Identity Threat Detection and Response (ITDR): Tools, Capabilities, and Vendor Comparison
Identity Threat Detection and Response (ITDR) is a security discipline focused on detecting and responding to attacks that abuse legitimate identity infrastructure rather than exploiting software vulnerabilities. Unlike IAM (which governs access), PAM (which manages privileged accounts), or UEBA (which analyzes individual user behavior patterns), ITDR monitors Active Directory and Entra ID for the attack techniques used after an attacker already has valid credentials: Kerberoasting, DCSync, pass-the-hash, pass-the-ticket, privilege escalation via group membership manipulation, and service account abuse. Gartner formalized ITDR as a distinct category in 2022, and it has become one of the fastest-growing segments in enterprise security tooling as identity-based attacks have overtaken malware as the primary post-breach lateral movement method.
Why ITDR Exists: The Identity Attack Surface IAM and PAM Cannot See
IAM and PAM tools are provisioning and access control systems. They answer the question: who should have access to what? They are not designed to detect when legitimate access is being abused or when the identity infrastructure itself is under attack.
The specific gap ITDR fills: an attacker who has compromised a standard domain user account and begins Kerberoasting — requesting Kerberos service tickets for service accounts and cracking them offline — generates no alerts in a correctly configured IAM or PAM system. The requests are legitimate. The credentials are valid. Active Directory processes them normally. Without a tool specifically watching for the behavioral patterns of Kerberoasting, the attack proceeds undetected until the attacker escalates to Domain Admin.
The techniques ITDR specifically monitors for:
- Kerberoasting (T1558.003): Requesting service tickets for SPNs to crack offline
- AS-REP Roasting (T1558.004): Targeting accounts without pre-authentication required
- DCSync (T1003.006): Simulating domain controller replication to extract password hashes
- Pass-the-Hash / Pass-the-Ticket (T1550.002/003): Lateral movement using captured hashes or Kerberos tickets
- Golden / Silver Ticket attacks (T1558.001/002): Forged Kerberos tickets using krbtgt or service account hashes
- LDAP reconnaissance (T1018): AD enumeration via BloodHound-style queries
- Privilege escalation via group manipulation: Adding accounts to high-privilege groups outside normal provisioning workflows
- Service account abuse: Interactive logins on accounts configured for non-interactive service use
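An added example (not code from the article or from any vendor named here) of the last two techniques in the list as detection rules over constructed Windows Security events: interactive logons (4624) by service accounts and privileged-group additions (4728/4732/4756) performed by someone other than the provisioning workflow. The `svc_` naming prefix and the `iam-provisioner` account are assumptions standing in for the environment's own conventions.

```python
"""Two identity-abuse detections over constructed Windows Security events.
Assumptions: service accounts follow a naming prefix, and legitimate
privileged-group changes are made by the IGA workflow's own account."""

INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}   # console, RDP, cached interactive
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}    # member added to global/local/universal group
SERVICE_ACCOUNT_PREFIX = "svc_"               # assumed naming convention
APPROVED_PROVISIONERS = {"iam-provisioner"}   # assumed: the provisioning workflow's account

# Constructed sample events (a subset of the 4624 / 4728 fields). In 4728 the
# group is TargetUserName, the added member is MemberName, the actor is SubjectUserName.
EVENTS = [
    {"EventID": "4624", "TargetUserName": "svc_backup", "LogonType": "5", "WorkstationName": "APP01"},
    {"EventID": "4624", "TargetUserName": "svc_backup", "LogonType": "10", "WorkstationName": "WS-042"},
    {"EventID": "4624", "TargetUserName": "alice", "LogonType": "10", "WorkstationName": "WS-042"},
    {"EventID": "4728", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=local", "SubjectUserName": "alice"},
    {"EventID": "4728", "TargetUserName": "Domain Admins",
     "MemberName": "CN=carol,OU=Users,DC=corp,DC=local", "SubjectUserName": "iam-provisioner"},
    {"EventID": "4728", "TargetUserName": "Sales",
     "MemberName": "CN=dave,OU=Users,DC=corp,DC=local", "SubjectUserName": "alice"},
]


def detect_identity_abuse(events, approved=APPROVED_PROVISIONERS):
    """Return (rule, subject, context) tuples for events matching either rule."""
    alerts = []
    for e in events:
        if (e["EventID"] == "4624"
                and e["TargetUserName"].startswith(SERVICE_ACCOUNT_PREFIX)
                and e["LogonType"] in INTERACTIVE_LOGON_TYPES):
            # Service logon (type 5) is expected; a console/RDP logon is not.
            alerts.append(("service_account_interactive_logon",
                           e["TargetUserName"], e["WorkstationName"]))
        elif (e["EventID"] in GROUP_ADD_EVENTS
                and e["TargetUserName"] in PRIVILEGED_GROUPS
                and e["SubjectUserName"] not in approved):
            # Privileged-group change made outside the provisioning workflow.
            alerts.append(("privileged_group_add_outside_workflow",
                           e["MemberName"], e["SubjectUserName"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, context in detect_identity_abuse(EVENTS):
        print(f"{rule}: {subject} ({context})")
```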
ITDR vs PAM vs UEBA: What Each Category Actually Covers
| Category | Primary Function | What It Detects | What It Misses |
|---|---|---|---|
| IAM | Access provisioning and governance | Unauthorized provisioning, orphaned accounts | Abuse of legitimate access, Kerberos attacks |
| PAM | Privileged account vaulting and session control | Unauthorized privileged account use | Kerberoasting, DCSync, attack paths via non-vaulted accounts |
| UEBA | Behavioral baseline and anomaly detection | Deviations from user behavioral baseline | Attacks that stay within normal behavior patterns, AD-specific techniques |
| ITDR | Identity infrastructure attack detection | Kerberos attacks, DCSync, lateral movement, privilege escalation, AD/Entra ID manipulation | Non-identity attack vectors, network-layer threats |
The practical implication: ITDR is most effective as a complement to PAM rather than a replacement. PAM vaults privileged credentials and sessions. ITDR detects when attackers bypass the PAM vault entirely by compromising credentials outside it, or when they abuse the Kerberos infrastructure that PAM does not control.
ITDR Vendor Comparison
| Vendor | AD/Entra Depth | Agentless | Attack Path Analysis | Best For |
|---|---|---|---|---|
| CrowdStrike Falcon Identity Protection | High (DC sensor, Entra ID) | Partial | Strong | CrowdStrike shops, unified XDR |
| Silverfort | Very high (authentication proxy) | Yes | Strong | MFA on legacy apps, service accounts |
| Vectra AI Identity | High (Entra ID focus) | Yes (API-based) | Moderate | Entra ID / M365-heavy environments |
| Microsoft Entra ID Protection | Entra ID only (no on-prem AD) | Yes (built-in) | Limited | Pure Entra ID environments, M365 E5 |
| Illusive (Akamai Guardicore) | High (deception-based) | Partial | Very strong | Deception-first, high-value targets |
Key differentiator — Silverfort's authentication proxy model: Silverfort sits inline with authentication traffic (Kerberos, NTLM, LDAP, RADIUS) and can enforce MFA on any authentication request, including service accounts and legacy protocols that traditional MFA cannot reach. This makes it uniquely capable of addressing the service account problem: the average enterprise has 2,500+ service accounts that PAM vaults do not cover and that Kerberoasting specifically targets.
Deployment Considerations: Agentless vs Agent-Based and AD Integration Depth
Agent-based approaches (CrowdStrike Falcon Identity): Require a lightweight sensor installed on domain controllers. This gives deep visibility into Kerberos ticket requests, LDAP queries, and replication traffic at the source. The tradeoff is deployment complexity: any agent on a domain controller requires careful change management and testing, as DC stability is critical. Agent-based approaches typically provide the highest detection fidelity for on-premises AD environments.
Agentless approaches (Silverfort, Vectra, Entra ID Protection): Connect via API to Active Directory Domain Services, Microsoft Graph, or act as an authentication proxy. Agentless deployment is faster and carries no agent stability risk on DCs. The tradeoff is that some attack techniques occurring entirely within the DC — like in-memory DCSync — may be harder to detect without a DC-level sensor. For Entra ID-heavy environments, agentless API-based approaches are fully sufficient since there are no DCs to instrument.
Hybrid environments: Most enterprises run both on-premises AD and Entra ID in hybrid sync configurations. The best ITDR tools cover both planes — monitoring on-premises Kerberos and LDAP activity alongside Entra ID sign-in risk signals and token anomalies. Gaps in hybrid coverage are a common evaluation failure point: a tool that only covers Entra ID misses the on-premises AD attack paths that attackers frequently use as a starting point.
The bottom line
ITDR addresses the identity-layer gap that PAM, IAM, and UEBA tools were not designed to fill: detecting Kerberos attacks, DCSync, lateral movement via credential abuse, and privilege escalation within Active Directory before an attacker reaches Domain Admin. For most enterprises, CrowdStrike Falcon Identity is the strongest choice if you are already in the CrowdStrike ecosystem. Silverfort is the most differentiated option if service account visibility and MFA enforcement on legacy protocols are priorities. Microsoft Entra ID Protection is sufficient for pure cloud environments but misses on-premises AD attack paths. Evaluate ITDR tools specifically on DC coverage depth, hybrid AD/Entra support, and attack path visualization quality.
Frequently asked questions
What is identity threat detection and response (ITDR)?
ITDR is a security discipline that monitors identity infrastructure — Active Directory, Entra ID, Kerberos, and service accounts — for attack patterns that use legitimate credentials to move laterally, escalate privileges, or establish persistence. It detects techniques like Kerberoasting, DCSync, pass-the-hash, and Golden Ticket attacks that IAM and PAM tools are not designed to catch.
How is ITDR different from PAM?
PAM manages and vaults privileged credentials, controls privileged sessions, and enforces least privilege for known privileged accounts. ITDR detects attacks against the identity infrastructure itself, including attacks that bypass the PAM vault entirely by compromising credentials that were never vaulted — service accounts, standard domain accounts used for Kerberoasting, and the AD replication mechanism used by DCSync. ITDR and PAM are complementary, not competing.
What is Kerberoasting and how does ITDR detect it?
Kerberoasting is an AD attack technique where an attacker with any valid domain account requests Kerberos service tickets (TGS) for accounts associated with Service Principal Names (SPNs), then cracks those tickets offline to recover the service account password. ITDR detects Kerberoasting by monitoring for anomalous TGS request patterns: a high volume of requests from a single host, requests for RC4-encrypted tickets, or requests originating from hosts that do not normally interact with those services.
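An added example (not the article's or any vendor's code) of the detection heuristics the answer above describes, run over constructed Windows Security event 4769 (TGS request) records: many distinct service accounts requested from one host in a short window, and tickets issued with RC4-HMAC (etype 0x17). The threshold and window are assumed baselines to tune per environment.

```python
"""Minimal Kerberoasting detector over constructed 4769 TGS-request events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC in event 4769
SPN_THRESHOLD = 5          # distinct service accounts per host per window (assumed baseline)
WINDOW = timedelta(seconds=60)

# Constructed sample events: (time, requesting host IpAddress, TargetUserName, etype).
# 10.0.0.5 is a normal app server; 10.0.0.77 sweeps several SPN accounts with RC4.
EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.5",  "svc_sql",    "0x12"),
    ("2024-05-01T09:05:00", "10.0.0.5",  "svc_sql",    "0x12"),
    ("2024-05-01T09:10:00", "10.0.0.77", "svc_sql",    RC4_HMAC),
    ("2024-05-01T09:10:02", "10.0.0.77", "svc_web",    RC4_HMAC),
    ("2024-05-01T09:10:03", "10.0.0.77", "svc_backup", RC4_HMAC),
    ("2024-05-01T09:10:04", "10.0.0.77", "svc_iis",    RC4_HMAC),
    ("2024-05-01T09:10:05", "10.0.0.77", "svc_sccm",   RC4_HMAC),
]


def detect_kerberoasting(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return {host: {"severity", "reasons"}} for hosts whose TGS requests look like roasting."""
    by_host = defaultdict(list)
    for ts, host, account, etype in events:
        by_host[host].append((datetime.fromisoformat(ts), account, etype))
    findings = {}
    for host, reqs in by_host.items():
        reqs.sort()
        rc4_accounts = sorted({a for _, a, e in reqs if e == RC4_HMAC})
        # Sliding window: most distinct service accounts requested within `window`.
        peak, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            peak = max(peak, len({a for _, a, _ in reqs[start:end + 1]}))
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} distinct SPN accounts within {window.seconds}s")
        if rc4_accounts:
            reasons.append(f"RC4 tickets for {', '.join(rc4_accounts)}")
        if reasons:
            # Both signals together is the classic roasting profile; either alone is weaker.
            findings[host] = {"severity": "high" if len(reasons) == 2 else "medium",
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, f in detect_kerberoasting(EVENTS).items():
        print(host, f["severity"], "; ".join(f["reasons"]))
```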
Does ITDR work for Entra ID environments?
Yes, all major ITDR vendors support Entra ID coverage. Microsoft Entra ID Protection is the native Microsoft offering. CrowdStrike Falcon Identity Protection, Vectra AI Identity, and Silverfort all provide Entra ID visibility via Microsoft Graph API integration. For hybrid environments, verify that your chosen ITDR tool covers both on-premises AD and Entra ID — some tools cover only cloud identity and miss the on-premises attack paths attackers frequently use as a starting point.
What should I look for when evaluating ITDR tools?
Evaluate on: (1) DC coverage depth — does it require an agent on domain controllers or operate agentless? (2) Hybrid AD and Entra ID coverage — does it cover both planes? (3) Attack path analysis — can it visualize privilege escalation paths to Domain Admin? (4) Service account visibility — does it track all service accounts, not just vaulted ones? (5) Alert fidelity — high-volume low-fidelity alerts on Kerberos events create analyst fatigue; ask for false positive rates in environments similar to yours.
Why are service accounts a priority ITDR concern?
Service accounts are AD accounts used by applications and automated processes rather than humans. They typically have long-lived passwords, elevated privileges, and are rarely monitored for anomalous behavior. Most PAM tools do not vault service accounts. Because service accounts have SPNs registered for them (making them Kerberoastable) and often have elevated permissions, they are a primary target for attackers conducting privilege escalation.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.