Founding Program · 4 of 5 slots remaining

Behavioral Identity Threat Detection

Microsoft identifies identity risk. AuthLokr extends that detection with tenant-specific behavioral baselines, post-authentication activity correlation, and explainable risk scoring.

A complementary layer for Microsoft 365 environments — surfacing insider risk, session anomalies, and attack-chain correlations that benefit from tenant-specific behavioral context.

  • Microsoft-native
  • Agentless
  • Read-only by default
  • Explainable AI
  • Designed to deploy in under an hour
6
Detection dimensions
30-day
Baseline learning
Explainable
AI reasoning per alert
High Risk2m ago

Impossible travel + unfamiliar device

alice.anderson@company.com

Finance · Global Admin · Baseline: 94 days

0.87
Risk
Impossible travel detected
Moscow, Russia → 5,309 mi from baseline (Denver, CO)
New device: macOS Safari
User always authenticates on Windows 11 Chrome
Time: 02:34 AM local
Outside normal pattern (08:12–18:47)
Dimension scores
0.00 – 1.00
Location0.94
Temporal0.81
Device0.88
Access0.63
Volume0.21
State0.35
Explainable AI

Location baseline for this user is Denver metro (98% of sign-ins, 90 days). Combined with a first-seen device and off-pattern time window, the correlated risk exceeds the compromise threshold.

Founding Customer Program

5 slots. 24-month price lock. Closes September 30, 2026.

A limited program for the first 5 qualifying customers. In exchange for reference rights and quarterly roadmap input, you get a locked founding rate for 24 months and a direct line into product prioritization.

Apply for a founding slot
4 of 5 slots remaining
  • Custom behavioral baselines for your tenant
  • Real-time identity, session, and privilege-escalation detection
  • 24-month price lock at the founding rate
  • Quarterly roadmap input sessions
  • Case-study and reference-call participation (required)
The gap other tools leave

Authentication succeeded. Is the identity still behaving like itself?

Microsoft Entra ID Protection and SIEM tooling identify identity risk at sign-in and across audit streams. AuthLokr adds a complementary layer: tenant-specific behavioral baselines and post-authentication correlation that helps surface insider risk, session anomalies, and attack chains with analyst-friendly, explainable reasoning.

  • Insider and post-auth activity benefits from user-level behavioral context.
  • Tenant-specific baselines complement native, global risk models.
  • Correlating sign-in, role, session, and data events shortens investigations.
Native tooling

Global identity risk model with strong sign-in and audit signals.

AuthLokr extends

Adds tenant-specific behavioral baselines per user across 6 dimensions.

Native tooling

Rich individual events across sign-in, role changes, and audit logs.

AuthLokr extends

Correlates those events into explainable attack-chain narratives.

Six detection dimensions

Baselines per user. Correlation across every dimension.

Every alert includes plain-English reasoning. You see why a score was assigned — not just a number.

Location Intelligence

Is this location normal for THIS user? Detects impossible travel and unusual geography.

  • Sign-in from Russia 4h after Denver login
  • First-time country access for a non-traveling role

Temporal Patterns

Does this match when this person normally authenticates?

  • Global Admin accessing systems at 02:00
  • Weekend privileged role activation for a M–F role

Device Fingerprinting

Does this user normally use this device/OS/browser combination?

  • macOS Safari sign-in on a Windows-only baseline
  • Unfamiliar TLS fingerprint on a corporate identity

Access Patterns

Does this user typically touch this resource?

  • Finance user accessing patient records for the first time
  • Engineer opening 42 SharePoint sites never touched in 90 days

Volume Analysis

Is this volume of activity normal for this user?

  • 10× normal file download volume before resignation
  • Bulk mailbox export at off-hours

Account State Monitoring

Detects privilege escalation, MFA tampering, and backdoor authentication.

  • Risky sign-in + Global Admin role granted + suspicious activity
  • MFA method changed inside a scored session

Session Hijacking Detection

Real-time mid-session IP and user-agent monitoring. Blocks continuation on suspicious transitions.

Privilege Escalation Correlation

Ties risky sign-ins to role grants and downstream access — one attack chain, not three isolated events.

AiTM / MitM Indicators

Session trust degradation, network-path anomalies, and browser stack deviation.

How it works

Three phases. No production changes required. Detection starts on day 31.

1. Connect your tenant

Read-only Microsoft Graph API access via OAuth 2.0 for the monitoring platform. Agentless. No production changes. Designed to deploy in under an hour.

2. SanctumOS AI learns baselines

30-day silent learning window per user: location, temporal, device, resource, volume, and account-state patterns — tenant-specific, not a global model.

3. Detect, score, respond

Real-time alerts with explainable AI reasoning. Optional response actions (revoke session, require MFA, disable account) require separately approved delegated permissions.

Procurement timing

Making a Microsoft licensing decision this quarter?

P1 → P2 upgrades. P2 annual renewals. E5 cost reviews. Each is a chance to evaluate how a behavioral analytics layer fits alongside your Microsoft identity stack — before the next 12-month commitment.

On P1 today
Evaluating upgrade to P2

Before you upgrade, see how AuthLokr complements native detection with tenant-specific baselines and explainable post-auth correlation.

On P2 today
Annual renewal this quarter

Renewing P2? A 30-day AuthLokr pilot can layer behavioral baselines and attack-chain analytics on top of your existing Entra investment.

On E5 today
Cost optimization review

Reviewing E5 spend? AuthLokr can help identify where behavioral analytics reduce reliance on higher-tier bundles — potentially lowering unnecessary licensing costs.

Transparent pricing

Transparent pricing. Predictable at scale.

Per-user under 2,500. Flat-fee tiers above. Designed to stay predictable whether you're 2,500 users or 50,000.

Per-user

Under 2,500 users
$8/user/month

Month-to-month. Annual prepay saves 10–15%. Positioned as a complementary layer to native identity tooling.

  • Tenant-specific behavioral baselines
  • Post-authentication risk scoring dashboard
  • Explainable AI reasoning on every alert
  • Standard support (24h SLA)

Growth

2,500 – 4,999 users
$28–30K/month base

Flat fee. Predictable as your user count grows.

  • Tenant-specific behavioral baselines
  • Attack-chain correlation workflows
  • Real-time anomaly detection
  • Standard support (included)
Most common

Scale

5,000 – 9,999 users
$40–42K/month base

Popular for healthcare and defense. Flat-fee pricing designed to reduce per-user cost as you scale.

  • Identity + Data Protection analytics
  • Email security monitoring
  • Insider threat scoring
  • Professional support option (+$5K/mo)

Enterprise

10,000+ users
Customfrom ~$55K/mo

Full platform + AI operations. Dedicated CSM available.

  • Full platform
  • AI-powered recommendations
  • Unlimited custom rules (Enterprise support)
  • Enterprise support option (+$10K/mo)
AuthLokr Scale
~$42K / mo

5,000 users · behavioral analytics layer that complements your Microsoft stack

Entra ID P2 (illustrative)
~$50K / mo

5,000 users at ~$10/user list · Microsoft's native identity protection tier

P2 + Defender for Identity + Sentinel
$100K+ / mo

Illustrative full identity + XDR stack at this size (varies by contract)

Illustrative list-price comparison. AuthLokr is designed to complement — not replace — Microsoft Entra, and can help organizations reduce unnecessary licensing spend across a broader identity stack.

Paid pilot
$15–25K fixed fee · ~60 days

30 days baseline learning + 30 days live detection. Fully credited toward your first month(s) of recurring on conversion.

Industry research consistently reports insider incidents in the hundreds of thousands to millions per event. A single detected incident can materially offset platform cost.
Built for

Regulated, understaffed, high-risk.

AuthLokr is tuned for mid-market Microsoft 365 environments (2,500–50,000 users) where a small security team owns a large blast radius.

Healthcare

Designed to support HIPAA-regulated environments. Insider-risk analytics tuned for patient-record access patterns, off-hours activity, and departing-employee risk windows.

Defense & CMMC

Designed to support CMMC-aligned deployments (Level 2/3 objectives). CUI access monitoring and behavioral correlation. Air-gap capable (Phase 3 roadmap).

Financial Services

SOX-aligned audit trails, fraud-pattern analytics, and privileged-user behavioral scoring for trading, treasury, and admin roles.

Security & Compliance

Built for regulated environments.

Patent pending

Behavioral threat detection methodology patent filed Q3 2026.

SOC 2 Type II

Roadmap objective. Targeted for Q4 2026; not yet certified.

HIPAA-ready

Designed to support HIPAA-regulated environments. Read-only audit-log access. No PHI stored.

CMMC-aligned

Designed to support CMMC-aligned deployments (Level 2/3 objectives). Air-gap capable on Phase 3 roadmap.

Data privacy

Customer data stored in customer region. No external telemetry.

Least-privilege access

Core monitoring uses read-only Microsoft Graph scopes via OAuth 2.0. Optional response actions require separately approved delegated permissions.

Ready to see what your baselines look like?

Start with a Founding Program application or a scoped demo. No auto-scheduler — John reads every submission personally and reaches out to book time that works.

The team behind AuthLokr

About BlackCert Labs

BlackCert Labs

BlackCert Labs was founded by engineers and architects who spent years implementing, securing, integrating, and responding inside real enterprise environments — not building marketing demos. Our work has spanned Fortune 500 enterprises, government, critical infrastructure, financial services, and healthcare — across Microsoft cloud, enterprise identity, Zero Trust programs, incident response, threat hunting, compliance, AI security, blockchain and cryptocurrency security, cloud architecture, and enterprise modernization.

After deploying nearly every major security platform available, one pattern became obvious: traditional products generate enormous amounts of alerts and telemetry, yet security teams still spend too much time determining whether authenticated users can actually be trusted. BlackCert Labs exists to close that gap.

AuthLokr was created because this problem appeared repeatedly during real customer engagements — not because it looked interesting on a whiteboard. BlackCert builds the products the team wished they had while defending production environments: focused, explainable, and useful in the middle of an incident.

BlackCert Labs builds security software for organizations that demand practical answers, explainable intelligence, and technology that earns trust in production — not just in demonstrations.