Protect every identity path into your infrastructure.
Identity Agents monitor users, service accounts, privileged access, MFA flows, session behavior, and credential usage. They detect compromised identities, privilege escalation, impossible travel, token misuse, and suspicious access patterns before attackers pivot deeper.
The Ollandi defense loop
Every agent follows the same cycle, producing auditable, coordinated response.
Observe
Ingest domain-specific signals in real time with full telemetry fidelity.
Reason
Correlate local evidence with the shared threat model and adjacent agents.
Validate
Check policy boundaries, blast radius, and consensus before acting.
Act
Execute bounded, reversible actions through approved control interfaces.
Evidence
Record every observation, decision, and action in an auditable bundle.
What it protects
- Users and human identities
- Service accounts and machine identities
- Privileged access and admin roles
- MFA flows and authentication sessions
- Credentials, tokens, and API keys
What it monitors
- Authentication events and login anomalies
- Privilege usage and role changes
- Session behavior and token lifecycle
- Directory and IdP audit logs
- SSO and federation events
What it detects
- Compromised credentials and account takeover
- Privilege escalation and role abuse
- Impossible travel and anomalous access
- Token theft and replay
- Suspicious MFA bypass attempts
What it can do
- Force step-up authentication or session re-verification
- Revoke active sessions and tokens
- Suspend compromised accounts pending review
- Adjust risk scores and trigger peer-agent correlation
- Notify security teams with contextual evidence
What evidence it generates
- Identity timeline with login and privilege events
- Risk score and anomaly reasoning trace
- Session and token revocation log
- Correlated signals from cloud and network agents
- Audit-ready decision narrative
One working agent experience
See how an identity agent moves through the defense loop on a real incident.
Observe
Service account svc-deploy@prod triggered 47 API calls from two regions in 5 minutes.
Reason
Pattern matches known token replay: impossible travel for a service account, elevated API scope.
Validate
Cross-check with Cloud Agent: no approved CI pipeline active; Network Agent confirms unexpected egress.
Act
Rotate service account credential, revoke active tokens, flag pipeline for review.
Evidence
Identity timeline, token rotation record, and cross-agent consensus stored as evidence bundle.
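The Observe, Reason and Validate steps of this walk-through can be sketched as a sliding-window check over authentication events. This is an added example, not Ollandi's code: the event fields, the region names, the `svc-backup@prod` account and the `pipeline_runs` export are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

def find_multi_region_bursts(events, window=WINDOW, min_regions=2):
    """Return one finding per account whose calls span >= min_regions
    regions inside a single sliding window (Observe and Reason)."""
    recent = defaultdict(deque)   # principal -> events still inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["principal"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        regions = {e["region"] for e in q}
        best = findings.get(ev["principal"])
        if len(regions) >= min_regions and (best is None or len(q) > best["calls"]):
            findings[ev["principal"]] = {
                "principal": ev["principal"], "calls": len(q),
                "regions": sorted(regions), "start": q[0]["ts"], "end": ev["ts"],
            }
    return list(findings.values())

def validate(finding, pipeline_runs):
    """Validate: a burst is actionable only when no approved pipeline run for
    that account overlaps it (pipeline_runs is a hypothetical CI export)."""
    for run in pipeline_runs:
        if (run["principal"] == finding["principal"]
                and run["start"] <= finding["end"]
                and run["end"] >= finding["start"]):
            return False
    return True

# Constructed sample data: 47 calls in under 5 minutes, alternating regions.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [{"ts": T0 + timedelta(seconds=6 * i), "principal": "svc-deploy@prod",
           "region": ("region-a", "region-b")[i % 2]} for i in range(47)]
# A second constructed account, active from one region only; must not be flagged.
EVENTS += [{"ts": T0 + timedelta(seconds=20 * i), "principal": "svc-backup@prod",
            "region": "region-a"} for i in range(10)]
PIPELINE_RUNS = []   # no approved CI run during the burst

if __name__ == "__main__":
    for f in find_multi_region_bursts(EVENTS):
        print(f, "actionable:", validate(f, PIPELINE_RUNS))
```

A finding that passes `validate` is the point at which the Act step (credential rotation, token revocation, pipeline review) would be requested; an overlapping approved run suppresses it.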
Part of a coordinated defense
Identity Agents feed the shared state with authentication context so Cloud, Endpoint, and Network agents can validate lateral movement and privilege misuse across the environment.