Material's latest updates automate threat remediation across the cloud workspace—from calendar invites and inboxes to Google Drive—while providing deeper context and transparency into detection logic.
In Material’s last update roundup, we looked at recent updates that helped connect the dots across the cloud workspace. For most security practitioners, the "dots" are rarely the problem—it’s the lines between them.
When an incident hits, an analyst’s brain is essentially a high-speed context engine: Who else got this? Did they click? If they clicked, what did they do next? Speed is the goal, but precision is a requirement.
This month, we’re releasing a set of features designed to keep narrowing the gap between seeing a threat and fixing it, not just in the inbox but across the entire environment. February’s updates continue Material’s focus on not just identifying the threat chain, but automatically breaking it.
Visualizing the "what happened next" in Google Drive
Detecting a compromised account is one thing; understanding the blast radius is another. If an attacker gains access to a Google Workspace account, one of their first stops is almost always the file store.
We’ve introduced a new Anomalous GDrive Activity UI to give analysts an at-a-glance timeline of an incident. Instead of digging through raw logs to see which files were accessed or shared during a specific window, you can now see GDrive actions mapped directly to the incident timing.
This isn't just about saving time during triage. For an analyst, this is a massive decrease in the cognitive load needed to understand the situation. It’s one thing to see file download alerts; being able to see a timeline of what was downloaded, when, and how sensitive it is makes the stress case more bearable.
No black boxes: improved explainability
"Because the AI said so" is rarely an acceptable answer when a frustrated executive asks why an important (if slightly suspicious) email was nuked.
Security practitioners shouldn’t have to babysit their tools, but they should be able to defend them. We’ve updated the analysis attached to phishing issues to provide significantly more detail on why a message was flagged.
- Transparent Detection: See the specific indicators—from sender reputation anomalies to suspicious link construction—that triggered the flag.
- Impact Mapping: Quickly communicate the logic behind a detection to stakeholders or end-users without needing to reverse-engineer a proprietary model.
By showing the work behind the detection, we’re helping teams build trust in their automated systems while giving analysts the technical ammunition they need for complex cases.
Syncing the inbox and the calendar
Email remains the primary delivery vector, but the payload is increasingly moving to other surfaces. We’ve seen a steady rise in phishing attempts that leverage .ics files to plant malicious links or fake meeting details directly onto a user’s calendar.
The problem? Most remediation is inbox-centric. You defang or delete the email, but the calendar event remains—a persistent and implicitly-trusted potential time bomb sitting in the user’s schedule.
Material’s automated calendar remediation closes this loop:
- Auto-Cleanup: When Material remediates a phishing message, Material’s workflows can now automatically find and delete the associated calendar event.
- Smart Restore: We know triage isn't always linear. If a message is later marked as safe, Material automatically puts the meeting back on the calendar, saving you from "where did my meeting go?" support tickets.
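The page does not describe how Material matches a message to its calendar event, so the following is an added illustration, not Material's code or API. It shows what that link looks like at the format level: the sketch unfolds an iCalendar (RFC 5545) attachment and returns each event's UID, the identifier the invite carries for that event, along with any URLs it contains. The sample invite, domains and function names are constructed for this example.

```python
import re

# Constructed sample: a phishing-style invite whose DESCRIPTION is folded mid-URL.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@mail.example\r\n"
    "SUMMARY:Payroll update - action required\r\n"
    "ORGANIZER;CN=HR Team:mailto:hr@payroll.example\r\n"
    "DESCRIPTION:Review your details at https://login.payroll.exa\r\n"
    " mple/verify?id=42\\nbefore Friday.\r\n"
    "LOCATION:https://meet.example/j/123\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"<>]+", re.IGNORECASE)

def unfold(ics_text):
    # RFC 5545 3.1: a line break followed by a space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def unescape(value):
    # RFC 5545 TEXT escapes: backslash-n is a newline; , ; and \ are backslash-escaped.
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_events(ics_text):
    """Return one dict per VEVENT: uid, organizer, and URLs found in any property."""
    events, current = [], None
    for line in unfold(ics_text):
        # Simplification: quoted parameter values containing ':' are not handled.
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {"uid": None, "organizer": None, "urls": []}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            if name in ("UID", "ORGANIZER"):
                current[name.lower()] = value.strip()
            for url in URL_RE.findall(unescape(value)):
                if url not in current["urls"]:
                    current["urls"].append(url)
    return events
```

Unfolding before matching matters here: without it, the URL split across the folded DESCRIPTION line would be truncated and would not match the link seen in the email body.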
Mapping the relationship between identity and data
We’ve added new filters to the Issues list, including a Recipients and a revamped Related To filter.
In a modern cloud office, an "incident" is rarely just a single message. It’s a person, a group, or an account being targeted across multiple surfaces. These filters allow you to pivot instantly:
- Search for a specific recipient and see every related email, file, and account activity.
- Understand the relationship between a target and the broader organization’s data footprint.
This helps tell the full story of the threat chain. It moves the conversation from "we blocked a link" to "we protected this specific user and their associated data across the workspace."
Protecting across the entire cycle
Security is rarely about a single "gotcha" moment. It’s a game of persistence and administrative hygiene. By automating the cleanup of calendar invites, surfacing file-level activity in Google Workspace, and peeling back the curtain on our detection logic, we’re trying to give practitioners a few hours of their week back.
More importantly, we’re ensuring that when a threat is identified, it actually stays dead—across every corner of the cloud office.
