Changelog
Follow up on the latest improvements and updates.
new
Managed ISPM
Managed ISPM New Features and Security Controls
As we continue our drive to General Availability on July 1, the Managed ISPM product has some great new controls and features.
New Exchange Online Security Controls
- Connection Filter Should Not Bypass Spam Filtering
- Transport Rules Should Not Bypass Security Controls
- Block Exchange Forwarding
- Ensure MailTips are enabled
- Ensure External Flag is visible within Outlook
- Ensure Modern Authentication is enabled
- Ensure 'AuditDisabled' organizationally is set to 'False'
- Ensure SMTP AUTH is disabled
- Block Outlook External Storage Providers
- Ensure users installing Outlook add-ins is not allowed
- Block Exchange Calendar Sharing External
New Features
Risk Exceptions
We heard you! Our Early Access partners let us know that not every policy is relevant to all organizations. You asked for the option to exclude that policy so that you don't have a non-compliant flag AND so that you don't receive escalations for those items. This is now available.
Escalations are now Platform Notifications
Thanks again to our amazing early access partners for their feedback; we have smoothed the experience around flagging drift, non-compliant items and other platform updates. These are now consolidated into Platform Notifications. You no longer need to acknowledge or resolve these updates as you did with the Escalations we were sending before this update.
UI / UX Updates
We've updated table filters, improved search, and added more tooltips and descriptions throughout the product to improve the overall experience and make it even easier to use Managed ISPM.
improved
API
Platform
Updated Organization API for reporting and dashboards
The GET Organization API endpoint now returns fields that cleanly separate statistics by product (SIEM, EDR, SAT, and ITDR), removing the ambiguity previously experienced. This update also provides data that used to require copying and pasting out of the Platform portal, such as SIEM storage usage, EDR agent counts for unresponsive, outdated, and isolated agents, and per-tenant ITDR identity counts. The new data exposed via the API makes it easier to build dashboards and reports in your preferred tools. Please see the Organizations API documentation for further details.
Account admins can now configure any of the four Notification categories to be delivered to ServiceNow. Check out this support doc to learn more about the integration and how to configure it.
new
Platform
Webhooks for real-time notification delivery
Webhooks are available to all Huntress accounts. This enables you to receive real-time event notifications without the need to poll the API. It also supports signature verification for payload authenticity. The benefits include faster ticketing, alerting, and automation of workflows by pushing notifications and status changes directly into tools like PSAs, automation tools, and collaborative tools like Slack. To learn more about webhooks, please read this support doc.
Partners and Customers can now generate a PDF report of ITDR incidents with a timeline, data exfiltration and report summary to hand over to end-clients, auditors, and other third parties.
Head over to the Incident report --> Timeline tab --> Click on "Export Timeline". A PDF will be generated and downloaded. Learn more about ITDR's Incident Report Timeline here.
new
Managed EDR
Detecting Social Engineering for Infostealers on macOS
Huntress Managed EDR now detects macOS Infostealers, malware that tricks users into bypassing Gatekeeper to steal credentials and sensitive data. Throughout 2024 and 2025, these have emerged as the most prevalent macOS threat family.
The Huntress macOS agent stops these attacks at the front door by scanning files the moment you open them. By "reading" the screen, the agent spots the deceptive icons and fake instructions hackers use to trick users, alerting the Huntress SOC to triage and neutralize the threat.
new
Managed EDR
Improved Visibility into Windows Logon Events
The Huntress EDR portal now surfaces successful logon events, providing a clear audit trail of who accessed an endpoint and how. In addition, the logon events show the type of logon (interactive, remote interactive, unlocked), user name, domain, and security identifier (SID).
This visibility exposes "living off the land" tactics, in which attackers use valid credentials to fly under the radar. Surfacing these events directly in the dashboard helps distinguish standard local logins from suspicious remote sessions, allowing Managed EDR to shut down unauthorized access before it escalates.
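As an added illustration of the triage described above (example code written for this page, not Huntress's own logic), the block below parses constructed sample lines modelled on the fields of Windows Security event 4624 (user, domain, SID, logon type) and separates ordinary local interactive/unlock logons from RemoteInteractive sessions that are not on an expected-user list. The log format, the sample SIDs and the allow-list are all assumptions.

```python
import re
from dataclasses import dataclass

# Windows Security event 4624 LogonType values relevant to this triage.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}
REMOTE_TYPES = {10}  # RDP-style sessions that deserve a second look when unexpected


@dataclass
class Logon:
    user: str
    domain: str
    sid: str
    logon_type: int
    source_ip: str

    def kind(self) -> str:
        return LOGON_TYPES.get(self.logon_type, f"Other({self.logon_type})")


# Constructed sample (not real telemetry): key=value lines loosely shaped like 4624/4625 fields.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=jdoe TargetDomainName=CORP TargetUserSid=S-1-5-21-1111-2222-3333-1001 LogonType=2 IpAddress=127.0.0.1
EventID=4624 TargetUserName=jdoe TargetDomainName=CORP TargetUserSid=S-1-5-21-1111-2222-3333-1001 LogonType=7 IpAddress=-
EventID=4624 TargetUserName=svc-backup TargetDomainName=CORP TargetUserSid=S-1-5-21-1111-2222-3333-1105 LogonType=10 IpAddress=203.0.113.45
EventID=4625 TargetUserName=jdoe TargetDomainName=CORP TargetUserSid=S-1-0-0 LogonType=10 IpAddress=203.0.113.45
"""

PAIR = re.compile(r"(\w+)=(\S+)")


def parse_successful_logons(text: str) -> list[Logon]:
    """Keep only successful logons (4624); failed attempts (4625) are out of scope here."""
    logons = []
    for line in text.splitlines():
        f = dict(PAIR.findall(line))
        if f.get("EventID") != "4624":
            continue
        logons.append(Logon(f["TargetUserName"], f["TargetDomainName"],
                            f["TargetUserSid"], int(f["LogonType"]), f["IpAddress"]))
    return logons


def flag_remote_sessions(logons: list[Logon], allowed_remote_users=frozenset()) -> list[Logon]:
    """Return RemoteInteractive logons whose user is not on the expected-user list."""
    return [l for l in logons
            if l.logon_type in REMOTE_TYPES and l.user.lower() not in allowed_remote_users]


if __name__ == "__main__":
    for l in flag_remote_sessions(parse_successful_logons(SAMPLE_EVENTS)):
        print(f"review: {l.domain}\\{l.user} ({l.sid}) {l.kind()} from {l.source_ip}")
```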
new
Platform
Unwanted Access Rules API is now available
The Unwanted Access Rules API is now available, exposing endpoints to list, create, update, and delete rules that govern how Huntress responds to identity access attempts by country or VPN. Rules can be scoped to the account, an organization, or a specific identity with expected or unauthorized determinations and optional starts_at / expires_at schedules. This allows API users to automate managing ITDR unexpected access rules. See the API docs: https://api.huntress.io/docs#tag/unwanted-access-rules
new
Platform
Managed ITDR
Managed EDR
EDR/ITDR Correlations Now Live!
We’re excited to share that we now provide EDR/ITDR Correlations for Huntress Managed EDR and Managed ITDR customers. EDR/ITDR Correlations is a capability that only Huntress can deliver because it requires both an endpoint agent and an identity detection platform operating on the same customer base.
So, how does it work? When Huntress Managed EDR detects an attack, like an infostealer, on a Windows endpoint, the platform automatically resolves that compromised machine to the Microsoft 365 cloud identities that were logged in on it. That context isn’t surfaced hours later in a separate tool or buried in logs. It appears directly inside the EDR Incident Report, alongside the endpoint findings.
From there, Managed ITDR does what it’s designed to do: it enables immediate, guided remediation of those identities. Revoke sessions. Disable accounts. Contain the blast radius before stolen credentials can be used.
Crucially, this approach bypasses one of the biggest bottlenecks in identity security: log latency. Rather than waiting for audit logs to be generated, ingested, normalized, and analyzed, EDR/ITDR Correlations use direct endpoint evidence to infer identity risk almost instantly. Read more here: https://www.huntress.com/blog/edr-itdr-correlations
A new role has been introduced in the Platform that allows account admins to create users with permissions limited to onboarding and offboarding organizations. This role is designed for partner staff and API keys used in managing the lifecycle of organizations. The role ensures specific tasks can be done while limiting the scope of required access.