Auth0 selects Expel for super cloud coverage and transparent, reliable partnership

The identity platform uses Expel to help increase overall efficiency and monitor complex cloud environments, 24x7.

The company

Auth0, a product unit within Okta (NASDAQ: OKTA), is a leading customer identity and access management (CIAM) platform. Auth0 makes it easy for developers and application teams to add authentication and authorization services to their applications in a way that maximizes security, privacy, and user experience. For more information, visit

The situation

With a rapidly-expanding customer base, Auth0 needed a way to scale its thoughtful approach to platform security for customers around the world.

As critical infrastructure, Auth0 has contractual obligations to its customers around security – one of the most important being a requirement for 24×7 detection and response (DnR). Combined with its large existing security operations center (SOC) team, Auth0 wanted to outsource additional capabilities to continue meeting the requirement.

The goal was also to allow Auth0’s security team to concentrate on other strategic priorities – including an increased focus on custom monitoring of its core product, and continuing to expand in-house expertise in multiple cloud platforms, like Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS).

Auth0’s authentication and authorization services are the digital front door for thousands of consumer and SaaS applications. Security with a great user experience needs to come first in all of Auth0’s decisions.

So, what does a worst-case scenario look like? For Adam Maksimuk, Detection & Response Manager, Corporate Security at Auth0, it’s encountering incidents without a playbook.

“The scariest scenarios are the ones you never envision,” Maksimuk explained. “Anything completely new, when there’s no historical tabletop to reference or tools available. We never want to be in a situation where we don’t have the incident response tools, the exposure, or depth of experience to allow us to take ownership. It’s the unknown.”

Like any service provider faced with the risk of the unknown, Maksimuk considered how to best protect both the Auth0 product unit and its customers. He had to ask: Where are the potential gaps? And what does Auth0 need to be focused on to drive business priorities forward?

With most of Auth0’s experience and exposure in AWS, it needed to find a vendor to augment and expand its cloud monitoring in the newer environments, while continuing to meet customer requirements in existing ones.

Evaluating options

Maksimuk and team looked for a provider that would be more than just a vendor, but a partner for him and his team, and found Expel.

“We saw all the expertise that Expel was bringing right on the blog – publishing and talking about automation, and pushing the envelope forward in security,” Maksimuk shared. “We saw the chance to work with someone aligned on automation and focused on the same security concerns we had prioritized.”

With their interest piqued, Auth0 began the process with Expel – first meeting with sales, then solution architects, and finally sitting down with the DnR team.

“Expel not only covered all of Auth0’s cloud providers, but really showed us their entire detection strategy,” said Troy Wegner, staff security engineer, corporate security at Auth0. “And, it was really, really good.”

After hearing these sentiments echoed from others in the industry, Auth0 chose Expel as its new managed detection and response (MDR) and security partner.

We saw all the expertise that Expel was bringing right on the blog – publishing and talking about automation, and pushing the envelope forward in security. ”

⎯Adam Maksimuk | Detection & Response Manager

How Expel helps

Expel Workbench™ proved to be a valuable tool for Auth0 from the onset. Presenting key information in an easy-to-understand interface helped Auth0’s team to make smart decisions more efficiently.

Expel quickly adapted to Auth0’s environment and recommended a penetration test. This test early on in the partnership helped Auth0 identify potential gaps and focus on areas of its product that needed additional attention. Expel followed up after the test to discuss and workshop what happened to improve the experience in the future.

Maksimuk said communications like these following any test or incident, with proactive outreach from Expel, is what makes the relationship feel more like a partnership – especially when compared with his previous experience with other providers.

Another area where Expel was able to customize to Auth0’s specific needs was triaging a subset of Guarduty alerts, triggered by Auth0 customers’ making changes in their Auth0 tenant (a key product feature). These alerts are noisy, making them difficult to understand and triage due to volume and false positives. The Auth0 team wasn’t sure if they’d find a vendor that was able to handle their custom use case. Cue, Expel.

Right away, “I was able to share context about [Auth0’s] environment right in Workbench, which Expel DnR engineers could use to filter and approve access,” said Maksimuk. “Expel is really on top of our custom requirements for our environment.”

Not only did the services Expel provided meet Auth0’s contractual language for customer requirements, but the Expel analysts also included answers and recommended next steps with every investigation. This process made it easy for Maksimuk and team to quickly engage other Auth0 teams for remediation next steps.

As Maksimuk said, “This allowed us to take a deep breath because we didn’t have to become Azure and GCP experts overnight when we initially branched out to becoming multi-cloud. We have confidence in Expel and the detections in place, which gives us the capacity to focus on our backlog for other issues we know we need to invest in — it enables us to scale better.”

I was able to share context about [Auth0’s] environment right in Workbench, which Expel D&R engineers could use to filter and approve access. Expel is really on top of our custom requirements for our environment.”

⎯Adam Maksimuk | Detection & Response Manager, Auth0


For Auth0, the benefits became clear as early on as the onboarding process. “Talking to Expel was like talking to someone else on our team,” Maksimuk said. “They knew our environments and the potential threats we were focused on. It was an easy, natural transition.”

Benefits of partnering with Expel

  • Streamlined onboarding process and easy transition
  • Data-driven reporting right in Workbench
  • Transparent and reliable automation, accelerating quality response – giving engineers the time and space to focus on other improvements
  • Augmenting detection; in this case, with cloud coverage across AWS, Azure, and GCP

Expel’s visibility and expertise in the cloud has been helpful as Auth0 continues to invest more heavily in multiple cloud infrastructures. While Auth0 continues its strong relationship with AWS, it recognized the need to expand its team’s tooling and knowledge.

Through automated enrichment and correlation, the Expel SOC has the ability to detect potential risks even earlier. Customer context provided by the Auth0 team allows the SOC to prioritize the most business critical assets and alerts. So when the Expel team opens an investigation and assigns remediation actions to the Auth0 team, they have everything they need to compare with the other systems that Expel isn’t monitoring to understand and deliver on next steps.

Expel’s emphasis on data-driven reporting enables Maksimuk and his team to readily communicate goals and achievements to the company’s leadership. These reports have helped Auth0 to identify places where it could be more efficient overall.

His team also regularly analyzes the metrics to hone in on potential areas for improvement — such as identifying common false positives, and why some alerts consistently show up in different environments.

“With the help of Expel, knowing you’re in good hands with a trusted vendor in the space, we are confident that our team can turn their attention to areas where we need to continue building,” Maksimuk said.

With Expel’s transparent platform, reliable automations, and coverage across cloud environments, Auth0’s security team can shift their focus back to improving their core product to meet (and exceed) the needs of a rapidly expanding customer base.