In August 2025, Cayosoft proudly took the CISA Secure by Design Pledge. Since then, the Cayosoft team has leaned into this program, taking a hard and honest look at the architectural practices across our software platforms, and has made several key security posture advancements to Cayosoft Guardian, our identity monitoring, security, and resilience product.
One of the earliest and most impactful changes we made was to examine the accounts used by the software. Previously, the accounts for both Active Directory and Entra ID required permanent administrative privileges, which prompted a redesign of the accounts and permissions used. The first change was rearchitecting the Active Directory service account used within the platform: we adopted a read-only gMSA service account, along with the ability for customers to use just-in-time elevation when needed for threat detection, change monitoring, and rollback.
Our goal when we set out on this journey was to move to read-only by default across the board. Achieving this end state required additional architectural changes. Although we supported read-only gMSA for threat detection and change monitoring, Instant Forest Recovery did not initially support this architecture, and customers using that capability still required a permanently elevated service account.
We are happy to share that we now support full read-only gMSA with just-in-time elevation across the platform. The default configuration now deploys with read-only gMSA, reducing the overall attack surface.
This major architectural shift addressed Active Directory permissions, but we knew there was more work to do with Entra ID integration. Our team reviewed the Entra ID configuration and began adopting a similar approach for Entra access. In early fall of 2025, Cayosoft moved to an Entra ID application model using certificate-based authentication, with read-only access by default and support for just-in-time elevation. This eliminated the use of privileged user credentials in the application.
These two architectural changes demonstrate how Cayosoft is applying Secure by Design principles, aligning directly with CISA Secure by Design guidance on least privilege by default.
Our team continued this work by improving delegation within the application. Earlier deployments only supported Global Administration or read-only access within the platform. The latest Cayosoft Guardian deployment now supports multiple delegation scenarios aligned to operational roles such as monitoring, threat and vulnerability detection, and recovery. This gives customers more control over what access users have within the platform.
Cayosoft now fully supports Write Once, Read Many (WORM) storage for backup and recovery. This is the recommended default storage option to ensure backups are tamper-resistant against malware and ransomware.
At Cayosoft, we believe that all organizations should have the ability to protect and monitor their most vulnerable identity resources. This is why we launched Guardian Protector, a free platform that allows organizations to detect threats, apply CISA Secure by Design concepts, receive alerts, and see real-time changes across the hybrid Microsoft identity ecosystem, including Active Directory, Entra ID, Microsoft 365, Teams, Exchange Online and Intune.
In addition to the launch of Guardian Protector, Cayosoft built a dedicated subreddit and comprehensive threat directory to support the IT community and encourage shared learning around identity systems.
Since late August 2025, Cayosoft has made deliberate changes to reduce standing privilege and shift how access is granted and managed by default. These changes include adopting read‑only access models, introducing just‑in‑time elevation, strengthening delegation, protecting recovery data with immutable storage, and expanding access to identity monitoring through the launch of Guardian Protector.
Cayosoft will continue to take this approach going forward. We will keep looking inward across our solutions, challenging assumptions, and designing new functionality with the mindset that secure defaults, least privilege, and resilience are not optional. That is what Secure by Design means to us, and it is how we intend to keep earning our customers’ trust.
Cayosoft is recognized by Gartner as an ITDR solution provider and provides solutions that make identities more resilient to attacks and guarantee a fast forest recovery, if needed. Learn how Cayosoft Guardian facilitates granular change tracking, post-breach analysis, and long-term AD security improvements. Schedule a demo to see the capabilities in depth.