A user entered a code into what looked like a legitimate device sign-in prompt. That was all it took for an attacker to get persistent access. For Next Perimeter, this was exactly the kind of identity threat they'd been preparing for.
Their client, a mid-sized marketing agency with users across the Americas and Europe, needed a fast response. Huntress flagged the activity within seconds. By the time David Lloyd, Head of Technology at Next Perimeter, finished reading the report, Huntress had already revoked the active sessions and locked the account.
"The attacker got in once, and they tried to get back in," says Lloyd. "The logs showed exactly where those attempts failed, thanks to Huntress Managed ITDR [Identity Threat Detection and Response], and that's what a true, fast, automated response should look like."
Challenge | When "managed" still leaves too much for the team
Next Perimeter provides managed IT and cybersecurity for regulated businesses—law firms, healthcare organizations, and financial services firms—that need to protect sensitive data without slowing down everyday work.
"Security is an identity-first problem," says Luy Teitelroit, founder and Head of Strategy at Next Perimeter. "Your employees are out on the road, or wherever they happen to be working, and their identities are the beginning of your corporate perimeter."
That framing made the limits of their existing stack hard to ignore. Over time, new features started creating operational problems. Communication gaps meant Next Perimeter sometimes learned about breaking changes after they shipped. macOS issues created friction for clients in media and entertainment. Reporting looked useful until the team found discrepancies between what it showed and what was actually in their security information and event management (SIEM) solution.
Alerting was an even bigger problem. Their existing tool generated more than 50 false alerts a month. Each investigation took 15 to 30 minutes. And even when Next Perimeter identified a false positive, they had no tuning control to stop it from coming back.
"It wasn't just that we were receiving false positives," says Teitelroit. "It's the amount of work that the false positives generate."
Solution | An identity-first stack with a SOC behind every layer
Next Perimeter evaluated Huntress primarily for identity and device protection, a direct fit with how they already saw the market: cloud identity and endpoints are the practical perimeter for modern work.
The team deployed the Huntress Agentic Security Platform: Managed ITDR, Managed EDR (Endpoint Detection and Response), Managed SIEM, and Managed SAT (Security Awareness Training).
For Lloyd, the difference came down to what "managed" actually means. With their previous tool, SOC analysis was available as a separate paid tier. Next Perimeter ultimately wanted analyst-backed reviews included by default, giving their clients stronger context and support around signals that surfaced.
"The fact that every single component of Huntress has a SOC looking at it has been a complete game changer for my team," says Lloyd. "It's reduced the amount of noise, and the actual cases that are coming in are actionable threats."
Huntress also fit Next Perimeter's Microsoft-forward approach. Where the previous tool sidelined Defender into passive mode, Huntress manages and operationalizes the Microsoft tools clients already pay for, adding managed detection, SOC review, and remediation on top.
"We wanted a single pane of glass," says Teitelroit. "Not a single agent per se."
Results | Millions of events narrowed down to the threats that mattered
Over the first 180 days, Huntress processed 341 million SIEM events for Next Perimeter. The Huntress SOC narrowed those down to 209 signals worth investigating. From there, 100 were confirmed incidents, sent to Next Perimeter with SOC review complete and remediation steps already in hand.
That changed the work for Next Perimeter's service delivery team. Instead of digging through noisy alerts, they could focus on verified incidents and client remediation.
Lloyd says they haven't received a false positive since switching. Many incidents involved unexpected VPN or non-US logins. Huntress surfaced them fast enough for Next Perimeter to separate travelers from threats and act on the real ones immediately.
The marketing client's device code phishing incident was the clearest proof point.
Device code phishing abuses a legitimate OAuth flow built for devices that can't open a browser, like smart TVs. In the real flow, a device generates a short code and asks users to visit a sign-in page to approve access. Attackers weaponize this by initiating that flow themselves, then phishing the user into entering the code at a real Microsoft login page. The user thinks they’re approving a normal device sign-in, but they’re actually authorizing access for the attacker. Instead of stealing a password, the attacker receives valid OAuth tokens that can keep working until those tokens are revoked.
Once Huntress detected the suspicious OAuth activity, they cut off the attacker's active access and locked the account. Next Perimeter promptly received the logs they needed to understand exactly what happened. When the attacker tried to get back in, those attempts failed. The account was secured in minutes, and the user was back online with a clean session within the hour.
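To make the pattern concrete, here is an added example (not Huntress's or Next Perimeter's detection logic) that flags a successful device code sign-in from an IP the user has never used, then lists the failed retries after containment. The records, field names, addresses, error value, and containment time are all constructed; `protocol` stands in for whatever field your log source uses to mark the device code flow.

```python
# Constructed sample records, loosely shaped like identity-provider sign-in logs.
# error == 0 means success; any nonzero value is a constructed failure marker.
SIGNINS = [
    {"time": "2024-05-02T13:01:00", "user": "ana@agency.example",
     "ip": "198.51.100.7", "protocol": "none", "error": 0},
    {"time": "2024-05-03T15:40:00", "user": "ana@agency.example",
     "ip": "203.0.113.50", "protocol": "deviceCode", "error": 0},
    {"time": "2024-05-03T15:52:00", "user": "ana@agency.example",
     "ip": "203.0.113.50", "protocol": "none", "error": 1},
    {"time": "2024-05-03T16:30:00", "user": "ana@agency.example",
     "ip": "198.51.100.7", "protocol": "none", "error": 0},
    {"time": "2024-05-04T08:00:00", "user": "sam@agency.example",
     "ip": "198.51.100.9", "protocol": "none", "error": 0},
    {"time": "2024-05-04T08:05:00", "user": "sam@agency.example",
     "ip": "198.51.100.9", "protocol": "deviceCode", "error": 0},
]

def suspicious_device_code(signins):
    """Successful device-code sign-ins from an IP the user has not used before."""
    seen = {}   # user -> IPs with earlier, unflagged successful sign-ins
    hits = []
    for e in sorted(signins, key=lambda e: e["time"]):
        known = seen.setdefault(e["user"], set())
        if e["error"] != 0:
            continue
        if e["protocol"] == "deviceCode" and e["ip"] not in known:
            hits.append(e)          # do not trust this IP going forward
        else:
            known.add(e["ip"])
    return hits

def blocked_retries(signins, hit, contained_at):
    """Failed attempts from the flagged IP against the same user after containment."""
    return [e for e in signins
            if e["user"] == hit["user"] and e["ip"] == hit["ip"]
            and e["time"] > contained_at and e["error"] != 0]

if __name__ == "__main__":
    for hit in suspicious_device_code(SIGNINS):
        print("flag:", hit["user"], hit["ip"], hit["time"])
        # Constructed containment time: sessions revoked one minute after the hit.
        for r in blocked_retries(SIGNINS, hit, "2024-05-03T15:41:00"):
            print("  blocked retry:", r["time"])
```

The second user's device code sign-in is not flagged because it comes from an IP that user already signs in from, which is the kind of baseline that keeps legitimate device enrollments out of the queue.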
Conclusion | Security that matches how Next Perimeter already works
Next Perimeter runs on four core values: customer focus, operational excellence, being outcome-driven, and professional accountability. Teitelroit says Huntress has aligned with those values from the beginning.
"Our experience has been a complete 180 from what we were dealing with before," says Lloyd.
For Next Perimeter, Huntress fits the way they already serve clients: identity-first, SOC-backed, and focused on work that actually moves protection forward.