Identity Threat Detection and Response (ITDR)
What is Identity Threat Detection and Response (ITDR)?
Identity Threat Detection and Response (ITDR) is a security discipline focused on monitoring, detecting, and responding to attacks that target identity systems — including user accounts, credentials, authentication mechanisms, directory services, and privileged access infrastructure. ITDR emerged as a distinct category when it became clear that traditional endpoint, network, and perimeter controls were not designed to catch attackers who gain access using legitimate, stolen credentials. Gartner introduced ITDR as a formal category recognizing that established identity and access management (IAM) hygiene practices were no longer sufficient against modern identity-based attacks.
Description
Identity has become the primary attack vector in enterprise breaches. According to Unit 42's Global Incident Response Report 2026, 90% of incident response investigations in 2025 involved identity weaknesses, and 65% of initial access was identity-driven — through phishing, stolen credentials, or brute force. Nearly two billion credentials were indexed from malware combo lists in 2025 alone. ITDR addresses this reality by adding identity-specific behavioral detection that other security tools lack. Where endpoint detection and response (EDR) monitors device behavior and SIEM aggregates log data, ITDR specifically tracks identity behavior — detecting anomalies like impossible travel logins, unusual privilege escalation patterns, lateral movement using valid credentials, and attacks against directory services like Active Directory. ITDR is especially relevant for detecting the types of Active Directory attacks that penetration testers commonly execute: Kerberoasting, Pass-the-Hash, DCSync, and Golden Ticket attacks all leave identity-layer behavioral signatures that ITDR solutions are designed to surface. ITDR also complements Zero Trust Architecture by providing the continuous identity monitoring that informs access decisions.
Usage and Examples
In the Midnight Blizzard breach of Microsoft corporate systems, attackers used a password spray attack against a legacy non-MFA test account, then used that initial access to pivot to OAuth applications with elevated privileges — operating entirely within the identity layer. ITDR solutions monitoring for OAuth token anomalies, unusual application consent grants, and lateral movement patterns would have provided earlier detection signals than endpoint or network controls alone. Snowflake credential attacks in 2025 similarly demonstrated that cloud identity compromise — using valid credentials stolen via infostealer malware — can result in large-scale data breaches with no malware footprint for endpoint tools to detect. ITDR integrates with existing SIEM platforms for threat monitoring, provides automated response capabilities to isolate compromised identities, and feeds risk signals into authentication infrastructure to trigger step-up verification when anomalous behavior is detected.
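The two identity-layer signals mentioned above, impossible-travel logins (Description section) and the password spray that opened the Midnight Blizzard intrusion (this section), can be reduced to small detection rules over a sign-in log. The following is an added illustration, not code from the original page or from any ITDR product: it defines a constructed sign-in event record, a constructed sample log, and two rules that run over it. Thresholds (900 km/h, a 30-minute window, five distinct accounts, at most three failures per account) are assumptions chosen for the example and would be tuned against real data.

```python
"""Two identity-layer detections over a constructed sign-in log (added example).

Rule 1, impossible travel: one account authenticates successfully from two
        locations whose great-circle distance could not be covered in the
        elapsed time at a plausible speed.
Rule 2, password spray: one source IP fails authentication against many
        distinct accounts, with only a few attempts per account, inside a
        short window (few attempts per account is what keeps a spray under
        per-account lockout thresholds).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    """One authentication event; field set is an assumption for this example."""
    ts: datetime
    user: str
    src_ip: str
    lat: float      # geolocation of src_ip, as an IP-to-geo lookup would supply
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Return (user, earlier_ip, later_ip, implied_kmh) for consecutive successful
    sign-ins by the same account that imply travel faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same timestamp from two places is as suspicious as any speed.
            speed = (float("inf") if km > 0 else 0.0) if hours <= 0 else km / hours
            if speed > max_speed_kmh:
                findings.append((user, prev.src_ip, cur.src_ip, round(speed)))
    return findings


def password_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return (src_ip, distinct_accounts) for source IPs whose failed sign-ins,
    inside any sliding window, touch at least min_accounts accounts while never
    exceeding max_per_account failures against any single one of them."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        best, start = 0, 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            per_account = Counter(w.user for w in evs[start:end + 1])
            if max(per_account.values()) <= max_per_account:
                best = max(best, len(per_account))
        if best >= min_accounts:
            findings.append((ip, best))
    return findings


def run_detections(events):
    """Run both rules and return their findings keyed by rule name."""
    return {"impossible_travel": impossible_travel(events),
            "password_spray": password_spray(events)}


# Constructed sample log. IPs are from documentation ranges; coordinates are
# approximate city centres (Chicago, Singapore, Berlin).
T0 = datetime(2025, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    SignIn(T0, "alice", "203.0.113.10", 41.88, -87.63, True),                      # Chicago
    SignIn(T0 + timedelta(minutes=40), "alice", "198.51.100.7", 1.35, 103.82, True),  # Singapore, 40 min later
    SignIn(T0, "bob", "203.0.113.11", 41.88, -87.63, True),
    SignIn(T0 + timedelta(hours=2), "bob", "203.0.113.11", 41.88, -87.63, True),   # same place, benign
    # one source, one failure each against six different accounts in six minutes
    *[SignIn(T0 + timedelta(minutes=i), f"user{i}", "192.0.2.99", 52.52, 13.40, False) for i in range(6)],
    # one user mistyping their own password twice: not a spray
    SignIn(T0 + timedelta(minutes=5), "carol", "203.0.113.12", 41.88, -87.63, False),
    SignIn(T0 + timedelta(minutes=6), "carol", "203.0.113.12", 41.88, -87.63, False),
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Both rules are deliberately stateless and window-based so they can run over a SIEM export or a streaming feed alike; in an ITDR deployment the same findings would be fed back into the authentication layer to trigger step-up verification or session revocation for the affected account, as the text describes.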
How Does This Relate to Penetration Testing?
Penetration testing directly validates what ITDR is designed to detect. During internal network and assumed breach engagements, Evolve Security testers simulate identity-based attack chains — credential harvesting, lateral movement through Active Directory, privilege escalation via misconfigured service accounts, and persistence through domain manipulation. The artifacts these tests generate reveal whether ITDR monitoring is configured to detect real attacker tradecraft, or whether gaps in coverage would allow an identity-based compromise to go undetected. Post-engagement, ITDR gap analysis helps organizations prioritize which identity security controls to implement or tune. Reviewing Active Directory attack techniques from Evolve Security's video library provides context for the types of identity attacks ITDR must be configured to detect. Because Evolve Security's internal network penetration testing and assumed breach assessments exercise exactly these attack paths, they give organizations ground truth about their detection and response coverage.