Obsidian Security - Token Compromise Prevention
SaaS identity security tool detecting & responding to token compromise attacks.

Obsidian Security - Token Compromise Prevention Description
Obsidian Security's Token Compromise Prevention is a SaaS identity security solution focused on detecting and responding to attacks that leverage stolen authentication tokens. It addresses the challenge that token-based attacks are difficult to detect because attackers mimic legitimate user behavior after stealing tokens, including through Attacker-in-the-Middle (AiTM) frameworks such as Evilginx.

The solution provides two primary detection mechanisms:

ML-Based Detections:
- Normalized view of identities to detect suspicious behavior across SaaS applications
- Anomalous user behavior identification across multiple phases of the kill chain
- Detection of AiTM framework attacks (e.g., Evilginx)
- Explainable ML models for deeper investigative context

Rule-Based Detections:
- Out-of-the-box detection rules mapped to the MITRE ATT&CK framework
- Rules informed by hundreds of incident response (IR) engagements
- Custom rule creation, testing, and deployment
- Automated backtesting to estimate expected alert volumes
- Rule fine-tuning based on risk factors such as terminated employees

Incident Response Capabilities:
- Months of searchable SaaS logs in human-readable format
- Contextual pivoting by IP, user, event type, and other attributes
- Behavioral baselining for individual users
- Identity and activity analysis across SaaS applications
- Tailored remediation steps to accelerate response workflows
Obsidian Security - Token Compromise Prevention FAQ
Common questions about Obsidian Security - Token Compromise Prevention including features, pricing, alternatives, and user reviews.
Obsidian Security - Token Compromise Prevention is a SaaS identity security tool for detecting & responding to token compromise attacks, developed by Obsidian Security. It is an IAM solution designed to help security teams with MITRE ATT&CK.