The perimeter is dead, or rather, it has mutated. In today’s corporate environments, dominated by hybrid architectures, remote users, cloud services, and interconnected applications, digital identity has become the new security perimeter. This idea, once aspirational, is now a reality driven by the most recent and sophisticated attacks. Threat actors increasingly compromise credentials rather than endpoints; they don’t break in, they log in with hijacked identities.
In this context, Identity Threat Detection and Response (ITDR) emerges as a critical defensive capability. It is not designed to replace solutions like EDR or SIEM, but rather to fill a blind spot: detecting, analyzing, and responding to identity-centric threats, whether they target human users, service accounts, or cloud identities, across modern, distributed infrastructures.

What Is ITDR and Why Does It Matter?
ITDR refers to a set of technologies and operational practices aimed at monitoring identity usage, detecting anomalies, tracking credential-based lateral movement, and responding to incidents where identity is the main attack vector. It covers both on-premises identity systems such as Active Directory and cloud-based systems like Microsoft Entra ID (formerly Azure AD), AWS IAM, Okta, and Google Workspace.
The rise of ITDR is a direct response to the explosive growth of attacks that begin not with malware, but with credential phishing, token theft, brute force, or abuse of valid sessions. These techniques allow attackers to bypass traditional endpoint or network controls and operate undetected with legitimate access.
Recent incidents, including SolarWinds, Lapsus$, and Storm-0558, have shown that attackers wielding privileged credentials or forged tokens can move laterally and persist within networks for weeks or months, often without deploying any malware or raising suspicion.

Identity as an Expanding Attack Surface
In modern environments, identities go far beyond individual users. The identity landscape now includes service accounts used by applications and automation scripts, service principals that represent cloud-based applications, federated and guest identities from external partners, and short-lived credentials such as OAuth access and refresh tokens, SAML assertions, and session cookies. All of these can be stolen, impersonated, or abused, often without leaving clear traces.
Because many of these identities are overprivileged or poorly monitored, they create security gaps that conventional tools simply can’t cover.
Common Identity Abuse Techniques
In hybrid and cloud environments, attackers often don’t need to exploit software vulnerabilities. Instead, they exploit weaknesses in identity management. Common techniques include the theft and replay of OAuth 2.0 access and refresh tokens or session cookies: because the MFA check already happened when the token was issued, an attacker who replays it from their own infrastructure never faces a second authentication unless the token is bound to the device or revoked. MFA fatigue attacks, which bombard users with repeated push prompts until they approve one by mistake or out of annoyance, are increasingly common.
Consent phishing attacks lure users into authorizing malicious apps with excessive permissions via legitimate login flows. Once inside, attackers maintain persistence by creating service principals, access keys, or hidden roles that let them re-enter systems at will. Shadow identities, accounts not visible in central IAM systems, are another major threat, often arising from misconfigured SaaS integrations or unmanaged third-party apps.
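The two techniques above leave distinctive traces in sign-in and audit logs. The following is an added example (not code from the original article or any vendor) of the detection logic an ITDR rule engine would apply: a sliding-window rule for MFA fatigue (several denied or timed-out prompts followed by one approval) and a rule for user-granted consents that include high-risk permission scopes. The event tuples, the timestamps, the scope list and the thresholds are all constructed for the example; the field layout is loosely modelled on Entra ID sign-in and audit logs but is not a real export format.

```python
"""Rule-based detections for MFA fatigue and risky consent grants.

Added example; event schema, sample data and thresholds are assumptions,
not any vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample telemetry (not real data) -------------------------
SIGN_INS = [
    # (user, timestamp UTC, mfa_result, source ip)
    ("alice@corp.example", "2024-03-01T02:10:05", "denied",   "203.0.113.7"),
    ("alice@corp.example", "2024-03-01T02:10:40", "denied",   "203.0.113.7"),
    ("alice@corp.example", "2024-03-01T02:11:12", "timeout",  "203.0.113.7"),
    ("alice@corp.example", "2024-03-01T02:11:50", "denied",   "203.0.113.7"),
    ("alice@corp.example", "2024-03-01T02:12:30", "denied",   "203.0.113.7"),
    ("alice@corp.example", "2024-03-01T02:13:05", "approved", "203.0.113.7"),
    ("bob@corp.example",   "2024-03-01T09:00:00", "denied",   "198.51.100.9"),
    ("bob@corp.example",   "2024-03-01T09:30:00", "approved", "198.51.100.9"),
]

CONSENT_EVENTS = [
    # (user, app display name, granted scopes, consent type: "user" or "admin")
    ("carol@corp.example", "Expense Sync Helper",
     ["Mail.Read", "offline_access", "Files.ReadWrite.All"], "user"),
    ("dave@corp.example", "Calendar Widget", ["User.Read"], "user"),
]

# Scopes that give an app durable, broad access to user data.  A user-level
# consent to any of these is the classic consent-phishing outcome.
# (Illustrative list, an assumption for the example; tune per tenant.)
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}


def _ts(value):
    return datetime.fromisoformat(value)


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=4):
    """Flag a user when at least `min_rejections` denied/timed-out MFA prompts
    precede an approval inside `window`.  Returns (user, rejected_count,
    approval_time) tuples.  A single denial followed by a later approval
    (bob below) is normal user behaviour and is not flagged."""
    by_user = defaultdict(list)
    for user, ts, result, ip in events:
        by_user[user].append((_ts(ts), result, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t, result, ip) in enumerate(evs):
            if result != "approved":
                continue
            rejected = [e for e in evs[:i]
                        if e[1] in ("denied", "timeout") and t - e[0] <= window]
            if len(rejected) >= min_rejections:
                alerts.append((user, len(rejected), t.isoformat()))
    return alerts


def detect_risky_consent(events):
    """Flag user-granted (non-admin) consents that include high-risk scopes.
    Returns (user, app, sorted risky scopes) tuples."""
    alerts = []
    for user, app, scopes, consent_type in events:
        risky = sorted(HIGH_RISK_SCOPES.intersection(scopes))
        if consent_type == "user" and risky:
            alerts.append((user, app, risky))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SIGN_INS):
        print("MFA fatigue:", alert)
    for alert in detect_risky_consent(CONSENT_EVENTS):
        print("Risky consent:", alert)
```

The MFA rule deliberately counts timeouts as rejections, since a user ignoring prompts is as strong a signal as one denying them; in production the same window logic would run over the tenant's real sign-in stream rather than an in-memory list.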
Privilege escalation in AWS and Azure IAM environments is also a widespread issue, especially when attackers chain together individually harmless-looking permissions, abuse role assumption, or leverage cloud shell environments and unmanaged identities.
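Permission chaining is easiest to understand on concrete policy documents. The following is an added example (not code from the original article or from AWS) that evaluates a principal's attached IAM policies against a short list of well-documented AWS escalation combinations, such as iam:CreatePolicyVersion on its own or iam:PassRole combined with lambda:CreateFunction and lambda:InvokeFunction. The policy documents and principal names are constructed; the escalation list is a deliberately small subset, and the evaluator ignores Resource scoping and Condition blocks, both of which a real analyzer must honour.

```python
"""Find IAM principals whose effective Allow actions form a known
privilege-escalation chain.

Added example with constructed policies.  Assumptions: the escalation list
is a small subset of documented AWS paths, and Resource/Condition elements
are ignored (only Effect and Action are evaluated).
"""
import fnmatch

# Each path is a set of actions that together let a principal grant itself
# more privilege.  Subset of documented AWS escalation paths; not exhaustive.
ESCALATION_PATHS = {
    "create new policy version":   {"iam:CreatePolicyVersion"},
    "attach policy to self":       {"iam:AttachUserPolicy"},
    "rewrite role trust policy":   {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "pass role to lambda":         {"iam:PassRole", "lambda:CreateFunction",
                                    "lambda:InvokeFunction"},
    "pass role to ec2":            {"iam:PassRole", "ec2:RunInstances"},
}


def is_allowed(action, policies):
    """IAM-style evaluation over Effect/Action only: an explicit Deny that
    matches the action wins over any Allow; otherwise at least one matching
    Allow is required.  Wildcards in Action use glob semantics."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            patterns = stmt.get("Action", [])
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
    return allowed and not denied


def find_escalation_paths(principals):
    """principals: {name: [policy_document, ...]}.
    Returns {name: [path_name, ...]} for principals with at least one hit."""
    findings = {}
    for name, policies in principals.items():
        hits = [path for path, actions in ESCALATION_PATHS.items()
                if all(is_allowed(a, policies) for a in actions)]
        if hits:
            findings[name] = hits
    return findings


# --- constructed principals (not real policies) --------------------------
PRINCIPALS = {
    # A CI role that looks "just lambda", but iam:PassRole makes it a chain.
    "ci-deploy": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"],
         "Resource": "*"}]}],
    # Read-only auditor: no escalation path.
    "readonly-auditor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
         "Resource": "*"}]}],
    # Broad Allow, but an explicit Deny on iam:* blocks every listed path.
    "dev-user": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}],
}

if __name__ == "__main__":
    for name, paths in find_escalation_paths(PRINCIPALS).items():
        print(f"{name}: {', '.join(paths)}")
```

The interesting case is ci-deploy: neither lambda:* nor iam:PassRole is alarming in isolation, which is exactly why over-permissioned roles survive reviews that look at single actions rather than combinations.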

Core Capabilities of ITDR Solutions
An effective ITDR solution goes far beyond standard logging. It includes behavioral analytics to detect unusual access patterns based on time of day, location, device, or accessed resources. It must correlate events across multiple platforms, including on-premises Active Directory and cloud providers like Azure, AWS, and Google.
The solution must detect abnormal identity activity, such as the sudden appearance of new privileged accounts or the use of suspicious OAuth tokens. It should flag risky consent grants, identify over-permissioned roles, and monitor service account behavior. Automated responses may include session isolation, token revocation, account disabling, or role removal.
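The capabilities listed above (behavioral baselining, cross-signal correlation, automated response) compose into one pipeline. The following is an added example, not code from the original article or from any ITDR product, of a minimal identity-focused UEBA pass: it builds a per-identity baseline of countries, devices and active hours from historical sign-ins, scores a new sign-in against that baseline, correlates it with a privileged role assignment shortly afterwards, and maps the combined score to the response actions the text lists. The history, the events, the weights and the thresholds are all constructed for the example.

```python
"""Per-identity behavioral baseline, correlation with privilege changes,
and response selection.

Added example.  Event shapes, scoring weights and thresholds are
assumptions, not any vendor's schema or logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_history():
    """Constructed history: alice signs in from DE on one laptop at 08:00,
    13:00 and 17:00 on twenty days in February (sample data, not real)."""
    history = []
    for day in range(1, 21):
        for hour in (8, 13, 17):
            history.append(("alice@corp.example",
                            f"2024-02-{day:02d}T{hour:02d}:05:00",
                            "DE", "laptop-a1"))
    return history


def build_baseline(history):
    """Baseline per identity: seen countries, devices and sign-in hours."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in history:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def score_sign_in(baseline, event):
    """Score one sign-in against the identity's baseline.
    Returns (score, reasons).  Weights are illustrative."""
    user, ts, country, device = event
    b = baseline.get(user)
    if b is None:
        return 3, ["no baseline for identity"]
    score, reasons = 0, []
    if country not in b["countries"]:
        score += 2; reasons.append(f"new country {country}")
    if device not in b["devices"]:
        score += 2; reasons.append(f"new device {device}")
    if datetime.fromisoformat(ts).hour not in b["hours"]:
        score += 1; reasons.append("outside usual hours")
    return score, reasons


def triage(baseline, sign_in, role_events, window=timedelta(hours=1)):
    """Correlate a scored sign-in with privileged role assignments to the
    same identity within `window` after it, then choose response actions."""
    score, reasons = score_sign_in(baseline, sign_in)
    user, ts, _, _ = sign_in
    t = datetime.fromisoformat(ts)
    priv_changes = [r for r in role_events if r[0] == user and
                    0 <= (datetime.fromisoformat(r[1]) - t).total_seconds()
                    <= window.total_seconds()]
    if priv_changes:
        score += 3
        reasons.append("privileged role assigned shortly after sign-in: "
                       + ", ".join(r[3] for r in priv_changes))
    if score >= 5:
        actions = ["revoke_sessions", "disable_account"] + \
                  (["remove_role"] if priv_changes else [])
    elif score >= 3:
        actions = ["revoke_sessions", "require_reauth"]
    else:
        actions = []
    return {"user": user, "score": score, "reasons": reasons, "actions": actions}


# --- constructed events (not real telemetry) ------------------------------
ROLE_EVENTS = [
    # (user, timestamp UTC, audit activity, role name)
    ("alice@corp.example", "2024-03-02T03:25:00",
     "Add member to role", "Global Administrator"),
]
SUSPICIOUS = ("alice@corp.example", "2024-03-02T03:10:00", "BR", "unknown-7f")
BENIGN = ("alice@corp.example", "2024-03-02T08:10:00", "DE", "laptop-a1")

if __name__ == "__main__":
    baseline = build_baseline(build_history())
    for event in (SUSPICIOUS, BENIGN):
        print(triage(baseline, event, ROLE_EVENTS))
```

The point of the correlation step is that neither signal is decisive alone: a new device at 03:00 might be a travelling admin, and a role assignment is a routine audit event, but the two within an hour of each other on the same identity is the sequence that the Lapsus$-style and SolarWinds-style intrusions discussed later in the article produced.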
Some of these features are already available in platforms like Microsoft Defender for Identity or AWS IAM Access Analyzer, but dedicated ITDR tools, such as Authomize, Obsidian Security, or integrations in Splunk or Elastic, provide much deeper capabilities.
How ITDR Differs from Other Tools
ITDR doesn’t replace EDR, SIEM, or XDR. Instead, it complements them by focusing specifically on identity-based threats. EDR can detect malware or suspicious processes, but not necessarily when a legitimate admin token is reused maliciously from an unknown device. SIEMs often lack the contextual awareness to understand identity-specific patterns such as MFA exhaustion or token misuse.
ITDR fills this blind spot by offering behavioral visibility into identity actions, analyzing the semantics of identity and access APIs that other tools ignore.

Real-World Examples of Identity-Based Attacks
The Storm-0558 attack against Microsoft in 2023, attributed to a China-based state actor, involved forging authentication tokens with an acquired Microsoft account (MSA) consumer signing key; a validation flaw let enterprise (Azure AD) endpoints accept tokens signed with that consumer key. The forged tokens gave access to Exchange Online mailboxes at roughly two dozen organizations, including US government agencies. The intrusion was in fact first noticed by a customer reviewing mailbox audit logs, which is exactly the kind of telemetry ITDR consumes: tokens signed with a key outside the expected issuer trust chain, anomalous mailbox access patterns, and unexpected source IPs or application behavior.
The Lapsus$ attacks in 2022 relied largely on social engineering and credential theft, with the group using MFA fatigue (push bombing) to get into accounts at Microsoft and other targets. An ITDR platform could have flagged the behavioral signature of that technique: a burst of denied or ignored push prompts on one account followed by a single approval, often at an unusual hour.
The SolarWinds breach is often remembered for its supply chain malware, but a significant portion of the impact stemmed from identity abuse: the attackers forged SAML tokens with stolen AD FS token-signing keys and added their own credentials to existing Azure AD applications and service principals, giving them persistent access to mailboxes that did not depend on the implant. ITDR tools would have surfaced credentials added to service principals, anomalous application activity, and SAML tokens used in the cloud with no matching on-premises sign-in.
In the January 2022 Okta incident, attackers reached Okta’s customer support tooling through the compromised workstation of a support engineer at a third-party contractor. Although the session was valid, ITDR could have flagged the access based on its location, time, and device fingerprint, enabling early containment.
Comparative Overview of ITDR Solutions
Different vendors provide varying levels of ITDR functionality. Here’s a high-level comparison of leading solutions:
| Solution | Vendor | Hybrid Integration (AD + Entra ID) | OAuth/SAML Token Analysis | Identity-Focused UEBA | Response Automation | Notes |
|---|---|---|---|---|---|---|
| Microsoft Defender for Identity | Microsoft | Yes | Partial (via M365) | Yes (AD/Entra focus) | Yes (via Defender XDR) | Strong in Microsoft stack, limited outside |
| Authomize | Authomize | Yes | Yes | Yes | Yes | Deep SaaS visibility, fine-grained permission mapping |
| Obsidian Security | Obsidian | Partial | Yes | Yes | Limited | Focused on M365, Google Workspace, Salesforce |
| SentinelOne Singularity Identity | SentinelOne | Yes | Partial | Yes | Yes | Integrated with EDR/XDR, evolving rapidly |
| CrowdStrike Falcon Identity | CrowdStrike | Yes | Partial | Yes | Yes | Session-based behavioral detection |
| Veza | Veza | Yes | Yes | Yes (authZ focus) | Partial | Authorization-centric visibility across platforms |
| Ping Identity + PingOne Protect | Ping Identity | Partial | Yes | Yes | Yes | Useful in adaptive IAM contexts |
| AWS IAM Access Analyzer | Amazon Web Services | No (AWS only) | Partial | No | No | Strong for IAM policy visibility, not a threat-detection tool |
Considerations for Selecting an ITDR Solution
Choosing an ITDR tool depends heavily on your identity architecture. If your environment is primarily Microsoft-based, Defender for Identity combined with other Defender modules provides strong integration. For multi-cloud or SaaS-heavy infrastructures, platforms like Authomize or Obsidian deliver cross-platform identity visibility.
Organizations already using CrowdStrike or SentinelOne can benefit from extending their existing EDR/XDR setups to include identity layers. Veza stands out for organizations prioritizing permission analysis and access governance.
Ultimately, the key is not only technical compatibility but operational maturity: having the processes, and the people, to act on the detections that ITDR platforms produce.
Conclusion
ITDR is not a passing trend. It is a critical evolution in cybersecurity strategy, responding directly to how real-world attacks now unfold. In a landscape where attackers don’t drop malware but instead hijack valid tokens or persist through unnoticed roles and service identities, traditional defenses fall short.
ITDR offers the necessary visibility and control to defend the modern perimeter: identity itself. It doesn’t replace other security layers, but without it, organizations risk flying blind through the most exploited vector of the moment.
Identity is no longer just an access mechanism. It is a high-value target. And unless organizations begin treating it as such—with detection, analytics, and response tailored to its complexity—they will remain vulnerable in ways that EDR and SIEM can’t compensate for.