Hybrid identity response for public sector teams: what changes now?


(@nhi-mgmt-group)

TL;DR: Hybrid identity defence is shifting from periodic oversight to continuous operational coverage as Semperis and Forsyte IT Solutions pair ITDR software with a managed SOC to give education and public sector teams faster detection, response, and recovery across Active Directory and Entra ID, according to Semperis.

NHIMG editorial — based on content published by Semperis: the partnership with Forsyte IT Solutions for hybrid identity detection and response

By the numbers:

Questions worth separating out

Q: How should security teams manage hybrid identity attacks across Active Directory and Entra ID?

A: They should treat the two directories as one attack surface for detection and containment, while keeping recovery steps explicit for each control plane.

Q: Why do hybrid identity environments increase the impact of compromise?

A: Hybrid environments widen the number of trust relationships an attacker can abuse once identity is compromised.

Q: What breaks when identity response is separated from recovery authority?

A: Detection alone is not enough if the team that sees the alert cannot revoke access, validate impact, or restore trust.

Practitioner guidance

  • Define hybrid identity incident authority: Assign explicit decision rights for disabling accounts, revoking privileged access, and approving recovery actions across Active Directory and Entra ID.
  • Link identity alerts to containment playbooks: Tie directory alerts, privilege changes, and anomalous sign-ins to pre-approved containment steps so analysts can act before attacker activity spreads across trust boundaries.
  • Test identity recovery under compromise: Run recovery exercises that validate trust relationships, privileged group membership, and federation integrity after a simulated identity attack, not only system availability.

What's in the full analysis

Semperis' full announcement covers the operational detail this post intentionally leaves for the source:

  • The partnership framing for public sector and education buyers that need identity-specific detection and response.
  • The combined service model around Guardian 365 and Lightning for hybrid identity monitoring and recovery.
  • The vendor's own description of how managed SOC coverage supports identity incident handling.
  • The public-sector positioning and customer context that this post intentionally leaves out.

👉 Read Semperis' announcement on hybrid identity response for public sector agencies →
