Semperis, an identity-driven cyber resilience and crisis response company, announced that Purple Knight, its free, community-driven Active Directory and Entra ID security assessment tool, now fully supports Microsoft Government Community Cloud High (GCC High) environments.
This milestone expansion ensures that the tens of thousands of U.S. federal civilian agencies, Department of Defense organizations, and defense industrial base contractors operating in GCC High can, for the first time, leverage identity security assessment capabilities already trusted by more than 65,000 organizations worldwide.
The announcement comes at a critical moment for federal cybersecurity. The Five Eyes Alliance (the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Australian Signals Directorate (ASD), Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the New Zealand National Cyber Security Centre (NCSC-NZ)) updated a landmark joint advisory in 2025 titled ‘Detecting and Mitigating Active Directory Compromises.’ The report recommends several tools to assess Active Directory security posture, including Purple Knight.
Until now, federal agencies and defense organizations running GCC High tenants—the cloud environment purpose-built by Microsoft to meet the stringent FedRAMP High, ITAR, and DFARS compliance requirements that most government agencies must adhere to—were unable to take advantage of Purple Knight’s Entra ID scanning capabilities. Agencies could assess their on-premises Active Directory health but could not extend that same assessment into their GCC High cloud identity environment. That gap has now been closed.
“With this release, Purple Knight delivers a unified, holistic security posture score that spans both on-premises Active Directory and GCC High Entra ID environments,” said Jimmy McNary, Semperis Vice President of Federal Solutions. “Federal IT and security teams can now run a single assessment to identify risky configurations, misconfigurations, and unpatched vulnerabilities across their entire hybrid identity infrastructure—not just the on-premises half. This is a gamechanger for agencies striving to meet the identity security requirements outlined by the Five Eyes guidance, Executive Order 14028, FISMA, and OMB Memorandum M-22-09, all of which demand that federal organizations adopt Zero Trust principles, harden identity systems, and continuously monitor for compromise.”
“Federal agencies have been told for years that identity is their new perimeter, but many still lack practical, low-friction tools to validate whether that perimeter is truly resilient,” said Ed Amoroso, CEO of TAG Cyber and former Chief Security Officer of AT&T. “Extending Purple Knight into GCC High gives federal defenders a fast, community-driven way to benchmark their hybrid identity posture against the latest Five Eyes guidance and Zero Trust expectations.”
For federal agencies looking to move beyond point-in-time assessments, Semperis also offers Directory Services Protector (DSP) for continuous hybrid AD threat detection and response, Active Directory Forest Recovery (ADFR) for cyber-first disaster recovery, and Lightning Intelligence for automated, SaaS-based continuous identity security posture monitoring.


