Key points
- ITDR sits next to EDR and XDR but watches the identity layer (IdPs, AD/Entra, SaaS sign-ins) instead of endpoints.
- Coined by Gartner in 2022 in response to identity becoming the #1 initial access vector.
- Detects: impossible travel, token theft, golden ticket / DCSync attacks, OAuth grant abuse, session hijacking, persistence in Entra ID.
- Leading tools: Microsoft Defender for Identity, Silverfort, Authomize (now Delinea), Push Security, Oort (now Cisco), Permiso, Semperis.
- Complements (not replaces) IGA and PAM — those prevent excess access, ITDR detects when access is abused.
What is ITDR?
Identity Threat Detection and Response (ITDR) is the category of security tools that watch the identity plane for attacks: stolen sessions, MFA fatigue, golden tickets, OAuth consent phishing, Entra ID persistence, SaaS account takeover.
It exists because attackers stopped breaking in and started logging in. Verizon's DBIR has reported for years that stolen credentials are the most common initial access vector, and Mandiant's M-Trends shows identity-based intrusions dominate cloud breaches. Endpoint Detection and Response (EDR) and SIEM weren't built to spot a valid token being used by the wrong person.
What ITDR actually detects
- Credential theft signals — credentials appearing on infostealer marketplaces, password spraying, anomalous geo/ASN.
- Session and token abuse — stolen session cookies replayed from a new device (the Uber breach pattern), refresh-token theft, OAuth token replay.
- MFA attacks — push-bombing, SIM swap, AiTM (adversary-in-the-middle) phishing kits like Evilginx that bypass legacy MFA.
- Directory attacks — DCSync, DCShadow, Kerberoasting, golden / silver tickets in AD; Entra ID persistence via app consent, federated trust abuse, FOCI tokens.
- Privilege escalation paths — toxic combinations of group memberships, role assignments, conditional access gaps.
- OAuth and SaaS abuse — malicious third-party app consent, dormant accounts being awakened, account takeover in Salesforce / Workday / GitHub.
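As an added illustration (not code from the original page or any vendor named on it), the following Python sketches two of the detections listed above, impossible travel and session-token replay from a new device, over constructed sign-in events; the event field names, the coordinates and the 900 km/h threshold are assumptions.

```python
# Added example: toy ITDR-style detections over constructed sign-in events.
# Field names, values and thresholds are assumptions, not any IdP's real schema.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins. session_id is the session cookie / token presented.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "session_id": "s1",
     "device": "laptop-A", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},   # London
    {"ts": "2024-05-01T09:40:00", "user": "alice", "session_id": "s1",
     "device": "unknown-7", "ip": "198.51.100.9", "lat": 51.5, "lon": -0.12},  # same token, new device
    {"ts": "2024-05-01T10:00:00", "user": "bob", "session_id": "s2",
     "device": "laptop-B", "ip": "192.0.2.10", "lat": 40.7, "lon": -74.0},    # New York
    {"ts": "2024-05-01T11:00:00", "user": "bob", "session_id": "s3",
     "device": "laptop-B", "ip": "192.0.2.44", "lat": 35.7, "lon": 139.7},    # Tokyo, one hour later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        prev = last.get(e["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e["user"], "impossible_travel", round(km), round(km / hours)))
        last[e["user"]] = e
    return alerts

def session_replay(events):
    """Flag a session token presented from a device or IP other than the one that first used it."""
    alerts, origin = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        first = origin.setdefault(e["session_id"], e)  # remember the minting sign-in
        if first is not e and (first["device"] != e["device"] or first["ip"] != e["ip"]):
            alerts.append((e["user"], "session_replay", e["session_id"], e["device"]))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS) + session_replay(EVENTS):
        print(alert)
```

Real products enrich these signals with device posture, ASN reputation and MFA context before alerting; the point here is only that both checks run on identity-plane telemetry an EDR never sees.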
ITDR vs adjacent tools
| Tool | Watches | Strength |
| --- | --- | --- |
| EDR | Endpoint processes | Malware, in-memory attacks |
| ITDR | IdPs, AD/Entra, SaaS sign-ins | Identity-layer attacks |
| CIEM | Cloud IAM entitlements | Over-permission, drift |
| IGA | Access lifecycle & certifications | Excess access prevention |
| PAM | Privileged sessions & secrets | Admin-account protection |
When buyers care
- After a credential-theft or MFA-bypass incident (Cisco, Uber, Twilio, Cloudflare, Microsoft's Midnight Blizzard intrusion).
- Heavy SaaS footprint where IdP logs aren't enough on their own.
- Hybrid AD + Entra ID environments — AD attacks have been industrialized for a decade and most SIEMs detect only a fraction of them.
- Anywhere Zero Trust is being adopted — Zero Trust assumes breach, and ITDR is the "detect" half of that assumption.
Editorial note
ITDR is genuinely useful but vendor messaging is noisy. Evaluate on three things: (1) coverage of your IdP (Entra, Okta, Ping, Auth0, Google), (2) AD-attack detection depth (this is where Silverfort, Semperis, and Defender for Identity differentiate), and (3) response actions — can the tool actually revoke a session / disable an account / kill a token, or does it just alert?
