u/belkezo

is ITDR mature enough to buy yet?

Oort raising $15M across their seed and series A got me thinking about where the ITDR category actually stands right now. Investor money is clearly flowing in, but I'm trying to figure out whether that's a signal the space is maturing into something defensible or just VCs chasing a hot label before consolidation shakes things out.

Context on my situation: we're a mid-size org with a hybrid AD and Entra ID setup, about 4,000 identities, and we're actively evaluating whether to commit to a dedicated ITDR platform or keep relying on Defender for Identity plus some manual BloodHound runs. Defender for Identity catches some basics but the false positive rate on lateral movement alerts has been painful, and customization is basically nonexistent. We've also looked at Netwrix ITDR as one option, which handles the hybrid AD/Entra side reasonably well, but I'm not sure if we need something more identity-provider-agnostic as we might bring Okta in for a subset of users.

What I can't figure out is whether startups like Oort are building something genuinely differentiated, or whether they'll get acqui-hired into a larger platform in 18 months and leave customers mid-migration. The ITDR space already has Microsoft, CrowdStrike, and a handful of converged platform vendors all claiming coverage. A $15M startup entering that is either very confident in a niche or betting on getting bought.

So the specific question: for teams that have actually deployed a standalone ITDR tool in a hybrid environment, did you find the detection fidelity meaningfully better than what you'd get from stitching together Defender for Identity plus Entra ID Protection, or is the delta mostly in response automation and recovery? Trying to understand if the core detection is the differentiator or if it's really the workflow layer where these tools earn their keep.

u/belkezo — 8 hours ago

using assoc/ftype vs registry keys directly to associate file types with a compiled PS exe - what ac

so I compiled a PowerShell script into an exe using PS2EXE and want to associate a custom file extension with it so double-clicking the file just opens it with the exe. tried assoc and ftype first, which seemed like the obvious path, but ran into issues where it works fine when you run the exe directly or drag a file onto it, but the args don't come through properly when you open via Explorer or right-click "open with". from what I can tell this is partly a Windows 11 problem where per-user file type associations are protected by a hash stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, so assoc and ftype either get silently ignored or only apply system-wide under HKLM if you're running elevated. they were never great for custom exe associations but they're even less reliable now. the registry route, writing directly to HKCR and setting up shell\open\command, seems more consistent, but I've seen it still break when the command string isn't quoted properly. if the path to the exe or the file being opened has spaces in it, and you don't wrap both in quotes like "C:\path\to\myapp.exe" "%1", Explorer just chokes on it silently. no error, just nothing happens. has anyone actually gotten this working end to end on Windows 11? curious whether there's a clean PowerShell script approach to register the ProgID and set the association properly without it getting stomped by UserChoice protections, or if the registry method with a versioned ProgID and quoted args is just the way to go at this point.

u/belkezo — 2 days ago
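As an added example (not from the original post or PS2EXE), this is the per-user registry approach the post describes: a versioned ProgID under HKCU\Software\Classes with the exe path and "%1" both quoted, and a custom extension mapped to it. It assumes the extension, ProgID name and exe path are placeholders you replace; a brand-new extension has no UserChoice entry yet, so no elevation and no HKLM write is needed.

```powershell
# Added example, not the original poster's code. All names below are placeholders.
$ExePath = 'C:\Program Files\MyApp\myapp.exe'   # placeholder; contains spaces on purpose
$Ext     = '.myext'                              # placeholder custom extension
$ProgId  = 'MyApp.Document.1'                    # versioned ProgID; bump the suffix on breaking changes
$Label   = 'MyApp Document'                      # friendly type name shown by Explorer

# Per-user class root. Entries here merge into HKCR for this user and need no elevation.
$Classes = 'HKCU:\Software\Classes'
$ProgKey = Join-Path $Classes $ProgId
$CmdKey  = Join-Path $ProgKey 'shell\open\command'
$ExtKey  = Join-Path $Classes $Ext

# Quote both the exe path and the %1 argument so paths with spaces survive Explorer's parsing.
$Command = '"{0}" "%1"' -f $ExePath

# 1. Register the ProgID and its open verb.
New-Item -Path $CmdKey -Force | Out-Null
Set-ItemProperty -Path $ProgKey -Name '(Default)' -Value $Label
Set-ItemProperty -Path $CmdKey  -Name '(Default)' -Value $Command

# 2. Point the extension at the ProgID.
New-Item -Path $ExtKey -Force | Out-Null
Set-ItemProperty -Path $ExtKey -Name '(Default)' -Value $ProgId

# 3. Tell the shell that associations changed (SHCNE_ASSOCCHANGED = 0x08000000)
#    so Explorer picks the new mapping up without a logoff.
Add-Type -Namespace Win32 -Name Shell -MemberDefinition @'
[DllImport("shell32.dll")]
public static extern void SHChangeNotify(int wEventId, int uFlags, IntPtr dwItem1, IntPtr dwItem2);
'@
[Win32.Shell]::SHChangeNotify(0x08000000, 0, [IntPtr]::Zero, [IntPtr]::Zero)

# 4. Verify what the shell will actually run. The command line must show both quoted parts.
Write-Host "Extension -> ProgID : $((Get-ItemProperty -Path $ExtKey).'(default)')"
Write-Host "Open command        : $((Get-ItemProperty -Path $CmdKey).'(default)')"
Write-Host "assoc sees          : $(cmd /c "assoc $Ext" 2>$null)"
```

If a UserChoice key already exists for the extension (because someone picked a program via "Open with" earlier), the mapping under HKCU\Software\Classes is ignored in favour of it, so check HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice before assuming the registration failed.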

physical security tools that actually talk to enterprise identity systems - does anything exist

so I saw the thread about self-defense tools and it got me thinking about something adjacent that I've actually wondered about from an enterprise security angle: the question of whether physical security hardware can integrate with things like Active Directory, PAM solutions, or even something like Entra ID for conditional access. not stun guns talking to LDAP obviously, but like door controllers, badge readers, physical access systems. because right now in most orgs I've worked with, physical and logical identity are completely siloed and it creates some genuinely weird gaps. the closest thing I've seen in practice is PACS (physical access control systems) that can pull from AD groups to determine who gets badge access to server rooms. this is actually a solved problem at the vendor level now - things like HID SAFE, Genetec ClearID, Verkada with JumpCloud or Duo integration, and Alert Enterprise all have connectors that go well beyond a basic one-way sync. some of them do full lifecycle automation, so joiner/mover/leaver flows cover physical access alongside logical accounts. but in practice, most orgs I've touched still aren't using any of that. the sync is janky, one-directional, and nobody owns it properly, so you end up with terminated employees who still have building access because the offboarding runbook only covers AD and maybe the VPN. I've also seen setups where a PAM solution triggers a physical alert when privileged sessions hit certain thresholds, but that's more SIEM-adjacent than true integration. what I'm genuinely curious about is whether anyone here has actually built out a setup where physical access events feed back into identity risk scoring. like, a user badging into a restricted area outside business hours bumping their risk level in something like Microsoft Entra ID Protection or an ITDR platform. the data exists on both sides.
the PIAM vendors are starting to talk about this kind of cyber-physical convergence and some are claiming real-time behavioral analysis feeding into access decisions, but I haven't seen it cleanly wired into an actual identity risk pipeline in the wild. has anyone actually pulled that off or is it still a PowerShell duct-tape situation on the integration side?

u/belkezo — 3 days ago
▲ 9 r/Intune

Intune training is decent but where's the hybrid identity and zero trust content

been going through a bunch of Intune training lately trying to get more structured with how I approach device compliance and policy enforcement. the hands-on stuff for core MDM is actually pretty solid, labs covering app deployment, compliance policies, Autopilot, that kind of thing. but the moment you get into hybrid identity scenarios or zero trust integration it feels like the content just thins out really fast. most of it treats Entra integration as a checkbox rather than actually walking through how Intune feeds compliance signals into Conditional Access decisions, or how that flows into access policy enforcement end to end. the gap that bothers me most is the zero trust side. Intune is supposed to be acting as a policy engine and signal provider, not just an MDM tool, but I've yet to find training that actually maps that out in a way that reflects what a real hybrid environment looks like. stuff like how device compliance posture flows into risk-based access decisions, how EPM fits into least-privilege for endpoints, or how you'd handle a scenario where you've got Cisco ISE querying Intune compliance for wired access control. the Microsoft Learn paths cover the theory fine but the practical hybrid scenarios feel like afterthoughts. sandbox tenant trial and error has honestly taught me more than most structured content. curious if anyone's found training that actually goes deep on the Intune plus Entra plus zero trust integration side rather than treating them as separate tracks. or are most of you just piecing it together from docs, community posts, and painful prod incidents?

u/belkezo — 4 days ago