Keeper links identity security alerts into ServiceNow
Keeper Security has launched a new integration with ServiceNow that channels identity and access security alerts from its platform into ServiceNow's IT Service Management and Security Incident Response modules.
The move links Keeper's password, secrets and privileged access monitoring with existing ServiceNow-based incident workflows. Security teams can receive high-priority alerts in real time inside the same system they use for broader IT and security operations.
The integration targets a rising volume of attacks that use stolen or misused credentials. Organisations face attacks that exploit passwords, passkeys and privileged accounts across distributed infrastructure.
Industry data shows that the human element remains a significant factor in breaches. The 2025 Verizon Data Breach Investigations Report states that 60% of cybersecurity breaches involve human actions, such as compromised passwords or misuse of access.
Keeper's own research suggests that many organisations are investing in tools that focus on identities and elevated accounts. The company reports that 69% of organisations have adopted Privileged Access Management as a defence against credential theft.
Many of these organisations use products such as KeeperPAM, which is Keeper's cloud-based platform for privileged access management. The new ServiceNow integration links alerts from that platform and other Keeper services into the ServiceNow environment.
Keeper Security describes identity-based threats as increasingly complex. It also highlights the need for cleaner signals about suspicious activity.
"Identity-based attacks are growing more sophisticated, but the fundamentals remain the same. Defenders need reliable signals and immediate context, and this integration delivers both," said Craig Lurey, CTO and Co-founder of Keeper Security. "By sending Keeper's privileged access telemetry to ServiceNow in real time, security teams can focus on analysis and action instead of stitching data together. It's a streamlined, practical way to strengthen visibility where it matters most."
The integration sends alerts on events within the Keeper platform into ServiceNow via a secure webhook. It uses OAuth 2.0 for connection security. Only authorised Keeper systems can send alerts to the ServiceNow instance.
The Keeper Security IT Service Management application in ServiceNow guides administrators through the setup process. It provides tools for configuring the webhook, managing authentication tokens and connecting the Keeper environment without additional development work.
Once connected, the integration converts incoming alerts into Security Incident Response tickets. Each alert becomes a record in ServiceNow with contextual data attached. Analysts see details such as the type of event, associated user or system, and any related privileged activity.
This approach reduces manual ticket creation. It also standardises how identity and privileged access events move into the organisation's wider incident queue.
Security teams can triage and investigate incidents within ServiceNow. They can follow existing playbooks and escalation rules. Keeper states that this structure supports more consistent investigations of incidents that involve credentials, secrets and privileged sessions.
The integration also supports events from BreachWatch, which is Keeper's monitoring service for compromised passwords. Alerts about detected compromised credentials can appear in ServiceNow as incidents. Analysts can then review and respond under their normal processes.
Administrators can assign severity levels to different categories of alerts from Keeper. The mapping aligns incoming events with an organisation's existing response rules inside ServiceNow. Events that indicate higher risk, such as unusual privileged user behaviour or high-risk credential actions, can receive higher priority.
Alert payloads include metadata that supports investigation. This includes contextual information around users, resources, and the nature of the triggered event. The aim is to reduce the number of steps needed before an analyst can act.
Keeper also highlights its zero-knowledge security architecture in relation to the integration. The company states that it cannot access or decrypt customer data. ServiceNow receives alerts with metadata and event context, but Keeper does not hold the keys to the underlying encrypted information.
Closing visibility gaps
The integration sits within a wider push in the security sector for clearer visibility over identity and privileged access activity. Many organisations have separate tools for password management, secrets management and privileged access control.
When systems operate in silos, alerts around logins, credential use and elevated sessions can remain isolated. Security teams may rely on manual processes to move information from one platform into a central incident queue.
Keeper positions the ServiceNow integration as a way to reduce this gap. Alerts from across the Keeper ecosystem flow into a common incident handling process in ServiceNow. This includes activity linked to administrative accounts and other elevated roles.
Darren Guccione, CEO and Co-founder of Keeper Security, said organisations face adversaries that move quickly. He points to the need for prompt delivery of critical signals.
"Attackers don't wait, so organizations shouldn't wait either for the critical signals that can stop an attack before damage is inflicted," said Darren Guccione, CEO and Co-founder of Keeper Security. "By bringing Keeper's privileged access intelligence straight into ServiceNow, in real time, we're giving organizations a faster path to detection and response at the identity layer, where most attacks begin."
Keeper says the new integration is available in the ServiceNow Store. Documentation for deployment is published alongside the application for administrators who plan to roll it out in production environments.
