Silverfort EU Alternative 2026: CLOUD Act Risk in Identity Threat Detection
Post #1273 in the sota.io EU Cyber Compliance Series
Identity Threat Detection and Response (ITDR) tools occupy a unique position in the security stack: to detect threats, they must observe everything. Every login. Every privilege escalation. Every lateral movement attempt. Every service account authentication. This total visibility — essential for the tool to work — is precisely what makes ITDR platforms a category-one concern under the US CLOUD Act.
Silverfort has built one of the most comprehensive identity security platforms in the market. Its agentless architecture connects directly to Active Directory, LDAP, RADIUS, and cloud identity providers without requiring endpoint agents. This elegance in design is also the source of its largest compliance exposure: a US government request for Silverfort's data yields the complete authentication history of your entire organization.
This is post #1 in our EU Identity Threat Detection and Response (EU-ITDR) series. We examine Silverfort, Vectra AI, CrowdStrike Falcon Identity, SentinelOne Identity, and Semperis — all major US-headquartered ITDR vendors — against the CLOUD Act, NIS2, GDPR Art. 44–49, and the EU-US Data Privacy Framework.
What Is Silverfort?
Silverfort Ltd. was founded in 2016 in Tel Aviv, Israel by Hed Kovetz (CEO), Yaron Kassner (CTO), and Matan Raz. The company offers a Unified Identity Security Platform with three core pillars:
- Agentless MFA: Multi-factor authentication enforced across any resource — legacy apps, command-line tools, RADIUS endpoints, OT systems — without deploying agents.
- ITDR (Identity Threat Detection and Response): Real-time detection of identity-based attacks including pass-the-hash, golden ticket, Kerberoasting, and lateral movement.
- NHI Protection (Non-Human Identity): Discovery and monitoring of service accounts, API keys, and machine credentials — the attack surface attackers exploit after initial compromise.
As of 2025, Silverfort processes authentication events for organizations across financial services, healthcare, critical infrastructure, and government sectors. The platform sits inline between identity providers and protected resources, meaning it operates as an authentication proxy for the entire organization.
Funding and Investors:
- Series A: Accel Partners (Palo Alto, CA) — 2019
- Series B: Accel + One Peak + Citi Ventures — 2021 ($58M)
- Series C: General Atlantic + Insight Partners + One Peak — 2022 ($116M)
- Total raised: ~$224M
Corporate Structure: Silverfort operates through two legal entities — Silverfort Ltd. (Israel, parent) and Silverfort Inc. (Delaware, USA — US subsidiary). This dual-entity structure is the definitive trigger for US CLOUD Act jurisdiction.
CLOUD Act Analysis: Silverfort Scores 20/25
We apply the same five-dimension CLOUD Act risk matrix used throughout this series.
D1 — Corporate Jurisdiction (5/5)
Silverfort Inc. is incorporated in Delaware, USA. This is the definitive trigger for US CLOUD Act exposure. The CLOUD Act (18 U.S.C. § 2713) requires US-incorporated entities to disclose data held "outside the United States" when served with a qualifying legal order — regardless of where that data physically resides.
The existence of a US subsidiary (Silverfort Inc.) means that even if Silverfort's primary R&D and operations are in Israel, the US legal entity can be compelled to produce data. General Atlantic and Insight Partners — both US-based growth equity firms — hold board seats and governance rights through the Delaware entity structure.
CLOUD Act D1 Score: 5/5 — Delaware C-Corp, definitive US jurisdiction.
D2 — Intelligence Partnerships (3/5)
Silverfort has not disclosed partnerships with US intelligence agencies or law enforcement. There are no public records of NSA, FBI, or CISA formal relationships.
However, several structural factors elevate D2 beyond baseline:
- Israeli-US intelligence framework: Israel is a close US intelligence partner under SIGINT-sharing frameworks. Israeli cybersecurity companies — especially those processing authentication telemetry — operate in a uniquely sensitive intelligence environment. While this does not constitute a direct CLOUD Act obligation, it creates a dual-jurisdiction risk landscape absent in purely European vendors.
- US VC governance: Accel, General Atlantic, and Insight Partners collectively hold significant equity. These firms are subject to US jurisdiction and could theoretically be compelled to exercise shareholder influence in ways that affect corporate cooperation with US government requests.
- FedRAMP trajectory: Silverfort has engaged federal customers and is positioned for US government market growth. Vendors pursuing FedRAMP authorization typically establish deeper integration with US government security requirements.
CLOUD Act D2 Score: 3/5 — Israeli parent + US investors + US federal customer trajectory.
D3 — Data Sensitivity (5/5)
This is where Silverfort's architecture creates maximum exposure. The platform's design requires observing every authentication request that passes through the identity infrastructure.
What Silverfort processes:
- All Active Directory authentication requests (Kerberos TGT + TGS grants)
- LDAP bind operations and attribute queries
- RADIUS authentication packets (VPN, Wi-Fi, legacy systems)
- SAML and OAuth flows from cloud providers (Azure AD, Okta, etc.)
- Service account authentication events (machine-to-machine)
- Privileged access events (domain admin, local admin escalation)
- Failed authentication attempts and anomaly baselines
This data set constitutes the complete organizational identity graph: who authenticates to what, when, from which source, with what privileges, and what anomalies exist. For an EU organization operating critical infrastructure, this is exactly the information a nation-state adversary — or a government with CLOUD Act authority — would want.
A single CLOUD Act order served to Silverfort Inc. (Delaware) yields:
- Historical authentication logs for all users and service accounts
- Behavioral baselines (what "normal" looks like for every user)
- Detected attack patterns (indicating security weaknesses)
- The complete list of privileged accounts and their access patterns
CLOUD Act D3 Score: 5/5 — Authentication telemetry = maximum organizational intelligence value.
D4 — Cloud Architecture (4/5)
Silverfort offers both SaaS (cloud-hosted) and on-premises deployment options. The SaaS offering processes authentication events on Silverfort's cloud infrastructure, hosted on AWS and Azure. Configuration data, policy rules, detection baselines, and authentication logs are stored in these cloud environments.
For the on-premises deployment, authentication events are processed locally — but the management plane (policy updates, threat intelligence feeds, portal access) connects to Silverfort's cloud infrastructure, which remains subject to CLOUD Act jurisdiction.
Organizations that choose on-premises deployment reduce D4 exposure, but because the management plane still connects to Silverfort's cloud, data sovereignty is never complete.
CLOUD Act D4 Score: 4/5 — SaaS default on US cloud infrastructure; on-premises option reduces but doesn't eliminate exposure.
D5 — Compliance Track Record (3/5)
Silverfort holds SOC 2 Type II, ISO 27001, and GDPR-compliant certifications. The company has not disclosed any CLOUD Act orders, government data requests, or security incidents involving authentication data.
The absence of disclosed incidents is not the same as absence of risk — CLOUD Act orders are typically accompanied by non-disclosure obligations (gag orders). Companies cannot always disclose when they have received and complied with government requests.
Silverfort's identity-focused product category — processing authentication events for critical infrastructure operators — places it in a higher-scrutiny tier than general SaaS applications.
CLOUD Act D5 Score: 3/5 — Clean public record, GDPR-certified, but identity data = elevated government interest tier.
Total CLOUD Act Score: 20/25
| Dimension | Score | Rationale |
|---|---|---|
| D1 — Corporate Jurisdiction | 5/5 | Delaware C-Corp (Silverfort Inc.) |
| D2 — Intelligence Partnerships | 3/5 | Israeli-US framework + US VC governance + FedRAMP trajectory |
| D3 — Data Sensitivity | 5/5 | Complete authentication telemetry = maximum intelligence value |
| D4 — Cloud Architecture | 4/5 | SaaS on AWS/Azure; on-premises option available |
| D5 — Compliance Track Record | 3/5 | SOC2/ISO27001/GDPR, no disclosed incidents |
| Total | 20/25 | High CLOUD Act exposure |
Three Compliance Paradoxes
Paradox 1: The NIS2 Identity Monitoring Paradox
NIS2 Art. 21(2)(i) requires organizations to implement "policies and procedures regarding the use of cryptography and, where appropriate, encryption" alongside "access control policies and asset management." Interpreted broadly, this mandates identity monitoring and anomaly detection — precisely what Silverfort provides.
The paradox: organizations deploy Silverfort to comply with NIS2 Art. 21(2)(i). But by doing so, they route all authentication telemetry through a US-CLOUD-Act-exposed platform. This creates exactly the supply chain risk NIS2 Art. 21(2)(d) requires them to manage: a third-party service provider with privileged access to critical authentication infrastructure, operating under a foreign legal jurisdiction.
Deploying Silverfort to meet NIS2 Art. 21(2)(i) creates a NIS2 Art. 21(2)(d) supply chain compliance gap.
NIS2-covered entities in critical infrastructure sectors (energy, transport, finance, health, water, digital infrastructure) should document this paradox explicitly in their risk register when evaluating ITDR vendors.
Paradox 2: The Active Directory Aggregation Paradox
Silverfort's most compelling differentiator is its agentless architecture: no endpoint agents, no AD schema modifications, no proxy servers between users and resources. It connects directly as an authentication proxy, intercepting and forwarding authentication requests.
This elegance means Silverfort receives every Kerberos ticket request that flows through Active Directory. For an organization with 10,000 users, this is tens of millions of authentication events per day. The aggregated dataset creates an intelligence resource of extraordinary value:
- Who accesses what: complete organizational access map
- When: authentication timestamps reveal work patterns, on-call schedules, project rhythms
- Anomalies: ITDR baselines reveal what "normal" looks like — and therefore what "attack" looks like
- Privileged access: domain admin activities, service account usage, cross-forest trust relationships
A US government request for this aggregated dataset provides a more complete picture of an EU organization's internal operations than any traditional intelligence collection method. The CLOUD Act, applied to Silverfort Inc. (Delaware), grants this access legally.
For organizations in defense supply chains, financial services, or EU critical infrastructure, this aggregation risk may be disqualifying under DORA Art. 28 (ICT third-party risk) or KRITIS-Dachgesetz §10.
Paradox 3: The Non-Human Identity Sovereignty Paradox
Silverfort's NHI (Non-Human Identity) protection discovers and monitors service accounts — the machine credentials that govern automated processes, inter-system communications, backup jobs, and application-to-database connections. These accounts are frequently neglected (password never rotated, excessive privileges, no MFA) and represent the highest-value lateral movement targets.
By discovering and monitoring NHI accounts, Silverfort builds a map of every automated workflow, API integration, and machine-to-machine connection in the organization. This NHI map includes:
- Service accounts with domain admin privileges
- Database connection strings and authentication patterns
- Application service principals and their permission scopes
- Backup agent credentials and schedules
For EU organizations operating in regulated industries, this NHI inventory represents critical infrastructure logic — the exact specifications of how automated systems authenticate and communicate. Under a CLOUD Act order served to Silverfort Inc., this inventory becomes accessible to US authorities.
In environments subject to KRITIS-Dachgesetz §10 (German critical infrastructure), the NHI visibility Silverfort provides may itself constitute a reportable risk when processed by a US-CLOUD-Act-exposed entity.
EU Compliance Framework Exposure
GDPR Art. 44–49 (International Transfers)
Silverfort's SaaS offering transfers authentication telemetry — personal data under GDPR — to US-based cloud infrastructure. This transfer relies on the EU-US Data Privacy Framework (DPF) adequacy decision.
The DPF's legal durability depends on US executive branch participation in the Privacy Shield courts framework. Given the current US political environment and documented challenges to DPF adequacy (NOYB, Austrian DPA proceedings), organizations cannot treat DPF as a permanent legal basis for authentication data transfers.
Authentication events contain: usernames (personal data), access times (behavioral data), authentication failures (security-relevant personal data), device identifiers. All are GDPR-regulated personal data categories.
GDPR Art. 44 risk: US CLOUD Act requests for Silverfort data represent compelled international transfers not covered by DPF. GDPR Art. 48 prohibits compliance with foreign court orders that conflict with EU law — creating a direct legal conflict when CLOUD Act orders are served to Silverfort Inc.
NIS2 Art. 21 and 26
Art. 21(2)(d) — supply chain security: Silverfort qualifies as a critical third-party service provider with privileged access to identity infrastructure. NIS2 requires documented risk assessment of this relationship, including assessment of the provider's legal jurisdiction.
Art. 21(2)(j) — security of human resources, access control: Authentication data processed by Silverfort falls under this obligation. Processing by a CLOUD-Act-exposed entity must be documented in the security policy.
Art. 26 — supervisory jurisdiction: EU member state authorities (ANSSI, BSI, CSIRT networks) have supervisory authority over NIS2-covered entities. Their ability to audit ITDR data processed by US entities may be limited by CLOUD Act non-disclosure obligations.
DORA Art. 28 (Financial Sector)
Financial entities subject to DORA must assess ICT third-party risk for all critical service providers. Silverfort processing authentication telemetry for a bank or insurance company qualifies as critical ICT dependency.
DORA Art. 28(4) requires assessment of subcontractor chains. Silverfort's cloud infrastructure (AWS/Azure) represents a subcontractor layer — both subject to CLOUD Act jurisdiction. DORA-compliant organizations must document this chain and assess the resulting concentration risk.
EU-Native Alternatives: CLOUD Act Score 0/25
The EU ITDR market is less mature than the US market — this is a known gap in the European cybersecurity ecosystem. However, several EU-native options provide meaningful identity monitoring capabilities.
Wazuh (Santander, Spain — Open Source)
CLOUD Act Score: 0/25 — Self-hosted, no US legal entity.
Wazuh is an open-source security platform with strong Active Directory monitoring capabilities. Key identity-relevant features:
- Windows Event Log analysis (authentication events, privilege escalation, account changes)
- File integrity monitoring for identity-critical files
- Active response rules for credential-based attacks
- Integration with Active Directory audit logs
Wazuh's advantage: zero CLOUD Act exposure, no vendor dependency, fully auditable source code. EU organizations can deploy on-premises with complete data sovereignty.
Wazuh's limitation: no agentless AD proxy — it requires agents on endpoints and relies on Windows Event Forwarding for centralized collection. Not a direct Silverfort replacement for organizations that require proxy-based enforcement.
SEKOIA.IO (Paris, France — EU SaaS)
CLOUD Act Score: 0/25 — French company, EU-incorporated, no US parent.
SEKOIA.IO offers a threat intelligence-driven SIEM/XDR platform with identity analytics capabilities. The platform includes:
- User and entity behavior analytics (UEBA)
- Integration with AD and Azure AD logs
- Threat intelligence from SEKOIA's EU-based CTI team
- Incident response workflow automation
SEKOIA is BSI and ANSSI-aligned, deployed in French critical infrastructure, and incorporated entirely within France. Its data processing remains under French/EU jurisdiction.
Limitation: SEKOIA is an XDR/SIEM rather than a dedicated ITDR platform. It lacks Silverfort's agentless AD proxy architecture and MFA enforcement capabilities.
TEHTRIS XDR (Bordeaux, France — EU SaaS)
CLOUD Act Score: 0/25 — French company, EU data centers.
TEHTRIS offers an EU-native XDR platform with identity protection modules. Relevant capabilities:
- Endpoint Detection and Response with identity context
- Network behavior analysis including authentication patterns
- Integration with Windows AD and LDAP
- French PASSI certification, NIS2-aligned
Limitation: TEHTRIS XDR is endpoint-centric. Identity protection is integrated within the XDR architecture rather than built from the ground up as an identity-first platform.
Self-Hosted Stack: FreeIPA + Wazuh + TheHive
CLOUD Act Score: 0/25 — All open-source, fully self-hosted.
For organizations with strong operational capabilities, a self-hosted ITDR stack provides maximum sovereignty:
- FreeIPA (Linux Foundation, self-hosted) — enterprise identity management, AD integration via cross-realm trust
- Wazuh (open-source) — authentication monitoring, anomaly detection, SIEM
- TheHive + Cortex (StrangeBee, French company) — incident response and threat intelligence correlation
- OpenLDAP (open-source) — LDAP directory with full audit logging
This stack requires significant operational investment but delivers complete data sovereignty with no third-party CLOUD Act exposure.
EU ITDR Landscape Summary
| Vendor | HQ | CLOUD Act Score | Type |
|---|---|---|---|
| Silverfort | Tel Aviv / Delaware | 20/25 | Commercial SaaS |
| Wazuh | Santander, Spain | 0/25 | Open Source |
| SEKOIA.IO | Paris, France | 0/25 | EU SaaS |
| TEHTRIS XDR | Bordeaux, France | 0/25 | EU SaaS |
| FreeIPA + Wazuh + TheHive | self-hosted | 0/25 | Open Source Stack |
Decision Framework for EU Organizations
Deploy Silverfort if:
- Your security team's primary concern is operational effectiveness over data sovereignty
- You have no NIS2 Art. 26 supervisory exposure or DORA ICT third-party risk obligations
- You operate outside critical infrastructure sectors
- You rely on DPF adequacy as sufficient legal basis and accept its documented durability risks
Choose EU-native alternatives if:
- You are a NIS2-covered entity in essential or important sectors
- You are subject to DORA ICT third-party risk requirements
- Your organization processes data that may be of interest to US intelligence (defense supply chain, EU government services, critical infrastructure)
- Your DPA (CNIL, BfDI, DPC, etc.) has issued guidance restricting US SaaS data transfers
- You operate in Germany under KRITIS-Dachgesetz §10 scope
Minimum controls if Silverfort deployment is required:
- Deploy the on-premises connector where possible (reduces D4 exposure)
- Implement a Data Processing Agreement documenting CLOUD Act risk
- Add Silverfort to your NIS2 Art. 21(2)(d) supply chain risk register
- For DORA: document the AWS/Azure subcontractor chain and concentration risk
- Monitor for DPF adequacy changes — plan for SCCs as fallback
What's Next in the EU-ITDR Series
Post #2 — Vectra AI: San Jose, CA — NDR-based identity threat detection. AI-driven attack surface analysis. CLOUD Act score analysis and EU alternatives.
Post #3 — CrowdStrike Falcon Identity: Austin, TX — Falcon platform identity module. Integration with EDR telemetry. Jurisdiction concentration risk for organizations already running Falcon.
Post #4 — SentinelOne Identity (formerly Attivo Networks): Mountain View, CA — deception-based identity security. CLOUD Act analysis on behavioral decoy data.
Post #5 — Semperis: Fort Lee, NJ — Active Directory recovery and ITDR. EU alternatives for AD disaster recovery and forest recovery sovereignty.
sota.io is an EU-native managed PaaS — 100% GDPR, deployed on Hetzner Germany, no US parent, no CLOUD Act exposure.