ITDR vs. EDR: Two different security layers

By Expel team

Last updated: May 22, 2026

ITDR vs. EDR: EDR (endpoint detection and response) monitors process activity, file system changes, memory, and network connections on managed devices. ITDR (identity threat detection and response) monitors authentication events, behavioral patterns, and access activity across identity systems. When attackers operate through cloud services without touching a managed endpoint, EDR has no visibility—ITDR does.

Cloud-only identity attacks—those with no managed endpoint footprint—are among the fastest-growing attack patterns in enterprise environments. (Source: Expel 2026 Annual Threat Report)

Key takeaways

  • EDR monitors managed endpoints; ITDR monitors identity systems—they watch completely different attack surfaces
  • When attackers operate through cloud services and APIs without touching a managed device, EDR has zero telemetry; ITDR still sees the authentication and access activity
  • The two tools have a hard coverage boundary: EDR ends where the managed device ends; ITDR picks up at the authentication layer
  • Modern attacks increasingly cross that boundary—starting at the endpoint and pivoting through identity, or bypassing the endpoint entirely
  • Organizations with strong EDR and no ITDR have excellent endpoint visibility and a structural blind spot on cloud-only and identity-layer attacks


EDR is one of the most mature detection capabilities in enterprise security—monitoring endpoints for malicious process activity, lateral movement via endpoint, and file system manipulation. But EDR has a hard boundary: the managed device. When an attacker authenticates with stolen credentials and operates entirely through cloud applications and APIs, EDR has nothing to report. There’s no process to monitor, no file system change to detect, no network connection on a managed device to flag. This is the detection gap identity threat detection and response (ITDR) was built to close. ITDR and EDR monitor different attack layers—and modern attacks increasingly span both.


What does EDR monitor, and where does it fall short?

EDR agents run on managed endpoints—laptops, servers, workstations—and monitor:

  • Process execution: What processes are running, what spawned them, and what they’re doing
  • File system activity: File creation, modification, deletion, and access patterns
  • Memory: Process injection, credential dumping from LSASS, in-memory malware execution
  • Network connections: Outbound connections from endpoints to external destinations
  • Lateral movement via endpoint: Pass-the-hash, pass-the-ticket, remote code execution on managed devices

EDR excels at detecting attacks with an endpoint footprint: malware execution, credential dumping, ransomware staging, and lateral movement between managed devices.

The limitation is structural: EDR requires an agent on a managed device. When attackers access cloud services, SaaS applications, or cloud IAM systems directly—without first compromising a managed endpoint—EDR has zero visibility. An attacker who phishes credentials, authenticates to Microsoft 365 from an unmanaged device, and pivots to Azure from there produces no EDR telemetry whatsoever.


What does ITDR monitor that EDR can’t? 

ITDR monitors the identity layer—authentication events, access patterns, privilege changes, and behavioral baselines—across cloud IAM, SaaS applications, and on-premises directories. It operates independently of whether a managed endpoint was involved in the attack.

ITDR detection signals that EDR can’t surface:

  • Authentication anomalies from unmanaged or unknown devices
  • Cloud-native attacks operating entirely through APIs (no endpoint footprint)
  • SaaS account compromise with no on-premises or endpoint component
  • Impossible travel detected via authentication geography, not endpoint location
  • Privilege escalation in cloud IAM systems (AWS IAM, Azure Entra ID role assignments)
  • OAuth application abuse (malicious third-party apps granted access to cloud data)
  • MFA bypass via AiTM phishing or push bombing (no malware, no endpoint activity)

Comparison diagram showing EDR monitoring endpoint process and file activity versus ITDR monitoring identity authentication events and behavioral anomalies across cloud and SaaS.


What attack types does each tool detect?


| Attack type | EDR detects? | ITDR detects? |
| --- | --- | --- |
| Malware execution on managed endpoint | ✅ | ❌ |
| Credential dumping | ✅ | Partial (ITDR detects subsequent use) |
| Ransomware staging via endpoint | ✅ | ❌ |
| Pass the hash/pass the ticket | ✅ (on endpoint) | ✅ (at auth layer) |
| Credential stuffing/password spraying | ❌ | ✅ |
| MFA bypass (push bombing, AiTM) | ❌ | ✅ |
| Cloud-only access (no endpoint) | ❌ | ✅ |
| SaaS account compromise | ❌ | ✅ |
| Privilege escalation in cloud IAM | ❌ | ✅ |
| Lateral movement via identity/token | Partial (endpoint pivot only) | ✅ |
| Impossible travel detection | ❌ | ✅ |
| Service account behavioral deviation | ❌ | ✅ |

The pattern is clear: EDR owns endpoint-layer attack detection. ITDR owns identity-layer attack detection. Attacks that span both layers—compromising an endpoint to dump credentials, then using those credentials to attack cloud systems—require both.


The attack chain split: where EDR ends and ITDR begins 

Modern attacks rarely stay in one layer. They start somewhere EDR can see—or somewhere it can’t—and move across the boundary between endpoint and identity. Understanding where that boundary sits is what determines whether your detection stack has a gap.

Attacks that start in EDR’s layer and cross into ITDR’s: An attacker gains a foothold through malware on a managed endpoint. EDR catches the process execution, the memory injection, or the LSASS credential dump. But once the attacker takes those dumped credentials and uses them to authenticate to Azure, Okta, or AWS from a separate device, they’ve crossed the boundary. EDR’s telemetry ends at the endpoint. ITDR picks up the authentication event, detects the anomaly against the account’s behavioral baseline, and surfaces the identity-layer activity that EDR can’t see.

Attacks that start in ITDR’s layer and never touch EDR’s: An attacker phishes credentials through an AiTM proxy. No malware lands on any device. The attacker authenticates to Microsoft 365 from an unmanaged machine, pivots to SharePoint, and exfiltrates data through the browser. EDR has nothing to report—there’s no managed endpoint involved anywhere in the chain. ITDR detects the impossible travel, the new device anomaly, and the anomalous access scope.

Attacks that cross the boundary in both directions: The most sophisticated attacks deliberately move across layers to exploit detection gaps. Attackers who know an organization has strong EDR coverage will deliberately avoid endpoint activity—authenticating through cloud services, operating through browser sessions, and using legitimate SaaS features to move laterally. The boundary between EDR and ITDR is exactly where they operate.

This is why the tools are complementary, not redundant. EDR and ITDR together cover the full attack chain. Separately, each has a hard boundary beyond which it is blind.


The telemetry gap: what EDR logs vs. what ITDR logs 

The structural difference between EDR and ITDR isn’t just what they detect—it’s what they record. Understanding the telemetry each tool produces explains why the two can’t substitute for each other.

What EDR logs:

  • Process creation and termination events (parent/child process trees)
  • File system reads, writes, deletions, and permission changes
  • Registry modifications
  • Network connections initiated from the endpoint (source IP, destination, port, process)
  • Memory access events (process injection, credential access patterns)
  • User account activity on the endpoint (logon events, privilege use on-device)

EDR telemetry is endpoint-centric and process-centric. It answers: what happened on this device, by which process, at what time?

What ITDR logs:

  • Authentication events across cloud IAM, SaaS, and IdP platforms (success, failure, MFA outcome, device, IP, geolocation)
  • Session activity post-authentication (what was accessed, at what volume, from where)
  • Privilege changes (role assignments, group membership changes, permission grants)
  • API calls from service accounts and machine identities (what service, what operation, from where)
  • Identity configuration changes (MFA enrollment, password resets, policy modifications)
  • Behavioral baselines per identity (what’s normal for this account across all the above dimensions)

ITDR telemetry is identity-centric and behavior-centric. It answers: what did this identity do, across which systems, and does that match its historical pattern?

These two telemetry sets don’t overlap; the line between them is a hard boundary. An EDR log of a credential dump tells you credentials were stolen from a device. An ITDR log of an impossible travel event tells you those credentials are now being used by someone in a different country. Neither log alone tells the full story. Together, they do.


Do I need ITDR if I already have EDR?

Yes, for any organization with a meaningful cloud or SaaS footprint. EDR and ITDR have complementary but non-overlapping coverage areas. An organization with best-in-class EDR and no ITDR has excellent endpoint visibility and a structural blind spot on everything that happens through the identity layer without touching a managed device.

The most dangerous modern attacks—cloud account compromise, SaaS-native ransomware, cloud IAM privilege escalation—operate entirely above the endpoint layer. EDR doesn’t see them. Identity-based initial access techniques (phishing, credential stuffing, MFA bypass) don’t require malware and leave no endpoint footprint. These are exactly the attacks ITDR was built to detect.

For organizations with hybrid environments, where some attacks start at the endpoint and pivot to cloud, having both tools enables full-kill-chain visibility that neither provides alone.


How do ITDR and EDR work together?

In a mature SOC, ITDR and EDR provide complementary detection coverage across the endpoint and identity attack surfaces. When an attack crosses both layers, the two tools together tell the full story.

Example: An attacker phishes credentials from a user’s unmanaged personal device (no EDR telemetry), authenticates to the corporate Azure environment (ITDR detects the impossible travel and new device anomaly), pivots to a managed server via RDP using a privileged account (EDR detects the lateral movement and unusual process activity), and attempts to dump credentials from LSASS (EDR detects and blocks).

In this scenario, ITDR surfaces the initial compromise; EDR surfaces the on-premises pivot. Neither tool alone tells the complete attack story. Together, they provide full-kill-chain visibility from the identity-layer entry point to the endpoint-layer lateral movement.
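A worked example, added here and not Expel’s code, of reading the two logs from the telemetry-gap section together and of the cross-layer chain in the scenario above: constructed EDR and ITDR records for one identity, an impossible-travel check over the sign-ins, and a merged timeline. The hostnames, IPs, coordinates and the 1000 km/h speed threshold are assumptions.

```python
# Added example, not Expel's code: correlate constructed EDR and ITDR events for one
# identity into a single cross-layer timeline and flag impossible travel.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample telemetry; coordinates are approximate city centroids.
EDR_EVENTS = [{"ts": "2026-05-01T09:02:00Z", "user": "jdoe", "host": "ws-17",
               "detail": "lsass.exe memory read by procdump.exe"}]
ITDR_EVENTS = [
    {"ts": "2026-05-01T08:40:00Z", "user": "jdoe", "app": "Microsoft 365",
     "ip": "203.0.113.5", "lat": 40.71, "lon": -74.01, "mfa": "pass"},   # New York
    {"ts": "2026-05-01T09:20:00Z", "user": "jdoe", "app": "Azure Portal",
     "ip": "198.51.100.9", "lat": 52.52, "lon": 13.40, "mfa": "pass"},   # Berlin
]
MAX_KMH = 1000.0  # assumed ceiling on plausible travel speed between sign-ins

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dlon = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # great-circle distance in km

def impossible_travel(signins, max_kmh=MAX_KMH):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh,
    returned as (earlier, later, km/h) tuples."""
    by_user, hits = {}, []
    for e in sorted(signins, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    for events in by_user.values():
        for a, b in zip(events, events[1:]):
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((a, b, round(speed)))
    return hits

def cross_layer_timeline(user, edr, itdr):
    """Merge one identity's EDR and ITDR events into a single ordered story."""
    rows = [(parse_ts(e["ts"]), "EDR", f'{e["host"]}: {e["detail"]}')
            for e in edr if e["user"] == user]
    rows += [(parse_ts(e["ts"]), "ITDR", f'{e["app"]} from {e["ip"]} mfa={e["mfa"]}')
             for e in itdr if e["user"] == user]
    return [f"{t.strftime('%H:%M')} [{src}] {msg}" for t, src, msg in sorted(rows)]
```

The merged timeline shows the credential access on the endpoint followed eighteen minutes later by a sign-in from another country, which neither log shows on its own.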

Expel’s MDR services integrate both detection layers—identity telemetry through ITDR and endpoint telemetry through EDR—providing 24×7 analyst-led response across the full attack surface. For more on how Expel’s MDR capability integrates identity detection, see managed detection and response.


Expel’s take

The gap between EDR and ITDR is one of the most consequential coverage gaps in enterprise security right now—and one of the least discussed, because both tools carry the words “detection and response.” EDR excels at exactly what it was designed for: monitoring managed endpoint processes, detecting credential dumping, surfacing lateral movement between devices. But when an attacker uses stolen credentials to authenticate to Azure from an unmanaged device, pivots through Microsoft 365, and exfiltrates data through the browser, EDR has nothing to report—no process to monitor, no managed device in the chain, no endpoint telemetry at all. That entire attack plays out in ITDR’s layer.


Frequently asked questions

What is the difference between ITDR and EDR? 

EDR monitors managed endpoints—process activity, file system changes, memory, and network connections on devices with an installed agent. ITDR monitors the identity layer—authentication events, behavioral patterns, and access activity across cloud IAM, SaaS, and on-premises directories. EDR has no visibility into cloud-only attacks; ITDR has no visibility into endpoint-layer malware execution.

Does EDR detect identity-based attacks? 

Only partially. EDR detects credential dumping from endpoints and lateral movement between managed devices. It can’t detect cloud-only attacks, SaaS account compromise, MFA bypass, credential stuffing, impossible travel, or privilege escalation in cloud IAM systems—all of which require identity-layer behavioral detection.

Do I need ITDR if I already have EDR? 

Yes, for any organization with cloud or SaaS workloads. EDR and ITDR have non-overlapping coverage areas. EDR can’t detect attacks that operate through cloud services without touching a managed endpoint. ITDR fills that gap. Together, they provide full-kill-chain visibility across endpoint and identity attack surfaces.

How do ITDR and EDR work together? 

ITDR surfaces identity-layer initial access: credential stuffing, MFA bypass, cloud account compromise. EDR surfaces the subsequent endpoint-layer activity: lateral movement via RDP, credential dumping, ransomware staging. When attacks cross both layers, ITDR and EDR together tell the complete kill-chain story that neither provides alone.