A running log of new features, improvements, and fixes shipped to RAIDEN. Significant changes to detection coverage or response capabilities are noted separately.

April 2026

Identity Threat Detection & Response (ITDR)

RAIDEN now automatically ingests risky user signals from Microsoft Entra ID Identity Protection and Microsoft Defender and creates investigation cases from them — without any manual setup.
  • Entra ID Identity Protection risk events (leaked credentials, risky sign-ins, suspicious IPs) now generate RAIDEN cases automatically
  • Microsoft Defender identity alerts are ingested and merged with RAIDEN’s own detection findings for the same user
  • New ITDR view in the main navigation shows all identity-sourced cases in one place
  • RAIDEN can dismiss Entra ID risk flags on confirmed false positives, keeping your tenant risk state clean
  • E5 and Entra ID P1/P2 licences unlock additional signal coverage — RAIDEN works at all licence tiers

MSSP: Bulk customer onboarding via CSV

MSSP partners can now onboard multiple customer tenants in a single batch import using a CSV file in the onboarding wizard. Up to 50 customers per batch.

MSSP: Portfolio dashboard improvements

The MSSP portfolio dashboard now shows aggregated finding counts by severity across your entire customer base, with direct links to any customer’s environment.

Activity Explorer

New Activity Explorer view showing detection rule activity, MITRE tactic distribution, and finding volume trends over time. Available in the main navigation.

Required Actions dashboard panel

The dashboard now includes a Required Actions panel — a prioritised list of open cases that need attention, derived from active High and Critical findings, with direct links to each investigation.

Microsoft Defender: Vulnerability Management

RAIDEN now surfaces Microsoft Defender Vulnerability Management data in the case investigation view, giving analysts additional endpoint context when reviewing identity-related cases.

Detection improvements

  • AITM_PHISHING: improved compound detection logic reduces false positives on legitimate conditional access redirects
  • BASELINE_ANOMALY: statistical comparison now uses datetime-safe comparisons — no more missed anomalies from timestamp type mismatches
  • DEVICE_CODE_PHISHING: detection logic updated to handle pandas-based enrichment loaded at import time, preventing first-poll latency

Security hardening

  • Added authentication guards (require_auth) to all API routes as defence-in-depth — no more unauthenticated access to admin and hunt endpoints, even if middleware is bypassed
  • Session token validation tightened across the investigation API

March 2026

MSSP: One-click impersonation

MSSP partners can now enter any customer’s RAIDEN environment with one click from the portfolio dashboard. Impersonation sessions are 4 hours, rate-limited to 60/hour, and fully audit-logged.

AI investigation engine

RAIDEN now runs an automated AI investigation on every new High or Critical case. The investigation report includes a plain-language verdict, confidence level, recommended actions, and a summary of all supporting evidence.

Multi-tenant polling (parallel)

Tenant polling is now parallelised using a thread pool. Previously, tenants were polled sequentially — a slow or unhealthy tenant could delay polling for all others. Each tenant now polls independently.

Response Actions: Re-enable account

The Disable Account action now has a paired Re-enable Account action, so you can restore access from RAIDEN after a compromise is resolved without going to the Entra ID portal.

Cases: Chain detection

Related cases involving the same user across multiple attack phases are now linked into a Chain Case — a single investigation covering the full attack sequence from initial access to persistence.

February 2026

Initial release

RAIDEN launched into early access with:
  • Continuous Microsoft 365 audit log monitoring (5-minute poll cycles)
  • 15+ detection rules covering device code phishing, token theft, AiTM phishing, impossible travel, OAuth abuse, mailbox manipulation, and SharePoint exfiltration
  • AI-generated investigation cases with plain-language reports
  • Response actions: revoke sessions, disable account, Conditional Access block, inbox rule deletion
  • Role-based team access: Owner, Admin, Analyst, Viewer
  • Multi-tenant architecture with full schema isolation
  • Microsoft Defender alert ingestion
  • Email notifications for High and Critical cases

For questions about any update or to report unexpected behaviour, email support@raidenhq.com. For active security incidents, include URGENT in the subject line.