top of page

Semperis Expands Active Directory Cyberattack Recovery Capabilities

Semperis, the pioneer of identity-driven cyber resilience for enterprises, today announced innovations in its Active Directory Forest Recovery (ADFR) product that extend the company’s offerings to help organizations rapidly conduct post-attack forensics capabilities and recover Active Directory to a trusted, malware-free environment following a cyber disaster.

Expanding on Semperis’ mission of cyber-first Active Directory (AD) disaster recovery, the enhancements help organizations detect and remove backdoors and persistence that might remain in AD itself after a cyberattack and provide a new OS provisioning tool that speeds the AD recovery process. The new capabilities help cyberattack victims rapidly conduct reconnaissance efforts when every minute counts during post-attack incident response.

“When an organization’s Active Directory environment is hit by a cyberattack, the clock is ticking to root out all traces of the compromise and completely recover AD,” said Semperis CEO Mickey Bresman.

“We partner with some of the world’s largest incident response and consulting companies to conduct incident response for multinational corporations that have suffered cyberattacks. Following an attack, organizations are understandably anxious to resume business operations as quickly as possible. But without thoroughly scanning the environment for any remaining trace of post-attack persistence, the victim organization is in danger of reintroducing infection, which prolongs the business disruption. The recent ADFR innovations provide essential solutions for rapidly conducting thorough incident response to recover the business and minimize damage.”

A cyber-first disaster recovery strategy is an essential part of broader business continuity planning. In a recent report, Gartner predicted that by 2025, at least 75% of IT organizations will face one or more attacks. To accelerate recovery from attacks, Gartner recommends adding a dedicated tool for backup and recovery of Microsoft Active Directory. The report concludes that “organizations without a useful backup system will be left with few options but to pay the ransom.”

The new ADFR capabilities address the increasingly frequent types of attacks in which the environment is penetrated weeks or months before the final malware payload is executed. ADFR’s post-recovery forensics allow incident response teams to identify changes made by adversaries within a defined attack window, speeding the investigation. ADFR helps organizations determine whether an attack was in progress when an environment backup was taken. Following an AD recovery, response teams can use ADFR’s post-recovery forensics to find and remediate vulnerabilities before bringing the recovered environment back into production.

The new OS provisioning tool in ADFR addresses the challenge of quickly building an isolated recovery environment, which is the first step in an AD forest recovery. Response teams can use the standalone PowerShell-based tool for setting up a test environment to validate a recovery plan and for conducting remediation efforts without tipping off malicious actors who might be lurking in the environment, ready to deploy additional malware.

“Semperis pioneered clean Active Directory recovery with the introduction of ADFR,” said Darren Mar-Elia, Semperis VP of Products. “With the new capabilities in ADFR, we are pioneering the ability to find the needle in the haystack following a cyberattack—the persistent, potentially devastating security backdoors that can keep business operations at a standstill. Building on our singular foundation of cyber-first AD recovery, the innovations in ADFR give cyberattack victims peace of mind that they can fully recover critical business systems into a verifiably trusted environment.”

For more information about the new capabilities in ADFR, visit

Gartner, Inc., “How to Protect Backup Systems from Ransomware Attacks,” Nik Simpson, September 21, 2021.



bottom of page