Thank you for all your feedback during the Huntress API Public Beta! We're excited that the API continues to be well received as we progress into General Availability.
What's changed since the public beta?
  • Updated route documentation
  • Plan to improve Mac /agents support
  • Improved support documentation e.g. Swagger
  • Mock server
Where can I continue to submit feedback?
To better track our partner feedback, we've broken out the remaining API-related feature requests as logically as possible in the API Category. Some of these requests:
  • Expand API to Include Managed AV
  • Expand API to Include External Recon
  • Expand Report API capability
  • Create Incident Webhooks
If you have additional requests to add, we'd love to hear from you on our feedback page as we continue working on our product.
The Huntress API provides programmatic access to your data in the Huntress Managed Security Platform. It is designed to improve mapping and integration between MSP services, assist billing reconciliation, and support operational dashboards.
What data is available?
At this time, Huntress has made read-only data available across:
  1. Account
  2. Organizations
  3. Agents
  4. Incident Reports
  5. Summary Reports
  6. Billing Reports
How do I access the Huntress API?
A new option, API Credentials, is now present under Account Settings in the Huntress Portal. A short wizard will help generate account credentials to authenticate requests for account data.
Where is the Huntress API documentation kept?
Huntress has produced two forms of documentation to help support external integration and development efforts.
General API Overview:
The Huntress API Private Beta was well received, with an average feedback score of [/5]. Four key areas were highlighted for functionality expansion:
  • Ransomware Canaries
  • Incident Webhook
  • Managed Antivirus
  • Host Isolation
Huntress values partner feedback and, during Public Beta, will maintain a keen eye on feedback.huntress.com. If you'd like to share more, we're also making our original feedback survey available.
Microsoft released their new operating system in early October. Installation and management are identical to other Windows operating systems. All Huntress services are officially supported, including Managed Antivirus.
For more information on installing the Huntress agent, please visit:
August 18th, multifactor authentication will be required to log into the Huntress platform. For information and instructions on enforcing MFA, please visit our Huntress Support.
Why enforce Multifactor Authentication
Multifactor authentication provides an additional layer of security and scrutiny to your account. Not only will an attacker need to know your password, but they will also need to complete the second-factor check. Traditionally the second factor requires "something you have" to satisfy the check. This could be many things but is in most cases a mobile phone with a supported authentication app. Without this physical device, even an attacker who has your password won't be able to access your account.
What's changing
August 18, Huntress will require all Huntress admin users to have a multifactor authentication mechanism set up and enabled in order to access the Huntress admin console.
Today, Huntress account administrators have the option of enforcing multifactor authentication across all users within their account, as is described in this support article. On August 18, this will no longer be optional for Huntress account administrators; Huntress user accounts will be required to have multifactor authentication enabled.
Users who have not yet set up multifactor authentication on or after August 18 will be prompted to set it up upon logging in.
July 14, all accounts will have Huntress Recommended Defaults enabled for Managed Antivirus (MAV). This will immediately apply to agents that are in MAV Enforce mode (see more details below).
Huntress Recommended Defaults simplifies configuration of best-practice Defender policies by automatically applying default settings recommended by Huntress.
What will change?
In the previous version of Managed AV configuration policy, all settings defaulted to Use System Default at the Account level, which adopts the existing Microsoft Defender default that applies to each endpoint.
With Huntress Recommended Defaults, Use System Default will now be replaced with the Huntress Recommended Default setting based on the AV best practice at the Account level.
What do I need to do now?
Check out our support article to understand what settings may change:
Any overrides (or changes from Use System Default) that are already configured at the Account, Organization, or Host level will be preserved. If you would like to maintain your own settings for your Account, you can make those explicit settings in your portal now before this feature is enabled on July 14.
For partners who are in Audit Mode, this will only update the configuration policy for Managed AV but will not modify any agents.
For partners who are in Enforce Mode, Huntress Recommended Defaults will take the place of "Use System Default" at the Account level.
Ransomware Canaries will now be enabled by default for all partners, including those who have not previously opted-in for this service.
How do canaries work?
Ransomware Canaries are small files placed on the endpoint and monitored for changes. Enabling this service allows our agent to kickstart an investigation with our ThreatOps teams when a change is detected, giving them additional visibility to identify ransomware incidents.
What is the impact?
The impact of this service is minimal. Each canary file is very lightweight at approximately 150 KB, with about 500 KB used per user profile. Our Huntress agent then reports any changes to these files in its periodic survey to trigger an incident investigation by our ThreatOps teams.
You will only be notified with an incident report if our ThreatOps team validates suspicious behavior potentially related to a ransomware incident.
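A minimal sketch of the canary mechanism described above, added here as an example and not Huntress agent code: it writes canary files into a profile directory, records a SHA-256 baseline, and a later survey reports any canary that was modified or renamed. The file names, the `.locked` extension and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Hypothetical canary names; a real agent chooses its own names and locations.
CANARY_NAMES = ("aaa_invoice_2021.docx", "zzz_backup_keys.xlsx")

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def deploy_canaries(profile_dir, size=150 * 1024):
    """Write canary files into a profile and return the baseline {path: digest}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(profile_dir, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        baseline[path] = sha256(path)
    return baseline

def survey(baseline):
    """Compare canaries against the baseline; return a list of (path, finding)."""
    findings = []
    for path, digest in sorted(baseline.items()):
        if not os.path.exists(path):
            # Ransomware commonly renames what it encrypts, so the original path vanishes.
            siblings = [f for f in os.listdir(os.path.dirname(path))
                        if f.startswith(os.path.basename(path) + ".")]
            findings.append((path, "renamed:" + siblings[0] if siblings else "missing"))
        elif sha256(path) != digest:
            findings.append((path, "modified"))
    return findings

def demo():
    """Constructed scenario: one canary overwritten in place, one renamed."""
    with tempfile.TemporaryDirectory() as profile:
        baseline = deploy_canaries(profile)
        clean = survey(baseline)                 # nothing touched yet
        first, second = sorted(baseline)
        with open(first, "wb") as fh:
            fh.write(b"\x00" * 64)               # stand-in for in-place encryption
        os.rename(second, second + ".locked")    # stand-in for an appended extension
        return clean, survey(baseline)
```

A survey that returns any finding is the signal to open an investigation; the renamed case matters because a check that only hashes existing files would miss it.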
Why are we doing this now?
With the news around Microsoft Exchange vulnerabilities, especially with the latest reported information indicating that these vulnerabilities are being used to install a new ransomware variant called DEARCRY, we believe it is important for us to continue doing what we can to protect our partners and the businesses you serve.
We will begin our phased rollout on March 12 with partners who are currently running Microsoft Exchange.
Read more about Ransomware Canaries on our blog and our technical support page.
If you have any questions or concerns, please contact us at
If you would like to opt-out, please let us know by March 30th.
Join us for Tradecraft Tuesday on March 9 at 1pm ET where the Huntress team will uncover some major developments surrounding the Microsoft Exchange Server exploit—including newly discovered webshells and post-exploitation details.
We strongly encourage you to join us or sign up for the recording as we'll be going over:
  • Screenshots of newly discovered webshells
  • How the exploits bypassed most preventive security products
  • How the threat actors maintained persistence by hiding in Windows services
  • What the hackers dropped during the post-exploitation stage and what it means for future victims
Register here
On March 2, Microsoft disclosed multiple zero-day exploits being used to attack on-premise versions of Microsoft Exchange Server.
If you are running on-prem Microsoft Exchange, it’s critical that you immediately identify and patch potentially at-risk systems.
Huntress is actively monitoring and sending incident reports for any impacted endpoints discovered, including providing assisted remediation support to remove any webshells deployed as part of this attack.
This does not replace patching; to prevent re-exploitation, it is critical that you also patch vulnerable servers immediately.
As an additional step, we strongly encourage you to verify your own managed environments for potential vulnerabilities and indicators of compromise.
For the latest up-to-date details, keep checking our Huntress blog and Reddit thread; or reach out to
Managed Antivirus offers centralized management and monitoring capabilities for Microsoft Defender Antivirus, an existing next-gen antivirus solution built into Windows.
To learn more, join us for our Managed AV Announcement Webinar on January 27 at 11:30am ET with our Huntress founders to discuss this service in more detail. Hope to see you there!
And to keep the conversation going, join a follow-up Public Beta Managed AV Webinar on February 19 at 11am ET.
How does Managed AV work?
Managed AV starts out in Audit mode. In this mode, Huntress captures data about Microsoft Defender Antivirus on all endpoints deployed within your Account. You can then head over to the Managed AV service dashboard where you will find detailed status information for Microsoft Defender Antivirus running on each of your endpoints.
Managed AV starts out by default in Audit mode. In Audit Mode, we gather information about Microsoft Defender’s status and configuration and use the data to populate the dashboard only; no changes are made to Defender's configuration.
How can I start managing policies for Microsoft Defender Antivirus?
If you want to start managing Microsoft Defender Antivirus, you can choose to move from Audit Mode into Enforce Mode.
Our Managed AV product provides an intuitive way to manage policies (such as path exclusions) at the account, organization, and agent level. The settings you configure will be applied according to that hierarchy. After your policy is defined, you can push it down to your endpoints by moving from Audit to Enforce mode on a per-agent basis or to multiple agents via a bulk action from the Managed AV dashboard.
How do I check it out?
Head over to the left-hand sidebar and click the Managed AV icon at the bottom left to check it out for yourself!
  • To learn more about this new service, check out our Service Blog here
  • For technical details around Managed AV, check out our support article here and our technical FAQ here
  • To understand more about our beta process, check out our Redefining Beta blog here
Partner Enablement
We've just added a bunch of new marketing assets to the Partner Enablement Service!
You'll find new co-brandable datasheets and presentation materials to help bolster security conversations with your customers, as well as recommended reading lists and new educational information.
Check out our blog to learn more!
Partner Enablement
Expansion of Partner Enablement Service
We are expanding our educational and marketing assets! We're planning on adding new materials into our Partner Enablement Service. If you want a preview of what we have in store, go to the sidebar on the left hand side and click on the Partner Enablement icon:
You’ll see three primary sections for Partner Enablement:
Mastering Huntress: This section will be packed with materials to become more knowledgeable with Huntress and ensure you’re maximizing your ROI. Check back for technical documentation and training, onboarding and configuration guides, and feature/benefit overviews—so your team can truly master the platform and effectively layer it into your security stack.
Growing Revenue: Once you’ve got a working knowledge of the Huntress platform, it’s time to turn your attention toward your clients. The materials here will include co-branded datasheets, videos and client-facing presentations for you to up level your clients.
Gaining Knowledge: Education, training and enablement are at the core of our business. Whether we’re exposing hackers’ tricks and methods or working with our partners to investigate active threats, our commitment to simplifying and improving SMB cybersecurity is unchanging. This section will focus on informational resources, recommended reading lists, demos and other materials to make you aware of emerging threats, provide frameworks for your security maturity journey, and more.
Keep checking back for new additions as we expand this part of our Huntress Platform!