← All terms
Identity Threat Detection and Response (ITDR)

What is Identity Threat Detection and Response (ITDR)?

ITDR is the practice of detecting and responding to attacks on identities — credential theft, account takeover, and privilege abuse — across identity systems.

Last updated: 13 July 2026

How ITDR works

ITDR treats the identity infrastructure itself — directories, identity providers, and authentication flows — as an attack surface to be monitored. It collects sign-in events, directory changes, and permission modifications, then analyzes them for the patterns that precede or accompany identity attacks.

Typical detections include impossible travel, where one account signs in from two distant locations within an implausible window; brute-force and password-spray patterns; sign-ins from new or unmanaged devices; MFA fatigue attacks that bombard a user with push prompts; sudden privilege escalations; and suspicious changes to federation or MFA settings.

The response side turns detection into containment: forcing re-authentication or step-up verification, revoking active sessions and tokens, disabling the account, and alerting security teams with the context needed to investigate.

Why ITDR matters

Identity has become the most common initial access vector. Stolen credentials, phishing, and MFA bypass feature in a large share of modern breaches, and once an attacker signs in with valid credentials, traditional network and endpoint tools see legitimate-looking activity. The malicious behavior is visible only in identity telemetry — where the sign-in came from, on what device, and what the account did next.

Preventive controls such as MFA and conditional access raise the cost of attack but do not eliminate it; adversary-in-the-middle phishing kits and session token theft demonstrate that determined attackers get through. ITDR provides the detection layer for exactly those cases.

It also protects the identity infrastructure itself: tampering with federation settings, registering rogue MFA methods, or creating backdoor admin accounts are high-impact techniques that only identity-focused monitoring reliably catches.

Building ITDR capability in practice

A practical starting point is hygiene: knowing which accounts are privileged, removing dormant ones, and ensuring identity systems produce complete logs. Detection is only as good as the telemetry beneath it.

Next, centralize sign-in and directory events, enable the identity-attack detections available in existing tools, and define response playbooks in advance — which alerts justify killing sessions, which require disabling accounts, and who decides. Automating the first containment step, such as forcing step-up verification on a risky sign-in, buys time without waiting for an analyst. Regular tabletop exercises against scenarios like account takeover keep the playbooks honest.

Identity providers contribute useful signals to this picture; platforms like Monosign surface events such as new-device sign-ins, impossible travel, and brute-force attempts that can feed an ITDR workflow.

Frequently asked questions

How is ITDR different from EDR or SIEM?
EDR watches endpoints and SIEM aggregates logs from everywhere, but neither specializes in the identity layer. ITDR focuses specifically on identity systems and attack patterns like credential misuse, token theft, and directory tampering. In practice ITDR complements both, often feeding its detections into the SIEM.
What is an impossible travel detection?
It flags an account that signs in from two locations too far apart to travel between in the elapsed time — for example, Istanbul and Singapore within an hour. It usually indicates credential compromise or proxy use, and is a classic trigger for step-up verification or session revocation.
Do small organizations need ITDR?
The threats apply at every size — credential theft does not discriminate. Small teams rarely need a dedicated ITDR product, though: enabling the identity-protection detections built into their existing identity provider and defining a simple response playbook covers the most likely scenarios.