2026-05-25 · 5 min read · sota.io Team

EU Identity Threat Detection & Response Comparison Finale 2026: Silverfort vs CrowdStrike vs SentinelOne vs Vectra AI vs Semperis

Post #1277 in the sota.io EU Cyber Compliance Series

EU ITDR Comparison Finale 2026 — CLOUD Act Risk Matrix

Identity Threat Detection and Response occupies a paradoxical position in the EU cybersecurity stack. Of all the security control categories a European CISO can deploy, ITDR platforms require the deepest access to the most sensitive organisational data — the complete map of your Active Directory, every privileged account, every Kerberos transaction, every authentication event for every user. This comprehensive visibility is the source of ITDR's value: you cannot detect an attacker moving through your identity infrastructure without seeing everything they might touch.

It is also the source of ITDR's CLOUD Act problem.

When that complete identity map — every admin account, every privilege relationship, every user authentication pattern — sits with a US-incorporated vendor, the CLOUD Act (18 U.S.C. § 2703) creates a legal pathway for US law enforcement to access it. Not hypothetically, not as a theoretical edge case, but as a structural consequence of deploying a Delaware or New York C-Corp as your identity security vendor. The better the ITDR platform — the more comprehensive its Active Directory visibility — the higher the compelled-disclosure payload under US law.

This finale closes the EU Identity Threat Detection and Response (EU-ITDR) series. We have scored five platforms — Silverfort, Vectra AI, CrowdStrike Falcon Identity, SentinelOne Singularity Identity, and Semperis — against our five-dimension CLOUD Act exposure framework. We present the unified comparison matrix, identify the three meta-paradoxes unique to the ITDR category, and map the EU-native sovereign alternatives that European security teams can deploy without US jurisdictional exposure.


The EU-ITDR Compliance Problem

Active Directory remains the identity backbone of approximately 90% of enterprise environments globally. It is also the primary target of every major threat actor group operating against European organisations — from ransomware operators to state-sponsored APT groups. The 2024 European Union Agency for Cybersecurity (ENISA) threat landscape identified Active Directory compromise as a component of 73% of major ransomware incidents affecting EU critical infrastructure operators.

This creates a structural demand for ITDR: tools that monitor AD in real time, detect attack techniques (Kerberoasting, DCSync, Pass-the-Hash, Golden Ticket, lateral movement via Kerberos delegation), and alert security teams before attackers can escalate to domain admin.

The regulatory framework amplifies this demand:

The problem is structural: every leading ITDR platform capable of meeting these regulatory mandates is incorporated in the United States. Their European competitors are either niche products, open-source tooling without enterprise SLA support, or horizontal SIEM platforms that address ITDR partially through detection rules rather than purpose-built identity monitoring.


CLOUD Act Exposure Matrix — All Five Vendors

| Dimension | Silverfort | Vectra AI | CrowdStrike FI | SentinelOne SI | Semperis |
|---|---|---|---|---|---|
| D1: Corporate Jurisdiction | 5/5 | 5/5 | 5/5 | 5/5 | 5/5 |
| D2: Intelligence Partnerships | 4/5 | 4/5 | 5/5 | 4/5 | 3/5 |
| D3: Data Sensitivity | 5/5 | 5/5 | 5/5 | 5/5 | 5/5 |
| D4: Infrastructure | 3/5 | 3/5 | 3/5 | 3/5 | 3/5 |
| D5: Mitigation Measures | 3/5 | 2/5 | 2/5 | 3/5 | 2/5 |
| Total CLOUD Act Score | 20/25 | 19/25 | 20/25 | 20/25 | 18/25 |

Higher score = higher CLOUD Act risk. All five vendors: US C-Corp. EU-native alternatives: 0/25.

Critical observation: Every ITDR platform in this series scores D3 at 5/5 — the maximum data sensitivity rating. This is not coincidence. It reflects the fundamental architecture of the ITDR category: to detect identity attacks, you must process complete Active Directory topology, real-time authentication telemetry, and privileged account inventories. There is no ITDR product that achieves its detection mission without processing this data. The D3 ceiling is category-structural, not vendor-specific.


Vendor Analysis

Silverfort — 20/25 (Joint Highest)

Corporate Structure: Silverfort, Inc. — New York C-Corp, headquartered in Tel Aviv, Israel. Founded 2016 by Hed Kovetz, Yaron Kassner, and Matan Fattal (all Israeli security researchers). Backed by General Atlantic (NYC, $83B AUM PE), Georgian Partners, and Acrew Capital. Raised $116M Series D in 2022 at $1B+ valuation.

Architecture: Agentless identity security platform. Deploys a Silverfort gateway that integrates with Active Directory and RADIUS authentication flows. Instead of deploying agents on every endpoint or domain controller, Silverfort intercepts authentication requests at the identity provider level — every login attempt to every system passes through the Silverfort gateway for analysis and policy enforcement. This architecture means Silverfort processes 100% of authentication events across all systems (not just AD-joined assets), including legacy systems, operational technology, and custom applications.

CLOUD Act Risk: The New York C-Corp structure creates definitive US jurisdiction under the CLOUD Act. Authentication proxy architecture means Silverfort has visibility into authentication attempts from all systems — including OT, SCADA, and legacy systems often excluded from endpoint-based ITDR. For critical infrastructure operators, this creates CLOUD Act exposure over OT authentication patterns that other ITDR platforms would not process.

D2 Score (4/5): General Atlantic's PE portfolio includes US defence and intelligence-adjacent technology companies. Israeli co-headquarters creates a Five Eyes-adjacent intelligence partnership dynamic: Israeli signals intelligence capabilities (Unit 8200) and Israeli-US intelligence sharing agreements create indirect intelligence relationship risks that a purely US company without Israeli ties would not present.

Key Paradox — The Protocol Universality Paradox: Silverfort's agentless architecture processes RADIUS, Kerberos, NTLM, SSH, LDAP, RDP, and OT protocol authentication. For a manufacturing or energy operator, this means Silverfort has visibility into OT system authentication — Modbus, PROFINET, IEC 61850 device access. KRITIS-Dachgesetz §10 mandates protecting critical infrastructure systems; deploying a US-incorporated vendor with access to OT authentication patterns may itself create a supply chain vulnerability under the very regulation it is deployed to help satisfy.


Vectra AI — 19/25

Corporate Structure: Vectra AI, Inc. — Delaware C-Corp, headquartered in San Jose, California. Founded 2010. Backed by Silver Lake (NYC, $102B AUM PE), TCV (technology-focused PE), and Accel. Raised $200M Series E in 2021.

Architecture: Network Detection and Response (NDR) platform extended to ITDR. Vectra AI's primary detection methodology is network telemetry analysis — it monitors network traffic for attack behaviour signatures, using machine learning to identify anomalous patterns. Its ITDR capabilities derive from analysing network-visible identity attack techniques: Kerberos Golden Ticket attacks appear in network traffic as anomalous TGS requests; DCSync attacks appear as unusual replication traffic; LDAP reconnaissance appears as bulk directory query patterns. Vectra AI does not deploy agents on domain controllers — it monitors identity attacks from the network perspective.

CLOUD Act Risk: Delaware C-Corp with Silver Lake PE ownership. Silver Lake's investment portfolio includes Broadcom, Dell Technologies, and other US technology companies with defence-adjacent government relationships. The NDR architecture means Vectra AI processes full network metadata — not just identity events but all east-west traffic metadata for the network segments monitored. Under CLOUD Act compelled disclosure, US authorities would receive network communication metadata for EU internal systems, not just identity-specific events.

D3 Score (5/5): Network metadata processed by Vectra AI includes communication patterns for all monitored systems — not limited to identity transactions. For a healthcare or financial services operator, this includes transaction-level metadata for patient record access, financial system queries, and inter-system communication. The breadth of network metadata elevates D3 to maximum despite the narrower identity-specific framing.

Key Paradox — The Retrospective Investigation Paradox: Vectra AI's Recall product stores up to 90 days of network metadata for retrospective investigation. When a security team uses Recall to investigate an identity-based incident, the investigation record itself — what was accessed, when, by whom — is stored in Vectra AI's cloud infrastructure under CLOUD Act jurisdiction. A GDPR Article 33 breach notification investigation creates a 90-day evidence window in US-jurisdictional storage.


CrowdStrike Falcon Identity — 20/25 (Joint Highest)

Corporate Structure: CrowdStrike Holdings, Inc. — Delaware C-Corp, headquartered in Austin, Texas. NASDAQ: CRWD. Founded 2011 by George Kurtz and Dmitri Alperovitch (ex-McAfee). FY2024 ARR: $3.44B.

Architecture: Falcon Identity is the ITDR module within CrowdStrike's unified Falcon platform. It deploys sensors on domain controllers that capture and forward authentication telemetry (Kerberos, NTLM, LDAP, SAML) to the Falcon cloud for correlation with endpoint telemetry, threat intelligence (Falcon Intelligence), and CrowdStrike's OverWatch threat hunting team. Falcon Identity benefits from CrowdStrike's $3B+ threat intelligence operation — every identity attack technique detected across the entire CrowdStrike customer base informs detection for all customers.

CLOUD Act Risk: CrowdStrike has the highest D2 score in the series (5/5) due to its confirmed deployments with US DoD (IL4+), Intelligence Community agencies, FedRAMP High authorisation, and the structurally significant role of CrowdStrike OverWatch — an always-on human threat hunting service that has direct human access to customer telemetry (with contractual consent). The OverWatch model means US-person analysts at CrowdStrike can directly access EU customer identity telemetry as part of their threat hunting mandate. CLOUD Act jurisdiction plus human analyst access creates the most direct exposure pathway of any vendor in this series.

D5 Score (2/5): CrowdStrike offers EU data residency through the Falcon EU-1 region (Frankfurt) but OverWatch's human threat hunting service necessarily involves US-person analysts accessing EU customer telemetry. The contractual consent model that makes OverWatch legitimate for threat hunting does not insulate the data from CLOUD Act compelled disclosure — consent to OverWatch access and CLOUD Act compelled disclosure are separate legal frameworks that operate simultaneously.

Key Paradox — The OverWatch Intelligence Adjacency Paradox: CrowdStrike OverWatch is one of the most capable human threat hunting services in commercial cybersecurity. Its access to customer telemetry is what makes it effective. For a European CISO, OverWatch's effectiveness and its CLOUD Act risk are inseparable: you cannot benefit from OverWatch without US-person analysts having direct access to your AD telemetry, which is directly accessible to US law enforcement under the CLOUD Act. The more you rely on OverWatch, the more you amplify the jurisdictional exposure.


SentinelOne Singularity Identity — 20/25 (Joint Highest)

Corporate Structure: SentinelOne, Inc. — Delaware C-Corp, headquartered in Menlo Park, California. NASDAQ: S. Founded 2013 by Tomer Weingarten and Almog Cohen. FY2024 ARR: $621M. Singularity Identity capabilities acquired through Attivo Networks acquisition (April 2022, ~$616.5M).

Architecture: XDR-integrated ITDR platform combining three inherited Attivo capabilities: (1) Active Directory continuous assessment (Ranger AD), (2) real-time identity attack detection via domain controller sensors, and (3) deception technology (Singularity Hologram) deploying fake credentials, decoy accounts, and memory-injected synthetic Kerberos tickets. Integration with the SentinelOne endpoint agent provides full process-level context for every identity event — a Kerberoasting attempt is correlated with the exact process, parent process, and memory state of the endpoint making the LDAP query.

CLOUD Act Risk: The deception architecture creates a unique D3 exposure category. For deception credentials to fool a sophisticated attacker, they must closely resemble real credentials — matching naming conventions, password complexity patterns, and group membership structures of your actual users. Constructing convincing fakes requires analysing your real user behavioral patterns. Under CLOUD Act compelled disclosure, US authorities would receive not just your AD topology but employee behavioral profiles generated from continuous monitoring of authentication behavior — profiles used to construct deception artifacts.

D2 Score (4/5): SentinelOne has pursued US federal certifications and has government customers. The In-Q-Tel prior investment in Attivo Networks (before the SentinelOne acquisition) creates an indirect intelligence relationship that post-acquisition SentinelOne inherited. This is one point below CrowdStrike's confirmed IC and DoD SRG IL4+ deployments.

Key Paradox — The Deception Baseline Paradox: Singularity Hologram must understand what "normal" looks like to construct believable "fake" credentials. This employee behavioral profiling — which authentication patterns, account names, and group structures look legitimate — is itself a CLOUD Act-accessible intelligence asset. The deception layer that catches attackers also creates a behavioral map of your legitimate workforce.


Semperis — 18/25

Corporate Structure: Semperis, Inc. — New York C-Corp, headquartered in Hoboken, New Jersey. Founded 2015 by Guy Teverovsky, Mickey Bresman, and Matan Liberman. Backed by Vector Capital (San Francisco-based private equity, ~$3B AUM, technology-focused buyout). Raised $200M Series C in 2023. Markets itself with "Europe-first" messaging — a designation that warrants scrutiny under CLOUD Act analysis.

Architecture: Semperis specialises in Active Directory security and resilience rather than real-time threat detection. Its product suite focuses on three areas: (1) Directory Services Protector (DSP) — continuous monitoring of AD changes (user/group modifications, GPO changes, replication anomalies), with automatic rollback of malicious changes; (2) Purple Knight — free AD security assessment tool that maps attack paths and misconfigurations; and (3) Active Directory Forest Recovery — enterprise AD backup and recovery product designed for post-attack restoration when AD is fully compromised (ransomware scenario). The Forest Recovery product holds complete AD database backups — the most sensitive possible data category for any identity security vendor.

D1 Score (5/5): New York C-Corp gives US federal courts unambiguous jurisdiction. "Europe-first" marketing refers to data processing location preferences, not corporate jurisdiction. A New York-incorporated company's data obligations to US law enforcement are determined by US law, not marketing language.

D2 Score (3/5): Vector Capital's portfolio focuses on enterprise software buyouts without a pronounced defence or intelligence-adjacent profile. No confirmed US government agency deployments or FedRAMP authorisations found in public information. Lower D2 than the other four vendors.

D3 Score (5/5): Active Directory Forest Recovery holds complete AD database backups — ntds.dit files containing all user accounts, password hashes (even historically), group memberships, and the full schema of the AD forest. This is the maximum possible D3 score: a CLOUD Act request against Semperis's Forest Recovery product yields not just the current AD state but historical AD state across the backup retention window. If your Forest Recovery backup spans six months, US authorities receive a six-month timeline of every AD change, every account creation, every privilege grant.

Key Paradox — The "Europe-First" CLOUD Act Paradox: Semperis's "Europe-first" marketing positions the company as uniquely aligned with EU sovereignty concerns — highlighting European data centre options, EU-specific sales teams, and GDPR commitment. This framing is technically accurate in describing data processing geography. It is structurally misleading as a CLOUD Act risk indicator. Semperis, Inc. is a New York C-Corp subject to US CLOUD Act jurisdiction regardless of where data centre servers sit. The CLOUD Act (18 U.S.C. § 2713) explicitly requires disclosure "regardless of whether such communication, record, or other information is located within or outside of the United States." Marketing as "Europe-first" does not reduce CLOUD Act risk; it creates a false confidence that may lead EU security buyers to underestimate the actual jurisdictional exposure of deploying a New York C-Corp for their most sensitive identity security workloads.

The Forest Recovery Severity: Of the five vendors in this series, Semperis's Forest Recovery product creates the highest-severity single CLOUD Act disclosure event: a compelled disclosure request yields complete historical AD database backups, including password hashes. No other product in this series carries this specific risk profile. CrowdStrike and SentinelOne process current authentication telemetry; Semperis holds historical AD snapshots that include credential material.


The Three Meta-Paradoxes of EU-ITDR

These paradoxes are category-structural — they apply to all five vendors equally and cannot be resolved by contractual or architectural adjustments from any individual vendor.

Paradox 1 — The Identity Visibility Paradox

ITDR platforms must process complete Active Directory topology to detect identity attacks. The more comprehensive the coverage — every Kerberos transaction, every privileged account, every authentication event — the more effective the detection. This comprehensive visibility is simultaneously the product's core value and its maximum CLOUD Act payload. You cannot resolve this paradox by limiting what data the vendor processes; limiting the data limits the detection capability. European organisations choosing ITDR must accept that the better the tool, the higher the CLOUD Act exposure — or accept inferior detection coverage in exchange for jurisdictional isolation.

Paradox 2 — The Incident Response Chain Paradox

NIS2 Article 23 requires notification of significant incidents within 24 hours of discovery. ITDR platforms are the systems that generate the forensic evidence supporting that notification — event logs, authentication telemetry, attack timeline reconstructions. Under the CLOUD Act, US law enforcement can access this same evidence through a compelled disclosure request. A breach affecting EU critical infrastructure may trigger simultaneous NIS2 Article 23 obligations to EU national authorities and CLOUD Act requests from US law enforcement — with the ITDR platform's evidence logs potentially reaching US authorities before the EU regulatory notification process is complete. The tools that enable NIS2 compliance create a parallel disclosure pathway that NIS2 does not govern.

Paradox 3 — The Behavioral Baseline Paradox

ITDR platforms detect attacks by establishing what "normal" authentication behavior looks like for each user and entity in your environment — then flagging deviations. This behavioral baseline — who logs in when, from where, with what frequency, accessing which resources — is an intelligence asset. Under CLOUD Act compelled disclosure, US authorities receive not just attack evidence but the behavioral baseline itself: a detailed map of how your employees operate, when they access systems, and what their authentication patterns reveal about organisational workflows. Identity threat detection requires building a comprehensive model of your workforce's digital behavior; that model is accessible to US law enforcement under CLOUD Act jurisdiction.


EU-Native Alternatives — Sovereign Options

| Vendor | Country | Category | CLOUD Act Score | ITDR Coverage |
|---|---|---|---|---|
| EclecticIQ | Netherlands | Threat Intelligence Platform | 0/25 | Partial (threat intel + some AD integration) |
| SEKOIA.IO | France | SIEM/XDR | 0/25 | Partial (AD log analysis, detection rules) |
| Stamus Networks | France | NDR | 0/25 | Partial (network-based identity attack detection) |
| Wazuh | Spain (Federated Data SL) | Open-source SIEM | 0/25 | Partial (AD log collection + custom rules) |
| Elastic SIEM (self-hosted) | No US parent when self-hosted | SIEM | 0/25 | Partial (requires custom AD detection content) |

The honest assessment: No EU-native vendor currently offers purpose-built ITDR coverage equivalent to the five US platforms analysed in this series. The EU-native options are:

  1. Horizontal SIEM platforms (SEKOIA.IO, Wazuh) — capable of ingesting AD event logs and applying detection rules for identity attacks, but without the architectural depth of purpose-built ITDR (no deception technology, limited AD topology analysis, no automatic rollback of malicious AD changes).

  2. NDR platforms (Stamus Networks) — detect network-visible identity attacks (Kerberoasting via LDAP, DCSync via replication traffic) without deploying agents on domain controllers. Lower coverage depth, lower CLOUD Act risk.

  3. Open-source composition — self-hosted combination of Wazuh (log collection + SIEM), Velociraptor (forensics), Zeek (NDR), and custom Sigma rules for AD attack detection. Full sovereignty but requires significant operational investment and lacks the integrated detection intelligence of commercial ITDR platforms.
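One way to build the custom AD attack detection that the self-hosted option depends on, as an added example (not code from sota.io, Wazuh, or any vendor named in this post): two rules applied to Windows Security events from a domain controller, DCSync via replication access rights in event 4662 and Kerberoasting via bursts of RC4 service tickets in event 4769. Field names follow the Windows Security log; the domain-controller allow-list, the threshold, and every sample event are assumptions constructed for the example.

```python
"""Two AD identity-attack detection rules over Windows Security events, as a
self-hosted SIEM would apply them. Added example, not vendor or project code;
all events are constructed."""
from dataclasses import dataclass
from typing import Iterable

# Well-known control-access-right GUIDs required for directory replication.
# A non-DC account requesting them in event 4662 is the classic DCSync signal.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)

RC4_HMAC = "0x17"  # TicketEncryptionType value in event 4769


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    detail: str


def detect_dcsync(events: Iterable[dict], domain_controllers: set[str]) -> list[Alert]:
    """Event 4662 carrying a replication right, requested by a non-DC account."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = e.get("SubjectUserName", "")
        # DCs replicate with each other legitimately; their machine accounts end
        # in "$". The allow-list of DC names is an assumption of this example.
        if subject.rstrip("$").upper() in domain_controllers:
            continue
        alerts.append(Alert("DCSync", subject,
                            f"replication access right on {e.get('ObjectName', '?')}"))
    return alerts


def detect_kerberoasting(events: Iterable[dict], threshold: int = 3) -> list[Alert]:
    """Event 4769: one account obtaining RC4 service tickets for many distinct
    service accounts. krbtgt and computer accounts ("$" suffix) are skipped."""
    tickets: dict[str, set[str]] = {}
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if e.get("Status", "0x0") != "0x0":
            continue  # failed requests return no ticket material
        service = e.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        tickets.setdefault(e.get("TargetUserName", ""), set()).add(service)
    return [Alert("Kerberoasting", user,
                  f"{len(svcs)} distinct RC4 service tickets: {sorted(svcs)}")
            for user, svcs in tickets.items() if len(svcs) >= threshold]


# Constructed sample events, not captured from any real domain.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=corp,DC=example",
     "Properties": f"%%7688 {DS_REPLICATION_GET_CHANGES_ALL}"},   # DC-to-DC, benign
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
     "Properties": f"%%7688 {DS_REPLICATION_GET_CHANGES}"},       # user account: alert
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.EXAMPLE", "ServiceName": "sql-prod",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.EXAMPLE", "ServiceName": "iis-app",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.EXAMPLE", "ServiceName": "svc-report",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc-backup@CORP.EXAMPLE", "ServiceName": "WS042$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},            # computer account, skipped
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "sql-prod",
     "TicketEncryptionType": "0x12", "Status": "0x0"},            # AES ticket, normal
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed allow-list


def run_rules(events=SAMPLE_EVENTS, dcs=DOMAIN_CONTROLLERS) -> list[Alert]:
    return detect_dcsync(events, dcs) + detect_kerberoasting(events)


if __name__ == "__main__":
    for a in run_rules():
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

The two functions correspond to the detection rules a SIEM would carry; the forensic record they produce stays on the host that runs them, which is the jurisdictional point the hybrid path in this series relies on.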

Regulatory guidance on sovereign tooling: ENISA's 2024 guidance on supply chain security for essential entities explicitly identifies the US CLOUD Act as a "third-country law" that may conflict with EU data protection obligations when processing incident response data. ENISA recommends that essential entities performing a risk assessment under NIS2 Article 21 explicitly evaluate the CLOUD Act jurisdictional status of security monitoring vendors.


Decision Framework for EU Security Teams

Tier 1 — Critical Infrastructure (KRITIS-Dachgesetz, NIS2 Essential Entities)

Recommendation: EU-native sovereign tooling (SEKOIA.IO + Stamus Networks + Wazuh self-hosted) with accepted detection coverage limitations, OR US ITDR with explicit Article 49 GDPR risk assessment, documented regulatory notification, and contractual CLOUD Act notification provisions.

Risk posture: Critical infrastructure operators should not assume CLOUD Act risk is theoretical. Post-Snowden intelligence practice demonstrates that US law enforcement and intelligence agencies actively request data from US-incorporated providers. Identity infrastructure for a power grid operator, water treatment facility, or banking core system warrants the highest possible sovereignty standard.

Practical path: Many KRITIS-Dachgesetz operators are running a hybrid: US ITDR for detection capability with EU-hosted SIEM (SEKOIA.IO or self-hosted ELK) receiving alerts and logs — ensuring the forensic record lives under EU jurisdiction even if the detection agent is US-incorporated.

Tier 2 — Important Entities (NIS2), DORA-Regulated Entities

Recommendation: US ITDR is operationally acceptable if: (a) the vendor is selected based on this matrix (prefer lower-scoring vendors — Semperis 18/25 or Vectra AI 19/25 for CLOUD Act risk minimisation), (b) a Data Protection Impact Assessment under GDPR Article 35 is completed, (c) EU data residency is configured and documented, and (d) the CLOUD Act risk is explicitly disclosed in the NIS2 Article 21 supply chain risk register.

Practical path: Vectra AI (19/25) or Semperis (18/25) — excluding Forest Recovery from cloud storage — represent the lowest-risk US ITDR options for organisations that require commercial ITDR capabilities.

Tier 3 — Other Regulated Entities (GDPR Article 32 compliance)

Recommendation: Any of the five vendors is operationally acceptable with standard DPA and EU SCCs in place. CLOUD Act risk should be documented in the Article 30 record of processing activities and disclosed to the DPA if identity data processing is a core business function.


Score Summary and Series Conclusion

| Rank | Vendor | Score | Key Risk Driver |
|---|---|---|---|
| 1 | CrowdStrike Falcon Identity | 20/25 | FedRAMP High + OverWatch human analyst access |
| 1 | Silverfort | 20/25 | Protocol universality + OT authentication exposure |
| 1 | SentinelOne Singularity Identity | 20/25 | Deception behavioral baselines + Attivo heritage |
| 4 | Vectra AI | 19/25 | Network metadata breadth + Recall storage |
| 5 | Semperis | 18/25 | Forest Recovery AD database backups + "Europe-first" false comfort |

The EU-ITDR series has established a consistent finding: identity threat detection is the security category with the highest structural CLOUD Act risk profile. Every platform scores D3 at the maximum (5/5) because the architecture required to detect identity attacks is, by definition, the architecture required to process the most sensitive organisational data: your complete identity infrastructure.

European organisations cannot resolve this paradox through vendor selection within the US ITDR market. The choice is between accepting CLOUD Act jurisdictional exposure for superior detection capability, or accepting reduced detection coverage for genuine jurisdictional sovereignty. That is a risk decision — not a compliance checkbox. The five platforms in this series provide the data to make that decision explicitly and documentably rather than by assumption.

The next series in the sota.io EU Cyber Compliance review continues with critical EU cloud workload categories. Subscribe to stay current on CLOUD Act exposure analysis as the regulatory environment evolves.


CLOUD Act scores reflect publicly available information as of May 2026. Scores are risk indicators, not legal assessments. Consult legal counsel for compliance decisions affecting your specific regulatory jurisdiction.
