Keeper Security has introduced a new integration with ServiceNow IT Service Management (ITSM) and the Security Incident Response (SIR) module. This integration enables organizations to securely funnel security alerts from the Keeper platform into ServiceNow, streamlining and accelerating investigations involving credentials, secrets, and privileged access.
Stolen credentials remain one of the most common entry points for cyber attackers. According to the 2025 Verizon Data Breach Investigations Report, 60% of cybersecurity breaches involve the human element, including compromised passwords and misuse of access. Keeper’s global research reinforces the urgency of protecting the identity layer, with 69% of organizations adopting Privileged Access Management (PAM) to defend against credential theft. Many of these threats originate from privileged and administrative activity, which organizations secure through solutions like KeeperPAM®, Keeper’s cloud-native PAM platform. The new ServiceNow integration helps teams operationalize these defenses by routing high-priority identity and access alerts into the workflows they already rely on for incident management.
“Identity-based attacks are growing more sophisticated, but the fundamentals remain the same. Defenders need reliable signals and immediate context, and this integration delivers both,” said Craig Lurey, CTO and Co-founder of Keeper Security. “By sending Keeper’s privileged access telemetry to ServiceNow in real time, security teams can focus on analysis and action instead of stitching data together. It’s a streamlined, practical way to strengthen visibility where it matters most.”
The Keeper Security ITSM application provides a guided setup experience and a secure, OAuth 2.0-protected webhook to receive alerts from the Keeper platform. Security teams can operationalize activities such as BreachWatch detections of compromised passwords, changes in privileged user behavior and high-risk actions involving credentials, secrets or privileged sessions. The integration automatically converts incoming alerts into SIR tickets with full contextual detail, allowing analysts to triage and investigate with greater accuracy and fewer manual steps.
Key features include:
- Secure Webhook Ingestion: Endpoint protection with OAuth 2.0 ensures that alerts are only accepted from authorized Keeper systems.
- Automated Incident Creation: Incoming alerts are mapped to SIR records, eliminating manual ticket creation and reducing response time.
- Custom Priority Mapping: Administrators can assign severity levels based on alert type, aligning Keeper events with existing response processes.
- Guided Setup and Token Management: Administrators can configure the connection and manage authentication tokens without custom development.
- Comprehensive Alert Context: Alert payloads include detailed metadata to support efficient investigation.
- Zero-Knowledge Security Architecture: Keeper cannot access or decrypt customer data, ensuring maximum privacy and security.
“Attackers don’t wait, so organizations shouldn’t wait either for the critical signals that can stop an attack before damage is inflicted,” said Darren Guccione, CEO and Co-founder of Keeper Security. “By bringing Keeper’s privileged access intelligence straight into ServiceNow, in real time, we’re giving organizations a faster path to detection and response at the identity layer, where most attacks begin.”
As organizations contend with increasingly distributed infrastructure and a rise in credential-driven attacks, consistent visibility across identity and privileged access tools is essential. Keeper’s integration with ServiceNow closes a persistent monitoring gap and strengthens an organization’s ability to detect, investigate and resolve identity-related incidents quickly.
The ServiceNow integration is available now in the ServiceNow Store, along with full documentation for deployment here.
Related News:
Keeper Recognized for Non-Human Identity Management Excellence
