Why We Built inforcer Threat Detection and Response

Summary

At Pax8 Beyond, inforcer announced the upcoming launch of their new product, inforcer TDR (Threat Detection and Response). This launch makes inforcer a complete Microsoft 365 security platform, unifying left and right of boom. inforcer's Chief Product Officer, Matthé Smit, reflects on the decision to move into right of boom security, the challenges MSPs are currently facing, and how inforcer TDR is different. 

Why did we build inforcer TDR?

There are already threat detection and response solutions for MSPs in the market. We built one anyway. Not because the market is empty, but because it is under-served. The problems MSPs face just aren’t being solved by the solutions currently available. Three problems, specifically.

Breaches are common and invisible

The attack types hitting M365 today all share one thing: they are designed to look normal. Impossible travel, token theft, adversary-in-the-middle, business email compromise. These aren’t brute force attacks that trigger obvious alerts. They abuse legitimate sessions, hijack valid tokens, and impersonate trusted users. They blend in.

That’s the problem with relying purely on prevention. Policies are essential, and we believe deeply in them. But policies can’t stop everything. Tokens get stolen before Conditional Access ever sees a suspicious sign-in. A compromised account operating within expected hours and locations will pass every policy check you have configured.

So, the question becomes: what do you do when your defences fail? Most MSPs don’t have a good answer to that yet. The attacker moves slowly, learns the environment, and acts when ready. By the time anyone notices, the dwell time is already measured in months.

Microsoft 365 security monitoring is essential but noisy

There are solutions in the market for this. We know that. The problem is that most of them generate more noise than signal. When every alert looks urgent, none of them are. MSPs stop looking or spend so much time triaging false positives that real threats get missed.

The opportunity we saw was to build something smarter. Not just another alerting layer, but a detection engine that can use the policy and configuration context we already have across thousands of tenants to separate real threats from noise. Technologies have moved on. The tooling that’s been in the market for years was built before we had the AI and data processing capabilities we have now. We can be more precise, respond faster, and do it at a scale that works for how MSPs operate.

Prevention and detection are two separate worlds

Prevention is also hard to prove. MSPs invest heavily in hardening tenants: Conditional Access policies, Intune configurations, secure baselines, and more. But that work is largely invisible to the customer. They don’t see the attacks that didn’t succeed.

What we’re building closes that loop. By combining prevention and detection in a single platform, we can show what was stopped and why. When an attack pattern matches something your policies would have blocked, we can surface that. With deep reporting going back six months, MSPs can demonstrate to a customer: this attack happened, your configuration would have prevented it, and here is the evidence. That turns prevention from an assumed value into a proven one. 

Why inforcer?

inforcer does one thing: Microsoft 365 management for MSPs. We don’t support other platforms. We don’t serve enterprise IT teams. We don’t have an agent to deploy or a separate product for a different market. Every decision we make is about the problems MSPs face managing Microsoft 365 at scale across their customers.

That narrow focus is the reason we can do this better. We already sit between MSPs and their Microsoft 365 tenants. We see policy states, configuration drift, and security baselines across thousands of environments. A sign-in anomaly means something very different in a well-hardened tenant than in one that never had Conditional Access configured properly. A general-purpose detection tool doesn’t have that context. We do, because it’s all we do.

How does this compare to other ITDR products?

Most ITDR tools watch a slice of the stack and fire an alert when something looks off. inforcer Threat Detection and Response collects logs and context across the whole M365 stack, so it can cut the noise, contain the real threats, and then explain what actually happened.

When an account is breached and contained, you don’t just get an alert. You get the story. You can show your customer how the attack unfolded, why it was stopped, and why your service is worth paying for.

Here’s what that story can look like:

• Phishing email received
• Phishing link clicked
• Malicious app consented
• Impossible travel detected
• Files and email read by Copilot

Why MSPs should care

If you run an MSP today, you’re likely already accountable for security at your customers in practice, even if the SLA doesn’t say it in those words. When something goes wrong, you’re the first call.

Closing these three gaps protects your customers, and it protects your business. It’s also a commercial opportunity. Security services carry strong margins and address a pressing need that your customers already understand. 

Be among the first to try inforcer TDR

We’re opening early access to inforcer Threat Detection and Response now. If you want to be among the first MSPs to try it, join the waitlist today.

Matthé Smit

Chief Product Officer