Changelog

Follow up on the latest improvements and updates.

Managed ISPM now supports additional security controls to better protect Microsoft 365 organizations.
Exchange Online
Exchange controls have been expanded to include:
  • Ensure the Common Attachment types filter is enabled
  • Ensure notifications for internal users sending malware is set to Enabled
  • Ensure Exchange Online spam policies are set to notify administrators
  • Ensure that SPF records are published for all Exchange domains
Microsoft Teams
The foundation for Microsoft Teams controls has been added to Managed ISPM, and today marks the first control in place. With this foundation set, you'll see us add more controls as we move toward GA on July 1.
  • Communication with unmanaged Teams should be disabled
SharePoint Online
The foundation for SharePoint Online and OneDrive for Business has also been added to Managed ISPM. Today marks the first two controls in this space, adding protection to business information stored in Microsoft 365.
  • Ensure Guest resharing of SharePoint and OneDrive files is set to Disabled
  • Ensure Legacy authentication protocols are blocked for SharePoint and OneDrive
Now Live
We're simplifying and automating the entire experience of deploying Conditional Access policies. ISPM Learning Mode monitors the impact analysis each day and clearly identifies individual identities who would be impacted by deploying the policy.
At the end of the 14-day learning period, we'll provide detailed guidance on any remediations. Or, if it's clear, you can go ahead and safely deploy the policy.
NOTE
This feature requires each organization to be on v6 of the application. Please upgrade your app to v6 to benefit from Learning Mode.
As we continue our drive to General Availability on July 1, the Managed ISPM product has some great new controls and features.
New Exchange Online Security Controls
  • Connection Filter Should Not Bypass Spam Filtering
  • Transport Rules Should Not Bypass Security Controls
  • Block Exchange Forwarding
  • Ensure MailTips are enabled
  • Ensure External Flag is visible within Outlook
  • Ensure Modern Authentication is enabled
  • Ensure 'AuditDisabled' organizationally is set to 'False'
  • Ensure SMTP AUTH is disabled
  • Block Outlook External Storage Providers
  • Ensure users installing Outlook add-ins is not allowed
  • Block Exchange Calendar Sharing External
New Features
Risk Exceptions
We heard you! Our Early Access partners let us know that not every policy is relevant to all organizations. You asked for the option to exclude that policy so that you don't have a non-compliant flag AND so that you don't receive escalations for those items. This is now available.
Escalations are now Platform Notifications
Thanks again to our amazing early access partners for their feedback. We have smoothed the experience around flagging drift, non-compliant items, and other platform updates. These are now consolidated into Platform Notifications. You no longer need to acknowledge or resolve these updates as you did with the Escalations we were sending before this update.
UI / UX Updates
We've updated table filters, improved search, and added more tooltips and descriptions throughout the product to improve the overall experience and make it even easier to use Managed ISPM.
The GET Organization API endpoint now returns fields that cleanly separate statistics by product (SIEM, EDR, SAT, and ITDR), removing any ambiguity previously experienced. This update also provides data that used to require copying and pasting out of the Platform portal, such as SIEM storage usage, EDR agent counts for unresponsive, outdated, and isolated agents, and per-tenant ITDR identity counts. The new data exposed via API enables you to more easily build dashboards and reports in your preferred tools. Please see the Organizations API documentation for further details.
Account admins can now configure any of the four Notification categories to be delivered to ServiceNow. Check out this support doc to learn more about the integration and how to configure it.
Webhooks are available to all Huntress accounts. This enables you to receive real-time event notifications without the need to poll the API. It also supports signature verification for payload authenticity. The benefits include faster ticketing, alerting, and automation of workflows by pushing notifications and status changes directly into tools like PSAs, automation tools, and collaborative tools like Slack. To learn more about webhooks, please read this support doc.
Partners and Customers can now generate a PDF report of ITDR incidents with a timeline, data exfiltration and report summary to hand over to end-clients, auditors, and other third parties.
Head over to the Incident report --> Timeline tab --> Click on "Export Timeline". A PDF will be generated and downloaded. Learn more about ITDR's Incident Report Timeline here.
Huntress Managed EDR now detects macOS Infostealers, malware that tricks users into bypassing Gatekeeper to steal credentials and sensitive data. Throughout 2024 and 2025, these have emerged as the most prevalent macOS threat family.
The Huntress macOS agent stops these attacks at the front door by scanning files the moment you open them. By "reading" the screen, the agent spots the deceptive icons and fake instructions hackers use to trick users, alerting the Huntress SOC to triage and neutralize the threat.
The Huntress EDR portal now surfaces successful logon events, providing a clear audit trail of who accessed an endpoint and how. In addition, the logon events show the type of logon (interactive, remote interactive, unlocked), user name, domain, and security identifier (SID).
This visibility exposes "living off the land" tactics, in which attackers use valid credentials to fly under the radar. Surfacing these events directly in the dashboard helps distinguish standard local logins from suspicious remote sessions, allowing Managed EDR to shut down unauthorized access before it escalates.
The Unwanted Access Rules API is now available, exposing endpoints to list, create, update, and delete rules that govern how Huntress responds to identity access attempts by country or VPN. Rules can be scoped to the account, an organization, or a specific identity with expected or unauthorized determinations and optional starts_at / expires_at schedules. This allows API users to automate managing ITDR unexpected access rules. See the API docs: https://api.huntress.io/docs#tag/unwanted-access-rules