M365 Onboarding Lookback
in progress
Rich Mozeleski
## Problem
When a new M365 tenant connects to Managed ITDR, Huntress starts with a blank slate. Today we only run two narrow historic checks at onboarding — inbox rules and rogue applications — then wait for forward-looking detections to fire. If a tenant is already compromised when it onboards, nobody knows until the attacker makes their next move.
This leaves a critical gap at the moment of first impression. Tenants frequently onboard while actively compromised, or carrying artifacts from prior incidents that were never fully remediated. Partners have no retrospective story to share with their clients showing what was happening before Huntress arrived.
## What We're Doing About It
At the moment a tenant completes onboarding, Huntress will automatically look back across up to 180 days of historical activity and run our full identity detection suite against it — credential theft, token theft, adversary-in-the-middle, suspicious browsers, datacenter logins, and more.
- Active compromises (still ongoing, no remediation taken) generate critical incident reports and trigger identity lockdown, just like a real-time detection would.
- Previously remediated compromises are added to the ITDR Security Assessment as forensic context, so you can share the full picture with your client.
The Security Assessment becomes a comprehensive retrospective rather than a blank report followed by piecemeal findings.