PRODUCT: Scheduled reports
SUMMARY: Huntress provides Monthly and Quarterly Threat Reports to partners. These reports were redesigned in April of 2026; read this article to see what's new!
Table of Contents
Threat Report Overview Definitions
Detailed Summary Reports for Organizations
Accessing and Running Custom Reports
Overview
The Huntress Monthly and Quarterly Threat Reports have been updated with a modernized design and expanded product coverage. The updated reports continue to answer the same core question — "What did Huntress do for me lately?" — but now with a refreshed visual layout, richer insights, and data across more Huntress products including Managed EDR, Managed ITDR, and Managed SIEM.
This article covers what has changed, what is new in this release, and what remains the same.
What's New
Updated Visual Design
The reports have been redesigned with a modern, horizontal (landscape) layout. Key visual changes from the previous format include:
- A horizontal, card-based layout replacing the legacy portrait format
- A cleaner, more professional look optimized for screen sharing and slide decks
- Consistent visual style shared with other Huntress assessment reports, creating a unified experience
- Co-branding support — your account's logo and brand color appear on the cover and throughout the report
New cover page — supports co-branding with your logo and brand color
Updated Summary Page
The Summary page now presents your protection overview in a cleaner card layout with a funnel visualization showing:
- Events analyzed → Signals detected → Signals investigated → Incidents reported
- Entities Protected counts (Windows, macOS, Servers, Identities)
- Analyst Notes from the Huntress SOC team
- Global Threat highlights relevant to your environment
Updated Summary page with funnel visualization and analyst notes
New Content and Coverage
In addition to the visual refresh, this release adds new pages covering capabilities not previously included in the monthly and quarterly reports.
Firewall Status Monitoring
The Managed EDR section now includes a Firewall Status Monitoring page, providing a snapshot of Windows Firewall status across your eligible endpoints:
- Hosts with firewall enabled or disabled
- Hosts with policy conflicts between local settings and Group Policy Object (GPO)
- Engineering insights with recommended next steps when issues are detected
New Firewall Status Monitoring page — endpoint firewall health at a glance
External Recon
A new External Recon page provides visibility into your organization's externally visible attack surface — the "low-hanging fruit" that attackers commonly target:
- External IP addresses and open ports identified via Shodan
- A breakdown of analyzed services by risk level (Risky vs. Normal)
- Examples of high-risk exposed services: RDP, SMB, FTP, SQL, and more
New External Recon page — externally visible services and risk breakdown
Managed ITDR Coverage
Accounts with Managed ITDR enabled will now see ITDR data directly in their monthly and quarterly reports — data that was previously only available in the standalone ITDR Assessment. The ITDR section includes:
- ITDR event triage funnel — events analyzed, signals detected, signals investigated, and incidents reported
- Total Identities protected with billable vs. non-billable breakdown
- Top usage locations for your monitored Microsoft 365 identities
- Capability-specific pages for Unwanted Access, Shadow Workflows, and Rogue Applications — each with incident previews and sidebar explainers
New Managed ITDR section — event triage, identity protection, and usage locations
Managed SIEM
Accounts with Managed SIEM enabled will now see a dedicated SIEM section in their reports. This page provides a full-funnel view of SIEM activity during the reporting period:
- SIEM logs ingested (with Smart Filtering applied to reduce noise)
- SIEM signals detected, investigated, and incidents reported
- Visibility into how raw log volume maps to actionable threat intelligence
New Managed SIEM section — log ingestion, signals, and incident reporting
Incident Summary
A new cross-product Incident Summary page consolidates all incidents from the reporting period in one place:
- Total incident count with severity breakdown (Critical, High, Low)
- Breakdown of incidents by product (EDR, ITDR, SIEM)
- Most targeted devices and most commonly reported AV signals
New Incident Summary page — cross-product incident breakdown by severity and source
Coming Soon
The Managed EDR Assessment Report is launching soon as a standalone report for EDR trial accounts. Once launched, the EDR Assessment content will also be incorporated into the monthly reports for existing Managed EDR customers.
Note: The EDR Assessment Report is a separate report from the Monthly and Quarterly Threat Reports covered in this article. A dedicated KB article will be published when it launches.
What Hasn't Changed
The following remain the same as before:
- Reports are generated monthly and quarterly at the account and organization level
- Reports can be generated on demand for a custom date range of up to 90 days via the Reports page in the portal
- Organization-level report recipients are managed per organization via the org edit page
- Account-level reports remain available in the portal under Reports
- Branding settings (logo and brand color) are configured in Account Settings
- The report is white-labeled — Huntress is not referenced by name in the report body, so it can be shared directly with your end clients
Frequently Asked Questions
Will I still receive reports on the same schedule?
Yes. The delivery schedule has not changed. Monthly reports are sent on the 1st of each month, and quarterly reports are sent on the 1st of each new quarter.
Will my existing report recipients still receive the new reports?
Yes. Existing organization-level recipients will continue to receive reports automatically. Account-level reports remain available in the portal.
I don't use Managed ITDR or Managed SIEM. Will those sections appear in my report?
No. Report sections are only shown for capabilities that are active on your account. If ITDR or SIEM is not enabled, those pages will not appear in your report.
I noticed the report looks different. Is something wrong?
No, this is expected. The reports have been updated with a new visual design. All the same data and content are present, just presented in the refreshed format.
Can I still generate a report for a custom date range?
Yes. Ad-hoc reports for custom date ranges (up to 90 days) can be generated at any time from the Reports page in the Huntress portal.
When will the EDR Assessment Report be available?
The standalone EDR Assessment Report is coming soon for EDR trial accounts. Once launched, existing Managed EDR customers will also see EDR Assessment content integrated into their monthly reports. A dedicated KB article will be published at launch.
Threat Report Overview Definitions
- Events Analyzed: Represents all the data ingested and analyzed by the Huntress Platform. This includes automated analysis and in some cases an actual human hunting through the telemetry events, looking for suspicious behaviors. Events include autoruns, monitored canary files, EDR antivirus events, EDR process events, Microsoft 365 cloud events, and other telemetry sources.
- Signals Detected: Each month, hundreds to thousands of signals can be detected via automated and human analysis, but not all signals are the same. A majority of signals are low fidelity, are used for contextual purposes only, and do not require investigation when detected in isolation. However, in context with other higher-fidelity, suspicious signals, they become useful for discovering attacker tradecraft. Signals that are detected but not investigated are not currently visible in the Huntress UI.
- Signals Investigated: These are the potential security threats that a Huntress SOC Analyst manually investigated to determine malice before making a reporting decision. Signals are the leads that kick off a cyber investigation within the Huntress SOC. When a high-fidelity, suspicious signal enters the triage queue, it will be investigated by a SOC analyst.
- Incidents Reported: Each report communicates a likely compromise to one of your managed endpoints or identities. One or more Signals Investigated was indicative of malicious behavior leading to an incident report. Remember, not all signals are reported (see Investigation Context).
- Protected User Profiles: This count refers to Windows user profiles where Huntress Ransomware Canaries are deployed. Because canaries are placed in user profile folders, this number may be lower than the total endpoint count, especially in mixed Windows and macOS environments or on devices without eligible Windows user profiles.
Detailed Summary Reports for Organizations
Toggling this option affects the data presented to you when generating reports for organizations under your account. When this option is OFF, reports for organizations under your account are abridged. When this option is ON, reports for organizations under your account will generate a full data set.
To change this setting, open the top-right dropdown menu in the Huntress portal, select Settings, and scroll down to “Detailed Threat Summary Reporting”.
Accessing and Running Reports
You have the option to get a report for your account and an individual report for each of your organizations.
Automatically Sending Reports
You have the option to automatically send reports to specified users.
On the Organizations view, click the pencil icon to edit the settings for the organization you want to automatically send reports to.
On the Organization Settings page, enter the email addresses to send the reports to and click Save.