Behavioral Identity
Threat Detection
Microsoft identifies identity risk. AuthLokr extends that detection with tenant-specific behavioral baselines, post-authentication activity correlation, and explainable risk scoring.
A complementary layer for Microsoft 365 environments — surfacing insider risk, session anomalies, and attack-chain correlations that benefit from tenant-specific behavioral context.
- ✓Microsoft-native
- ✓Agentless
- ✓Read-only by default
- ✓Explainable AI
- ✓Designed to deploy in under an hour
Impossible travel + unfamiliar device
alice.anderson@company.com
Finance · Global Admin · Baseline: 94 days
Location baseline for this user is Denver metro (98% of sign-ins, 90 days). Combined with a first-seen device and off-pattern time window, the correlated risk exceeds the compromise threshold.
5 slots. 24-month price lock. Closes September 30, 2026.
A limited program for the first 5 qualifying customers. In exchange for reference rights and quarterly roadmap input, you get a locked founding rate for 24 months and a direct line into product prioritization.
- Custom behavioral baselines for your tenant
- Real-time identity, session, and privilege-escalation detection
- 24-month price lock at the founding rate
- Quarterly roadmap input sessions
- Case-study and reference-call participation (required)
Authentication succeeded. Is the identity still behaving like itself?
Microsoft Entra ID Protection and SIEM tooling identify identity risk at sign-in and across audit streams. AuthLokr adds a complementary layer: tenant-specific behavioral baselines and post-authentication correlation that helps surface insider risk, session anomalies, and attack chains with analyst-friendly, explainable reasoning.
- Insider and post-auth activity benefits from user-level behavioral context.
- Tenant-specific baselines complement native, global risk models.
- Correlating sign-in, role, session, and data events shortens investigations.
Global identity risk model with strong sign-in and audit signals.
Adds tenant-specific behavioral baselines per user across 6 dimensions.
Rich individual events across sign-in, role changes, and audit logs.
Correlates those events into explainable attack-chain narratives.
Baselines per user. Correlation across every dimension.
Every alert includes plain-English reasoning. You see why a score was assigned — not just a number.
Location Intelligence
Is this location normal for THIS user? Detects impossible travel and unusual geography.
- Sign-in from Russia 4h after Denver login
- First-time country access for a non-traveling role
Temporal Patterns
Does this match when this person normally authenticates?
- Global Admin accessing systems at 02:00
- Weekend privileged role activation for a M–F role
Device Fingerprinting
Does this user normally use this device/OS/browser combination?
- macOS Safari sign-in on a Windows-only baseline
- Unfamiliar TLS fingerprint on a corporate identity
Access Patterns
Does this user typically touch this resource?
- Finance user accessing patient records for the first time
- Engineer opening 42 SharePoint sites never touched in 90 days
Volume Analysis
Is this volume of activity normal for this user?
- 10× normal file download volume before resignation
- Bulk mailbox export at off-hours
Account State Monitoring
Detects privilege escalation, MFA tampering, and backdoor authentication.
- Risky sign-in + Global Admin role granted + suspicious activity
- MFA method changed inside a scored session
Session Hijacking Detection
Real-time mid-session IP and user-agent monitoring. Blocks continuation on suspicious transitions.
Privilege Escalation Correlation
Ties risky sign-ins to role grants and downstream access — one attack chain, not three isolated events.
AiTM / MitM Indicators
Session trust degradation, network-path anomalies, and browser stack deviation.
How it works
Three phases. No production changes required. Detection starts on day 31.
1. Connect your tenant
Read-only Microsoft Graph API access via OAuth 2.0 for the monitoring platform. Agentless. No production changes. Designed to deploy in under an hour.
2. SanctumOS AI learns baselines
30-day silent learning window per user: location, temporal, device, resource, volume, and account-state patterns — tenant-specific, not a global model.
3. Detect, score, respond
Real-time alerts with explainable AI reasoning. Optional response actions (revoke session, require MFA, disable account) require separately approved delegated permissions.
Making a Microsoft licensing decision this quarter?
P1 → P2 upgrades. P2 annual renewals. E5 cost reviews. Each is a chance to evaluate how a behavioral analytics layer fits alongside your Microsoft identity stack — before the next 12-month commitment.
Before you upgrade, see how AuthLokr complements native detection with tenant-specific baselines and explainable post-auth correlation.
Renewing P2? A 30-day AuthLokr pilot can layer behavioral baselines and attack-chain analytics on top of your existing Entra investment.
Reviewing E5 spend? AuthLokr can help identify where behavioral analytics reduce reliance on higher-tier bundles — potentially lowering unnecessary licensing costs.
Transparent pricing. Predictable at scale.
Per-user under 2,500. Flat-fee tiers above. Designed to stay predictable whether you're 2,500 users or 50,000.
Per-user
Month-to-month. Annual prepay saves 10–15%. Positioned as a complementary layer to native identity tooling.
- Tenant-specific behavioral baselines
- Post-authentication risk scoring dashboard
- Explainable AI reasoning on every alert
- Standard support (24h SLA)
Growth
Flat fee. Predictable as your user count grows.
- Tenant-specific behavioral baselines
- Attack-chain correlation workflows
- Real-time anomaly detection
- Standard support (included)
Scale
Popular for healthcare and defense. Flat-fee pricing designed to reduce per-user cost as you scale.
- Identity + Data Protection analytics
- Email security monitoring
- Insider threat scoring
- Professional support option (+$5K/mo)
Enterprise
Full platform + AI operations. Dedicated CSM available.
- Full platform
- AI-powered recommendations
- Unlimited custom rules (Enterprise support)
- Enterprise support option (+$10K/mo)
5,000 users · behavioral analytics layer that complements your Microsoft stack
5,000 users at ~$10/user list · Microsoft's native identity protection tier
Illustrative full identity + XDR stack at this size (varies by contract)
Illustrative list-price comparison. AuthLokr is designed to complement — not replace — Microsoft Entra, and can help organizations reduce unnecessary licensing spend across a broader identity stack.
30 days baseline learning + 30 days live detection. Fully credited toward your first month(s) of recurring on conversion.
Regulated, understaffed, high-risk.
AuthLokr is tuned for mid-market Microsoft 365 environments (2,500–50,000 users) where a small security team owns a large blast radius.
Healthcare
Designed to support HIPAA-regulated environments. Insider-risk analytics tuned for patient-record access patterns, off-hours activity, and departing-employee risk windows.
Defense & CMMC
Designed to support CMMC-aligned deployments (Level 2/3 objectives). CUI access monitoring and behavioral correlation. Air-gap capable (Phase 3 roadmap).
Financial Services
SOX-aligned audit trails, fraud-pattern analytics, and privileged-user behavioral scoring for trading, treasury, and admin roles.
Built for regulated environments.
Patent pending
Behavioral threat detection methodology patent filed Q3 2026.
SOC 2 Type II
Roadmap objective. Targeted for Q4 2026; not yet certified.
HIPAA-ready
Designed to support HIPAA-regulated environments. Read-only audit-log access. No PHI stored.
CMMC-aligned
Designed to support CMMC-aligned deployments (Level 2/3 objectives). Air-gap capable on Phase 3 roadmap.
Data privacy
Customer data stored in customer region. No external telemetry.
Least-privilege access
Core monitoring uses read-only Microsoft Graph scopes via OAuth 2.0. Optional response actions require separately approved delegated permissions.
Ready to see what your baselines look like?
Start with a Founding Program application or a scoped demo. No auto-scheduler — John reads every submission personally and reaches out to book time that works.
About BlackCert Labs

BlackCert Labs was founded by engineers and architects who spent years implementing, securing, integrating, and responding inside real enterprise environments — not building marketing demos. Our work has spanned Fortune 500 enterprises, government, critical infrastructure, financial services, and healthcare — across Microsoft cloud, enterprise identity, Zero Trust programs, incident response, threat hunting, compliance, AI security, blockchain and cryptocurrency security, cloud architecture, and enterprise modernization.
After deploying nearly every major security platform available, one pattern became obvious: traditional products generate enormous amounts of alerts and telemetry, yet security teams still spend too much time determining whether authenticated users can actually be trusted. BlackCert Labs exists to close that gap.
AuthLokr was created because this problem appeared repeatedly during real customer engagements — not because it looked interesting on a whiteboard. BlackCert builds the products the team wished they had while defending production environments: focused, explainable, and useful in the middle of an incident.
BlackCert Labs builds security software for organizations that demand practical answers, explainable intelligence, and technology that earns trust in production — not just in demonstrations.
