Zero Blind Spots. Zero Cost.
Cayosoft Guardian Protector™
Real-time threat detection and change monitoring for unrivaled visibility across AD and Entra ID.
Always On. Always Ready. Always Free.

Cayosoft Threat Directory
Our continuously updated hub of intelligence on hybrid identity attack techniques and detection patterns.
Free. Deployed and Ready In Minutes.
Why Guardian Protector
Real-time threat detection – Catch identity-layer risks as they occur: privilege escalations, dormant account reactivation, GPO tampering, dangerous policy edits, and more.
Automatic Alerts – Instantly flags changes detected across hybrid environments. Provides who, what, when, and where context for faster triage.
Harden Identity Posture – Identify and remediate existing misconfigurations and attack pathways that can lead to tenant or domain compromise.
Hybrid change monitoring – One stream of truth across AD + Entra ID and key Microsoft 365 services for complete context.
Continuous visibility—not snapshots – Ditch static point-in-time scans. Guardian Protector watches continuously, so you don’t miss what happens after the report is made.
Agentless deployment – Nothing to install on domain controllers or endpoints. Get value fast, keep overhead low.
Zero-cost, zero-hassle – Our free forever tier is designed for security-conscious IT pros who need coverage now.
Audit-ready – Centralized logs and built-in reporting to satisfy auditors and streamline investigations.
What You Get (Free)
Live change feed – across AD and Entra ID with who/what/where/when context
Policy & config risk detection – (e.g., indicators of exposure, indicators of compromise, and indicators of attack)
Suspicious activity alerts – (e.g., privilege escalation, mass group changes, risky delegation)
Prebuilt dashboards & reports – for visibility and compliance basics
Hybrid scope – AD, Entra ID, Teams, Intune, Exchange Online (core signals)
Automatic Threat Intelligence Updates – to spot and stop evolving threats without manual downloads and scripts
Strength Through Support
Guardian Protector isn’t just free—it’s our way of strengthening the IT security community.
Introducing two new identity security resources for everyone:


Cayosoft Threat Directory
Need instant rollback or forest-wide disaster recovery?
Upgrade path:
Cayosoft Guardian™

How Guardian Protector Compares and Stands Out
Cayosoft Guardian Protector redefines what a “free” identity security tool can deliver. Unlike the limited-use scanners offered by other free tools or feature-capped trialware, Guardian Protector provides continuous, real-time monitoring, unlimited object coverage, and actionable hybrid visibility—at no cost and no strings attached.
- Alerts on identity-layer threats across both on-prem AD and Microsoft Entra ID the moment they occur.
- Continuous change tracking across AD, Entra ID, Microsoft 365, Teams, Exchange Online, and Intune—without log scraping or point-in-time scans.
- Unlimited Microsoft identity objects, enabling full enterprise-scale visibility without hidden quotas, dashboard throttling, or surprise paywalls.
- Automatic threat detection intelligence updates so you stay protected against evolving threats without having to manually tweak rules, build custom scripts, or re-download the tool.
- An easy path to roll back unwanted changes with a license upgrade – nothing to install or reconfigure.
Where others offer snapshot reports or complex enterprise overhead, Cayosoft delivers a frictionless, powerful platform that deploys in minutes, requires no agents, and supports security teams with real, scalable protection across the entire Microsoft identity stack.
How It Works





- Identity Security / ITDR – Shrink the window between exposure and detection for free.
- IAM/AD Admins – Replace scripts and swivel-chair checks with always-on monitoring for free.
- Compliance & Audit – Prove control with continuous, centralized evidence for free.
Security & Architecture Highlights
- Agentless collection – No agents on DCs or endpoints
- Least-privileged access – Scoped, auditable connections
- Change logging – Protect investigative evidence
- Designed for hybrid scale – Multi-forest & multi-tenant aware
Key Use Cases
Cayosoft Guardian Protector FAQ
GENERAL OVERVIEW
Guardian Protector is a free, agentless tool that delivers continuous monitoring, real-time threat detection, and audit-ready visibility across Active Directory (AD), Microsoft Entra ID, and key Microsoft 365 services—without time limits or object caps.
Yes. Protector is a free-forever tier focused on real-time monitoring, alerting, and core reporting—no trial clocks, no agents.
Static scans are moment-in-time snapshots that age immediately. Continuous monitoring closes the blind spot between scans, alerting you to suspicious changes the moment they occur, so you can disrupt identity-layer attacks before they escalate.
Protector delivers continuous visibility and alerts. Guardian (paid) adds instant, selective rollback for object-level recovery and expanded automation. Guardian Forest Recovery adds patented, push-button AD forest recovery in minutes. Paid Guardian also adds unlimited data retention and SIEM integration.
DEPLOYMENT & ARCHITECTURE
No. Protector is agentless by design. Connect with least-privileged read scopes and start monitoring in minutes.
Most teams connect AD and Entra ID in minutes: grant read scopes, validate connections, and you’ll see the live change feed right away.
Yes. It’s built for hybrid scale; you can connect multiple forests/domains and Microsoft 365 tenants (upgrade tiers expand response capabilities and automation).
SECURITY & COMPLIANCE
- Lateral Movement – misconfigurations that could allow an attacker to gain access to sensitive resources and move to different systems and applications in your environment
- Credential Theft – Password hygiene, including common passwords, breached passwords, and the lack of MFA enforcement.
- Persistence mechanisms – footholds that allow the attacker to persist in your environment and that are often missed by audits
- Privileged Abuse across hybrid identity systems, Microsoft 365, and Intune
- Privilege/role abuse: new Domain Admins, risky role assignments
- Policy & GPO tampering: password/lockout/Conditional Access drift, GPO edits
- Account & group risk: dormant-to-active, mass group membership changes, unexpected owner/admin changes
- High-impact deletes and permission sprawl
Cayosoft Guardian Protector supports sending alerts via email and Teams, as well as through the Protector portal.
Yes. You get centralized, tamper-evident logs and exportable reports that help demonstrate control for frameworks like SOX, HIPAA, PCI-DSS, ISO 27001, and internal audit policies.
Protector uses a read-only, certificate-based Entra ID application service principal that automatically rotates, and a read-only gMSA account for Active Directory.
FEATURES & COVERAGE
A live change feed tracking who changed what, where, and when across AD, Entra ID, and key Microsoft 365 signals—24/7, not just at scheduled scan times.
Protector covers Active Directory, Entra ID, Exchange Online, Teams, and Intune.
Protector includes some basic dashboards and reporting, including a detailed threat summary report.
Protector has no limits on the number of objects that can be monitored.
INTEGRATIONS & WORKFLOWS
Protector can send alerts via email and Teams. Most ITSM solutions can accept emails as the initial input for workflow automation.
Guardian Protector is not intended to replace your SIEM.
OPERATIONS & SCALE
It’s tuned for actionable alerts. You can refine detections, suppress patterns, and route high-priority events to the right owners.
Guardian Protector provides the details of why the alert was triggered and the initial evidence. In addition, Guardian Protector’s change history can help with incident investigation.
Protector allows certain customizations, such as including and excluding objects from threats; full alert customization comes with a paid Guardian subscription.
DATA HANDLING & PRIVACY
Protector is designed to run in your environment, with your control over data retention/export.
Protector uses TLS and data encryption to ensure data is secure.
COMPARISONS & BUYER QUESTIONS
Scanners produce static lists of issues. In addition to regular scans, Guardian Protector delivers always-on detection with real-time alerts, hybrid context, and audit-ready evidence—so you can act before a change becomes a breach.
IGA and SIEM solutions are valuable to enterprises, but they often fall short in areas of threat detection and change monitoring, and SIEMs require heavy customization to detect identity-based threats.
Guardian Protector software is completely free; TCO will vary from organization to organization based on operations and initial hardware cost.
GETTING STARTED
A supported Windows Server operating system, for initial configuration. A Domain Administrator account that can create the gMSA and add needed AD partitions for Entra ID initial configuration. A Global Administrator account that can create the Entra ID application and service principal.
Protector can be installed in any environment that you choose, including lab and test environments.
Follow the quick-start steps in product help and check out our How-To-Resources. When you’re ready for remediation features, upgrading is seamless. Support is also available on Reddit and YouTube.