Corrata: extending Windows Defender ATP protection to Android & iOS devices

Windows Defender ATP protects your Windows devices against threats. And while Ziften provides options to extend Windows Defender ATP protection to macOS and Linux, until recently there were no partner solutions to extend Windows Defender ATP to iOS and Android.

Corrata, a mobile security provider, announced just recently that it integrated its solution with Windows Defender ATP and Microsoft Intune. Corrata generously provided me with a trial tenant, and I got to test drive their solution.


Corrata is a provider of mobile device security software, founded in 2016 by Colm Healy and Brendan McDonagh. Corrata’s software has two primary functions: (1) it defends against mobile threats and blocks malicious and inappropriate content from the web or from apps; (2) it helps eliminate unnecessary and unwanted data usage, for instance by controlling roaming data usage. Corrata was founded in Dublin, Ireland, and raised 1.3M in funding to build its solution.

Zero Gateway approach

Although there are other solutions out there like Lookout, Corrata is the first one to integrate with Windows Defender ATP, which helps companies that are pursuing a Microsoft-centric security architecture.

Corrata works very differently from other solutions. Most other endpoint threat protection solutions will ‘route’ all your device traffic through either a VPN or the internet to their proxies. They do the inspection centrally in their cloud and provide the software/app on the device with a status indicating whether this traffic is malicious. This adds a great deal of latency to the user’s network performance, but worst of all: these solutions get to see all your user’s traffic, a GDPR nightmare.

Corrata does the inspection of the network traffic locally, on the device itself, by using the native networking capabilities of the Android and Apple mobile operating systems. Visually it appears to the user as if a VPN connection is active, but in reality the tunnel is not terminated on the other end. Traffic goes through the APIs, and Corrata’s threat detection engine does the inspection in real time.

Another big advantage is that Corrata bases its logic on this network traffic and is agnostic to apps. Other threat detection solutions will categorize your apps and, for instance, classify Airbnb as something to be blocked because it takes credit card information. But business users may use Airbnb for their business travel, so the approach Corrata takes is to allow use of the app while checking in the background what connections are made and what behavior the app shows.

Mobile network usage

Alongside protecting the user from threats, Corrata can manage mobile network usage. The admin sets a central policy that determines whether usage is reported for informational purposes only or is restricted.

For instance, my ‘unlimited’ data plan by T-Mobile Netherlands has unlimited domestic data that the provider restricts to 5 Gb per day and has an allowance of 20 Gb roaming data per month on T-Mobile networks abroad (example: T-Mobile USA). Which by the way is a great deal for EUR 35 per month!

To make sure that I never get to pay overages, Corrata can warn me when I reach those critical usage levels, and I could potentially restrict my device from using more by setting limits in the Corrata policy.

Defending against mobile threats

The primary functionality of Corrata is to detect malicious traffic and activities, block them, and protect the user from harm. Here is how Corrata describes it:

“Corrata identifies threats by monitoring device content, settings, and activity for malicious behavior. It also inspects network activity across multiple layers and protocols to prevent connections to compromised servers. Corrata’s ground-breaking SafePathML algorithms target zero-day threats and with threat intelligence updated hourly.”

Because it works at a low level on the device, not only are your apps protected, but Corrata provides protection from the full scope of mobile threats:

“Corrata protects against social engineering attacks by blocking access to phishing over email, SMS, social media, and messaging applications. It also prevents malware infection by blocking access to unofficial app stores, filtering malicious sites and content, as well as intercepting communication with CnC infrastructure to disable any malware attacks that do occur.”

Windows Defender ATP integration

With two clicks, Corrata’s Windows Defender ATP integration is one of the easiest to set up that I’ve seen to date. You log in to the Corrata admin portal and click the first button to set up the corresponding access to your WDATP tenant for their application, which presents you with a consent page. Then you enter your Azure Active Directory ID and hit the Integrate button. That’s it.

On the backend, Corrata’s cloud then talks to the Windows Defender API to push device information and alerts into your WDATP instance.

Here’s a screenshot of an Alert:

Here’s a screenshot of Device information:

Intelligent Security Graph

An indirect but major benefit of the integration is that Corrata’s threat signals get shared on Microsoft’s Intelligent Security Graph. Any alert about malicious activity happening on the device gets sent from Corrata to Windows Defender ATP, and is then exposed on the Graph API.


Corrata is great at protecting your users and their mobile devices and is working on a vision to create an immune system for mobile. With the Windows Defender ATP integration, it adds valuable data to your SecOps practice and provides extra depth to your threat hunting activities by leveraging Microsoft’s Intelligent Security Graph.

Corrata can help build a single pane of glass on your environment, whether activities are happening on the endpoint, on Azure, or any other place, by allowing its information to be aggregated back into Azure Sentinel.

— Maarten Goet, MVP & RD