Coro
About Coro
Coro brings together all core security protections in one platform. Easy to use. Ready to scale. One interface for all modules, eliminating the need for integration and improving security posture. The company offers a range of cybersecurity solutions, including email protection, data protection, and endpoint security. It has earned recognition from SE Labs for its advanced security protection. Coro's platform is designed for lean IT teams and is scalable to meet the needs of growing businesses.
Why Notable
KuppingerCole Challenger 2025
Sector Coverage
Feature Coverage
Administration & Console
| Control Panel | full | Central place to configure subscribed modules and add-ons. |
|---|---|---|
| Cloud application administration | full | Control Panel manages cloud applications. |
| Protected users administration | full | Control Panel manages protected users. |
| Device administration | full | Control Panel manages protected-user devices. |
| Synchronize users from cloud apps button | full | Lets admins synchronize protected users and groups in seconds. |
| Data governance actions from data tickets | full | Actions menu can apply data-governance permissions directly from tickets. |
| Control Panel restructuring in v2.0 | full | Coro 2.0 restructured the control panel. |
| Exclude outgoing email scans by subject keyword | full | Release note added subject-keyword exclusion for outgoing scans. |
| Cloud apps section in control panel | full | Control Panel includes Cloud apps section. |
| Devices section in control panel | full | Control Panel includes Devices section. |
| Users section in control panel | full | Control Panel includes Users section. |
| Email section in control panel | full | Control Panel includes Email section. |
| Data section in control panel | full | Control Panel includes Data section. |
| Protectable user discovery | full | Connecting cloud applications causes Coro to discover protectable users from directories. |
Cloud Security
| Connected cloud application monitoring | full | Cloud Security connects cloud apps and monitors access to user accounts. |
|---|---|---|
| Regulatory-compliance support | full | Cloud Security supports regulatory compliance for connected apps. |
| Heuristic activity analysis | full | Uses heuristics to observe suspicious activity by logged-in users. |
| Location-based access controls | full | Can enforce access permissions by geographic location. |
| IP-based access controls | full | Can enforce access permissions by IP address. |
| Abnormal access alerts | full | Alerts administrators about abnormal access and activity patterns. |
| Large data-download alerts | full | Detects unusually large download events. |
| Large data-deletion alerts | full | Detects unusually large deletion events. |
| Cloud-file malware scanning | full | Scans for malware in uploaded or shared cloud-storage files. |
| Cloud Security policies tab | full | Policies UI for access permissions and threat types. |
| Access-permission policies | full | Admins can configure access permissions for connected cloud apps. |
| Access-permission violation tickets | full | Raised when users log in from disallowed locations or IPs. |
| Permitted locations dropdown | full | Displays currently configured access permissions. |
| Allowed countries and US states | full | Location-based access permissions can use countries or U.S. states. |
| Allowed IP ranges | full | Access policies can allow specific IP addresses. |
| Automatic remediation on access-policy violations | full | Policies define remediation for access violations. |
| Threat detection policy defaults | full | Threat detection policies are created by default for all protected users. |
| Threat type: Impossible Traveler | full | Detects impossible-travel access anomalies. |
| Threat type: Abnormal Admin Activity | full | Detects abnormal admin actions. |
| Threat type: Mass Data Deletion | full | Detects mass deletion activity. |
| Threat type: Mass Data Download | full | Detects mass download activity. |
| Threat type: Suspected Bot Attacks | full | Detects suspicious bot-like behavior. |
| Threat type: Suspected Identity Compromise | full | Detects likely identity compromise. |
| Automatic remediation for cloud-security threats | full | Threat-type policies support automatic remediation when violated. |
| Missing-permission detection status | full | Coro flags when detections are disabled because required permissions or audit logs are missing. |
| Audit-log dependency | full | Cloud policies become active only after required permissions are granted and audit logging is enabled and syncing. |
| Third-party application management | full | Supports third-party application management for Microsoft 365 and Google Workspace. |
| Unauthorized third-party app blocking | full | Admins can block unauthorized third-party apps from being installed. |
| Third-party application blocklist | full | Blocked apps appear in a dedicated blocklist. |
| Suspend user from one cloud app | full | Cloud Security tickets can suspend users from a named cloud app. |
| Suspend user from all connected cloud apps | full | Cloud Security tickets can suspend users across all connected apps. |
| Unsuspend from original ticket | full | Admins can restore access from the original ticket once the issue is resolved. |
Coro Cybersecurity
| Coro platform | full | Cloud-based cybersecurity platform for email, data, cloud apps, devices, and users. |
|---|
Coro Platform
| One Interface | full | All modules feed into one dashboard for visibility and response. |
|---|---|---|
| One Endpoint Agent | full | Single endpoint agent spans device posture, NGAV, EDR, ZTNA, VPN, firewall, and data governance. |
| One Data Engine | full | Shared data engine lets modules inform each other and improves security posture without heavy integration overhead. |
Data Governance
| Data loss and misuse protection | full | Provides multiple controls to protect sensitive information from unauthorized access and misuse. |
|---|---|---|
| Device monitoring for sensitive data | full | Can remotely scan endpoint drives for sensitive data. |
| Remote sensitive-data scan | full | Admins can launch remote scans from the Devices page. |
| Scheduled sensitive-data scans | full | Admins can schedule recurring scans for groups of devices. |
| Permission management | full | Supports definition of access rights for individuals and groups. |
| Ticket management | full | Actionboard summarizes data-protection and monitoring activity. |
| User Data Governance | full | Monitors and protects against data loss, misuse, and accidental exposure by users. |
| Monitor email data exposure | full | UDG monitors sensitive-data exposure via email. |
| Monitor shared-cloud-drive exposure | full | UDG monitors exposure in shared cloud drives. |
| Protected users model | full | Users can be explicitly protected in Coro. |
| Protectable users model | full | Users discovered in connected directories can be protectable but not yet protected. |
| Monitored sensitive data: Credit card data | full | Recognizes and monitors credit card data. |
| Monitored sensitive data: Health data | full | Recognizes and monitors health data. |
| Monitored sensitive data: Non-public data | full | Recognizes and monitors non-public data. |
| Monitored sensitive data: Personal data | full | Recognizes and monitors personal data. |
| Business-sensitive data: Certificates | full | Can monitor certificates as business-sensitive data. |
| Business-sensitive data: Keyword objects | full | Can monitor specific keyword-based objects. |
| Business-sensitive data: Passwords | full | Can monitor password disclosures. |
| Business-sensitive data: Source code | full | Can monitor source-code exposure. |
| Business-sensitive data: Specific file types | full | Can monitor selected risky file types. |
| Industry-based data privacy configuration | full | Automatically recommends sensitive data types based on the organization's industry. |
| Automated sensitive-data recommendations | full | Reduces ticket fatigue by selecting relevant sensitive-data types. |
| Configuration customization | full | Admins can modify selected industries and data types. |
| Sensitive data setup parameters | full | Monitoring page offers setup-parameters workflow. |
| Endpoint Data Governance | full | Scans endpoint drives for sensitive-data violations. |
| Endpoint scans are admin-initiated | full | Endpoint Data Governance does not continuously scan endpoint drives by default. |
| Endpoint ticket aggregation | full | EDG tickets include all detected occurrences for a single event. |
| EDG remote scan for sensitive data | full | Device action launches remote scan for sensitive data. |
| EDG regulations support: GDPR | full | Helps enforce GDPR-related controls. |
| EDG regulations support: GLB | full | Helps enforce GLB-related controls. |
| EDG regulations support: HIPAA | full | Helps enforce HIPAA-related controls. |
| EDG regulations support: SOC2 | full | Helps enforce SOC 2-related controls. |
| EDG regulations support: SOX | full | Helps enforce SOX-related controls. |
| Endpoint scan data type: Credit card data | full | Endpoint scans can identify credit card data. |
| Endpoint scan data type: Health data | full | Endpoint scans can identify health data. |
| Endpoint scan data type: Non-public data | full | Endpoint scans can identify non-public data. |
| Endpoint scan data type: Personal data | full | Endpoint scans can identify personal data. |
| Image sensitive-data scanning | full | Can detect sensitive data in bmp, jfif, jpeg, jpg, png, tiff, webp, x-portable-anymap, x-portable-bitmap, x-portable-graymap, and x-portable-pixmap images. |
| No scanned-PDF OCR for EDG | full | Cannot identify sensitive data in scanned PDFs or images embedded in documents such as Word files. |
| Expanded non-public data detection | full | Added new non-public data patterns such as APR, income, housing, and lender info. |
| Expanded Italian data detection | full | Added Italian license, fiscal code, passport, and VAT detection. |
| Expanded Spanish data detection | full | Added Spanish DNI, NIE, and passport detection. |
| Renamed data governance tickets | full | Ticket types were updated to support broader data-classification standards. |
Email Security
| API-based email security | full | Works with Gmail and Microsoft 365 via API connection, without user-by-user config. |
|---|---|---|
| Pre- to post-delivery email protection | full | Covers email security from pre- to post-delivery, including encryption services. |
| Identity spoofing protection | full | Detects identity spoofing threats. |
| Malware injection protection | full | Detects malicious software in email flows. |
| Ransomware injection protection | full | Detects ransomware delivery attempts in email. |
| Malicious embedded link detection | full | Identifies embedded malicious links. |
| Generic phishing detection | full | Detects broad phishing attacks. |
| Spear-phishing detection | full | Detects targeted spear phishing. |
| Email account takeover detection | full | Detects account takeover activity in email. |
| Spam content identification | full | Classifies spam in bodies, headers, and attachments. |
| Real-time email threat detection | full | Performs real-time detection against connected cloud email services. |
| Email Security tickets | full | Raises Email Security tickets describing the threat and remediation status. |
| Gmail support | full | API-based email security is available for Gmail. |
| Microsoft 365 support | full | API-based email security is available for Microsoft 365. |
| Runs after Gmail/M365 native controls | full | With API-based mode, provider rules run first and provider quarantine takes priority. |
| Inbound Gateway add-on | full | Optional email proxy can provide pre-provider detection and remediation. |
| Protect licensed users only | full | API-based mode protects licensed accounts in M365 or Google Workspace. |
| Need Inbound Gateway for unlicensed/shared users | full | Coro recommends Inbound Gateway for unlicensed users, groups, or shared inboxes. |
| Email settings tab | full | Control Panel tab for configuring threat detection and remediation. |
| Threat scan configuration | full | Admins can configure which email threats Coro detects and remediates. |
| Bypass criteria | full | Admins can configure bypass criteria for email scanning. |
| Quarantine settings | full | Admins can define quarantine settings for email. |
| Detection sensitivity | full | Admins can set email detection sensitivity levels. |
| Attachment quarantine | full | Admins can configure attachment-quarantine behavior. |
| Threat-scan exclusions | full | Admins can exclude emails from threat scanning. |
| Quarantine location | full | Admins can choose quarantine location. |
| Delete auto-forwarding rules | full | Settings support deleting malicious or risky auto-forwarding rules. |
| Point of contact | full | Settings support defining point-of-contact information. |
| Quarantined-email user reports | full | Can send reports for quarantined emails to users. |
| Allowlist bypass | full | Messages from allowlisted senders, domains, or IPs bypass detections. |
| Blocklist delete action | full | Emails from blocked senders can be blocked and deleted. |
| Blocklisted sender tickets | full | Raises Blocklisted sender or Crowd Blocked Sender tickets. |
| Warning-Only mode | full | Inbound Gateway flags suspicious emails without blocking them. |
| Block mode | full | Inbound Gateway blocks suspicious emails and quarantines them for admin review. |
| SUSPECTED tag | full | Marks suspicious emails with a caution tag in Warning-Only mode. |
| Secure Messages tab | full | Email Security area includes Secure Messages encrypted messaging service. |
| Add-Ins tab | full | Email Security area includes downloadable add-ins for user feedback and encrypted messaging. |
| Allow/Block tab | full | Email Security area includes sender allow/block controls. |
Endpoint / Network / MDM
| Endpoint Security AV | full | Protects Windows and macOS endpoints with antivirus. |
|---|---|---|
| Endpoint Security NGAV | full | Includes next-generation antivirus protection. |
| Advanced threat protection on endpoints | full | Uses ATP to defend endpoint devices against malware and phishing campaigns. |
| EDR behavioral analysis | full | EDR detects suspicious activity that bypasses traditional AV. |
| Real-time endpoint scanning | full | Endpoint scanning happens whenever a user or process accesses files. |
| Quarantine malicious files on endpoint | full | Malicious files are quarantined in real time. |
| Terminate malicious processes | full | Potentially malicious processes can be terminated. |
| ZTNA | full | Zero Trust Network Access is part of the Network module. |
| VPN | full | VPN is part of the Network module. |
| ZTNA device support: Android | full | ZTNA supported on Android devices. |
| ZTNA device support: iOS | full | ZTNA supported on iOS devices. |
| ZTNA device support: macOS | full | ZTNA supported on macOS devices. |
| ZTNA device support: Windows | full | ZTNA supported on Windows devices. |
| Mutually exclusive ZTNA or VPN selection | full | Network module requires selecting either ZTNA or VPN, not both. |
| ZTNA default deny | full | ZTNA blocks all connections by default until resource policies are configured. |
| Resource-policy instance limit | full | Each network policy can include up to five resource instances. |
| MDM policy type: Allowed and compliant application lists | full | MDM supports allowed/compliant application lists. |
| MDM policy type: Passcode restrictions | full | MDM supports passcode restrictions. |
| MDM policy type: Security policy | full | MDM supports security policies. |
| MDM policy type: Network policy | full | MDM supports network policies. |
| MDM policy type: App Restrictions | full | MDM supports app restrictions. |
| Connected services for MDM | full | MDM requires connected services and certificates for remote management. |
Inbound Gateway
| Inbound Gateway email proxy | full | Adds protection for third-party email providers and can add pre-provider protection for all email services. |
|---|---|---|
| SMTP relay configuration | full | Requires domain and SMTP relay details to forward checked messages. |
| MX record redirection | full | Uses top-level MX change to route inbound email through Coro. |
| Configuration test mechanisms | full | Provides testing mechanisms before DNS cutover. |
| Gmail inbound-gateway support | full | Supports Gmail as an original provider behind the Inbound Gateway. |
| Microsoft 365 inbound-gateway support | full | Supports Microsoft 365 as an original provider behind the Inbound Gateway. |
| Third-party MTA support | full | Supports other third-party mail transport agents behind the Inbound Gateway. |
Operations
| MSP global view | full | Unified MSP dashboard to monitor channel and descendant workspaces. |
|---|---|---|
| Release notes | full | Product documentation includes release notes and end-of-life notices. |
Platform Capability
| Public API | full | Coro documentation includes public API and developer content. |
|---|
Platform Evolution
| Email Security module in Coro 3.0 | full | Version 3.0 highlights Email Security as a module for phishing/malware detection and remediation. |
|---|---|---|
| Secure Messages add-on in Coro 3.0 | full | Version 3.0 introduces Secure Messages add-on for outbound encryption. |
| Coro 3.0 module expansion | full | Release blog says Coro 3.0 increased power with cloud security, email security, user data governance, endpoint security, EDR, endpoint data governance, network security, and MDM. |
| Robust add-ons | full | Coro 3.0 release blog notes some modules come with add-ons that scale with customer needs. |
| Gradual rollout process | full | Coro describes gradual rollouts for product and endpoint-agent features. |
Security Awareness Training
| Security Awareness Training module | full | Trains employees to recognize business threats and cyberattacks. |
|---|---|---|
| Phishing simulations | full | SAT includes phishing simulation capability. |
| Security training | full | SAT includes awareness training content. |
| Microsoft 365 SAT enrollment | full | Can enroll users from Microsoft 365. |
| Google Workspace SAT enrollment | full | Can enroll users from Google Workspace. |
| Third-party-email SAT enrollment | full | Can enroll users from other third-party email services. |
| SAT workspace trial | full | Offers a fully featured two-week trial run of SAT. |
| Trial phishing simulation plan | full | Admins can activate a trial simulation and training plan. |
| Best-practice cyber awareness content | full | Content is based on best-practice awareness guidance. |
| Regularly updated SAT content | full | Training is updated as the threat landscape evolves. |
| Timed training engagement tracking | full | Tracks assignment, completion, and overdue status against schedule. |
| Onboarding training for new employees | full | Additional option to introduce new employees to cyber awareness challenges. |
| Compliance training for employees | full | Additional option for sensitive-data regulation training. |
| SAT Actionboard panel | full | Actionboard includes a SAT dashboard panel for subscribers. |
| SAT statistics panel | full | Panel shows phishing simulation engagement and training completion statistics. |
| SAT activation banner | full | Coro shows an activation banner when SAT is not yet enabled. |
| SAT allowlisting requirement | full | SAT senders must be allowlisted in the organization’s email domain. |
| SAT supported on Microsoft 365 | full | Allowlisting guide lists Microsoft 365 support. |
| SAT supported on Google Workspace | full | Allowlisting guide lists Google Workspace support. |
| SAT supported on third-party email providers | full | Allowlisting guide lists other email-provider support. |
| SAT service management | full | SAT settings let admins activate SAT and manage related services. |
| SAT simulation configuration | full | SAT settings support configuring simulations. |
| SAT training configuration | full | SAT settings support configuring training. |
Security Module
| Endpoint Protection | full | Logs endpoint activity, analyzes anomalies, and automates resolution of security events. |
|---|---|---|
| Email Protection | full | Scans emails for threats and remediates them automatically. |
| Network Protection | full | Protects networks and data with ZTNA, VPN, and enterprise-grade encryption. |
| Cloud App Security | full | Protects cloud apps and drives with threat detection and remediation. |
| Data Protection | full | Protects user and endpoint data from leaks, misuse, and unauthorized access. |
| Security Awareness Training | full | Trains users against phishing and social engineering with simulations. |
| WiFi Phishing | full | Prevents end users from connecting to suspicious Wi-Fi endpoints. |
| Secure Web Gateway | full | Module family listed in Coro platform navigation. |
| User Data Governance | full | Enforces secure handling of PII and critical data. |
| Endpoint Data Governance | full | Enforces data-security policies on endpoints. |
| EDR | full | Supports reboot, shutdown, and isolation for compromised devices and processes. |
| Endpoint Security | full | Endpoint antivirus and next-generation antivirus protection. |
| Cloud Security | full | Cloud application access, activity, and file threat monitoring. |
| MDM | full | Mobile-device management capability with connected services and policy types. |