Why Hansen Gress Replaced Two ITDRs with Petra

Hansen Gress is an MSP headquartered in Juneau, Alaska, with active expansion across the Pacific Northwest and the lower 48. The firm protects Microsoft 365 environments spanning healthcare, professional services, public sector, fisheries, transportation, and financial services.

The Challenge

With the BEC thread landscape shifting, Hansen Gress realized their existing ITDR stack had major blindspots.

Hansen Gress had built its M365 identity coverage on Huntress ITDR, with Guardz and SecureWorks Taegis XDR rounding out the stack. For a long time, the coverage held. As AiTM phishing kits and token-theft toolkits rewrote the BEC playbook, the gaps started to show.

At first, Huntress ITDR missed attacks. So they turned on VPN alerts and it began firing high volumes of benign VPN-detection lockouts, 15 to 20 a month per client at minimum, peaking at 45 in a single month. Neither approach was effective.

Guardz alerts arrived days late, with limited context on attacker activity, dwell time, or session details, and per-tenant help-desk licensing that made integration operationally expensive.

The XDR layer wasn't catching identity attacks reliably: at one recently onboarded client, a phishing link from a known compromised contact was logged as a 3-out-of-10 risk and surfaced more than a day later, after the sender had already reached out to warn recipients he was breached.

Even with the noisy VPN alerts on, the deeper problem was that attacks were still getting through entirely. A professional services client onboarded in November 2025 already had both Huntress and Guardz deployed. Neither had flagged anything. Petra found two active compromises, and a third that traced back to a wire fraud incident from June, with five months of attacker access that Huntress had never surfaced.

"It was eye-opening to go head to head, and see Petra catch things that both Huntress and Guardz didn't catch." - Jeff Wilson, CISO, Hansen Gress

Forensic Depth

Petra surfaced four previously uncaught compromises in a single overnight Scan.

The case that turned the team into vocal Petra advocates happened during a client onboarding.

The client, a professional services firm, had been hit by a phishing-led account compromise in mid-2025 under their previous internal IT lead. The internal team had noticed an anomalous sign-in and blocked the session, but no one had ever investigated what the attacker had touched, what they'd seen, or whether the foothold was really gone.

Hansen Gress onboarded the client in November. Huntress ITDR and Guardz were both deployed, but Petra had not yet been installed in the tenant. In December, an alert from Huntress prompted the team to check whether Petra was active in the environment. It wasn't.

Jeff installed Petra on a Friday night. By Saturday morning, Petra Scan had reconstructed the full picture, and four previously uncaught compromises were locked down by Petra, with full forensic reports ready to hand to client leadership.

"I spent Friday night trying to go through this and find this stuff in Purview, and the logs are absolutely terrible. By Saturday morning, I had a report [from Petra] that clearly showed me everything that I needed.

Typically a post-incident autopsy like that costs three to five thousand dollars. Our client got it as part of onboarding." - Jeff Wilson, CISO, Hansen Gress

Detection and Response Speed

In Hansen Gress's first 11 months with Petra, attackers haven't accessed a single email.

Across 11 real-time responses spanning Hansen Gress's M365 clients, attackers were locked out before they touched anything: no emails accessed, no documents read or modified, and a median time to respond of just 4 minutes, 1 second.

The incidents covered the full range of modern M365 attack patterns: AiTM phishing logins from data center IPs, compromises masked behind Cloudflare proxies, and phishing campaigns weaponizing OneDrive and SharePoint links. In every case, Petra caught the malicious login during the attacker's first authentication and ended the session before any data access could occur.

Operational Efficiency

Petra consolidated the identity stack and recovered help-desk capacity.

As the Hansen Gress team rebuilt the security catalog around the new threat model, Petra's role became clear quickly:

• The excessive 15-to-20 monthly VPN lockouts stopped
• No more conversations with company leadership about approving specific consumer VPN providers
• No more help-desk drag of pulling engineers off real work to unlock benign user accounts

"At one point [Huntress's] highest was 45 alerts in a month. It's a lot. It's a huge burden on us. We gotta stop what we're doing, get this person back up and running almost immediately, and research what this is." - Jeff Wilson, CISO, Hansen Gress

Petra as the Standard

Petra is now the anchor of the Hansen Gress identity stack.

After running side-by-side comparisons across the Hansen Gress stack, the team made Petra the firm's standard for identity threat detection.

"We have Cynet for EDR. We just sunsetted Huntress ITDR last month, so that's out of the mix. By the end of next month, Guardz is completely gone. The thing we're not touching is Petra. Petra is the anchor of our whole security stack." - Jeff Wilson, CISO, Hansen Gress

–

Hansen Gress is a fast-growing Alaska-based MSP with deep roots in Juneau, expanding into Anchorage and across the Pacific Northwest. Founded in 2005 by Jeremy Hansen and Tyler Gress, the firm specializes in managed IT, technical help desk, cybersecurity, and networking, with a culture built on relationships and operational clarity.

To get best-in-class M365 identity protection through a world-class MSP, visit hansengress.com.