Inside Semperis: Response and recovery after identity system attacks

Almost every enterprise in the world relies on identity systems to operate.

Without digital IDs, biometric verification, and decentralized systems that enable secure authentication, employees can’t log in, security teams can’t coordinate, and even basic tools like email and collaboration platforms become inaccessible.

Identity infrastructure — often Microsoft’s Active Directory (AD) — controls access across every application, system, and workflow. But companies often treat it as just another piece of IT. Over decades of updates and ownership changes, most identity systems drift from their original configuration.

Attackers take advantage of this, says Mickey Bresman, cofounder and CEO of security and recovery platform Semperis, a leader in identity-driven cyber resilence and crisis response.

“Active Directory remains one of the main attack paths into the enterprise…I know you have it, I know it’s been misconfigured. That brings me to the conclusion that if I’m going after your enterprise, that’s what I should be going after.”

When identity fails

Cybersecurity strategies are built around prevention. Firewalls, identity layers, and monitoring layers are designed to stop attackers before they get in.

These approaches are based on the assumption that if something goes wrong, systems can be recovered — but that isn’t true of identity systems.

“All of my customers have the same identity system…None of them has a real answer to what happens when the system goes down.”

“When identity systems go down, all of a sudden, the tools that the organizations use [are] no longer available to them during the time of crisis,” Bresman explains. And without access to the very tools they rely on to investigate and coordinate a response, security teams are paralyzed.

“How do I communicate with the responders? How do I bring the teams together?” says Bresman. Most organizations don’t plan for this kind of scenario until it happens.

The idea for Semperis came from seeing these failures firsthand. Bresman and his team were brought in to investigate when the AD system of a large telecommunications company was compromised. The system went down, and restoring it was a manual, time-intensive process.

“By the end of it, you’re completely exhausted,” says Bresman. “Your brain is partially working at this point, but we are high-fiving, and we’re happy we’re going home. Less than six hours after, we get a call that it went down again.” Although the system had been restored, it wasn’t secured, and the attackers hadn’t been fully removed.

Around the same time, the team ran a simulation with a major bank where it took them five days to fully recover AD in a controlled environment. “The question was,” says Bresman, “can the bank survive more than five days without login authentication?”

That was the catalyst for Semperis, a solution that could both protect organizations from attacks and solve for what happens after, when identity systems are compromised and need to be restored quickly and safely.

‘R’ is for recovery

Semperis’ three cofounders had been on the frontlines of multiple crises. Bresman and Guy Teverovsky shared extensive experience in the IT disaster recovery and consulting space, while Matan Liberman led a government software development team.

After being accepted into Microsoft’s accelerator program, they launched Semperis in 2015, initially focusing on identity system recovery. At the time, identity threat detection and response (ITDR) was an emerging category, but the team saw a critical gap.

“One of the things that we were constantly telling the market is that ITDR actually has…two Rs,” says Bresman. “The second R [is] for recovery.”

That insight has shaped their approach. Rather than focusing on responding to attacks, the cofounders rethought how identity systems could be restored without introducing risk.

One of the key innovations was separating AD from the underlying operating system (OS) to allow organizations to rebuild clean identity environments. “If we recover to a clean OS, we are not bringing [malware] with us,” Bresman explains.

The centaur that became a unicorn

Product-market fit issues almost caused the company to fold in 2016. But the following year, one of the most destructive AD-related malware attacks in history, NotPetya, shed some light on how vulnerable enterprise AD environments are and validated Semperis’ focus.

In 2019, the company introduced its patented Active Directory Forest Recovery solution, which automates the recovery process to eliminate malware reinfection and reduces the downtime after a cyberattack by up to 90%.

By the end of that year, Semperis was operating at just above $3M ARR, having generated the majority of its revenue that year. In March 2020, the company announced a $40M Series B, led by Insight Partners, to fuel expansion and hiring.

Post-Series B, Semperis entered a period of rapid expansion. The company hit $100M ARR in 2025, morphing from an early-stage business into both unicorn and centaur status. That growth was underpinned by a $200M Series C in 2022, which cemented its position as a category leader.

During this time, Semperis grew from around 25 employees to over 600 and expanded its customer base from 50 to over 1,200. In June 2024, it raised an additional $125M in growth financing to accelerate that momentum.

Identity vs. autonomous Agents

Today, Semperis is a full-fledged identity resilience platform.

As enterprises have grown increasingly dependent on identity to operate across cloud systems and support remote work, Semperis has shifted from protecting a single system — AD — to supporting cloud-based enterprise security platforms like Entra ID, Okta, and Ping Identity.

But as identity infrastructure grows in popularity, so does the pace and scale of attacks. Last year saw a 800% surge in identity-based attacks, with 1.8 billion logins stolen from 5.8M infected hosts.

New AI tools enable attackers to discover vulnerabilities faster and move more quickly through systems, explains Bresman.

“Whatever you did not find before…in terms of different attack paths, genAI is going to help the bad actor to find. So you’d better find it before they do.”

Agentic AI brings other challenges. As businesses introduce autonomous Agents to workflows, the environment becomes more complicated and the opportunity for human error — or malicious interference — grows.

“How do I secure and protect the Agents?” says Bresman. “On one hand, making sure that only the right people can give them commands, or the right Agents, because we’re already seeing Agents commanding other Agents. On the other hand, how fast can I detect if an Agent is…doing something that it should not be doing?”

From Bresman’s perspective, the future of cybersecurity will rely less on manual responses and more on automation. “You will need to get to a point where it’s bots fighting bots and no humans in the middle,” he says.

In that future, recovery is as critical as prevention. Attacks are inevitable, but they don’t have to be catastrophic. Resilience — being able to restore identity quickly, regain control, and keep operating as usual — will be the difference between a disruption and a crisis.

*Note: Insight Partners has invested in Semperis.