Managed SAT

Once you're in the SAT admin dashboard, there's no link back to the Huntress IO. A link back to IO within the SAT dashboard would create a more unified experience.

core message gets lost in unnecessary stories and questions, and is too long to complete

Huntress… genuinely… what in the actual hell were you thinking with this month’s “Incident Response” training? These trainings are primarily targeted to end users, which is why I have so many questions. First off, why on earth would an end user ever get a giant, flashing “CYBER INCIDENT” popup on their machine? Haven’t we spent the last decade drilling into people’s heads that big scary popups demanding action are literally the calling card of a scam? But sure, let’s undo all that. Then we jump straight into “If you can’t reach IT immediately, feel free to sprint around the office in a full-blown panic.” Excellent advice. But wait, there’s more. Since IT is apparently unreachable (probably because they’re off sipping piña coladas on a beach somewhere), the user should just go ahead and fix the cyber incident themselves. I mean, why not? They helped set up Grandma’s Roku in 2019. They’re basically a Tier 3 analyst. And miraculously, they do resolve the incident. Incredible. Truly inspiring. Meanwhile, IT is still horizontal on a lounge chair. Now that the crisis is over, it’s time for the pièce de résistance: dragging out that dusty USB stick they used to back up their department’s files sometime during the Obama administration and restoring those outdated files right back onto the company drive. Because that’s what they were taught. Time to restore. Boom. Done. Easy. This video seems far better suited for targeted training within specific IT groups. Anything beyond that feels out of scope. Even providing it to middle management introduces confusion. Are they expected to test system availability? Should they be copying backups or moving files? These are not appropriate responsibilities for non technical staff, and presenting them as such encourages practices that are risky at best. This becomes especially concerning in small businesses where safeguards and separation of duties may not be as robust. A scenario where an office manager like Stan watches this video, decides “Facebook isn’t loading, we must be under attack,” and then starts powering off equipment because he once saw IT do something similar is not far fetched. The training encourages users to “take action,” which can easily be misinterpreted without proper context. While the video initially frames the character as part of IT, that distinction is lost almost immediately. Within seconds, his role becomes ambiguous, and it’s never clearly reinforced that this training is intended for IT personnel. Without that clarity, the message risks being misunderstood and applied in ways that could create more problems than it solves.

SAT Training - More concise & professional training module. Less animation and time to complete training.

I recently completed the Phishing 2 Assignment, and got two questions wrong due to them having poorly worded questions or nebulous answers. Question 1: What characteristic of QR codes allows bad actors to bypass email security filters in phishing attacks? Answer: They hide malicious links Feedback: The fact that QR codes hide malicious links is not what allows them to bypass email security. So this question is not relevant to the answer. Question 2: If you suspect you've entered your login credentials on a phishing site, changing that one compromised password is enough to secure your accounts. Answer: It depends Feedback: This answer is seriously nebulous and generally doesn't align with a recommended approach of scrutinising all other passwords & updating those too. With no further context, "it depends" is not a valid answer for this question. The explanation behind the answer does give more context, but that's too late if you've already selected the wrong answer. The info in the previous slide also doesn't make it all that clear.

Partner request for an MSP level dashboard on SAT similar to the Command Center on the Huntress .io. Also for SAT, an MSP level Report, rather than just each Customer. This would allow the MSP with lots of customers to be able to see at high level which customers need more attention and help, and then they could share how other customers are doing comparatively.

I just wanted to provide the input that the Google Workspace UI has changed from what is documented in the page https://support.huntress.io/hc/en-us/articles/10962619872787-Allow-list-Managed-SAT-Emails-in-Google I was just going through it with my client today, and the Advanced settings is now no longer present. I would recommend you update the docs to keep them current, which I know is not easy, but I know Huntress has very high standards.

We are seeing more clients that need FWA and also would be good to have an episode for insider threat as well

Currently, the Threat Simulator is tied to the OSINT episode and cannot be assigned as a standalone module. It would be beneficial to have the option to create the Threat Simulator as an independent assignment, allowing learners to access it directly without completing the OSINT episode first. This flexibility would enhance training customization and meet specific client needs.

After reviewing Huntress SAT: Allow listing guidance for M365, it appears that two of the required policies are in conflict. Both Allowlist Phish Emails in Microsoft 365 EAC and Exchange EOP & the Allowlist Phish Emails in Microsoft Active Threat Protection (Safelinks) require the creation of a mail flow (transport) rule. The Allowlist Phish Emails in Microsoft 365 EAC guide however indicates you should "stop processing rules". The issue here is that means the Allowlist Phish Emails in Microsoft Active Threat Protection rule which modifies the message header never actually applies. This can be seen in implementation in the attached image where only one of the rules actually applies. Are both these rules actually required? If so, since both are set to "Apply this rule if…" the IP address matches Huntress IPs, couldn't they just be a single rule?