Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Predictive shielding (Preview) is a proactive defense strategy designed to anticipate and mitigate threats as part of an ongoing attack. Predictive shielding expands the Microsoft Defender autonomous protection stack, enhancing automatic attack disruption capabilities with proactive measures.
This article provides an overview of predictive shielding so that you can understand its capabilities and how it enhances your security posture.
Learn how predictive shielding works or how to manage predictive shielding in Microsoft Defender.
How predictive shielding expands on automatic attack disruption
The evolving threat landscape creates an imbalance: defenders must secure every asset, while attackers need only one opening. Traditional defenses are reactive, responding after malicious activity begins. This approach leaves defenders chasing attackers, who often act too quickly or subtly to detect in real time. While some attacker behaviors must be blocked outright, static prevention disrupts productivity and adds operational overhead.
To address these challenges, predictive shielding enhances Defender's autonomous protection stack, expanding attack disruption to include proactive measures during an attack, anticipating risks and applying targeted protections only where needed.
This proactive approach reduces the reactive chase, minimizes operational burden, maintains usability, and protects the environment before attackers can advance.
While attack disruption identifies and contains compromised assets, predictive shielding anticipates potential attack progression and proactively restricts vulnerable assets or paths. For example, while automatic attack disruption isolates a compromised device, predictive shielding might proactively restrict access to sensitive data for at-risk devices.
How predictive shielding works
Predictive shielding uses predictive analytics and real-time insights to dynamically identify emerging risks, and applies targeted protections.
Predictive shielding integrates posture, activity, and scenario context to identify potential attack paths and targets, selectively hardening critical assets, or constraining attack paths just in time.
This approach minimizes operational overhead and provides security teams with more time to respond. For example, predictive shielding can dynamically restrict access to sensitive data for devices identified as at-risk, reducing the need for broad, environment-wide restrictions.
Predictive shielding relies on two pillars:
- Prediction - Analyzes threat intelligence, attacker behavior, past incidents, and organizational exposure. Defender uses this prediction data to identify emerging risks, to understand likely attack progression, and to infer risk on noncompromised assets.
- Enforcement - Applies preventative protective controls to disrupt potential attack paths in real time.
This dual approach ensures that protection is both precise and timely.
Prediction logic
Prediction allows organizations to identify assets at risk and apply tailored protections in real time. Prediction focuses on emerging risks rather than static prevention, which minimizes operational friction and ensures that security measures are applied precisely where needed. For example, if a specific attacker tool is detected, predictive shielding can infer the next likely target based on past attack patterns.
Defender uses multiple layers of insight to make accurate predictions:
- Threat intelligence aligns observed activity with known attacker tools and tactics.
- Learnings from past incidents are used to recognize statistical patterns, and extrapolate the most probable next steps.
- Organizational exposure data is used to map how the environment is structured—which assets and identities are connected, which permissions these identities have, which vulnerabilities or misconfigurations exist, and how risk can propagate across them.
Together, these insights create a dynamic understanding of the environment and its risks.
Graph-based logic
Graph-based prediction logic bridges the gap between pre-breach and post-breach systems, providing a unified view of attacker activity across the organizational topology. This unified view includes the organization's assets, connections, and vulnerabilities. Graph-based logic combines live activity data with the structural map of the environment.
This integration allows Defender to dynamically adjust protections based on the most critical vulnerabilities, enabling real-time prioritization of defenses and stopping attackers before they reach critical assets.
The process involves three key stages:
- Defender overlays post-breach activity onto the organization’s exposure graph, creating a comprehensive view of potential attack paths.
- Defender identifies the blast radius—the related assets that the identified activity might affect.
- Reasoning models predict paths attackers are most likely to take, factoring in past behaviors, asset characteristics, and environmental vulnerabilities.
This dynamic understanding allows Defender to move beyond reactive responses, enabling just-in-time protection that stops attackers before they reach critical assets.
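The three stages above, worked through as an added example that is not part of this article or of Defender's implementation: a constructed exposure graph (hosts, an identity with cached credentials, a file server, a domain controller) is overlaid with an observed compromise, the blast radius is computed, and candidate attack paths are ranked by assumed per-edge priors so that only the next hop of the most probable paths is shielded. The graph, node types, priors and the action mapping are all hypothetical sample data.

```python
from collections import deque

# Constructed exposure graph (sample data, not from the article). Each edge is
# (target, relationship, prior): the assumed likelihood an attacker traverses it,
# standing in for the "learnings from past incidents" layer described above.
EXPOSURE_GRAPH = {
    "WS-01": [("svc-backup", "cached credential", 0.8), ("WS-02", "rdp allowed", 0.5)],
    "svc-backup": [("FILE-SRV", "local admin", 0.9), ("DC-01", "admin group", 0.6)],
    "WS-02": [("FILE-SRV", "smb share", 0.3)],
    "FILE-SRV": [("SENSITIVE-DATA", "hosts", 0.95)],
    "DC-01": [("SENSITIVE-DATA", "domain admin", 0.99)],
    "SENSITIVE-DATA": [],
}
NODE_TYPE = {"WS-01": "device", "WS-02": "device", "svc-backup": "identity",
             "FILE-SRV": "device", "DC-01": "device", "SENSITIVE-DATA": "data"}
CRITICAL_ASSETS = {"SENSITIVE-DATA", "DC-01"}
# Hypothetical mapping from asset type to the protective action to apply.
ACTION = {"identity": "contain user (block new sessions)", "device": "harden device"}

def blast_radius(graph, compromised):
    """Stages 1-2: overlay the observed compromise on the exposure graph and
    return every asset reachable from it (the blast radius)."""
    seen, queue = set(compromised), deque(compromised)
    while queue:
        for target, _rel, _prior in graph.get(queue.popleft(), []):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen - set(compromised)

def likely_paths(graph, compromised, targets):
    """Stage 3: enumerate simple paths from compromised nodes to critical assets
    and rank them by the product of edge priors (highest = most probable)."""
    paths = []
    def walk(node, path, score):
        if node in targets and len(path) > 1:
            paths.append((score, path))
        for target, _rel, prior in graph.get(node, []):
            if target not in path:
                walk(target, path + [target], score * prior)
    for start in compromised:
        walk(start, [start], 1.0)
    return sorted(paths, key=lambda item: item[0], reverse=True)

def shielding_plan(graph, compromised, targets, threshold=0.5):
    """Restrict only the first hop of each path at or above the threshold: the
    asset the attacker would need next, shielded before it is touched."""
    plan = {}
    for score, path in likely_paths(graph, compromised, targets):
        if score >= threshold and path[1] not in plan:
            plan[path[1]] = (round(score, 2), ACTION.get(NODE_TYPE[path[1]], "restrict access"))
    return plan
```

With WS-01 compromised, the whole graph is in the blast radius, but only the svc-backup identity sits on a path above the threshold, so the plan contains the single just-in-time action for that identity rather than an environment-wide restriction.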
Predictive shielding actions
Predictive shielding uses Defender for Endpoint-based actions. To use these actions, you need a Defender for Endpoint license.
Safeboot hardening - hardens the device against booting into Safe Mode. Booting into Safe Mode is a common tactic used by attackers to bypass security controls and maintain persistence on compromised systems.
GPO hardening - hardens Group Policy Objects (GPOs) to prevent attackers from exploiting misconfigurations or weaknesses in GPO settings to escalate privileges or move laterally within the network.
Proactive user containment (contain user) - combines activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity, and proactively restricts the activity of the users associated with those credentials.
Note
While the contain user action is used both in attack disruption and predictive shielding, this action is applied differently in each context. In predictive shielding, the contain user action applies restrictions more selectively, with a focus on users identified as high risk through prediction logic. This action prevents new sessions rather than terminating existing ones.
Next steps
- Manage predictive shielding in Microsoft Defender - Learn how to manage predictive shielding actions and investigate their impact in your environment.
- Automatic attack disruption in Microsoft Defender - Learn how automatic attack disruption works to identify and neutralize confirmed malicious activities.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.