Rubrik-Microsoft Defender Integration Targets Identity Attack Recovery Across Hybrid Environments
Rubrik announced a new integration with Microsoft Defender at RSAC 2026 that connects real-time identity threat detection with automated identity rollback and recovery.
The integration is designed to compress the detection-to-recovery timeline from days to hours, the company said.
Identity systems have become the primary target for modern cyberattacks. According to Rubrik Zero Labs research, 90% of IT and security leaders say identity-driven cyberattacks are their organization's top concern. Most security tools stop at detection, Rubrik said, leaving organizations to manually investigate and restore compromised identity systems.
"Detection is only half of the battle," said Anneka Gupta, chief product officer at Rubrik. "Organizations need the ability to quickly and surgically reverse malicious identity changes and completely restore their infrastructure. By combining Microsoft Defender's threat detection with Rubrik Identity Resilience, we give security and IAM teams the power to move from a detected compromise to a trusted, recovered state in hours, instead of days."
For organizations running hybrid identity infrastructure -- a common reality in cloud and virtualization environments -- the integration is particularly relevant. It maintains visibility across both on-premises Active Directory and cloud-based Entra ID, allowing teams to investigate incidents and reverse malicious identity changes across the full hybrid estate from a single workflow.
Joint Rubrik and Microsoft Defender customers can now correlate threat alerts with identity changes for faster impact analysis, reverse malicious identity modifications without performing full domain restores, and restore trusted identity states using immutable recovery points. The ability to surgically roll back specific compromised objects rather than rebuilding entire directory services is central to the time savings Rubrik claims.
The Defender integration builds on 15 months of identity-focused expansion at Rubrik. The company has introduced recovery for Active Directory and Entra ID, extended protection to multi-identity provider environments including Okta, and launched what it calls Identity Resilience capabilities for incident investigation and malicious change reversal. On the ecosystem side, the company previously integrated with CrowdStrike Falcon Identity Protection, and the Microsoft Defender integration now adds another major security platform to its detection-to-recovery pipeline.
The broader pattern here reflects a shift in data protection strategy: as more organizations operate across on-premises and cloud identity providers, the attack surface for identity compromise spans both worlds. Recovery tooling that can operate across that hybrid boundary -- rather than requiring separate processes for Active Directory and Entra ID -- addresses a gap that has historically slowed incident response.
RSAC 2026 is the annual cybersecurity industry conference, running March 23-26 at the Moscone Center in San Francisco.
About the Author
David Ramel is an editor and writer at Converge 360.