Continuously monitors AD using directory synchronization data and Windows event logs to detect suspicious or unauthorized changes as they occur. The service tracks activities such as privilege escalation, additions to privileged groups, changes to GPOs, modification of Tier 0 accounts, authentication policy changes, creation of rogue users, and attempts to weaken security settings.

Each event is correlated into a timeline so administrators can quickly distinguish routine administration from the opening moves of an identity attack. When malicious or accidental changes are identified, the platform is designed to support rapid, one-click rollback to help restore the previous trusted state.