AUSTIN, Texas – June 11, 2026 – SpyCloud, the leader in identity threat protection, today announced a deepened partnership with Okta, the leader in identity management, through two complementary integrations that give enterprises automated detection and response for identity-based threats across the full identity lifecycle. Built on SpyCloud’s repository of more than one trillion recaptured identity assets – continuously collected from infostealer malware logs, phishing campaigns, combolists, and breaches – the Okta Workforce Identity and Okta Identity Threat Protection (ITP) integrations allow security teams to shrink the window between user exposure and remediation from days to under five minutes.
Stolen credentials and hijacked sessions are among the most dangerous – and most underestimated – threats facing enterprises today. When an employee’s Okta credentials are captured through infostealer malware, a phishing campaign, combolist, or a third-party breach, attackers can bypass MFA, hijack live sessions, and move silently through critical SaaS environments well before security teams detect anything is wrong. The problem is compounded by the fact that most organizations only see a fraction of their employees’ actual exposure – missing credentials reused from personal accounts and infections on shared devices that live outside the corporate perimeter.
“Identity-based attacks succeed because there’s a gap between when an authorized user is compromised and when security teams can act on it. Our partnership with Okta eliminates that gap across the full identity lifecycle to stop compromised identities before they authenticate, and detects and responds to exposures once a session is live. Together, the integrations give enterprises something they haven’t had before: continuous identity defense that revokes sessions, resets credentials, and locks down access the moment a compromised identity surfaces in the criminal underground.”
SpyCloud Okta Workforce Guardian: Continuous Monitoring and Automated Remediation
SpyCloud Okta Workforce Guardian continuously validates employee identities against recaptured data from the criminal underground, updated in near-real time. When a stolen session cookie or credential surfaces in SpyCloud’s database, Okta Workforce Guardian executes automated, policy-driven remediations before an attacker can authenticate. Purpose-built for Okta Workforce Identity, it gives security teams full control over remediation logic through modular, customizable workflow templates, including:
- Universal Logout to revoke active session cookies in real time and terminate attacker access mid-session
- Password reuse enforcement that checks whether previously exposed credentials are actively in use with an Okta account, then flags and notifies the user or automatically resets the password
- Targeted scanning with full reporting across the entire environment or specific user groups, with visibility into every scan result, match rate, and remediation taken
SpyCloud + Okta Identity Threat Protection: Risk Signals for Post-Authentication Response
For organizations running Okta Identity Threat Protection (ITP), SpyCloud feeds enriched identity exposure signals directly into Okta’s adaptive risk engine via the standards-based OpenID Shared Signals Framework (SSF). Each signal automatically updates user entity risk levels and triggers policy-based responses in real time – without manual intervention. Once a user’s session is authenticated, SpyCloud continuously monitors for new exposures and delivers the following default risk signals based on exposure type and severity that can be set by the Okta admin:
- High Risk – When SpyCloud detects credentials that include an organization's specific Okta tenant URL captured by infostealer malware or a targeted phish, Okta ITP can be configured to immediately revoke active sessions, enforce a password reset, and step up authentication.
- Medium Risk – Infostealer malware infections and phished credentials both carry significant follow-on risk, exposing not just passwords but active session cookies and tokens that enable authentication bypass. Either exposure type triggers immediate MFA challenges, session revocation, and SOC alerts.
- Low Risk – When corporate credentials appear in a third-party breach, Okta ITP notifies the affected user and prompts a password update at next login – with optional MFA step-up enforcement. While lower in immediate severity, these exposures are frequently the starting point for credential stuffing and account takeover attempts if left unaddressed.
- Holistic Exposure – SpyCloud’s proprietary holistic identity matching technology, IDLink, further amplifies coverage by mapping exposed credentials across both corporate and personal identities, surfacing up to 14 times more exposures per user. Because this exposure often reflects complex, cross-account risk that automated policy alone cannot fully resolve, IDLink exposure signals are designed to prompt investigation rather than trigger a predetermined response – giving security teams the full picture of what's exposed before they act.
Both integrations are fully configurable by risk level and organizational policy, and maintain centralized audit logs to support NIST 800-63B, ISO, and Zero Trust compliance requirements.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions use advanced analytics and AI to accelerate investigations and protect workforce, consumer, and supplier identities from the threats that matter most: authentication bypass, session hijacking, malicious insiders, account takeover, ransomware, and fraud. Its data from malware-infected devices, successful phishes, combolists, and third-party breaches also powers many popular dark web monitoring and identity theft protection offerings. Customers include 7 of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 250 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights on your company’s exposed data, visit spycloud.com.