Material's new Okta integration automates real-time responses to identity threats by connecting in-platform detections with access controls.
As a Lead Product Manager at Material, I spend a lot of time talking to security teams. A common theme I hear, especially from lean teams, is the struggle to keep up with the sheer volume of security alerts. The resulting gap between receiving an alert and taking meaningful action leaves the door open for attackers.
Security tools are great at creating signals. The dashboard is blinking, the SIEM is humming, and notifications are piling up. But an alert is just the start. The real work is investigating, determining the actual risk, and then responding. While your team is busy correlating logs, a compromised account could be creating forwarding rules, exfiltrating sensitive files, or phishing the rest of the company. The problem isn’t a lack of signals; it’s the lack of a direct, automated connection between the place where risk is detected and the place where it can be contained.
That's why I'm thrilled to announce our new integration with Okta’s Identity Threat Protection (ITP) using their Shared Signals Framework (SSF). We built this to help you move from detection to response in real time, allowing you to automate security workflows and protect your business without needing a large security team.
Connecting your identity plane to your collaboration plane
For most businesses, Google Workspace or Microsoft 365 is your office. It’s where your most sensitive data lives and your most important work happens.
Your identity provider, like Okta, is the front door to that office, and it is very good at keeping that door secure. Material, in turn, has deep visibility into what’s happening inside the office. We see when a user responds to a phish, when suspicious email rules are created, or when sensitive data is being mishandled.
Separately, these are powerful platforms. But what if the system that sees the risk could talk directly to the system that controls access?
That’s the idea behind ITP and the SSF. By leveraging the SSF standard, Material can now send real-time risk signals from your cloud workspace directly into Okta’s identity protection. This closes the loop between in-platform detection and access-plane response, allowing you to build powerful, automated workflows that protect your organization without adding manual work for your team.
Of course, Material already offers a wide range of automated remediations and responses. But by integrating Material with Okta ITP, customers have an even wider range of immediate and automated responses to protect their identities and accounts.
From a Material detection to an automated Okta action
So, how does it work?
The integration is designed for simplicity. When Material detects a security issue, like a suspicious email forwarding rule or a risky login, we now send a real-time event signal directly to your Okta instance using SSF. Okta can immediately understand these signals and, most importantly, act on them.
This allows you to build powerful "if-this-then-that" workflows within Okta, using Material’s high-fidelity detections as triggers for Okta’s security actions.
Use cases you can automate today
This isn't just theoretical. This integration unlocks immediate, practical use cases that address common and critical threats. Here are a few examples of what you can now automate:
Scenario 1: Detect a compromised account rule
The Threat: An attacker gains access to a user's account and creates a new email rule to auto-forward all incoming emails to an external address, hoping to intercept sensitive information.
Automated Response: Material detects the suspicious forwarding rule. A signal is instantly sent to Okta, which can trigger an automated workflow to:
- Force a password reset for the user.
- Require step-up authentication with a phishing-resistant MFA factor on their next login.
- End all active user sessions.
Scenario 2: Prevent data exfiltration to a personal account
The Threat: A user begins sending a higher-than-usual number of emails with sensitive content to their personal freemail account, indicating potential data exfiltration.
Automated Response: Material flags this anomalous behavior. The signal to Okta can trigger a workflow to:
- Log the event for compliance and auditing purposes.
- Apply a data loss prevention (DLP) policy to block further sensitive sharing.
- Create a ticket in your incident response system for follow-up.
Scenario 3: Respond to a high-risk login
The Threat: A user’s credentials have been compromised and are used to log in from a high-risk network, like Tor or an anonymous VPN.
Automated Response: Material detects the login from a risky location. The signal to Okta can immediately:
- Temporarily suspend the account to prevent further access.
- Add the user to a high-risk group in Okta that enforces more stringent access policies.
- Notify your security team or the user’s manager of the suspicious activity.
Security that works for you
Our goal with this integration and everything we build here at Material is to provide you with security that enables your business, rather than slowing it down. By connecting Material's visibility into your cloud office with Okta's Identity Threat Protection, you can now automate your defenses against account takeovers, insider risks, and other identity-based threats.
For small security teams, this means you can get enterprise-grade protection without the complexity or manual overhead. You can save time and resources by letting your tools handle the initial response, freeing your team to focus on the most critical incidents.
We’re incredibly excited to see the automated security workflows you build with this new capability.