Identity Threat Detection and Response (ITDR): The 2026 Practitioner Guide

The detection gap that ITDR addresses is precisely defined: identity-layer attack techniques that use legitimate credentials and protocols, making them invisible to tools that look for known malicious signatures or obvious anomalies.

Kerberoasting is the canonical example. An attacker with any valid domain account can request Kerberos service tickets for service principal names (SPNs) registered in Active Directory. The tickets are encrypted with the service account's password hash. The attacker takes the tickets offline and cracks them to recover the service account password, which often has elevated privileges. The Kerberos request itself is legitimate protocol traffic. Nothing about it triggers standard EDR or SIEM rules written for malware signatures. ITDR platforms that baseline normal Kerberoasting rates and alert on anomalous service ticket request volumes, particularly requests for high-value service accounts from unusual workstations, catch this technique.

Pass-the-Ticket and Pass-the-Hash allow attackers to use captured Kerberos tickets or NTLM hashes to authenticate as another user without knowing their password. The authentication event looks legitimate: a valid ticket or hash was presented. ITDR detects behavioral anomalies around these events, such as a ticket being used from a different IP address than where it was issued, or authentication events that do not match the user's historical patterns.

Lateral movement using legitimate remote access protocols (SMB, WMI, RDP, PsExec) is similarly invisible to signature-based detection. When an administrator account that normally accesses two systems suddenly accesses 40 systems in 30 minutes, ITDR's behavioral baselining surfaces this as anomalous. Standard SIEM rules without behavioral baselines see only authenticated administrator access, which matches the expected rule condition.

ITDR, PAM, and IAM address different phases of the identity security lifecycle, and understanding their boundaries clarifies why each is needed and where they overlap.

IAM (Identity and Access Management) governs the provisioning and policy enforcement layer: who gets access to what, under what conditions, and for how long. IAM tools manage the lifecycle of identities from creation to deprovisioning. They enforce access policy at the authentication and authorization checkpoint. They do not monitor what happens after access is granted or detect when granted access is being abused.

PAM (Privileged Access Management) extends IAM specifically for high-privilege accounts: vaulting credentials, recording sessions, enforcing just-in-time access, and monitoring privileged activity. PAM addresses the standing privilege problem. It does not provide broad identity threat detection across all user accounts, only the specific accounts enrolled in the PAM system.

ITDR monitors the entire identity layer continuously for threat behaviors. It watches all authentication events, all access patterns, all privilege usage, and all identity-related protocol traffic (Kerberos, NTLM, LDAP) for evidence of attack techniques. Where IAM and PAM enforce policy, ITDR detects deviations from expected identity behavior that may indicate compromise.

Gartner and KuppingerCole now recommend treating ITDR and PAM as complementary layers in a unified identity defense strategy. PAM reduces the attack surface by eliminating standing privileges. ITDR detects when the remaining identity attack surface is being exploited. Organizations that implement only one without the other have coverage gaps: PAM without ITDR cannot detect techniques that operate outside enrolled PAM accounts; ITDR without PAM cannot eliminate the over-privileged account conditions that make identity attacks so impactful.

The ITDR market formed rapidly following Gartner's 2022 identification of the category. Three categories of platform have emerged: purpose-built ITDR tools, identity security platforms with ITDR capabilities, and endpoint-centric security platforms extending into identity.

CrowdStrike Falcon Identity Protection is the most widely deployed enterprise ITDR solution. Built on CrowdStrike's threat graph, it provides behavioral analysis for Active Directory, Azure AD, and Okta identities, detection coverage for all major AD attack techniques, and integration with the Falcon XDR platform for unified identity and endpoint investigation. Its strength is deep AD attack coverage and tight integration with the broader CrowdStrike ecosystem. Organizations standardizing on CrowdStrike get ITDR as a natural extension.

Microsoft Defender for Identity (formerly Azure ATP) provides ITDR specifically for Active Directory and Azure AD environments within the Microsoft security stack. It integrates natively with Microsoft Sentinel and Defender XDR, making it the natural ITDR choice for organizations running the Microsoft security platform. Its coverage is deep for Microsoft identity protocols and shallower for non-Microsoft identity providers.

Vectra AI takes a network-based approach to identity threat detection, analyzing Kerberos, NTLM, LDAP, and SMB traffic from the network layer rather than requiring directory service integrations. This approach works in environments where agent deployment on domain controllers is restricted and provides visibility into identity attacks that never touch an instrumented endpoint.

SentinelOne Singularity Identity, Semperis, and Silverfort round out the leading platforms. Semperis is particularly strong in Active Directory disaster recovery and AD forest recovery following ransomware attacks, combining ITDR detection with the ability to restore a clean AD state after compromise.

ITDR implementation requires deciding where to start, what to connect, and how to integrate findings into the broader SOC workflow.

Active Directory is the highest-priority ITDR target in most enterprises. AD is the identity backbone for Windows environments, holds the keys to the domain, and is the target of the most impactful identity attack techniques. ITDR coverage for AD attack techniques (Kerberoasting, DCSync, Golden Ticket, LDAP enumeration) should be the first deployment priority.

Data source integration determines detection quality. ITDR platforms require access to: Windows Security event logs from domain controllers (particularly logon events, Kerberos ticket events, and directory service changes); network traffic capturing Kerberos and NTLM authentication flows (PCAP or NetFlow from domain controller-adjacent network segments); and cloud identity provider logs (Azure AD sign-in logs, Okta system logs, AWS IAM events). Incomplete data source coverage creates blind spots in identity threat detection.

Response automation is the most impactful ITDR capability after detection. An attacker discovered performing Kerberoasting has a time advantage measured in minutes before they crack the offline ticket and begin using the compromised credential. ITDR response automation that can immediately disable the targeted service account, force a password reset, or apply an access restriction without waiting for analyst approval eliminates that time window. Define automated response playbooks for the highest-severity identity attack techniques before deploying ITDR in production.

SIEM integration routes ITDR alerts alongside other security events for unified investigation. ITDR findings frequently require correlation with endpoint data (what did the process tree on the system that made the suspicious Kerberos request look like?) and network data (what did the attacker do after obtaining the credential?). ITDR as a standalone tool produces alerts; ITDR integrated into a unified investigation platform produces complete incident context.

ITDR detects attacks against Active Directory. AD hardening reduces the attack surface that ITDR must monitor and reduces the impact of any successful attack. Both are required; neither is sufficient alone.

The highest-impact AD hardening controls are: enabling Protected Users security group membership for privileged accounts, which prevents NTLM authentication and short-lived Kerberos ticket caching for those accounts; implementing tiered administration (separate administrative accounts for Tier 0, domain controllers and AD management; Tier 1, server administration; Tier 2, workstation administration) to prevent credential lateral movement across tiers; deploying Managed Service Accounts or Group Managed Service Accounts (gMSA) to replace service accounts with manually managed passwords that are never changed; enabling AD Recycle Bin and Protected Deleted Objects to support forensic recovery after an attack; and auditing and removing unnecessary SPN registrations that are targets for Kerberoasting.

Microsoft's ESAE (Enhanced Security Admin Environment) architecture and its successor, the Enterprise Access Model, provide reference architectures for AD privilege tiering that significantly limit the blast radius of any individual identity compromise. Purple Knight (from Semperis) and PingCastle are free tools that assess AD security posture against hundreds of known misconfiguration and attack exposure indicators, providing a starting point for remediation prioritization.