ThreatDefend® Platform

The Attivo ThreatDefend® Platform delivers unparalleled attack prevention, detection, and adversary intelligence collection based on cyber deception and data concealment technologies for an informed defense. The platform efficiently derails attacker discovery, lateral movement, privilege escalation, and collection activities early in the attack cycle across endpoints, Active Directory, and network devices on-premises, in clouds, and on specialized attack surfaces.

  • Citrix Virtual Apps
    1903, 1906, 1909, 1912 LTSR, 2003
  • Citrix ADC
    10.5 VPX, 10.5 MPX, 11.1 VPX, 11.1 MPX, 12.0 VPX, 12.0 MPX, 12.1 VPX, 12.1 MPX, 13.0 VPX, 13.0 MPX
  • Citrix DaaS
    Citrix DaaS
  • Citrix Gateway
    10.5, 11.1, 12.0, 12.1, 13.0
  • Citrix Virtual Desktops
    1903, 1906, 1909, 1912 LTSR, 2003

Product Details

The ThreatDefend Platform creates an active defense against attackers and is modular in design for easy expansion. The ADAssessor solution identifies Active Directory exposures and alerts on attacks targeting the AD controllers, offloading analysis, alerting, and management to a cloud-based console.

The Endpoint Detection Net suite includes the following modules:

  • ThreatStrike® for credential theft detection
  • ThreatPath® for attack path visibility
  • ADSecure for Active Directory defense - also available as a standalone solution
  • DataCloak function to hide and deny access to data
  • Deflect function to redirect malicious connection attempts to decoys for engagement

The IDEntitleX solution provides cloud identity and entitlements visibility as part of the Attivo Identity Security Offerings (with ThreatStrike, ThreatPath, ADSecure, and ADAssessor), reducing the attack surface and limiting exposures across the enterprise.

The Attivo BOTsink® deception servers provide decoys, a high-interaction engagement environment, the Informer dashboard for displaying gathered threat intelligence, and ThreatOps® incident response orchestration playbooks that facilitate automated incident response. It also offers ThreatDirect deception forwarders to support remote and segmented networks.

The Attivo Central Manager (ACM) for BOTsink and the EDN Manager for standalone EDN deployments add enterprise-wide deception fabric management.


The Attivo Networks ThreatDefend® Platform provides a superior solution for assessing exposures, detecting lateral movement, and preventing privilege escalation. It delivers visibility into exposures that create attack paths and risks, and it detects in-network threats regardless of attack method or surface. It identifies vulnerabilities within AD and at the endpoints that enable lateral movement. Additionally, it conceals sensitive or critical data to prevent attackers from exploiting them during an attack. The security industry recognizes the ThreatDefend platform for its comprehensive in-network detection, which extends coverage from the endpoint to the cloud. The platform disrupts discovery activities and effectively detects threats from virtually any vector such as APTs, stolen credentials, Man-in-the-Middle, Active Directory, ransomware, port and service discovery, and more. It also scalably deploys across all types of networks, including endpoints, user networks, servers, data centers, remote worksites, cloud, and specialty environments such as IoT, SCADA, POS, SWIFT, infrastructure, and telecommunications.


Defend identities across the entire enterprise with identity-based, least-privilege access programs and defenses capable of detecting attack escalation and lateral movement on-premises and in the cloud. The ThreatStrike, ThreatPath, ADSecure, ADAssessor, and IDEntitleX solutions implement identity-first security, providing visibility to exposures, reducing the addressable attack surface, and preventing and detecting attacks at endpoints, in Active Directory, and the cloud.

The EDN suite provides effortless and highly effective redirection of attacks seeking to harvest credentials or execute a ransomware attack. Additionally, the solution hides local files, folders, removable drives, and mapped network and cloud shares, while high interaction deceptions slow and occupy a ransomware attack, providing the time to stop it before it can cause extensive damage.

Fake credential lures and decoy systems work together to attract and detect attackers in real-time, raising evidence-based alerts while actively engaging with them so that the platform can safely analyze their attack activities. The decoy systems mirror-match production assets by running real operating systems, services, and applications. Machine learning prepares and deploys the decoys and lures, making initial deployment and ongoing maintenance easy. The platform can also customize the organization’s decoy environment by importing golden images and applications for more authenticity.

With the rapid migration to the cloud, the detection fabric scales seamlessly anywhere the enterprise network sits. The ThreatDefend platform offers extensive support for AWS, Azure, Google, and Oracle cloud environments, including decoys and lures for containers, storage buckets, and other native cloud technologies. The ThreatDefend platform capabilities include support for serverless functions, access keys, reconnaissance, credential harvesting, and verifying the efficacy of security controls, along with CloudWatch/SIEM monitoring for finding attempted use of deception credentials.

The ThreatDefend platform protects VPN infrastructure and credentials for VPN, cloud PaaS, IaaS, and SaaS. The solution can deploy decoys within the VPN network segment to identify network discovery and AD reconnaissance activities that indicate lateral movement. It seeds fake VPN credentials at remote endpoints that alert on theft and reuse and integrates with cloud services to identify unauthorized use.

The solution disrupts network discovery attempts by detecting and alerting on ping sweeps and redirects any port scans that touch a closed port on a host to an open port on a decoy, making host fingerprinting difficult and forcing decoy engagement. This capability does not interfere with any production services while providing early lateral movement detection. The solution can natively isolate any inbound or outbound traffic on a host to connect only with the decoy environment.

ATTACK SURFACE REDUCTION

The ThreatPath solution reduces the endpoint attack surface and proactively increases security by identifying misconfigurations and credential exposures that create attack paths for attackers to use for lateral movement. A topographical visualization and attack path associations provide a straightforward view of how attacks can reach their target. The IDEntitleX solution provides visibility to entitlements exposures that form attack paths in the cloud. When paired with the BOTsink server’s threat intelligence and attack time-lapsed replay and used in conjunction with the ADAssessor solution, defenders achieve unprecedented threat visibility levels and the information required to build a pre-emptive defense against their adversaries across endpoints, Active Directory, and the cloud.