premises directories and cloud identity services, which means attackers can move from one control plane to another if monitoring and response are fragmented. For public sector and education teams, the problem is not only initial compromise but how quickly identity abuse is detected, contained, and recovered across Active Directory and Entra ID.
This is an identity governance problem as much as a security operations problem. When identity services underpin citizen access, staff access, and administrative privilege, delays in detection or recovery can affect mission continuity, not just account hygiene.
Key questions
Q: How should security teams manage hybrid identity attacks across Active Directory and Entra ID?
A: They should treat the two directories as one attack surface for detection and containment, while keeping recovery steps explicit for each control plane. The priority is to connect identity telemetry, privilege changes, and account disablement into a single response model so compromise cannot move unchecked between on-prem and cloud trust paths.
Q: Why do hybrid identity environments increase the impact of compromise?
A: Hybrid environments widen the number of trust relationships an attacker can abuse once identity is compromised. If monitoring, privilege control, and recovery are split across teams or platforms, attackers can exploit the gaps to move laterally, persist longer, and disrupt services that depend on directory integrity.
Q: What breaks when identity response is separated from recovery authority?
A: Detection alone is not enough if the team that sees the alert cannot revoke access, validate impact, or restore trust. In that case, response becomes advisory rather than operational, and the attacker keeps the advantage while teams wait for the right approvals.
Q: Who should own hybrid identity resilience in a public sector programme?
A: Ownership should sit jointly with IAM, security operations, and infrastructure leaders, because the attack and the recovery span all three. The most effective model assigns clear decision rights before an incident, so containment and restoration do not stall during escalation.
Technical breakdown
Why hybrid identity attack paths stay hard to contain
Hybrid identity attack paths are difficult because Active Directory and Entra ID often operate with different visibility, response, and recovery assumptions. Attackers commonly target identity systems first because they can unlock broad access, persistence, and lateral movement without immediately triggering endpoint-centric controls. In practice, ITDR works by correlating identity events, privileged changes, abnormal sign-ins, and directory tampering across both environments. The weak point is usually not lack of telemetry, but the absence of a single operational model for triage and containment across the hybrid estate.
Practical implication: map which identity events must trigger containment across both directory planes before the next incident review.
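As an added illustration (not code from Semperis, Forsyte or the article), the rule below correlates constructed AD and Entra ID events for the same identity and decides which ones must trigger containment across both planes; the event schema, identity names and action labels are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (hypothetical values, not real telemetry).
# Each record carries its directory plane so one rule can span AD and Entra ID.
EVENTS = [
    {"ts": "2025-09-04T08:00:00", "plane": "Entra", "type": "risky_signin",
     "identity": "admin-sync", "detail": "impossible_travel"},
    {"ts": "2025-09-04T08:07:00", "plane": "AD", "type": "group_change",
     "identity": "admin-sync", "detail": "Domain Admins"},
    {"ts": "2025-09-04T09:30:00", "plane": "AD", "type": "group_change",
     "identity": "helpdesk1", "detail": "Print Operators"},
    {"ts": "2025-09-04T10:00:00", "plane": "Entra", "type": "role_assignment",
     "identity": "ci-pipeline", "detail": "Global Administrator"},
]

# Privilege changes that matter regardless of which plane recorded them.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
WINDOW = timedelta(minutes=30)
ESCALATION_TYPES = {"group_change", "role_assignment"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def containment_triggers(events, window=WINDOW):
    """Return (identity, action, steps) tuples.

    A privileged escalation in either plane within `window` after a risky
    sign-in for the same identity triggers cross-plane containment; a
    privileged escalation with no preceding risky sign-in is routed to review.
    Non-privileged changes produce no action.
    """
    by_identity = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_identity.setdefault(e["identity"], []).append(e)
    actions = []
    for ident, evs in by_identity.items():
        risky = [parse_ts(e["ts"]) for e in evs if e["type"] == "risky_signin"]
        for e in evs:
            if e["type"] in ESCALATION_TYPES and e["detail"] in PRIVILEGED:
                t = parse_ts(e["ts"])
                if any(timedelta(0) <= (t - r) <= window for r in risky):
                    actions.append((ident, "contain", [
                        "disable_ad_account", "revoke_entra_sessions",
                        "preserve_evidence"]))
                else:
                    actions.append((ident, "review", ["validate_change_ticket"]))
    return actions
```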
What managed SOC coverage changes in identity response
A managed SOC changes the operating model by moving identity detection and response from ad hoc escalation to continuous monitoring and structured incident handling. That matters in hybrid identity because the response steps are rarely just technical. They also include evidence preservation, account disablement, privilege review, and recovery sequencing. When the service is paired with ITDR, the goal is to reduce dwell time in the identity layer and keep response actions aligned with the way attackers actually abuse directory trust, administrative permissions, and federation paths.
Practical implication: define who can revoke identity access, who validates impact, and who leads recovery before incident pressure forces the decision.
Why identity recovery is part of resilience, not cleanup
Recovery in hybrid identity is not limited to restoring a domain controller or re-enabling an account. It includes rebuilding trust in the identity plane after compromise, verifying privileged relationships, and checking whether persistence mechanisms survived the initial response. That makes identity recovery a resilience function, not a cleanup task. For institutions that depend on uninterrupted access, the question is whether the identity programme can prove integrity after attack, not simply whether systems are back online.
Practical implication: include identity integrity validation and privilege re-baselining in recovery runbooks, not only system restoration steps.
NHI Mgmt Group analysis
Hybrid identity defence is becoming an operations problem, not just a control problem. When attackers target Active Directory and Entra ID together, traditional split ownership between infrastructure teams and IAM teams creates blind spots. A hybrid identity stack needs shared detection, response, and recovery ownership because the attack surface spans both directory planes. Practitioners should treat this as a governance design issue, not a tooling swap.
Identity threat detection and response only works when it is tied to recovery authority. Detection without the ability to disable access, invalidate trust, and verify restoration leaves the programme reactive. In public sector and education environments, the security objective is not only to spot compromise but to preserve mission continuity while identity services are under attack. Teams should align ITDR with explicit recovery decision rights.
Hybrid identity resilience depends on closing the gap between alerting and action. Many programmes can observe suspicious identity behaviour, but few can move from signal to containment quickly enough across both on-prem and cloud directories. That lag is where attackers gain leverage. Practitioners need a response model that assumes the identity plane is both a control point and a target.
Identity blast radius is the right concept for public sector hybrid environments. The issue is not simply whether an account is compromised, but how far that compromise can propagate through delegated access, administrative trust, and federated identity relationships. Semperis and Forsyte are responding to that reality at the operational layer, but the underlying lesson is broader: identity governance must be built around blast-radius reduction across directory boundaries.
Public sector identity programmes should be judged by recoverability, not just hardening. A hardened directory that cannot be restored with confidence after compromise still leaves agencies exposed to prolonged disruption. That is the difference between control coverage and operational resilience. The practitioner test is whether identity systems can be trusted again quickly after attack, not whether they were configured correctly on paper.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Our research also found: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a gap that widens identity attack surfaces and complicates governance.
- For a broader control baseline: review the Ultimate Guide to NHIs, Key Challenges and Risks, and the NHI Lifecycle Management Guide to map visibility and lifecycle gaps before attackers do.
What this signals
The most important signal for practitioners is that identity security is moving from product ownership to operational accountability. When identity incidents cross directory boundaries, the programme needs a response model that can prove containment and restoration, not just detect anomalies.
Identity blast radius: agencies should start measuring how far a compromise can travel through delegated trust, administrative role chains, and federation links. That metric is more useful than raw alert volume because it shows whether the programme can actually limit mission disruption.
For teams aligning to broader control baselines, the NIST Cybersecurity Framework 2.0 remains a useful way to structure govern, protect, detect, respond, and recover across identity systems, especially where hybrid directories sit at the centre of business continuity.
For practitioners
- Define hybrid identity incident authority: Assign explicit decision rights for disabling accounts, revoking privileged access, and approving recovery actions across Active Directory and Entra ID. Without that authority map, response slows at the exact moment identity containment needs to be immediate.
- Link identity alerts to containment playbooks: Tie directory alerts, privilege changes, and anomalous sign-ins to pre-approved containment steps so analysts can act before attacker activity spreads across trust boundaries.
- Test identity recovery under compromise: Run recovery exercises that validate trust relationships, privileged group membership, and federation integrity after a simulated identity attack, not only system availability.
- Measure identity blast radius: Map which service accounts, admin roles, and federated links can expand a compromise from one directory to another, then reduce the number of paths that can be abused.
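The blast-radius measurement above can be made concrete as a graph walk. This added example (not from the article or the vendors) models a constructed hybrid estate with hypothetical account, group, host and role names, walks the trust and privilege edges from one compromised identity, reports every edge on which the walk crossed from one directory plane to the other, and shows how removing one cross-plane edge shrinks the reachable set.

```python
from collections import deque

# Constructed sample estate (hypothetical names). Each identity is tagged with
# its directory plane; each edge is a relationship a compromised source could
# use to reach the destination, labelled with the kind of trust involved.
PLANE = {
    "svc-backup": "AD", "Backup Operators": "AD", "DC01": "AD",
    "sync-svc": "AD", "alice": "AD", "alice@cloud": "Entra",
    "Global Admin": "Entra", "HR-SaaS": "Entra", "bob@cloud": "Entra",
}
EDGES = [
    ("svc-backup", "Backup Operators", "member_of"),
    ("Backup Operators", "DC01", "can_logon"),
    ("DC01", "sync-svc", "hosts_credential"),
    ("sync-svc", "Global Admin", "sync_account_privilege"),
    ("alice", "alice@cloud", "synced_to"),
    ("alice@cloud", "HR-SaaS", "federated_access"),
    ("Global Admin", "HR-SaaS", "role_assignment"),
    ("Global Admin", "bob@cloud", "can_reset_password"),
]


def build_adjacency(edges):
    adj = {}
    for src, dst, kind in edges:
        adj.setdefault(src, []).append((dst, kind))
    return adj


def blast_radius(start, edges=EDGES, plane=PLANE):
    """Breadth-first walk from a compromised identity.

    Returns the set of reachable identities and the list of edges on which
    the walk crossed a directory plane (the paths a reduction plan should cut).
    """
    adj = build_adjacency(edges)
    reached, crossings, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for nxt, kind in adj.get(node, []):
            if plane[node] != plane[nxt]:
                crossings.append((node, nxt, kind))
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached, crossings


def cross_plane_reach(start, edges=EDGES, plane=PLANE):
    """Count identities reachable in the other plane: the cross-directory blast radius."""
    reached, _ = blast_radius(start, edges, plane)
    return sum(1 for n in reached if plane[n] != plane[start])


def cut_edges(edges, remove):
    """Return the edge list with the given (src, dst) pairs removed."""
    return [e for e in edges if (e[0], e[1]) not in remove]
```

Re-running `blast_radius` after `cut_edges` on the reported crossings gives the before/after comparison the reduction step calls for.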
Key takeaways
- Hybrid identity attacks become harder to contain when detection, containment, and recovery sit in separate operating silos.
- The practical risk is not only compromise but loss of trust in the identity plane, which can delay service restoration and widen disruption.
- Agencies should measure identity blast radius and recovery authority together, because resilience depends on both.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity response depends on controlling NHI and directory credential abuse. |
| NIST CSF 2.0 | RS.MI | Identity incident response must contain attacks quickly across directory planes. |
| NIST Zero Trust (SP 800-207) | AC-4 | Hybrid identity protection depends on limiting trust and access propagation. |
Review hybrid identity accounts for standing privilege and shorten access windows where compromise could persist.
Key terms
- Hybrid Identity: A hybrid identity environment combines on-premises and cloud identity systems, usually so the same user or service can authenticate across both. The operational challenge is that trust, privilege, and recovery may be split across platforms, which creates gaps attackers can exploit if governance is inconsistent.
- Identity Threat Detection and Response: Identity threat detection and response, or ITDR, is the practice of spotting malicious activity in identity systems and taking containment actions quickly. In hybrid environments, it focuses on directories, privileged accounts, federation, and recovery steps that limit attacker movement and restore trust after compromise.
- Identity Blast Radius: Identity blast radius is the amount of damage a compromised account or trust relationship can create across an identity estate. It is shaped by privilege depth, delegated access, directory trust chains, and recovery speed, making it a practical measure of how far an identity incident can spread.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Semperis: the partnership with Forsyte IT Solutions for hybrid identity detection and response. Read the original.
Published by the NHIMG editorial team on 2025-09-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org