What Is ITDR? Identity Threat Detection and Response
Identity threat detection and response (ITDR) is the discipline that detects, investigates, and stops attacks abusing identities, credentials, and directories.
A help-desk ticket reset an executive's password at 2 a.m. The reset was legitimate, processed through the real self-service portal, satisfying every check. Minutes later the account enrolled a new MFA device, granted itself membership in a privileged group, and began pulling files from a finance share it had never touched. The endpoint agent saw nothing: no malware ran, no exploit fired, no binary dropped. The firewall saw an authorized session. Every preventive control was satisfied because the attacker was not breaking in. They were logging in.
Identity threat detection and response, ITDR, is the discipline built for exactly that intrusion. It is the set of tools and practices that detect, investigate, and stop attacks that abuse identities, credentials, and the systems that issue them, rather than the malware and exploits that endpoint and network tools were built to catch. This guide covers what ITDR is, why the attack moved to identity, the four things an ITDR capability does, how it works in a live intrusion, how it differs from EDR and IAM, and where it breaks. It is written for the people on the other end of that 2 a.m. alert: SOC analysts, threat hunters, and identity engineers.
What is ITDR?
ITDR is a security discipline that detects and responds to threats targeting identity infrastructure: user accounts, service accounts, the directories that hold them, and the credentials and privileges attached to them. Gartner named the category in March 2022, defining it as the threat intelligence, best practices, tools, and processes used to protect identity systems, detect when they are compromised, and respond to restore their integrity.
The unit of defense is the identity, not the host or the packet. The discipline watches who an identity is, what it is allowed to do, what it actually does, and how its standing posture changes, then acts when that picture turns hostile. It spans both halves of the problem: the proactive side, finding and fixing the exposures that make an identity attack cheap, and the reactive side, catching and stopping the attack in progress.
Gartner positioned ITDR to fill a specific gap. Identity and access management decides who gets in. Endpoint and network detection watch hosts and traffic. Neither was built to watch the identity layer itself for abuse, which is precisely where modern adversaries operate. ITDR is the control that sits on that layer.
Why the attack moved to identity
ITDR exists because the economics of intrusion changed. Breaking through a hardened endpoint or exploiting a patched perimeter is expensive and noisy. Logging in with a credential someone already stole is cheap and quiet.
The data is blunt about the shift. CrowdStrike's 2026 Global Threat Report found that 82% of detections in 2025 were malware-free, with adversaries leaning on valid credentials, trusted identity flows, and approved integrations to move across domains rather than dropping tooling a scanner would flag. The same report puts the average breakout time, from initial access to lateral movement, at 29 minutes. The attacker holds a real key and moves before most teams finish triaging the first alert.
When the credential is genuine, the traditional signals disappear. There is no malicious binary for the endpoint agent, no exploit signature for the IPS, no anomalous payload for the proxy. The login is real, the session is authorized, and the only thing wrong is who is behind it and what they do next. That residue, the behavior of a legitimate account in the wrong hands, is the signal ITDR is built to read. Everything else in the stack was looking for the wrong evidence.
The four things ITDR does
ITDR is not a single feature. A working capability does four jobs, and they map onto the two halves of the discipline: reduce exposure before the attack, and detect plus respond during it.
Posture and exposure management (proactive). Before any attack, the capability inventories the identity attack surface and shrinks it: dormant accounts that should be disabled, service accounts with stale or never-rotated passwords, standing privilege no one reviews, misconfigured trusts, weak or absent MFA, and orphaned identities no one owns. Every one of these is a cheaper path for an attacker, and fixing them is the prevention half of the job.
Threat detection (reactive). It analyzes identity telemetry (authentication events, directory changes, and access activity) to find attacks in progress. Some detections are rule-based and absolute, like impossible-travel logins. Most are behavioral, scoring activity against what is normal for that specific identity. This is where account takeover, escalation, and lateral movement surface.
Investigation and correlation. A single odd event rarely justifies action. The discipline chains weak signals on the same identity (an anomalous login, then an MFA device enrollment, then a privilege grant, then access to a sensitive share) into one high-confidence incident with the timeline an analyst needs to decide fast.
Response. Finally it acts to contain: force step-up authentication, terminate the active session, disable the account, revoke a token, or roll back a malicious directory change. Response can be analyst-driven or automated where confidence and policy allow, and speed is the whole point against a 29-minute breakout.
| ITDR function | Phase | What it produces |
|---|---|---|
| Posture and exposure management | Before the attack | A smaller, hardened identity attack surface |
| Threat detection | During the attack | Scored, prioritized identity alerts |
| Investigation and correlation | During the attack | A correlated incident with a timeline |
| Response | During the attack | Containment: session kill, account disable, rollback |
Drop the proactive half and ITDR becomes pure alerting on an attack surface no one shrank. Drop the reactive half and it becomes a hygiene report no one acts on. The value is in running both.
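The proactive half described above is concrete enough to script. The following is an added example, not code from the page or from any ITDR product: it runs the exposure checks the section lists (dormant accounts, stale service-account passwords, missing MFA, orphaned identities, standing privilege) over a constructed directory export. The thresholds, group names, and account records are assumptions for the example; a real deployment would read them from its own directory and tiering model.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed reference time so the assessment is deterministic (assumption for the example).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
DORMANT_DAYS = 90          # enabled account with no sign-in inside this window
STALE_PASSWORD_DAYS = 365  # service-account password older than this (or never set)
# Constructed set of groups treated as privileged; a real deployment maps its own tiering.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Finance-Admins"}

@dataclass
class Account:
    name: str
    kind: str                          # "user" or "service"
    enabled: bool
    last_logon: datetime | None        # None: never signed in
    pwd_last_set: datetime | None      # None: never set or unknown
    mfa_enrolled: bool
    owner: str | None                  # accountable person for service accounts
    groups: set[str] = field(default_factory=set)

def _older_than(stamp: datetime | None, days: int) -> bool:
    return stamp is None or NOW - stamp > timedelta(days=days)

def assess(accounts: list[Account]) -> list[tuple[str, str, str]]:
    """Return (severity, account, finding) tuples, highest severity first."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for a in accounts:
        privileged = bool(a.groups & PRIVILEGED_GROUPS)
        sev = "high" if privileged else "medium"   # the same gap on a privileged account is worse
        if a.enabled and _older_than(a.last_logon, DORMANT_DAYS):
            findings.append((sev, a.name, f"dormant: enabled, no sign-in in {DORMANT_DAYS} days"))
        if a.kind == "service" and _older_than(a.pwd_last_set, STALE_PASSWORD_DAYS):
            findings.append((sev, a.name, f"stale password: not rotated in {STALE_PASSWORD_DAYS} days"))
        if a.kind == "user" and a.enabled and not a.mfa_enrolled:
            findings.append((sev, a.name, "no MFA enrolled"))
        if a.kind == "service":
            owner = by_name.get(a.owner) if a.owner else None
            if owner is None or not owner.enabled:
                findings.append(("medium", a.name, f"orphaned: owner {a.owner!r} missing or disabled"))
        if privileged:
            held = ", ".join(sorted(a.groups & PRIVILEGED_GROUPS))
            findings.append(("low", a.name, f"standing privilege: {held}"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    return findings

def summarize(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per severity for the posture report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts

def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)

# Constructed directory export standing in for an AD or Entra inventory.
SAMPLE_DIRECTORY = [
    Account("cfo", "user", True, days_ago(1), days_ago(30), True, None, {"Finance-Admins"}),
    Account("intern_2025", "user", True, days_ago(200), days_ago(210), False, None),
    Account("jdoe", "user", False, days_ago(400), days_ago(400), True, None),          # left, disabled
    Account("svc_backup", "service", True, days_ago(1), days_ago(900), False, "jdoe", {"Domain Admins"}),
    Account("svc_report", "service", True, None, days_ago(100), False, "cfo"),         # never signed in
]

if __name__ == "__main__":
    report = assess(SAMPLE_DIRECTORY)
    for sev, name, finding in report:
        print(f"{sev:6} {name:12} {finding}")
    print(summarize(report))
```

The ordering matters more than the checks themselves: the privileged service account owned by a departed user with a 900-day-old password is the first line of the report, which is the path an attacker would also rank first.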
How ITDR works in an intrusion
Walk the help-desk attack through an ITDR capability and the pieces connect.
Baseline. The capability has already profiled each identity: the hours it works, the locations and devices it signs in from, the resources it touches, and the privileges it normally holds. Normal for a domain admin is nothing like normal for a kiosk account, so the baseline is per-identity. This is the same behavioral baselining that powers user and entity behavior analytics (UEBA), applied specifically to identity telemetry.
Detect. The 2 a.m. password reset is unusual but not damning on its own. The new MFA device on an executive account scores higher. The self-granted privileged-group membership is a high-fidelity directory event. Each is a signal; none alone is a verdict.
Correlate. The engine chains them. One identity, in a short window: off-hours reset, new MFA enrollment, privilege escalation, then access to a finance share outside its baseline. That sequence is a high-confidence detection that any single event would not support, and it arrives as one incident, not four disconnected alerts.
Respond. With the chain confirmed, it contains: terminate the session, disable the account, revoke the freshly enrolled MFA device, and reverse the group change. Done inside the breakout window, the intrusion ends before lateral movement reaches its target.
The faster that loop runs, the smaller the attacker's window. ITDR that surfaces yesterday's anomalies is a report. ITDR that correlates and contains in minutes is a control.
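The detection, correlation, and response functions from the previous section and the baseline-detect-correlate-respond loop walked through here can be shown end to end on the help-desk scenario. The following is an added example written for this page, not the page's own code or any product's engine: it scores constructed identity events against a per-identity baseline, chains them inside a time window into one incident, and derives containment actions from the incident timeline. The identity name, baseline, signal weights, threshold, and action names are all assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    identity: str
    kind: str      # "login" | "password_reset" | "mfa_enroll" | "group_add" | "file_access"
    attrs: dict

@dataclass
class Baseline:
    """What is normal for one identity (constructed here; a real engine learns it)."""
    work_hours: range
    locations: set[str]
    devices: set[str]
    resources: set[str]

@dataclass
class Incident:
    identity: str
    fired_at: datetime            # moment the chain crossed the threshold
    score: int
    events: list[Event] = field(default_factory=list)
    timeline: list[str] = field(default_factory=list)

BASELINES = {"exec.jane": Baseline(range(7, 20), {"US"}, {"laptop-jane"}, {"share-exec", "mail"})}
PRIVILEGED_GROUPS = {"Finance-Admins", "Domain Admins"}
WINDOW = timedelta(minutes=60)   # signals older than this no longer chain together
INCIDENT_THRESHOLD = 12          # summed weights needed to open an incident
MIN_DISTINCT = 3                 # distinct signal kinds needed, so one noisy event cannot fire

def score_event(ev: Event, base: Baseline) -> list[tuple[str, int]]:
    """Detect: turn one event into weighted signals against the identity's baseline."""
    signals = []
    if ev.kind in ("login", "password_reset") and ev.ts.hour not in base.work_hours:
        signals.append((f"off_hours_{ev.kind}", 2))
    if ev.kind == "login":
        if ev.attrs.get("geo") not in base.locations:
            signals.append(("new_location", 2))
        if ev.attrs.get("device") not in base.devices:
            signals.append(("new_device", 1))
    if ev.kind == "mfa_enroll":
        signals.append(("mfa_device_enrolled", 3))
    if ev.kind == "group_add" and ev.attrs.get("group") in PRIVILEGED_GROUPS:
        signals.append(("privileged_group_added", 4))   # directory event: highest fidelity
    if ev.kind == "file_access" and ev.attrs.get("resource") not in base.resources:
        signals.append(("resource_outside_baseline", 3))
    return signals

def _entry(ev: Event, sig: list[tuple[str, int]]) -> str:
    return f"{ev.ts:%H:%M} {ev.kind} -> {', '.join(n for n, _ in sig)}"

def correlate(events: list[Event]) -> list[Incident]:
    """Correlate: chain scored events per identity inside WINDOW into incidents."""
    incidents, chains, open_inc = [], {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        base = BASELINES.get(ev.identity)
        if base is None:
            continue          # coverage gap: no baseline, no behavioral verdict
        sig = score_event(ev, base)
        if not sig:
            continue
        inc = open_inc.get(ev.identity)
        if inc is not None and ev.ts - inc.events[-1].ts <= WINDOW:
            inc.events.append(ev)              # extend the open incident, not a new alert
            inc.timeline.append(_entry(ev, sig))
            inc.score += sum(w for _, w in sig)
            continue
        chain = chains.setdefault(ev.identity, [])
        chain.append((ev, sig))
        while ev.ts - chain[0][0].ts > WINDOW:
            chain.pop(0)
        total = sum(w for _, s in chain for _, w in s)
        kinds = {n for _, s in chain for n, _ in s}
        if total >= INCIDENT_THRESHOLD and len(kinds) >= MIN_DISTINCT:
            inc = Incident(ev.identity, ev.ts, total,
                           [e for e, _ in chain], [_entry(e, s) for e, s in chain])
            incidents.append(inc)
            open_inc[ev.identity] = inc
            chains[ev.identity] = []
    return incidents

def respond(inc: Incident) -> list[str]:
    """Respond: containment actions, including rollback of changes in the timeline."""
    actions = [f"terminate_sessions {inc.identity}", f"disable_account {inc.identity}"]
    for ev in inc.events:
        if ev.kind == "mfa_enroll":
            actions.append(f"revoke_mfa_device {ev.attrs['device_id']}")
        elif ev.kind == "group_add":
            actions.append(f"remove_from_group {inc.identity} {ev.attrs['group']}")
    return actions

# Constructed telemetry for the 2 a.m. help-desk scenario plus one benign daytime login.
T0 = datetime(2026, 2, 10, 2, 0)
SAMPLE_EVENTS = [
    Event(T0, "exec.jane", "password_reset", {"channel": "self-service"}),
    Event(T0 + timedelta(minutes=3), "exec.jane", "login", {"geo": "RO", "device": "win11-unknown"}),
    Event(T0 + timedelta(minutes=5), "exec.jane", "mfa_enroll", {"device_id": "mfa-9f3a"}),
    Event(T0 + timedelta(minutes=9), "exec.jane", "group_add", {"group": "Finance-Admins"}),
    Event(T0 + timedelta(minutes=14), "exec.jane", "file_access", {"resource": "share-finance"}),
    Event(datetime(2026, 2, 10, 9, 5), "exec.jane", "login", {"geo": "US", "device": "laptop-jane"}),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc.identity}: incident fired {inc.fired_at:%H:%M}, score {inc.score}")
        print("\n".join("  " + line for line in inc.timeline))
        print("  actions:", respond(inc))
```

Two design points carry the section's argument. The incident opens at the privileged-group grant, before the finance share is touched, which is the "inside the breakout window" outcome; in a streaming deployment `respond` would run at `fired_at` rather than after the log is replayed. And the later file access is appended to the open incident instead of raising a fifth alert, which is the difference between one correlated incident and four disconnected ones.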
ITDR vs EDR vs IAM
ITDR is often confused with the tools next to it. The cleanest way to see the difference is by what each one watches and when it acts.
| | ITDR | EDR | IAM |
|---|---|---|---|
| Watches | Identities, credentials, directories | Endpoints: processes, files, memory | Identity lifecycle and access policy |
| Primary job | Detect and respond to identity abuse | Detect and respond to endpoint threats | Decide and govern who gets access |
| Timing | During and before identity attacks | During endpoint attacks | At the moment access is requested |
| Catches the valid-credential attack? | Yes, that is its purpose | Mostly no, no malware to see | No, the request is authorized |
Endpoint detection and response watches what happens on hosts and is excellent at catching malware, suspicious processes, and exploit behavior. It is largely blind to an attacker who logs in with valid credentials and never drops a binary, because there is nothing on the endpoint to flag. Identity and access management governs the identity lifecycle (provisioning, authentication, and authorization) and decides whether a request is allowed at the moment it is made. It is preventive by design and cannot catch a policy being satisfied by the wrong person.
ITDR sits in the gap both leave. It assumes the credential is already compromised and the access already granted, and it watches the identity layer for the abuse that EDR and IAM are not built to see. The three are complementary, not competing: EDR owns the host, IAM owns the policy, ITDR owns the identity under attack.
The attacks ITDR is built to catch
ITDR earns its place against the class of attack that holds a real credential and therefore raises no traditional alarm.
Account takeover. An attacker authenticates as a real user with phished or stolen credentials. The login succeeds. The tell is the context (new geo, new device, odd hour) and the behavior after, not the authentication itself.
Credential-based intrusion. Most modern initial access is identity, not exploit. Stolen credentials from info-stealer logs, password spraying, and credential theft hand an attacker a front-door key, and the only downstream signal is how the account behaves.
Privilege escalation. Once inside, an attacker expands rights: adding the account to a privileged group, granting itself admin, abusing a service account. The privilege-change event is among the highest-fidelity signals ITDR produces, which is why watching directory change events matters as much as watching logins.
Lateral movement. An identity reaching systems it never normally touches, hopping host to host, is lateral movement seen from the identity plane. Access-pattern anomalies are where it surfaces, often inside the 29-minute breakout window.
Directory and infrastructure attacks. Techniques aimed at the identity store itself (Kerberoasting, DCSync, golden-ticket forgery, and abuse of trusts) attack the system that issues credentials. ITDR with directory visibility is one of the few controls positioned to see them.
The thread is that none of these involve software a scanner flags. They are legitimate accounts and trusted infrastructure behaving illegitimately, and behavior is the only signal left.
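The privilege-escalation and directory-attack signals above are the rule-based, high-fidelity end of ITDR detection, and they key on directory telemetry rather than on the login. The following is an added example, not code from the page or from any product: three rules run over constructed records that stand in for parsed Windows Security events. The event IDs and field values the rules match on are real (4769 service-ticket requests with the RC4 encryption type 0x17 for a Kerberoasting burst, 4662 carrying the DS-Replication-Get-Changes-All control-access right for DCSync, and 4728/4732/4756 group-membership adds), while the record layout, the account and SPN names, the domain-controller list, and the privileged-group list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: the DCs' machine accounts and the groups treated as privileged.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Real Windows Security values the rules key on.
RC4_HMAC = "0x17"                                              # 4769 TicketEncryptionType for RC4-HMAC
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All right
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}                       # member added to global/local/universal group

def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])

def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=5)):
    """Burst of RC4 service-ticket requests (4769) for many distinct SPNs by one account."""
    requests = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("enc") == RC4_HMAC:
            requests[e["account"]].append((_ts(e), e["spn"]))
    hits = []
    for account, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # slide the window over the sorted requests
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.append((account, sorted(spns)))
                break
    return hits

def detect_dcsync(events):
    """Directory replication right exercised (4662) by anything that is not a domain controller."""
    return [e["account"] for e in events
            if e["id"] == 4662 and REPL_GET_CHANGES_ALL in e.get("props", "")
            and e["account"] not in DOMAIN_CONTROLLERS]

def detect_privileged_group_change(events):
    """Membership added to a privileged group; a self-grant is the highest-fidelity form."""
    hits = []
    for e in events:
        if e["id"] in GROUP_CHANGE_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            how = "self-grant" if e["actor"] == e["member"] else "granted-by-other"
            hits.append((e["actor"], e["member"], e["group"], how))
    return hits

def run_rules(events):
    return {
        "kerberoasting": detect_kerberoasting(events),
        "dcsync": detect_dcsync(events),
        "privileged_group_change": detect_privileged_group_change(events),
    }

# Constructed records standing in for parsed Windows Security events (all values invented).
def _rc4(ts, account, spn):
    return dict(id=4769, ts=ts, account=account, spn=spn, enc=RC4_HMAC)

SAMPLE_EVENTS = [
    # one account pulls RC4 tickets for six different services in seven seconds
    _rc4("2026-02-10T02:11:03", "intern_2025", "MSSQLSvc/db01.corp.example"),
    _rc4("2026-02-10T02:11:04", "intern_2025", "MSSQLSvc/db02.corp.example"),
    _rc4("2026-02-10T02:11:05", "intern_2025", "HTTP/intranet.corp.example"),
    _rc4("2026-02-10T02:11:06", "intern_2025", "CIFS/fs01.corp.example"),
    _rc4("2026-02-10T02:11:08", "intern_2025", "exchangeMDB/mail01.corp.example"),
    _rc4("2026-02-10T02:11:10", "intern_2025", "TERMSRV/ts01.corp.example"),
    # a normal AES256 ticket (0x12) for one service: ignored by the rule
    dict(id=4769, ts="2026-02-10T09:05:12", account="cfo", spn="CIFS/fs01.corp.example", enc="0x12"),
    # replication right used by a service account, and legitimately by a DC
    dict(id=4662, ts="2026-02-10T02:15:40", account="svc_backup", props=REPL_GET_CHANGES_ALL),
    dict(id=4662, ts="2026-02-10T02:16:00", account="DC02$", props=REPL_GET_CHANGES_ALL),
    # privileged self-grant, and a routine add to a non-privileged group
    dict(id=4728, ts="2026-02-10T02:09:00", actor="exec.jane", member="exec.jane", group="Domain Admins"),
    dict(id=4728, ts="2026-02-10T10:30:00", actor="helpdesk", member="newhire", group="Staff"),
]

if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

None of the three rules looks at whether the account authenticated successfully; every matched request was authorized. What the rules read is the shape of directory activity (ticket-type bursts, replication rights outside the DC set, privileged membership changes), which is exactly the telemetry the section says a directory-aware ITDR must ingest, and the maintained DC and privileged-group lists are where the coverage-gap and ownership problems from the next section show up in practice.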
Where ITDR breaks
ITDR is powerful but far from automatic. Four failure modes recur.
False positives. Behavioral detection on a workforce that travels, works odd hours, and adopts new tools produces legitimate anomalies. Tuned badly, the system buries analysts in noise and trains them to dismiss the alerts that matter. Baseline quality and good correlation are what separate signal from alert fatigue.
Coverage gaps. ITDR is only as good as the identity telemetry feeding it. Accounts in unmonitored systems (a SaaS app outside SSO, a local account, an unfederated cloud directory) are blind spots, and attackers find them. Hybrid and multi-cloud estates make full coverage genuinely hard.
Identity sprawl. Service accounts, machine identities, and orphaned accounts now vastly outnumber human users, and many carry standing privilege no one reviews. Each is an account to monitor and a target to defend, and the inventory problem scales faster than the team does.
Tool overlap and ownership. ITDR straddles the identity team, which owns IAM, and the SOC, which owns detection and response. Without a clear owner, posture findings and live alerts fall between the two, and the proactive and reactive halves stop reinforcing each other.
None of these are reasons to skip ITDR. They are the reasons it is a program (baseline tuning, coverage expansion, identity hygiene, and clear ownership) rather than a product you install and forget.
Frequently Asked Questions
What is ITDR in simple terms?
ITDR, identity threat detection and response, is a security discipline that detects and stops attacks abusing user accounts, credentials, and directories instead of malware. Because the attacker logs in with a real credential, traditional tools see nothing, so ITDR watches identity behavior and posture, then responds when an account is used the way an attacker would use it.
How is ITDR different from EDR?
EDR watches endpoints for malware, suspicious processes, and exploit behavior. ITDR watches identities, credentials, and directories for abuse. The split matters because most modern intrusions use valid credentials and drop no malware, so they are invisible to EDR but visible to ITDR through anomalous identity behavior. The two are complementary: EDR owns the host, ITDR owns the identity.
Is ITDR the same as IAM?
No. Identity and access management governs the identity lifecycle and decides whether an access request is allowed at the moment it is made. It is preventive and cannot catch a legitimate policy being satisfied by an attacker. ITDR assumes a credential is already compromised and watches the identity layer for abuse after access is granted, then responds to contain it.
What attacks does ITDR detect?
Account takeover, credential-based intrusion, privilege escalation, lateral movement, and directory or infrastructure attacks such as Kerberoasting and golden-ticket forgery. All of them use legitimate credentials or trusted identity infrastructure, so they raise no malware or exploit alarm, and behavioral and directory deviation is the only signal, which is exactly what ITDR is built to read.
What does ITDR actually do?
Four things: posture and exposure management to shrink the identity attack surface before an attack, threat detection on identity telemetry to find attacks in progress, investigation and correlation to chain weak signals into one incident, and response to contain it by killing a session, disabling an account, revoking a token, or rolling back a directory change.
Why did ITDR emerge as a category?
Gartner named ITDR in March 2022 to fill the gap between preventive identity controls and detection and response. Attackers shifted to logging in with stolen credentials rather than breaking in, with CrowdStrike reporting 82% of 2025 detections malware-free. IAM, EDR, and network tools were not built to watch the identity layer for that abuse, so a dedicated discipline was needed.
The bottom line
ITDR exists because the attack moved to identity. When the credential is real, the perimeter is satisfied, IAM approves the request, and the endpoint sees no malware, the only signal left is behavior: where an identity authenticates from, what it reaches, and how its privileges and posture change. With 82% of detections malware-free and breakout times under half an hour, that signal is no longer an edge case. It is the main event.
ITDR reads it across both halves of the problem: shrinking the identity attack surface before an attack and detecting, correlating, and containing the attack during it. It catches account takeover, escalation, lateral movement, and attacks on the directory itself, the intrusions that own a valid credential and would otherwise walk in clean. And it is a program, not a product: the value comes from clean baselines, full coverage, identity hygiene, and a clear owner across the identity team and the SOC. Get those right and a 2 a.m. password reset stops being a line in a log no one read and becomes the alert that ends the intrusion.