Skip to main content
Petra Scan is a 6-month forensic lookback on a Microsoft 365 tenant. Onboard a tenant, and within 24 to 48 hours you receive a “Petra Scan Complete” email with a summary of findings and a white-labeled Scan Report PDF. After the Scan, the tenant gets 14 days of active monitoring before billing starts. Scan is the fastest way to find out whether a tenant has an active attacker, leftover inbox rules from a past BEC, or a malicious OAuth app sitting in the environment. It runs on real Microsoft 365 logs, not a questionnaire.

What Scan does

Scan analyzes the last 6 months of Microsoft 365 activity for a tenant and surfaces:
  • Active attackers still operating in the environment.
  • Persistence mechanisms left behind by past compromises, including malicious inbox rules, forwarding rules, and consented OAuth apps.
  • Targeted accounts that attackers are actively trying to break into, based on observed failed-attack patterns (for example, Hornet toolkit attempts).
Scan covers logs from Entra ID (sign-ins, audit), Exchange Online (mailbox activity, inbox rules, message trace), SharePoint and OneDrive, Teams, and app registrations and consents.
Scan can only analyze logs that Microsoft was actively recording. If audit logs were recently enabled on a tenant, the lookback only covers the period since they were turned on. See Audit Logs for details.

What you receive

When the Scan finishes, the organization’s notification recipients (and org admins during trial) get an email with the subject “Petra Scan Complete”. The email includes:
  • A status line showing how many tenants Petra scanned and how many are still in progress.
  • A bulleted summary of the highest-priority incidents found, with tenant names.
  • The Scan Report PDF attached for the most relevant tenant.
  • A list of frequently targeted accounts (when no incidents were found) so you can advise those users to harden.
  • Links to view full incident detail in the Petra dashboard.

The Scan Report

The Scan Report is a white-labeled PDF you can share with the client or use in a sales meeting. It uses your organization’s logo, name, and contact email. You can generate one for any tenant on demand from the incident page (click Download Report) or from the Reporting tab.
Scan Report cover page
The report covers the threat hunting Petra performed, the incidents found with full forensics (blast radius, persistence mechanisms, phishing evidence, time to detection), and context on why M365 protection matters. For the full breakdown of report contents, see Prospecting Report. The Scan Report uses the same template, focused on the incidents Scan surfaced.

How to run a Scan

A Scan runs automatically on every tenant you onboard. There are two ways to onboard. If you manage tenants through Microsoft Partner Center, this is the fastest path. Connect once, then scan all of your GDAP-managed tenants in bulk.
  1. Sign in at app.petrasecurity.com and click Add Tenant.
  2. Choose Continue with Partner Center and connect your CSP account (sign in with your Microsoft Partner Center account that holds your active GDAP relationships and is in the AdminAgents security group, not a client tenant’s Global Admin account).
  3. Your managed tenants appear in a table. Select the tenants you want, then click Onboard.
  4. Confirm the onboarding settings and click Onboard Tenant.
Petra installs the application across the selected tenants automatically using your GDAP relationship. No client action required. For full setup, GDAP requirements, and FAQs, see Partner Center.

Add a single tenant

Use this when you do not have Partner Center, or when you want to scan a single tenant outside of GDAP.
  1. Click Add Tenant from the navbar and choose Add tenants individually.
  2. Either approve the Azure app yourself (if you are a Global Admin on the tenant) or send the approval link to the tenant’s Global Admin.
  3. The Scan kicks off as soon as Petra has permissions.
See Onboard a Tenant for the full walkthrough.

Learn more about how to onboard

Cost

Scan is included with every onboarded tenant. Each scanned tenant also gets 14 days of active monitoring that begins after the Scan completes. During that window, Petra monitors the tenant in real time and you get the same incidents, signals, and remediation steps as a paying tenant. If you want to avoid any billing risk, check Scan-only when you onboard. The tenant will auto-pause after the 14-day window so it never moves into billable monitoring without you opting in. You can resume it any time from Settings > Usage. See Onboard a Tenant for the full breakdown of Scan-only vs. standard onboarding.

FAQs

Does Scan install an enterprise application in the tenant?

Yes. Petra installs the Petra M365 Security Analyzer Azure application in the tenant. The app is granted the Microsoft Graph, Exchange, and Office 365 Management permissions Petra needs to read audit logs and act on findings. Through Partner Center, the install happens via your existing GDAP relationship and no client action is required. Through the single-tenant flow, a Global Admin consents to the app.

How long does a Scan take?

Usually 24 to 48 hours. Some tenants take longer depending on the speed of Microsoft’s APIs. Petra publishes results as they come out, so you may receive progress emails before the final completion email.

Does Scan cost anything?

No. There is no charge for the Scan or the 14 days of active monitoring that follow it. You only get billed if you keep the tenant on monitoring after the 14-day window.

What happens after 14 days?

The tenant pauses automatically. Billing does not start. You can resume monitoring at any time from Settings > Usage. If you want to skip the auto-pause and roll directly into paid monitoring, uncheck Scan-only when you onboard.

Can I run a Scan on a tenant I already onboarded?

The Scan runs automatically the first time a tenant is onboarded. To regenerate the Scan Report PDF for a tenant later, go to the tenant’s incident page and click Download Report, or use the Reporting tab.

How is Scan different from Autopsy?

Scan surfaces active attackers, leftover persistence, and past compromises the Petra SOC team flags as worth reviewing. Autopsy is a paid, deeper investigation that pulls every past incident in the 6-month window with full forensic detail, including incidents that were already fully remediated. Most users only need Scan. See Autopsy Mode.

Can I scan a tenant managed through GoDaddy?

Not at this time. Petra does not currently support M365 tenants managed through GoDaddy. The tenant needs to be defederated from GoDaddy first.

Do audit logs need to be enabled?

Yes. Scan reads from Microsoft’s unified audit log. There is no cost to enable audit logs regardless of Microsoft licensing. If audit logs were only recently enabled, the lookback only covers the period since they were turned on. See Audit Logs.

Who receives the Scan Complete email?

The organization’s configured notification recipients for the tenant, plus organization admins during trial. To change recipients, see Update Incident Notification Methods.

Is the Scan Report white-labeled?

Yes. The PDF uses your organization’s logo, name, and contact email. Update branding in Settings > Branding.

What if Scan finds nothing?

That is a real result. The email lists the tenants scanned, confirms no incidents were found, and surfaces frequently targeted accounts so you can help those users harden. Active monitoring continues for the rest of the 14-day window, so a compromise that happens during that window will still be caught.

Can I share the Scan Report with the client?

Yes. The report is white-labeled and designed to be shared. Many MSPs use it directly in client meetings and QBRs. For sales talk tracks and additional collateral, see the Marketing Hub.