Key features of Active Response

Active Response displays potential threats ranked by risk, so you can investigate, correct, and adapt with a single-click action. Use near real-time searches and hunting flows based on collectors, triggers, and reactions. Collectors and reactions can be customized and used with the defaults.

Active Response offers these key features.

Use Active Response to detect potential threats on compromised systems.
  • Use the Threat Workspace to see potential threats on endpoints, where they started, how they moved through the environment, and their activities over time.
  • Prioritize high-risk potential threats based on behavior to focus your investigation on the most important threats.
  • Search live and historical threat data to determine the full scope of an attack.
  • Filter potential threats by behavior conditions.
  • Monitor your environment with customizable collectors that search for indicators of attack, including indicators that are running, lying dormant, or have already been deleted.

Use Active Response to stop potential threats when they are detected. You can take immediate action on affected endpoints.
  • Use triggers and reactions to detect threatening events and react immediately.
  • Automate reactions based on triggers and act on multiple endpoints remotely at the same time.
  • Take remediation actions from the Threat Workspace with a single click. For example, you can stop a running process on a single endpoint, or remove a threat and block it from recurring in the environment.

Use Active Response to learn from and automate threat responses and provide live security protection without manual intervention.
  • Customize collectors and reactions for adapting threat investigation and detection flows.
  • Adapt protection settings to automatically block persistent attacks.
  • Learn what to include in security policies.