ManageEngine AD360 adds risk mapping & MFA to fight breaches
ManageEngine has announced the addition of risk exposure management and local user multi-factor authentication (MFA) features to its AD360 identity and access management platform, aimed at strengthening identity threat defences within enterprises.
Growing risks in enterprise identity
These new capabilities are designed to help security teams detect privilege escalation risks and secure unmanaged local accounts, both of which the company notes attackers regularly exploit.
This focus comes in response to findings from Verizon's 2025 Data Breach Investigations Report, which indicated that credential abuse was the initial access vector in 22 per cent of breaches and identified widespread misuse of poorly managed local accounts and privilege paths across more than 12,000 confirmed breaches.
Most identity and access management (IAM) tools traditionally place emphasis on user provisioning and policy enforcement.
By contrast, ManageEngine claims that AD360 introduces risk exposure mapping using attack path analysis, alongside local MFA enforcement.
The aim is to close off attack paths often bypassed by conventional protections and reinforce identity management as an active security control within the wider defensive posture of enterprises.
"With this release, ManageEngine AD360 moves beyond traditional IAM by embedding identity threat defences into core identity operations."
"By turning identity data into actionable security insights, we're helping customers make IAM the first line of defence, not a check box," said Manikandan Thangaraj, Vice President of ManageEngine.
Enhancements in detection and MFA
The identity risk exposure management feature employs graph-based analysis to map lateral movement and privilege escalation paths in Active Directory (AD) environments.
According to ManageEngine, this approach automatically prioritises risky configurations and offers remediation steps.
The platform models AD objects as nodes and privilege inheritance as the lines (edges) connecting them, making it possible for IT teams to identify multi-step attack chains in real time and act on suggested mitigations.
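The node-and-edge model described above can be sketched as follows. This is an added example, not ManageEngine's code or algorithm: it runs a breadth-first search over constructed AD objects to report which accounts can reach a privileged group and which relationships recur across the most paths, making them the first candidates for remediation. All object names and relationship labels are hypothetical.

```python
from collections import Counter, deque
# Constructed sample data: (source, relationship, target). All names and
# relationship labels are hypothetical, not taken from AD360.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Developers"),
    ("Developers", "CanAddMember", "Helpdesk"),
    ("Helpdesk", "CanResetPassword", "svc_backup"),
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "FullControl", "Domain Admins"),
]

def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops as (src, rel, dst) or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                hops.append(parent[node])
                node = parent[node][0]
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:  # visited check also handles cycles
                parent[nxt] = (node, rel, nxt)
                queue.append(nxt)
    return None

def exposure_report(edges, principals, target):
    """Paths from each principal to target, plus edges ranked by reuse."""
    graph = build_graph(edges)
    paths = {p: shortest_path(graph, p, target) for p in principals}
    paths = {p: hops for p, hops in paths.items() if hops}
    shared = Counter(hop for hops in paths.values() for hop in hops)
    return paths, shared.most_common()

if __name__ == "__main__":
    paths, ranked = exposure_report(EDGES, ["alice", "bob", "carol"], "Domain Admins")
    print(paths, ranked[0], sep="\n")
```

In this sample, removing any one of the three relationships shared by both paths cuts every route to the privileged group, which is the kind of prioritisation a graph view makes visible and a flat permissions list does not.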
Local user MFA is designed to improve security around unmanaged local accounts, especially those on non-domain-joined servers, DMZ assets, and test environments. The extension of adaptive MFA to these accounts is intended to counteract credential stuffing and persistence attacks that frequently target such weaknesses.
Additional technical features in the release include machine learning-driven access recommendations.
During access reviews and provisioning, the platform analyses permission patterns to suggest modifications that support least privilege access models, which can help organisations prevent unnecessary entitlements from accumulating within their IT systems.
Expanded governance and compliance
ManageEngine has also updated the AD360 access certification module to enable broader entitlement review coverage, and the risk assessment tool now features new indicators that support improved monitoring across both AD and Microsoft 365 environments.
These enhancements are positioned to facilitate compliance reporting and strengthen overall access governance.
The capabilities released support a range of regulatory and security requirements, including NIST SP 800-207 guidance on Zero Trust architectures, PCI DSS Version 4.0 Requirement 8, and relevant controls for SOX, HIPAA, and GDPR frameworks.
AD360 functions as a unified identity platform, providing enterprises with tools for lifecycle management, secure single sign-on (SSO), adaptive MFA, risk-based governance, auditing, compliance, and identity analytics in a centralised console.
The platform integrates with a broad ecosystem of existing IT tools and supports both off-the-shelf and custom connectors.
ManageEngine is a technology provider specialising in IT management solutions, delivering tools for digital enterprise management aimed at facilitating safer, more efficient operations for organisations worldwide.