Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.petrasecurity.com/llms.txt

Use this file to discover all available pages before exploring further.

Mid-Trial FAQs

Yes! You can link Connectwise, HaloPSA, or Autotask to Petra.

How does billing work?

You’ll get an invoice at the end of the month, it’ll include a link to pay via Stripe. Payment is on Net 30 terms.

Can I pause/remove tenants?

Yes, you can remove tenants or pause them (retain data, no cost) in Settings -> Usage.

How do volume-based pricing tiers work?

Once you cross into a certain volume tier, all billable identities are billed at that tier. Usage is summed across all tenants in an organization.

What counts as a Billable User?

See here. Tl;dr: a billable user is a non-free licensed Microsoft account. Shared Mailboxes and similar accounts are monitored but not billed for.

Are Shared Mailboxes billable?

No. Petra still monitors for compromises on these accounts, but does not bill for them.

Can I use Petra for health checks when I onboard a new client?

Yes. Petra runs a Scan lookback on every onboarded tenant, surfacing active attackers, malicious inbox rules, and malicious apps. After ~3 days of baselining, ongoing monitoring kicks in.

What is Autopsy Mode?

Every onboarding includes a Petra Scan that surfaces active attackers, persistence, and notable past compromises. Autopsy Mode goes further by pulling every past incident with complete forensic detail, including compromises that were already fully remediated. It is designed for IR firms and special cases, has additional cost, and is available upon request. Most users do not need it. See Autopsy Mode for details.

Do you have material to help me show value to my clients?

Yes. See the “Marketing” tab in Petra for more.

Can I invite a co-managed client to Petra?

Yes. Go to Settings -> Access, click “Invite”, then select “External Guest” as the role. You can select one or multiple tenants to scope access. You can also configure additional permissions:
  • Is Read Only: Set to true to restrict the client to viewing only
For more details, see Co-Managed Tenants and Member Roles and Permissions.

What shows up in Co-Managed?

Co-managed access allows an end client direct access to the Petra portal, scoped to a particular tenant or set of tenants.. Often, co-managed clients will spend time exploring the logs viewer and examining Failed Attacks and top targeted users. Partial Members will only have access to their assigned tenant(s) and will not have access to the Marketing tab.

How should I talk about Petra with my clients?

Lean on the fact that Account Compromise is the #1 cause of money lost to cybercrime. If there is one threat to protect against, it’s this one. Use data from your tenants (anonymized if helpful). Show a client what life is like with M365 monitoring (example incident of yours, caught quickly), versus without it (example Autopsy, cautionary tale).

Does Petra detect AiTM OAuth token theft?

Yes. Petra detects AiTM token theft regardless of how the token was stolen, whether through DNS hijacking (as in Forest Blizzard / APT28), a phishing proxy page, or any other interception method. Petra doesn’t sit inline on the network, so it won’t detect the DNS hijack or TLS interception itself. Detection happens when the attacker uses the stolen token to access the account: Petra sees the session from new infrastructure, flags AiTM-specific patterns (like the programmatic browser agents common AiTM toolkits use), and enriches every login with proxy/datacenter/residential-proxy intelligence. If an attacker replays a stolen token, Petra’s SOC detects the intrusion, locks them out, and alerts you in real time. No configuration needed. It’s on by default for every onboarded tenant.

What is leftover persistence?

Leftover persistence is an artifact a previous attacker left behind that still exists in the tenant: an inbox rule, an OAuth app consent, a service principal, a device registration. The original compromise may already be remediated, but the artifact itself is still there. Petra surfaces these so they can be cleaned up. From the incident, use the Remediation Actions panel to remove the rule, app, or registration. See Remediate an Account Compromise for the full flow.
Disabling an inbox rule is not the same as deleting it. Petra will keep flagging a disabled rule as leftover persistence because the rule still exists on the mailbox. Use Delete Rule from the incident page to clear it for good.

Why do remediated incidents still show up on the incident page?

Remediated incidents stay on the incident page. They do not disappear. This is intentional: the incident record is your audit trail and the source for reports. The “N incidents” badge shows all incidents in the last 30 days, not just active ones. An active threat looks different: it will have an open status and live remediation actions in the Remediation Actions panel. If the same “leftover persistence” incident keeps re-appearing for a user, the underlying artifact (usually an inbox rule) is likely disabled but not deleted. See What is leftover persistence? above.