Semperis

Identity/IAM Visit website →
Best for: Enterprises that depend on Active Directory and need to detect AD-specific attacks and guarantee forest recovery
Pricing: Contact for pricing

What Semperis actually does

Semperis focuses entirely on Active Directory security and recovery. Its core products are Directory Services Protector (DSP) for real-time AD threat detection and Purple Knight, a free community tool for AD security assessments.

DSP monitors AD replication streams to catch changes that bypass normal security logging — the kind of modifications attackers make during DCSync attacks, DCShadow, or rogue Group Policy changes. When it finds something, it can auto-revert unauthorized changes before they propagate. The recovery side is equally important: Semperis can rebuild an entire AD forest from scratch in a fraction of the time it takes with native Microsoft tools, without reintroducing malware from compromised backups.

This matters because AD is the single point of failure most organizations refuse to think about until it’s too late. If your domain controllers go down, nothing else works — email, VPN, file shares, applications. Semperis exists to make that scenario survivable.

Who it’s best for

  • Large enterprises with complex, multi-domain Active Directory forests
  • Organizations that have experienced (or are worried about) ransomware targeting AD
  • Security teams that need visibility into AD-specific attack techniques like DCShadow and Golden Ticket
  • Companies with compliance requirements around identity infrastructure recovery time
  • Hybrid identity environments running both on-prem AD and Entra ID

Pricing reality check

Semperis sells to enterprises, and pricing reflects that. Expect per-user or per-domain-controller licensing on annual contracts. The free Purple Knight assessment tool is genuinely useful and worth running regardless of whether you buy anything.

The real cost is the operational investment. You need people who understand AD at a deep level to get value from DSP’s alerts. If your team doesn’t know what a DCShadow attack looks like, the alerts won’t mean much without training or external support.

Alternatives to consider

  • CrowdStrike Falcon Identity Protection — Broader identity threat detection, but less depth on AD-specific recovery scenarios.
  • Microsoft Defender for Identity — Included with E5 licensing. Decent detection but no AD recovery capability.
  • Quest Recovery Manager for AD — Focused on AD recovery without the threat detection layer. Lower cost if you only need the backup piece.
  • Silverfort — Complements rather than competes. Silverfort handles authentication enforcement; Semperis handles AD integrity and recovery.

The Charting Cyber take

If Active Directory is critical to your business — and for most enterprises it still is — Semperis addresses a risk that generic security tools miss entirely. AD recovery is a specialized problem. Microsoft’s native tools are slow and unreliable under pressure. Semperis makes that process predictable.

Start with Purple Knight. It’s free, it runs in minutes, and it will show you exactly how exposed your AD environment is. If the results keep you up at night, DSP is the logical next step.

Get a quote for Semperis

Related vendors

1Password
Organizations that need a password manager employees will actually use, with solid developer secrets management bolted on.
Identity/IAM
Attivo Networks (SentinelOne)
Enterprises dealing with identity-based attacks and lateral movement that want deception-based detection layered into their endpoint security.
Identity/IAMMDR/MSSP
BeyondTrust
Organizations needing PAM, endpoint privilege management, and secure remote access in one vendor
Identity/IAMPAM