Identity security engineer at a mid-size org, about 4k hybrid identities across AD and Entra ID. We don't have a dedicated SOC, just two of us handling posture work alongside everything else.
Constraints are real: limited budget, no time for a months-long deployment, and our SIEM is already drowning in noise, so adding more raw alerts isn't an option.
We ran PingCastle for AD misconfig scanning and tried Defender for Identity for a few months, but PingCastle is point-in-time and Defender kept firing on things that weren't actionable without serious tuning. Also looked briefly at Netwrix ISPM tooling and found the severity scoring approach more useful than raw alert volume, but haven't gone deep on it yet.
We care most about continuous drift detection, attack-path visualization that's readable by non-specialists, low setup overhead, and something that doesn't require a full-time analyst to maintain.
For teams running lean with hybrid identity environments, what actually held up past the first 90 days and what ended up creating more work than it saved?