Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.petrasecurity.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

When you onboard a tenant to Petra:
  1. Petra Scan investigates the last 6 months of activity to uncover active attackers and leftover persistence. You receive a white-labeled Scan Report PDF, sharable with the client, within 24 to 48 hours. See Petra Scan for the full breakdown.
  2. Active Monitoring begins immediately. Petra monitors the tenant 24/7. The first 14 days are included for new tenants.
  1. Connect Partner Center. This lets you onboard every tenant in your Partner Center at once instead of adding them one at a time. See Via Partner Center below.
  2. Scan all tenants. Every connected tenant gets a Scan and starts monitoring automatically. The more tenants you scan, the more likely Petra is to surface active attackers or leftover persistence that other tools missed.
  3. Check back in 24 hours. You will see reports of any compromises found, including the attacker’s activity, a timeline, and the Petra team’s recommendations for remediation.

Onboarding methods

When you click Add Tenant from the navbar, Petra gives you two options.

Partner Center

Connect your CSP account and onboard tenants in bulk through your existing GDAP relationships. No client action required.

Add Individually

Add a single tenant by signing in as (or sending a link to) the tenant’s Global Admin.
If you manage client tenants through Microsoft Partner Center, the Partner Center method is recommended. It lets you see all your managed tenants in one table and onboard them without needing each client’s Global Admin to approve individually.

Via Partner Center

Partner Center integration connects Petra to your CSP account so you can discover, onboard, and manage all of your GDAP-managed tenants from a single page.
Sign in with your Partner Center-enabled account that holds your active GDAP relationships (and is in the AdminAgents security group). This is not the place to sign in with a client tenant’s Global Admin account. If you want to sign in using a tenant’s Global Admin, use Add Individually instead.
  1. Click Add Tenant and choose Continue with Partner Center (or go directly to app.petrasecurity.com/portal).
  2. If this is your first time, click Connect Microsoft Partner Center and sign in with your MSP tenant credentials.
  3. After connecting, your managed tenants appear in a table. Click Onboard next to the tenant you want to add.
  4. Configure the Add Tenant modal and click Onboard Tenant.
Petra installs the application and grants permissions automatically using your GDAP relationship. No action is required from the client. You can also onboard multiple tenants at once. Select tenants using the checkboxes, then click Onboard to open the Add Tenant modal for the batch. The modal shows how many tenants are selected, with an expandable list of tenant names. For prerequisites, the managed tenants table, GDAP permission details, and FAQs, see the full Partner Center guide.

Add Individually

Use this method when you do not have a Partner Center account, or when you need to add a single tenant outside of a GDAP relationship.

Step 1: Sign in to Petra

Go to app.petrasecurity.com and sign in.

Step 2: Click Add Tenant

Click Add Tenant from the navbar and choose Add tenants individually.
Add Tenant

Step 3: Configure the onboarding

The Add Tenant modal opens. Review the defaults, adjust if needed (Petra Response, Scan-only), and check the onboarding summary.

Step 4: Add the Azure app

Click Onboard to proceed. You can either approve the app yourself (if you are a Global Admin on the tenant) or send the approval link to the tenant’s Global Admin.
Add Azure App
Due to a known bug on Microsoft’s side, you may need to add the Azure app twice.
After you add the tenant, it will appear in the tenants table on the homepage. Click on the tenant and you will see logs start flowing in. As findings emerge, they show up in the top panel.

What Petra Scan covers

Scan is included with every onboarded tenant and runs automatically.
  • Analyzes the last 6 months of activity across Entra, Exchange, SharePoint, Teams, Apps, and more.
  • Surfaces active attackers still in the environment and persistence mechanisms like malicious inbox rules and app consents.
  • Highlights previously remediated compromises that our SOC team believes warrant attention.
  • Identifies frequently targeted accounts based on observed failed-attack patterns, so you can advise those users to harden.
  • Produces a white-labeled Scan Report PDF (your logo, name, and contact email) that you can share with clients or use in sales meetings. Update branding in Settings > Branding.
When the Scan finishes, the org’s notification recipients receive a “Petra Scan Complete” email with a summary of findings, the Scan Report attached, and links into the Petra dashboard. See Petra Scan for the full breakdown of what’s in the email and report.
Petra Scan can only analyze logs that Microsoft was actively recording. If audit logs were recently enabled, the lookback only covers the period since they were turned on. See Audit Logs for details.

What Active Monitoring does

Every onboarded tenant gets 14 days of active monitoring that begins after the Scan completes. During that window, the tenant is monitored exactly like a paying tenant.
  • Monitors activity in real time across Entra, Exchange, SharePoint, Teams, app registrations, and more.
  • Detects compromises as they happen using behavioral analysis.
  • Stops attacks automatically if Petra Response is enabled (locks compromised accounts, revokes sessions, removes inbox rules).
  • Delivers full incident detail (signals, remediation steps, forensic timeline) for any compromise caught during the trial window.
After 14 days, billing starts only if you keep the tenant on monitoring. To skip the trial window and go straight to paid monitoring, uncheck Scan-only at onboarding. To auto-pause at the end of the window with zero billing risk, use Scan-only.

Scan-only option

Scan-only lets you run a 6-month lookback for active attackers and get 14 days of monitoring, without the risk of being billed for usage before the client decides to sign up.
  • Scan: 6-month lookback to uncover active attackers and leftover persistence (inbox rules, apps, etc.).
  • 14 days of monitoring: during this window, Petra monitors the tenant just like any other. If a compromise happens, you get the full incident with signals, remediation steps, and forensic detail.
  • Auto-pause after 14 days: the tenant pauses automatically. Billing stops. No action needed. Resume any time from Settings > Usage.
To use Scan-only, check Scan-only in the Add Tenant modal. You can also toggle Petra Response on or off for the window.
Scan-only is a great way to enroll prospects: run the Scan, surface real findings, then decide which tenants to keep on monitoring after the 14 days.

Scan vs. Autopsy

  • Scan surfaces active attackers and leftover persistence. It is not guaranteed to pull every previously remediated compromise.
  • Autopsy pulls every previously remediated compromise with full forensic detail. It is a paid service for IR firms and deep investigations where everything is remediated but you still want to know everything that happened.
See Autopsy Mode below.

Autopsy Mode

Autopsy Mode is for incident response firms and special cases. Most users do not need it.
Autopsy Mode is a full 6-month forensic pull that surfaces every past incident, including compromises that were already fully remediated. It is available upon request and has additional cost. Contact support@petrasecurity.com for pricing. The standard Petra Scan already surfaces active attackers, persistence, and notable past compromises. Autopsy goes further by pulling every incident with complete forensic detail, and produces a Prospecting Report designed for client meetings.

When Autopsy makes sense

  • Incident response: A client has been compromised and you need a complete forensic record of everything that happened.
  • Prospecting: You want to demonstrate the full scope of security gaps to a prospect with a detailed report.

What you get

  • A “Petra Autopsy Complete” email summarizing findings.
  • A white-labeled Prospecting Report PDF with full forensics, incident details, blast radius analysis, and a “What Should Have Happened” timeline. See Prospecting Report for details.
  • Per-incident Threat Remediation Reports for each discovered incident.
  • Access to all findings in the Petra dashboard.

FAQs

Can I onboard a tenant that is managed through GoDaddy / Go Daddy?

Not at this time. Petra does not currently support M365 tenants managed through GoDaddy. To onboard these tenants, you’ll need to defederate them from Go Daddy first.