Petra ITDR Review: The Identity Layer Microsoft 365 Doesn't Give You
We ran Petra's identity-threat scans across our entire client base. Here's what ITDR is, why identity is the number-one attack on Utah SMBs, and how Petra, Huntress, and Blumira compare.
- ✓ Identity is now the top attack surface — Microsoft tracks 600M+ identity attacks every single day
- ✓ Microsoft 365 Business Premium’s Conditional Access is necessary but leaves real gaps
- ✓ ITDR watches what an attacker DOES after login — not just where they logged in from
- ✓ Petra, Huntress, and Blumira are our three favorites; the right fit depends on your stack — ask us
Why we’re talking about ITDR right now
We came back from Pax8 Beyond genuinely energized about a category most small businesses have never heard of: ITDR, or Identity Threat Detection and Response. One of the tools that stood out was Petra, and it crystallized something we already believed at Brivy IT — for the average Utah small or mid-sized business, the single most likely attack you will face is not ransomware dropped on a server or malware on a laptop. It’s an identity attack against one of your users.
The numbers are not subtle. Microsoft now tracks more than 600 million identity attacks every day, and in 2024 it observed an average of over 7,000 password attacks per second — more than double the year before. The FBI’s Internet Crime Complaint Center attributed roughly $2.8 billion in losses to Business Email Compromise (BEC) in 2024 alone, and nearly $8.5 billion over the prior three years. Adversary-in-the-middle (AiTM) phishing — the kind that defeats multi-factor authentication — jumped 146% year over year. The modern attacker doesn’t break in. They log in.
What ITDR actually is — and why MFA and EDR aren’t enough
Most businesses we talk to have two security layers they’re proud of: multi-factor authentication on the front door, and endpoint protection (EDR/antivirus) on their devices. Both are essential. Neither is built to catch what ITDR catches.
Endpoint protection watches the device. Email security filters the inbox. ITDR watches the identity — the account, the session, and what someone does once they’re authenticated. That distinction matters because of how identity attacks actually unfold today. In an AiTM or token-theft attack, the criminal phishes a user, captures the live session token after MFA has already been satisfied, and then rides that valid, already-trusted session. To Microsoft 365, nothing looks wrong: the user passed MFA, the session is legitimate, the login may even come from a residential IP that doesn’t trip a geo rule. MFA did its job and the attacker is still inside. That’s the gap ITDR exists to close.
Where Microsoft 365 Business Premium leaves gaps
We deploy and harden Microsoft 365 Business Premium every week, and we think it’s one of the best security values in the SMB market. It includes Entra ID P1, Conditional Access, and sign-in risk policies — real, useful controls that we configure for every client. With good Conditional Access, MFA, and monitoring in place, you genuinely raise the bar.
But Business Premium’s native detection leans heavily on where and how a sign-in happens — location, device state, impossible-travel, risk scoring. That model misses the attacks that use residential proxies, hijacked-but-valid sessions, and credentials that have already cleared MFA and Conditional Access. On top of that, the native alerting is noisy, the response is largely manual, and almost no small business has a security analyst watching Entra ID sign-in logs at two in the morning. The gap isn’t the front door — Microsoft secures that well. The gap is detecting malicious behavior after a legitimate-looking login, and responding to it automatically and fast. That’s exactly the gap a dedicated ITDR tool is designed to fill.
What Petra is and how it works
Petra is a purpose-built ITDR platform for Microsoft 365. What makes it easy to like, operationally, is how little it asks of you to get started. There’s no agent to deploy. It installs as an enterprise OAuth application that an admin approves in two clicks, and MSPs like us can roll it out across client tenants through Microsoft Partner Center. It works with Microsoft 365 Business Basic and above, so it fits down-market where the risk is just as real.
Once approved with read access to your audit data, Petra pulls raw signals and logs from across your environment — Entra ID, Exchange, SharePoint, and OneDrive — and runs machine-learning models that evaluate roughly 20 to 30 behavioral signals per user. The key design idea, in Petra’s own words, is that it reads what an attacker is doing across logins, mail, and files — their intent — rather than only where they came from. That’s how it catches the residential-proxy, post-MFA, valid-session attacks that location-based detection waves through. It also retains 12 months of searchable Microsoft 365 telemetry, and the platform is SOC 2 Type II certified and HIPAA compliant — both of which matter for our healthcare and regulated clients here in Utah.
What it actually catches
Petra is laser-focused on the M365 identity kill chain: Business Email Compromise, token theft, AiTM phishing, session hijacking, and password-spray attacks. More importantly, it catches the things attackers do to establish persistence once they’re in — malicious inbox rules, sneaky auto-forwarding, rogue OAuth app grants, and attacker-registered MFA methods. These are the quiet footholds that turn a single phished login into months of silent mailbox access and a fraudulent-invoice payout. If you’ve ever seen a BEC case, it almost always traces back to one of these artifacts.
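To make those persistence artifacts concrete, here is an added example (our illustration, not Petra's code or logic) that triages exported Microsoft 365 audit records for them. The record shape is simplified, and the tenant domain, the hide-folder list, the `P` helper and every sample record are constructed assumptions; check the operation names against your own audit export.

```python
from collections import defaultdict

TENANT_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}  # assumed list
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def P(**kw):  # hypothetical helper: build the Name/Value parameter list
    return [{"Name": k, "Value": v} for k, v in kw.items()]

# Constructed records, simplified from the Microsoft 365 unified audit log shape.
SAMPLE_LOG = [
    {"UserId": "pat@example.com", "Operation": "New-InboxRule",
     "Parameters": P(Name=".", SubjectOrBodyContainsWords="invoice;payment", MoveToFolder="RSS Feeds")},
    {"UserId": "pat@example.com", "Operation": "Set-Mailbox",
     "Parameters": P(ForwardingSmtpAddress="smtp:collector@mail.invalid")},
    {"UserId": "pat@example.com", "Operation": "Consent to application."},
    {"UserId": "lee@example.com", "Operation": "New-InboxRule",
     "Parameters": P(ForwardTo="assistant@example.com", MoveToFolder="Newsletters")},
    {"UserId": "pat@example.com", "Operation": "User registered security info"},
]

def external(value):
    """True if any address in a ';'-separated value is outside the tenant."""
    addrs = [a.strip().lower().split(":")[-1] for a in value.split(";") if "@" in a]
    return any(a.rsplit("@", 1)[1] not in TENANT_DOMAINS for a in addrs)

def classify(rec):
    # Return the persistence indicators that one audit record matches.
    op = rec.get("Operation", "")
    p = {x["Name"]: str(x["Value"]) for x in rec.get("Parameters", [])}
    hits = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        if any(external(p.get(k, "")) for k in FORWARD_PARAMS):
            hits.append("inbox-rule-external-forward")
        if p.get("DeleteMessage", "").lower() == "true" or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            hits.append("inbox-rule-hides-mail")
    elif op == "Set-Mailbox" and external(p.get("ForwardingSmtpAddress", "")):
        hits.append("mailbox-auto-forward")
    elif op == "Consent to application.":  # legitimate on its own; review the app
        hits.append("oauth-app-consent")
    elif op == "User registered security info":  # new MFA method on the account
        hits.append("mfa-method-registered")
    return hits

def scan(records):
    # Group indicators per user; several kinds on one account warrant escalation.
    found = defaultdict(list)
    for rec in records:
        for hit in classify(rec):
            found[rec["UserId"]].append(hit)
    return dict(found)
```

A single consent or MFA registration is routine; the signal worth escalating is several of these indicators landing on the same account in a short window.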
Automatic response is where ITDR earns its keep
Detection without response is just a louder alarm. For an SMB without a 24/7 security operations center, the response half of ITDR is the part that actually changes outcomes — and it’s where Petra is strong. When it confirms a compromise, it can automatically disable malicious inbox rules and forwarding, kill rogue OAuth apps, reverse attacker-added MFA methods and device registrations, retract phishing emails fleet-wide in a single action, and even roll back attacker activity in SharePoint to return the environment to its pre-attack state. Petra reports mean-time-to-contain measured in seconds to a few minutes — the difference between a contained non-event and a wire-fraud headline.
The forensics are equally practical: Petra auto-identifies the root-cause phishing email, reconstructs a full attacker timeline across logins, mail, files, and Teams, and generates a client-ready, white-labeled PDF report for each incident. For a business owner who just wants to know “what happened, is it over, and what do I tell my clients,” that reporting is worth a lot.
We scanned our entire client base — here’s what we found
We don’t write about tools we haven’t put our hands on. So before forming an opinion, we ran identity-threat scans across every one of our clients. And honestly? We were pleased with the results. Our existing layers — Business Premium hardening, Conditional Access, MFA enforcement, and ongoing monitoring — were holding up. We didn’t uncover a smoking-gun compromise sitting in someone’s tenant. That’s the outcome you want, and it’s a credit to doing the fundamentals well.
So why are we still excited about adding an ITDR layer? Because a scan is a point-in-time snapshot, and good telemetry today does nothing for you at 2 a.m. next Tuesday. The value of ITDR isn’t that it finds a mess you already have — it’s that it stands watch continuously and contains the next attack automatically, faster than any human on call could. Even when your signals, sign-in data, and conditional-access posture all look great, an always-on identity sentinel that auto-remediates is a layer worth having. That’s defense in depth, applied to the attack surface you’re most likely to be hit on.
Petra vs. Huntress vs. Blumira: our honest take
We want to be straight with you: we don’t lock clients into one ITDR tool. There are three we like most — Huntress, Blumira, and Petra. They’re genuinely different animals, and the right answer depends on what you already run and what you’re trying to solve.
Huntress Managed ITDR is the choice when you want humans in the loop. It’s backed by a 24/7 security operations center, so detections are triaged and acted on by Huntress analysts, not just automation — and it lives inside the broader Huntress platform alongside their EDR and security-awareness training. If you’d rather hand the watching to someone else entirely, Huntress is compelling.
Blumira approaches the problem from a SIEM-and-detection angle with a refreshingly simple experience. It ingests logs well beyond Microsoft 365, which makes it strong for broader visibility and compliance reporting across your whole environment, and it pairs detections with guided response playbooks and famously responsive support. If your need is “see and prove what’s happening across everything,” Blumira is a great fit.
Petra is the surgical specialist. It does one thing — Microsoft 365 identity threat detection and response — and does it exceptionally well, with the fastest automated remediation of the three, an MSP-first design, slick forensics, and a two-click deployment. If your priority is fast, automated containment of M365 identity attacks specifically, Petra is best-in-class at that job.
None of these is “the loser.” Plenty of mature security programs run more than one layer — for example, a managed SOC service alongside a focused identity tool. The point isn’t the logo on the dashboard; it’s that you have some ITDR coverage and that it fits your stack, your compliance needs, and your budget.
The verdict for Utah businesses
Identity is the battleground, and it will be for the foreseeable future. If your business runs on Microsoft 365 — and almost every business we serve does — ITDR belongs on your security roadmap, not your someday list. But please don’t buy it off a slide deck or a single review (including this one). The smart move is to evaluate the options against your actual environment, then ask your IT provider which one fits. If that provider is Brivy IT, we’ll run an identity assessment with you, show you where your real gaps are, and recommend the right layer — Petra, Huntress, Blumira, or the combination that makes sense. No pressure, and no one-size-fits-all answer.
Run a free identity scan before you buy anything. Petra and several others offer no-cost Microsoft 365 identity scans — it’s the fastest, lowest-risk way to find out whether your identity layer has gaps. We’re happy to run one with you and walk through the results.
