DETECTION & RESPONSE · 8 MIN

Identity Threat Detection & Response (ITDR): Why Identity Is the New Endpoint

ITDR closes the gap between IAM (which decides who can log in) and EDR (which watches the endpoint). Here is why every modern attack now runs through identity, what ITDR actually does, and how QMasters operationalizes it on CrowdStrike Falcon Identity Protection.

QMasters SOC Team· Detection Engineering· 2026-02-12
TL;DR

What is Identity Threat Detection and Response (ITDR) and how is it different from IAM and EDR?

Identity Threat Detection and Response (ITDR) is a security category focused on detecting and responding to attacks that abuse legitimate identities — credential theft, session hijacking, Kerberoasting, Golden Ticket attacks, OAuth consent grants, and SaaS account takeover. It is different from IAM (Identity and Access Management), which provisions and authenticates users; ITDR assumes the IAM layer has been bypassed or abused and watches identity behavior for attack signals. It is different from EDR (Endpoint Detection and Response), which watches process and file activity on a host; ITDR watches authentication, authorization, and identity-graph events across Active Directory, Entra ID, Okta, and SaaS apps. ITDR became necessary because more than 80% of modern breaches now involve credential misuse rather than malware-based intrusion.

Identity threat detection diagram showing AD, Entra ID, and SaaS identities feeding a single ITDR analytics layer with risk-based response
Identity threat detection diagram showing AD, Entra ID, and SaaS identities feeding a single ITDR analytics layer with risk-based response

Identity Threat Detection & Response (ITDR): Why Identity Is the New Endpoint

Identity Threat Detection and Response (ITDR) is a category of security tooling and operations that watches identity — authentication, authorization, session, and directory events — for signs of attack. It exists because most modern breaches no longer depend on malware. The attacker steals a session token, abuses a service account, phishes an OAuth grant, or rides a Kerberos ticket across the domain. Endpoint Detection and Response, no matter how well-tuned, cannot see most of that. ITDR can, and a managed MDR built on top of it is what closes the loop.

If your detection strategy is still anchored to what runs on the endpoint, you are watching last decade's attack surface. Here is why identity moved into the foreground, what ITDR actually does, and how the QMasters SOC operationalizes it.

Why identity became the attack surface

Three structural shifts pushed identity to the front:

The endpoint got harder. Modern EDR platforms — CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne — block most commodity malware on first contact. The economics of malware-based intrusion have flipped against the attacker.

The perimeter dissolved. SaaS, remote work, and BYOD mean that "inside the network" is meaningless. The control plane is the identity provider — Entra ID, Okta, Google Workspace, Ping — and an attacker with valid credentials looks indistinguishable from a legitimate user from the network's perspective.

The phishing kit caught up. Adversary-in-the-middle (AiTM) phishing kits like Evilginx and Tycoon now defeat MFA by stealing session cookies in real time. The attacker never touches the endpoint, never installs malware, never triggers EDR. They log in as the user, with valid MFA, from a compromised session.

The published numbers vary by source, but the consensus is that identity-based attacks now account for the majority of confirmed breaches. Verizon's DBIR has tracked credential abuse as a top-three breach vector for five years running. CrowdStrike's threat reporting reaches similar conclusions. The shift is structural, not cyclical.

What ITDR actually does

ITDR consumes telemetry from the identity layer and runs detection logic against it. A capable ITDR stack pulls from:

  • On-prem directories — Active Directory authentication events (Kerberos, NTLM), Group Policy changes, privileged-group membership shifts, LDAP queries.
  • Cloud identity providers — Entra ID sign-in logs, Okta system logs, Google Workspace audit logs, conditional-access policy evaluations.
  • SaaS audit feeds — Microsoft 365, Salesforce, GitHub, Slack, Zoom — the apps that hold the data the attacker actually wants.
  • Privileged access — service-account behavior, key-vault access, AWS IAM role assumptions, just-in-time elevation events.

It correlates those streams into an identity risk graph and runs detection logic for techniques like:

  • Kerberoasting and AS-REP roasting (offline ticket cracking)
  • Pass-the-Hash and Pass-the-Ticket lateral movement
  • Golden Ticket and Silver Ticket forgery
  • Risky OAuth grants and consent phishing
  • Token-replay and session hijack from impossible-travel or impossible-device anomalies
  • MFA fatigue / push-bombing
  • Dormant account reactivation
  • Service-account misuse

The output is not a list of alerts. The output is a prioritized identity risk view that names specific accounts, specific sessions, specific privilege paths — and which ones are statistically anomalous right now.

ITDR vs. IAM vs. EDR — the simple model

| Layer | Question it answers | Who runs it |

| --- | --- | --- |

| IAM (Okta, Entra ID, Ping) | Who is allowed to log in, and as what? | Identity / IT |

| PAM (CyberArk, Delinea) | Who can elevate to privileged access, and how is that vault protected? | Identity / IT |

| ITDR (Falcon Identity Protection, Silverfort, Semperis) | Once they log in — does this look like an attack? | Security / SOC |

| EDR (Falcon, Defender, SentinelOne) | What is happening on this endpoint right now? | Security / SOC |

IAM is the front door. PAM is the safe in the back office. ITDR is the security camera watching everyone inside the building. EDR is the camera in each room. They are complements, not substitutes.

How QMasters operationalizes ITDR

For protected customers, ITDR is built into the StrongHold MCSS detection stack. Most of our deployments run on CrowdStrike Falcon Identity Protection, which has the widest native coverage across hybrid AD + Entra ID environments and integrates directly with the same Falcon agent already deployed for EDR.

Our standing operating model:

1. Risk-based policy enforcement, not blanket lockdown. A Falcon Identity policy in QMasters' SOC is keyed to risk score, not user role. A standard user who suddenly Kerberoasts gets blocked at the directory layer in real time. A privileged admin doing the same gets a step-up MFA challenge plus a P1 alert to a SOC analyst within the 15-minute critical SLA.

2. Service accounts are the priority watchlist. Service accounts are the most abused identity type in every incident we work. Our ITDR baseline catalogues every service account in the customer's directory, profiles its normal authentication pattern (source host, target service, time window), and alerts on deviation. The most common red flag: a service account interactively logging in to a workstation. That is never legitimate.

3. Token theft is treated as endpoint-equivalent. Falcon Identity correlates session tokens with the EDR session. If a session token from a known endpoint suddenly appears in a request from a different geography or device fingerprint, the SOC treats it the same way it would treat an EDR detection — isolate, investigate, revoke.

4. Identity events feed the same SIEM as everything else. All ITDR signals flow into the customer's SIEM (QRadar, Sentinel, or Falcon NG-SIEM depending on the deployment) so investigators have one timeline across endpoint, identity, network, and cloud — not four consoles.

Soft CTA

If you are not sure which identity-based attack patterns your current detection stack would catch, our identity and access solutions team runs a structured ITDR readiness review. It produces a named-attack coverage map — what gets caught, what gets missed, what needs tuning — in two weeks.

What every CISO should take from this

Three things to pin to the planning wall:

Buy ITDR if you do not have it. EDR coverage without ITDR coverage is a half-built detection stack. Modern attackers know this. The gap between IAM and EDR is the gap they are working in.

Service accounts deserve their own program. Treat them as a privileged tier with their own discovery, baseline, and hunt cadence. Most identity-based incidents involve at least one abused service account.

ITDR without managed response is a louder alert pile. A 24x7 SOC that knows how to triage identity alerts in 15 minutes is what turns ITDR from a tool into a control.

FAQ

Q: Is ITDR the same as Active Directory monitoring?

A: No. AD monitoring is one input. Modern ITDR correlates AD events with Entra ID, Okta, Google Workspace, AWS IAM, and SaaS audit logs to build a unified identity risk graph. Watching AD alone misses cloud-only attack paths and most modern phishing-driven account takeovers.

Q: Where does ITDR fit relative to MDR?

A: ITDR is a telemetry and detection layer; MDR is the operating model that turns its alerts into responses. ITDR without 24x7 analyst response is an alert generator, not a control.

Q: What attacks does ITDR specifically catch?

A: Lateral movement after initial access (Pass-the-Hash, Pass-the-Ticket, Kerberoasting, Golden Ticket), session hijacking via stolen tokens, risky OAuth grants, anomalous service-account usage, MFA fatigue, and dormant-account reactivation. These are the techniques EDR misses because no malware ever touches the endpoint.

Q: Do I need ITDR if I already have MFA everywhere?

A: Yes. MFA raises the cost of credential theft but does not eliminate it. AiTM phishing, session-token theft, MFA fatigue, and OAuth consent attacks all defeat or sidestep MFA. ITDR watches what happens after authentication succeeds — which is where modern attackers operate.

Talk to QMasters

If you want to see what an identity-aware detection stack looks like running on real customer telemetry, talk to a QMasters SOC analyst. We will walk through a Falcon Identity Protection demo against a sample of your own AD and Entra ID logs and show what would have been caught in the last 30 days that wasn't.

For more context, start at QMasters, review our managed detection and response, or check out technology partners.

---

Author · QMasters SOC Team — Detection Engineering

Last updated · 2026-02-12

Reading time · 8 min

FAQ

Frequently asked questions.

  • No. AD monitoring is one input to ITDR. Modern ITDR platforms correlate AD events with Entra ID, Okta, Google Workspace, AWS IAM, and SaaS audit logs to build a unified identity risk score. Watching AD alone misses cloud-only attack paths and most modern phishing-driven account takeovers.

ABOUT THE AUTHOR

QMasters SOC Team
Detection Engineering

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

READY TO TUNE YOUR SIEM?

Tighter detections, fewer false positives.

Book a working session with a senior detection engineer. Bring a sample of your noisiest alerts and we will rebuild the rule with you.

Explore Managed Detection & Response

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.