Changelog
Follow up on the latest improvements and updates.
improved
Managed EDR
macOS EDR Agent Installation Improvements
The Huntress Configuration Wizard on macOS has been redesigned with a clearer, faster setup flow to make installation quicker and easier. All required setup steps (system extension approval, Full Disk Access, network filter) are now shown in sequence on a single scrollable page with guidance, so you no longer have to navigate through a series of individual screens. You can see at a glance where you are, what's left, and which steps are completed.
MDM-managed endpoints get a dedicated view. The Configuration Wizard now shows a focused summary of any pending steps, with clear visual indicators, rather than the full manual setup flow.
improved
Managed EDR
Managed EDR improvements with our Defender for Endpoint integration
Comprehensive coverage of EDR, and MDE when used, is critically important to protect every endpoint. To give better visibility into the state of EDR and MDE coverage, Huntress has updated the Command Center in the Platform portal to make it easier to see MDE tenant health, configuration errors, and gaps where the Huntress agent or MDE is not installed.
What’s new:
- A new widget shows the percentage of endpoints running MDE that lack the Huntress agent, using color coding to highlight at-risk environments.
- An Account-level view summarizes the health of all MDE tenants at once, rather than requiring them to be checked individually.
- If data stops flowing from Microsoft to Huntress, a new alert icon and clearer language indicate an issue.
- Simplified filters and click-through paths help you jump directly from a "warning" to the specific endpoint that needs a fix.
Partners can now exclude Google Workspace student organizational units from ITDR billing and detection, ensuring K-12 and higher education partners only pay for and monitor staff and faculty identities.
- Student OU Exclusions – Contact your account manager with your student organizational unit information to exclude student identities from billing and detection.
- Billing & Signal Filtering – Excluded identities are automatically removed from both billing calculations and signal generation, so you only pay for the identities that matter.
- Audit Trail – All exclusion changes are logged for compliance and visibility.
Huntress Managed Identity Security Posture Management (ISPM) is now in free Early Access for qualifying Huntress partners and customers using Managed ITDR in Microsoft 365. Managed ISPM continuously hardens your Microsoft 365 environment so attackers have fewer chances to abuse misconfigurations and over-permissioned users.
Eligible admins will see a new Managed ISPM Early Access experience in the Huntress portal and can self-enroll there.
During Early Access, you get:
- Huntress-managed identity controls for Microsoft Entra ID, protecting settings for MFA, admin accounts, passwords, standard users, and guests.
- Conditional Access policy management along with recommended templates.
- Drift detection within minutes and Continuous Enforcement, so you stay aligned with best practices.
- The ability to quickly roll back changes if needed.
We’re focusing first on the misconfigurations attackers exploit most, using SOC insights from millions of identities so you can strengthen Microsoft 365 posture without building and maintaining your own baselines.
Your feedback shapes what we build. Add requests in Canny for Managed ISPM or provide feedback to your Huntress Account Manager.
new
Managed ITDR
Managed ITDR for Google Workspace GA Released
We’re excited to announce that Managed ITDR for Google Workspace is now generally available! Managed ITDR for GWS extends Huntress’ 24/7, human-led identity threat detection and response into GWS environments, delivering the same outcome-driven protection our customers rely upon in their Microsoft 365 environments. Some high-value detections available today:
- Unexpected Login Activity - We watch for authentication patterns that don’t fit - risky networks, unusual geographies, or infrastructure commonly abused by threat actors. When those signals appear, our analysts quickly revoke sessions and remove attacker access.
- Shady Inbox Rules - We detect Gmail rule changes, and our analysts remove them, shutting down one of the most common persistence techniques attackers rely on.
- Malicious Datacenter Infrastructure - We track login activity tied to datacenter providers and ASNs commonly used in attacks, surfacing suspicious access earlier in the attack chain.
And this is just the beginning. We’ll continue to update you with expanding detection coverage and response capabilities across GWS as they’re released.
Please see our new and updated KB articles on ITDR for GWS:
- https://support.huntress.io/hc/en-us/articles/49300628099859-Understanding-the-Differences-Between-ITDR-for-Microsoft-365-and-ITDR-for-Google-Workspace
- https://support.huntress.io/hc/en-us/articles/19133104595475-Billable-and-Non-billable-Identities
- https://support.huntress.io/hc/en-us/articles/49463229642771--Google-Workspace-Huntress-Identity-Isolation-for-ITDR-for-Google-Workspace
Account admins can now configure one or more email recipients to automatically receive monthly and quarterly reports for the account. To enable emails, the report page for the account in the Platform portal now has a "Manage Recipients" button like the one for an organization.
To make it easier to filter and use automations, email and PSA subject lines now include the Huntress product and organization name.
Huntress [Product - EDR, ITDR, SIEM, ISPM, ESPM, SAT] [Severity] [Category] | [Description] ([Organization])
Example: Huntress EDR Critical Escalation | Suspicious Process on HOST01 (Acme Corp)
- The product name applies to all notification categories (i.e., Incident Reports, Escalations, Platform Actions, and Account Notices). The name is omitted when the product cannot be determined.
- Organization name is new for Escalations and Platform Actions, matching the existing Incident Report convention. The organization name is omitted when the notification spans multiple organizations or has no organization association.
- Both changes affect email subject lines and PSA ticket titles across all supported integrations. If you parse notification subjects for routing or automation, please update your rules to account for the new format.
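For teams updating routing rules, the following is an added example (not Huntress code) of a parser for the subject format above that tolerates the omitted product and omitted organization cases. It assumes severity is a single word and that a trailing parenthetical is the organization name; the routing_key function and its queue names are hypothetical.

```python
import re

# Product names listed in the subject-line format above.
PRODUCTS = {"EDR", "ITDR", "SIEM", "ISPM", "ESPM", "SAT"}

def parse_subject(subject):
    """Split a notification subject into fields; return None if it does not
    match the new format so the caller can fall back to an older rule."""
    head, sep, tail = subject.strip().partition(" | ")
    tokens = head.split()
    if not sep or not tokens or tokens[0] != "Huntress":
        return None
    tokens = tokens[1:]
    # The product name is omitted when it cannot be determined.
    product = tokens.pop(0) if tokens and tokens[0] in PRODUCTS else None
    if len(tokens) < 2:
        return None
    # Assumption: severity is a single word; the rest is the category.
    severity, category = tokens[0], " ".join(tokens[1:])
    # Assumption: a trailing "(...)" is the organization. A description that
    # itself ends in parentheses is indistinguishable when the name is omitted.
    m = re.match(r"^(.*\S)\s+\(([^()]+)\)$", tail)
    description, org = (m.group(1), m.group(2)) if m else (tail.strip(), None)
    return {"product": product, "severity": severity, "category": category,
            "description": description, "organization": org}

def routing_key(subject):
    """Hypothetical routing rule: queue by product and organization."""
    fields = parse_subject(subject)
    if fields is None:
        return "legacy"
    return f"{fields['product'] or 'unknown'}/{fields['organization'] or 'unassigned'}"

# Constructed samples; only the first is the example given above.
SAMPLES = [
    "Huntress EDR Critical Escalation | Suspicious Process on HOST01 (Acme Corp)",
    "Huntress Critical Escalation | Suspicious Process on HOST01 (Acme Corp)",
    "Huntress ITDR High Incident Report | Suspicious login from new location",
    "Weekly summary for Acme Corp",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(routing_key(s), "<-", s)
```

Rules that previously matched on a fixed prefix should key on the parsed fields instead, since the product and organization are each optional.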
improved
API
External Recon data is now available via API
External Recon in Managed EDR provides visibility into an organization’s external attack surface by identifying open ports and services exposed to the Internet. We have released two new API endpoints for querying data from External Recon. Each record includes the IP address, port, protocol, detected service, and a risky_service flag. Details are available in the API docs:
Resellers can now programmatically manage product subscriptions for their managed accounts via the new /v1/reseller/subscriptions endpoints. This endpoint supports creating, retrieving, updating, and upgrading subscriptions for Managed EDR, ITDR, SAT, and SIEM with standard terms and pricing. Please see the API docs for more details.
improved
Platform
Email integration users can now opt out of resolved emails
Email integration destinations now include a "Send Resolved notifications" toggle that lets you stop receiving resolved emails for Incidents, Escalations, and Platform Actions notifications. The setting works at both the global and per-category level — disable it globally to suppress all resolved emails, or use per-category overrides for more granular control. Existing integrations are unaffected and will continue sending resolved emails unless a user explicitly opts out.