Petra Response is a per-tenant setting that allows you to authorize the Petra team to remediate incidents for you.
Enabling Petra Response allows our team to remediate an incident, remove persistence mechanisms, and retract phishing emails as soon as the incident occurs. We have an extremely low surfaced false-alarm rate, so business disruption is minimal. We highly recommend that everyone enables Petra Response.

Steps to Remediate an Account

If Response is enabled, we will take care of the first 3 steps, leaving you to reset the password and re-enable the account.
  1. Revoke Sessions and Lock Account ✅
  2. Retract Phishing Emails ✅
  3. Disable Persistence Mechanisms ✅
  4. Reset Password
  5. Re-enable Account
  6. Mark as Remediated
✅ = Petra Response does this step.

How to Enable Petra Response

Go to the Home Page by clicking the logo in the top left corner. In the list of tenants, toggle the Petra Response switch to enable or disable it.
You’ll only need to do this if Petra Response is disabled. Otherwise, a member of the Petra team will take care of it as soon as the incident occurs.
When Petra detects a compromised account, it immediately appears as an active incident and notifies you via configured notification methods, such as your PSA, Teams chat, calls, or texts.

Remediating Without Petra Response

When Petra Response is not enabled, none of the first three steps happen automatically. Your team is responsible for working through all six remediation steps manually. Speed matters — the sooner you lock the attacker out, the less damage they can do.
If Petra Response is disabled, there is no one covering incidents 24/7. Make sure your team has notification methods configured and knows to act immediately when an alert arrives. We strongly recommend enabling Petra Response for every tenant.

How incidents appear without Petra Response

When Petra Response is off, new incidents start in an unpublished state. Petra still detects the compromise and sends your configured notifications (email, text, Teams, PSA, etc.), but no automatic action is taken. When you open the incident page, the Remediation Actions Panel will show a Publish Incident button at the top, before the numbered remediation steps.

Step-by-step: remediating manually

Before you start: Publish the incident

Click Publish Incident at the top of the Remediation Actions Panel. This makes the incident visible to your full team and is required before the remaining steps can proceed.

Step 1: Revoke sessions and lock account

Click Revoke Sessions and Lock Account. This immediately terminates all active sessions, disables the account in Microsoft 365, and prevents the attacker from logging back in. Do this before anything else.
This works for all account types, including on-premises synced and hybrid accounts.

Step 2: Retract phishing emails

Petra automatically identifies similar phishing emails across all mailboxes in the tenant and surfaces them for removal. Click the retraction button to move them to Deleted Items. This prevents other users from falling for the same phish.

Step 3: Disable persistence mechanisms

Attackers frequently establish persistence so they can regain access even after a password reset. Petra identifies and lists all persistence mechanisms it found. Work through each one:
  • Inbox rules — malicious mail filter rules (e.g. forwarding all email to the attacker). Click Disable or Delete.
  • App registrations / service principals — OAuth apps granted access to the mailbox. Click Disable.
  • Inbound connectors — unauthorized mail routing rules. Click Disable or Remove.
Do not reset the password until all persistence mechanisms are removed. An attacker with an active app registration or forwarding rule can maintain access or receive email even after a password change.

Step 4: Reset password

  1. Click Reset Password in the Remediation Actions Panel.
  2. Petra generates a new password and applies it to the account, then shows you the new password.
  3. Communicate the new password to the user securely. A phone call is best.

Step 5: Re-enable account

After the password is reset and safely communicated, click Re-enable Account to restore the user’s access.

Step 6: Mark as remediated

Click Mark as Remediated to close out the incident. The incident remains available for investigation, report generation, and export.

About trial expiration

A trial expiring does not affect your ability to remediate active incidents. All remediation actions remain fully functional regardless of trial status. Trial expiration only prevents onboarding new tenants or switching products.