Protect Your Workforce at Scale with Automated Identity Threat Protection
Secure access + rapid remediation
Your IAM team is responsible for securing workforce identities – making sure only legitimate users gain access while blocking unauthorized activity. But when employees reuse passwords or fall victim to malware, they create invisible gaps that most tools can’t catch until it’s too late.
SpyCloud enables fully automated remediation of exposed workforce credentials in as little as five minutes, helping your team scale protection across the enterprise without adding manual overhead.
Your IAM stack's secret weapon
Access exposure data within minutes – ready for use in your IAM workflows to power rapid remediation that aligns to your Zero Trust and governance frameworks.
Connect with Okta, Entra ID, Ping, and more to automate exposure detection and remediation
EXPLORE USE CASES FOR SPYCLOUD
Get ahead of identity exposures with SpyCloud
Zero Trust
Accelerate Zero Trust initiatives with policy decision points that continuously evaluate employee identities for compromise
Strengthen your identity perimeter with SpyCloud
IAM Credential Monitoring and Remediation FAQs
NIST SP 800-63B Section 5.1.1.2 requires that organizations check user credentials against a frequently updated list of known-compromised credentials and force an automatic reset when a match is found. SpyCloud Identity Guardians satisfy each element: the SpyCloud dataset is continuously updated as new breach records, infostealer logs, and phishing captures are processed; Identity Guardians check credentials on a configurable continuous or scheduled basis; and automatic forced resets trigger within 5 minutes of a confirmed match. SpyCloud provides exportable audit logs and remediation documentation suitable for NIST 800-63B assessments and SOC 2 Type II evidence packages.
All three Identity Guardians (Active Directory Guardian, Entra ID Guardian, and Okta Workforce Guardian) continuously monitor employee credentials against SpyCloud’s recaptured data and automatically trigger remediation, but they integrate into different environments. Active Directory Guardian runs locally on a domain controller or AD member server for on-premises deployments. Entra ID Guardian runs in an Azure container for cloud-native and hybrid Entra ID environments and integrates with Microsoft Defender and Sentinel. Okta Workforce Guardian integrates with the Okta Workflows engine and supports password resets, active session revocation, account disabling, and adaptive authentication policy changes. For hybrid or multi-directory environments, the Guardians can operate in parallel.
Native IdP tools operate exclusively on internal signals. Okta ThreatInsight detects anomalous login patterns within the Okta environment. Azure AD Password Protection blocks weak passwords at creation. Neither tool has visibility into credentials stolen from personal devices, unmanaged endpoints, or third-party applications outside the corporate perimeter. SpyCloud Identity Guardians monitor against recaptured criminal data including breach records, infostealer malware logs, and phishing data. IDLink analytics extend monitoring to personal identity footprints, producing 14 times more plaintext passwords per user compared to exact-match monitoring against the corporate domain alone.
Standard directory scanning checks whether an employee’s work password appears in a breach record tied to their work email. It misses the most common initial access path: a personal account breach where the same password is reused at work. The breach exposed a personal email, not the work one, so exact-match scans return nothing. Identity Guardians with IDLink analytics correlate the employee’s work identity against their personal identity footprint, surfacing exposures tied to personal email addresses and personal accounts that share password patterns with corporate accounts. This is what produces the 14x difference in passwords found compared to exact-match scanning.
SpyCloud’s dataset is updated continuously, with new data typically appearing within days of surfacing in criminal markets, well before it reaches breach notification services or public indexes. Identity Guardians run automatic scans against newly published SpyCloud data as it arrives. When a match is confirmed, the configured remediation action triggers automatically without manual intervention. The window from detection to completed remediation is under five minutes for standard deployments. For Okta Workforce Guardian deployments, session revocation is immediate and cascades to every downstream application in the SSO instance.