Identity threat detection and response (ITDR) is a security discipline that monitors identity systems—cloud IAM, SaaS applications, and on-premises directories—for behavioral anomalies that signal credential abuse, privilege escalation, and lateral movement. Unlike IAM governance tools, ITDR detects active attacks in real time and triggers a response.
Key takeaways
- ITDR monitors identity systems—cloud IAM, SaaS, and on-premises directories—for behavioral anomalies that signal active attacks, not just policy violations
- Unlike IAM governance tools, ITDR operates at runtime: detecting attacks during and after authentication, not before it
- The IAM-ITDR gap is where most identity breaches happen—an attacker with valid credentials passes every IAM policy check undetected
- Traditional tools (firewalls, EDR, SIEM) have no per-identity behavioral baseline and can’t detect credential abuse that produces a successful login
- ITDR complements SIEM by feeding enriched, pre-investigated identity alerts that reduce triage volume and improve detection fidelity
Identity is the primary attack surface in enterprise security. Attackers don’t break in—they log in. When credentials are compromised, traditional perimeter and endpoint tools have no visibility into what happens next: which accounts are accessed, which privileges are escalated, which systems are reached. Identity threat detection and response fills that gap, providing the behavioral detection and response layer that IAM governance tools were never designed to deliver. This page covers what ITDR detects, how it differs from IAM, and why it’s become a core component of modern SOC strategy.
What does ITDR detect?
ITDR monitors identity telemetry across cloud IAM, SaaS platforms, and on-premises directories to detect attacks that succeed at the authentication layer. Because these attacks often produce valid-looking log entries—successful MFA, legitimate credentials, expected IP ranges—rule-based tools miss them. ITDR uses behavioral baselines to surface what the logs hide.
The seven attack patterns ITDR is purpose-built to detect:
- Credential stuffing and password spraying: Automated attempts to authenticate with stolen or guessed credentials across accounts
- MFA bypass: Push bombing, adversary-in-the-middle (AiTM) phishing, SIM swapping, and session token theft that circumvent multi-factor controls
- Impossible travel: Authentications from geographically implausible locations within a timeframe no human could achieve
- Privilege escalation: Accounts suddenly granted elevated permissions outside normal change windows or approval workflows
- Lateral movement via identity: Attackers pivoting between systems using stolen tokens, pass-the-hash, or pass-the-ticket techniques
- Shadow admin creation: New accounts or service principals created with elevated permissions, often outside standard provisioning
- Anomalous API access: Service accounts or OAuth tokens accessing resources at unusual times, volumes, or from unexpected locations
How is ITDR different from IAM?
This is the question security teams ask most often—and the distinction is fundamental.
| | IAM | ITDR |
|---|---|---|
| Primary function | Govern who has access | Detect when access is being abused |
| When it acts | Before authentication (provisioning, policy) | During and after authentication (behavioral monitoring) |
| What it monitors | Access rights, roles, policy compliance | Authentication events, behavioral baselines, anomalies |
| Threat response | Not designed for active threat response | Purpose-built for real-time detection and response |
| Blind spots | Compromised valid credentials, post-auth activity | Account provisioning and governance |
IAM tools like Okta, Azure Entra ID, and CyberArk govern identity at rest—who has access to what, under what policies. They’re essential. But they have no mechanism for detecting that a valid, policy-compliant account is being operated by an attacker. ITDR provides that runtime detection layer. The two disciplines are complementary, not competing.
The IAM-ITDR gap is where most identity breaches happen. An attacker with valid credentials passes every IAM policy check. ITDR is the layer that asks: does this behavior match what this account normally does?
Why traditional tools miss identity attacks
Firewalls monitor network perimeters. EDR monitors endpoint processes. SIEM correlates log data from across the environment. None of these tools were built to establish behavioral baselines for individual identities—which is exactly what detecting credential abuse requires.
When an attacker authenticates with a stolen password and valid MFA token, the auth log records a success. The SIEM sees an expected event type. The firewall sees traffic from a known IP. Only a tool with a behavioral baseline for that specific account—what it typically accesses, when, from where, at what volume—can flag the anomaly.
This is the detection gap ITDR closes. For more on how ITDR fits into the broader detection stack, see ITDR vs. SIEM: what’s the difference and do you need both? and ITDR vs. EDR: Two different security layers.
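To make the per-identity baseline concrete (and to show how two of the seven patterns above, impossible travel and anomalous access, fall out of it), here is an added example that is not Expel's code or any product's logic: it learns each account's usual countries and sign-in hours from constructed sign-in records, then flags later successful logins that deviate or that imply travel faster than an assumed 1000 km/h. Every record is a successful authentication, which is the case the text describes a failure-keyed rule missing.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed sign-in records (user, UTC timestamp, country, lat, lon); all are successful logins.
BASELINE = [
    ("alice", "2025-03-03T09:05:00", "US", 47.61, -122.33),
    ("alice", "2025-03-04T08:50:00", "US", 47.61, -122.33),
    ("alice", "2025-03-05T17:30:00", "US", 47.61, -122.33),
    ("bob", "2025-03-03T22:10:00", "DE", 52.52, 13.40),
]
NEW = [
    ("alice", "2025-03-06T09:02:00", "US", 47.61, -122.33),  # normal for alice
    ("alice", "2025-03-06T10:15:00", "NG", 6.52, 3.38),  # valid password + MFA, wrong place
    ("bob", "2025-03-06T22:00:00", "DE", 52.52, 13.40),  # normal for bob
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def build_baselines(events):
    # Per-identity profile: countries and login hours seen, plus the most recent sign-in position.
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "last": None})
    for user, ts, country, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        profile[user]["countries"].add(country)
        profile[user]["hours"].add(when.hour)
        profile[user]["last"] = (when, lat, lon)
    return profile

def detect(baseline_events, new_events, max_speed_kmh=1000.0):
    # Returns (user, timestamp, reason) for successful sign-ins that deviate from the account's baseline.
    profile = build_baselines(baseline_events)
    alerts = []
    for user, ts, country, lat, lon in sorted(new_events, key=lambda e: e[1]):
        when, p, reasons = datetime.fromisoformat(ts), profile[user], []
        if country not in p["countries"]:
            reasons.append(f"new country {country}")
        if when.hour not in p["hours"]:
            reasons.append(f"unusual hour {when.hour:02d}")
        if p["last"]:  # impossible travel: implied speed since this identity's previous sign-in
            prev_when, plat, plon = p["last"]
            hours = (when - prev_when).total_seconds() / 3600
            if hours > 0 and haversine_km(plat, plon, lat, lon) / hours > max_speed_kmh:
                reasons.append("impossible travel")
        p["last"] = (when, lat, lon)
        if reasons:
            alerts.append((user, ts, "; ".join(reasons)))
    return alerts
```

Only alice's second sign-in is returned, with all three reasons attached; a real ITDR product would enrich this further (device, ASN, access volume) before handing it to the SIEM.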
How does ITDR work with a SIEM?
ITDR and SIEM are complementary layers—not alternatives. SIEM aggregates and correlates log data from across the environment: network, endpoint, application, identity. ITDR goes deeper on the identity signal, applying behavioral analytics that SIEM wasn’t designed to perform.
In a mature identity security stack, ITDR feeds enriched, pre-investigated identity alerts into the SIEM or SOAR, reducing the raw volume of identity-related events the SOC has to triage. SIEM provides the correlation context; ITDR provides the identity specificity.
For a full breakdown of how the tools compare and when to prioritize each, see ITDR vs. SIEM.
Why is ITDR important for cloud security?
Cloud environments have fundamentally changed the identity attack surface. Where on-premises environments had a relatively bounded set of identity systems—Active Directory, VPN—modern enterprises run identity across dozens of cloud services: AWS IAM, Azure Entra ID, GCP IAM, Okta, Salesforce, Microsoft 365, and more.
Each platform has its own authentication events, permission model, and audit logs. Attackers exploit the gaps between them—authenticating through a less-monitored SaaS application to pivot toward a cloud environment with more sensitive data. ITDR that spans cloud, SaaS, and on-premises identity telemetry closes those gaps.
For the full picture of identity security in multi-cloud deployments, see how to secure identities in multi-cloud environments.
Expel’s take
The most common mistake we see organizations make with identity security is assuming that IAM governance—Okta policies, Entra conditional access, well-configured MFA—is the same as identity threat detection. It isn’t. In 2025, 68.6% of all incidents Expel’s SOC investigated involved identity, and the vast majority succeeded not because IAM controls were missing, but because the attacker had valid credentials that satisfied every policy check. The IAM-ITDR gap is where most identity breaches actually happen: valid credentials pass every governance check undetected until behavioral anomalies surface the attack.
Frequently asked questions
What is the difference between ITDR and IAM?
IAM governs who has access to what—provisioning accounts, enforcing policies, managing roles. ITDR detects when valid access is being abused in real time. IAM operates before authentication; ITDR operates during and after it. They’re complementary: IAM controls access, ITDR detects when that access is weaponized by an attacker with stolen credentials.
What does ITDR detect?
ITDR detects behavioral anomalies in identity systems that signal active attacks: credential stuffing, MFA bypass techniques (push bombing, AiTM phishing, session hijacking), impossible travel, privilege escalation, lateral movement via stolen tokens, shadow admin account creation, and anomalous API or service account activity.
Why is ITDR important for cloud security?
Cloud environments multiply the identity attack surface across dozens of IAM systems—AWS, Azure, Google Cloud, Okta, SaaS applications. Each has separate auth events and audit logs. Attackers exploit the visibility gaps between them. ITDR that spans cloud and SaaS identity telemetry detects attacks that single-platform tools miss.
How does ITDR work with a SIEM?
ITDR and SIEM are complementary. SIEM correlates broad log data across the environment; ITDR applies behavioral analytics specifically to identity telemetry. In practice, ITDR feeds enriched, pre-investigated identity alerts into the SIEM or SOAR, reducing triage volume and improving detection fidelity on identity-layer attacks.
What is ITDR in cybersecurity?
ITDR—identity threat detection and response—is the security discipline focused on detecting and responding to attacks that target identity systems: compromised credentials, MFA bypass, privilege escalation, and lateral movement. It complements IAM governance and SIEM by providing behavioral detection specifically tuned to identity attack patterns.