EDR Integrations
See and act on endpoint threats without leaving your RMM.
EDR Integrations connect your endpoint detection and response platforms to Breeze so you can view threat data, agent coverage, and incident details alongside your managed fleet. Instead of switching between your RMM and EDR consoles, Breeze syncs agent and threat data on a schedule and maps it to your existing devices automatically.
Supported EDR Vendors
Breeze currently integrates with two leading EDR platforms. Huntress syncs agents and incidents into Breeze via API pull and webhook push. SentinelOne syncs agents, threats, and site mappings, and adds operational control: device isolation and threat actions dispatched directly to the SentinelOne management console.
Automatic Agent Linking
During each sync, Breeze matches imported EDR agents to enrolled Breeze devices automatically. Huntress agents are matched by hostname against each device’s hostname and display name (case-insensitive). SentinelOne agents match first by computer name, then fall back to IP address. Agents that cannot be matched surface as “unmapped” in the integration status dashboard so you can enroll the missing device or correct the hostname.
Device Isolation and Threat Actions
With SentinelOne connected, you can isolate compromised endpoints and act on detected threats directly from the Breeze dashboard. Threat actions include kill, quarantine, and rollback (Windows only), and isolation enforces network containment at the endpoint. Up to 200 devices or threats can be acted on in a single request, with each action’s status tracked back through SentinelOne.
Multi-Tenant Organization Mapping
Because EDR data spans your whole customer base, Breeze lets you attribute it to the right organization. Huntress is configured once at the partner level and each Huntress organization is mapped to a Breeze organization. SentinelOne organizes agents into Sites, which you map to Breeze organizations for multi-tenant management from a single console. Organization users only see the agents and incidents for their mapped org.
Automation Events
Both integrations emit platform events that can trigger automations and outbound webhooks, so security activity drives action automatically. Available events include new and updated Huntress incidents, Huntress agents going offline, new SentinelOne threats, completed device isolations, and completed threat actions. Use them to open a ticket when a critical incident is reported or notify your on-call channel when an endpoint is isolated.
Security and Sync Reliability
API keys and tokens for both vendors are encrypted at rest with AES and never returned in API responses. Huntress webhooks are verified with HMAC-SHA256 signatures and rejected if no secret is configured. Sensitive operations such as creating integrations, isolating devices, and executing threat actions require MFA verification. SentinelOne syncs automatically retry up to three times with exponential backoff, and each integration records its last sync status and any error for quick diagnosis.
Ready to see EDR Integrations in action?
Book a 20-minute demo to see how EDR Integrations works in your environment, or compare plans and self-host today.
Ready to try Breeze?
Self-host the open-source agent or join the managed cloud beta. No credit card required.
Related features
All features →Coming from another RMM? See how Breeze compares on price, features, and openness.
Compare Breeze