About Okta ThreatInsight

The detection of a threat takes place prior to authentication evaluation. Requests that are blocked by Okta ThreatInsight prevent user lockouts from suspicious IP addresses. Configure Okta ThreatInsight to detect suspicious IP addresses from credential-based attacks.

When Okta ThreatInsight actions are enabled, end users may sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the user receives an HTTP 403 error.

Org Under Attack

With Org Under Attack enabled, statistical and machine learning models are combined to detect when an org is under attack. In such cases, ThreatInsight increases protection to an org by blocking suspicious IP requests aggressively and only returns a normal mode of protection once no further attacks are detected.

To learn more on how to query ThreatInsight events in the System Log, see System Log events for Okta ThreatInsight.

Okta recommendation Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses.
Security impact Critical
End-user impact Low

For more security recommendations from Okta, see HealthInsight.

Proxy IP usage

Okta can correctly identify the originating client IP for requests that are not proxied to Okta through proxy IP addresses.

When requests are proxied to Okta through trusted proxy IP addresses:

  • Okta expects that proxy IP addresses are configured as trusted proxies in any IP Zones.
  • Okta ThreatInsight cannot identify the originating client IP and is not effective in detecting threats if the trusted proxies are not configured correctly in IP Zones.


If the proxy IP addresses are not trusted by the admin, they should not be configured as trusted proxies in IP Zones.

In order to prevent abuse, Okta ThreatInsight is working in limited capacity for free trial editions. Please contact Okta Support if fully functional Okta ThreatInsight is required.

Okta ThreatInsight is just one tool in the security toolbox and blocks certain malicious traffic. It cannot guarantee 100% malicious IP address detection or 100% threat detection. To learn which endpoints support your Okta ThreatInsight implementation, please contact your Customer Success Manager or create a Support ticket at support.okta.com.

Related topics

Configure Okta ThreatInsight

System Log events for Okta ThreatInsight

Exempt an IP Zone from Okta ThreatInsight