Customer stories

Customer stories

How MSPs are winning with enhanced.io

How Whitehat Virtual Technologies caught the attack its endpoint tools could not see

The Texas MSP ran endpoint MDR across a healthcare client and the dashboard stayed green. The threat was on identity, where the agent could not look.

In short: Whitehat Virtual Technologies ran endpoint MDR across its healthcare and enterprise clients, and it reported clean. enhanced.io found an identity-based intrusion the endpoint agent never saw, because the attack never touched a monitored device. With correlation across identity, cloud, network and endpoint in one SOC, Whitehat now catches what agent-based tools miss.

Location

Texas, USA

Specialization

Security-focused managed services for healthcare and enterprise clients across the US and Europe

End clients

Healthcare organizations with HIPAA requirements and enterprise clients with multi-site deployments

Portfolio scale

Mid-market MSP. Client and device counts not disclosed.

Security stack (before)

Endpoint MDR with no correlation across identity, cloud or network. Agent-based alerts only, with no visibility into attacks that bypass the endpoint.

Partnership start

2020

Location

Texas, USA

Specialization

Security-focused managed services for healthcare and enterprise clients across the US and Europe

End clients

Healthcare organizations with HIPAA requirements and enterprise clients with multi-site deployments

Portfolio scale

Mid-market MSP. Client and device counts not disclosed.

Security stack (before)

Endpoint MDR with no correlation across identity, cloud or network. Agent-based alerts only, with no visibility into attacks that bypass the endpoint.

Partnership start

2020

Location

Texas, USA

Specialization

Security-focused managed services for healthcare and enterprise clients across the US and Europe

End clients

Healthcare organizations with HIPAA requirements and enterprise clients with multi-site deployments

Portfolio scale

Mid-market MSP. Client and device counts not disclosed.

Security stack (before)

Endpoint MDR with no correlation across identity, cloud or network. Agent-based alerts only, with no visibility into attacks that bypass the endpoint.

Partnership start

2020

What problem was Whitehat Virtual Technologies trying to solve?

When the market shifted

When the market shifted

Whitehat Virtual Technologies built its reputation on hard clients. Healthcare organizations with HIPAA obligations. Enterprise clients with multi-site networks. The kind of work that needs more than managed IT, and clients who pay for a provider that can handle it.

Its security stack was endpoint-led. An EDR agent on every managed device, feeding an MDR service that watched those agents. On paper that looked like coverage. The dashboard was green and stayed green.


The problem is what an endpoint agent can and cannot see. An agent watches the device it runs on. It does not watch a sign-in from a stolen session token. It does not watch a mailbox rule quietly forwarding finance email to an outside address. It does not watch lateral movement between two servers that both look healthy. When an attack lives on identity, cloud or the network rather than on a managed endpoint, an endpoint tool has nothing to report.


For a practice serving healthcare clients, that gap is the whole risk. The data attackers want sits in Microsoft 365 and line-of-business apps, reached through stolen credentials, not through malware on a laptop. Whitehat needed to see the surfaces its endpoint tools were blind to, without ripping out the stack it already ran.

"Our endpoint tooling told us everything was fine. The problem was everything it could not see. A clean agent is not the same as a clean environment, and we needed something that knew the difference.”

Val King

CEO, Whitehat Virtual Technologies

"Our endpoint tooling told us everything was fine. The problem was everything it could not see. A clean agent is not the same as a clean environment, and we needed something that knew the difference.”

Val King

CEO, Whitehat Virtual Technologies

"Our endpoint tooling told us everything was fine. The problem was everything it could not see. A clean agent is not the same as a clean environment, and we needed something that knew the difference.”

Val King

CEO, Whitehat Virtual Technologies

"Our endpoint tooling told us everything was fine. The problem was everything it could not see. A clean agent is not the same as a clean environment, and we needed something that knew the difference.”

Val King

CEO, Whitehat Virtual Technologies

Why did Whitehat Virtual Technologies choose enhanced.io?

Val’s test for a partner was simple. Does this close the gap the endpoint stack leaves open, or does it just add another agent to manage?

enhanced.io closed the gap. The SOC correlates signals across identity, cloud, network and endpoint in one place, so an event that looks harmless on any single surface is caught when the surfaces are read together. A sign-in that an identity log treats as routine becomes an alert when it lines up with an unusual mailbox change and traffic to an unknown host.


It overlaid the stack Whitehat already ran. The existing EDR stayed in place, feeding enhanced.io alongside identity, cloud and network telemetry, through 400+ integrations and no rip and replace. Whitehat added a layer, it did not rebuild.


The model fit how Whitehat sells. Channel-only, so enhanced.io never sells to Whitehat’s clients and the relationship stays Whitehat’s. A named Fractional Security Director included from day one, on hand for the client conversations where a healthcare board wants to hear from a security lead. A fixed monthly subscription, so the economics of each new client are clear from the start.

enhanced.io

Your Team

Your Clients

"We did not want another tool to babysit. We wanted someone watching the surfaces we could not. That is what we got"

Val King

CEO, Whitehat Virtual Technologies

What does the Whitehat Virtual Technologies and enhanced.io security stack look like?

What does the Whitehat Virtual Technologies and enhanced.io security stack look like?

Endpoint

Endpoint

Multiple endpoint and EDR tools across the client base, kept in place and ingested by enhanced.io for cross-surface correlation

Network

Network

enhanced.io network detection across client environments, including lateral movement and traffic to unknown hosts that endpoint tools do not see

Cloud and SaaS

Cloud and SaaS

Microsoft 365, Azure, AWS and Google Workspace telemetry monitored for account takeover, mailbox rule abuse and data access anomalies

Identity

Identity

Identity monitoring across the client’s identity provider and directory, covering sign-in activity, account takeover, credential and MFA abuse, and privilege misuse

OT and IoT

OT and IoT

Not in scope for Whitehat’s core portfolio. Remove or update if applicable.

SOC delivery

SOC delivery

enhanced.io 24/7 SOC with cross-surface correlation, alert triage, incident response and HIPAA-aligned reporting for healthcare clients. Named Fractional Security Director for client relationship continuity.

What results has Whitehat Virtual Technologies achieved with enhanced.io?

Whitehat now catches the attacks its endpoint stack used to miss


The clearest example is an identity attack. An attacker signs in to a client’s Microsoft 365 with a stolen session, so no malware runs on a managed device and the endpoint agent stays green. enhanced.io correlates the unfamiliar sign-in with a newly created mailbox forwarding rule and escalates it, so Whitehat can shut the account down before data leaves the tenant. On the endpoint-only stack Whitehat ran before, none of that would have surfaced.

Visibility across the surfaces endpoint tools miss

Identity, cloud and network are now monitored alongside the endpoint, not instead of it. The attacks that bypass an agent, credential theft, mailbox abuse and lateral movement, are in view. The dashboard reflects the whole environment, not only the managed devices.

Healthcare and enterprise clients covered on every surface

HIPAA-aligned monitoring and reporting now sit on top of full-surface detection. Whitehat can show a healthcare client that its email, identity and network are watched, not only its laptops. That is a stronger answer than an endpoint-only competitor can give.

The client relationship stayed Whitehat’s

enhanced.io is channel-only and never sells to Whitehat’s clients. The security capability is delivered under Whitehat’s name, so the trust Whitehat built with healthcare and enterprise clients stays with Whitehat.

A named security lead for the hard conversations

When a client board asks who is watching their environment, Whitehat has a named Fractional Security Director to bring to the call. The security expertise is there for the conversation without Whitehat hiring a security director of its own.

"Stop treating the endpoint as the whole picture. It is half of it, at most. Find out what is watching the other half, because that is where your clients get hit.”

"Stop treating the endpoint as the whole picture. It is half of it, at most. Find out what is watching the other half, because that is where your clients get hit.”

Val King

CEO, Whitehat Virtual Technologies

What would Whitehat Virtual Technologies say to other MSPs facing the same problem?

Val King’s view is blunt. A green endpoint dashboard is not proof you are safe. It is proof your agents are fine. Those are different things.


For any MSP running endpoint-led security, the question is what watches identity, cloud and the network. If the honest answer is nothing, that is where the next breach comes from, and an endpoint tool will not warn you.

Frequently asked questions

Questions we get asked

Can an endpoint MDR miss a real breach?

Yes. An endpoint agent only sees the device it runs on. Attacks that work through stolen credentials, cloud accounts, email or network movement often never touch a monitored device, so the agent has nothing to detect. A clean endpoint dashboard means the agents are healthy, not that the environment is safe.

What kind of attacks do endpoint agents not see?

What is identity-based attack detection?

What is the difference between EDR and full spectrum detection?

How does enhanced.io catch what an endpoint agent misses?

How does the named Fractional Security Director model work for a multi-client MSP?

Does enhanced.io replace our EDR?

Ready to deliver a complete cybersecurity solution?

Let’s talk

Ready to deliver a complete cybersecurity solution?

Let’s talk