What Is Identity Threat Detection & Response (ITDR) and Why Is it Important?

What Is Identity Threat Detection & Response (ITDR)?
Identity threat detection and response (ITDR) is a fast-growing security discipline focused on identifying, detecting, preventing, and mitigating identity-related threats. An effective ITDR solution blends many different cybersecurity toolsets as part of a holistic, defense-in-depth approach to identity security. ITDR strives not only to proactively improve identity posture and minimize the identity attack surface, but also to respond effectively to attacks and other threats in real time.
ITDR aims to address many of today’s most pressing identity concerns by consolidating data from across the entire identity estate, triangulating this data with various cybersecurity technologies, and offering a cohesive, end-to-end defense against identity-based threats.
Here are some key functions of identity threat detection and response:
Map out the entire identity estate across domains, including the accounts, privileges, and entitlements of human, machine, and AI identities.
Flag areas with weak security hygiene, and proactively harden identity security posture.
Detect suspicious or irregular activity related to identities and initiate responsive actions, such as heightened monitoring, restricted access, session termination, or other mitigations.
Incorporate threat intelligence and advanced technologies (AI, ML, etc.) to continuously improve identity security posture.
Orchestrate real-time response to identity-based attacks to reduce the impact.
In recent years, ITDR has gained rapid momentum in response to the erosion of the traditional perimeter and the rapid explosion of identities. As human and non-human identities (including IoT and AI agents) have proliferated, we’ve seen a massive increase in identity-related risks (such as unmanaged, misconfigured, or exposed identities).
Today, the combination of identity sprawl and siloed tooling leaves organizations in the dark about how identities obtain and use privilege across domains. ITDR addresses challenges such as these by providing visibility into the entire identity estate, along with facilitating an end-to-end approach for preventing and responding to threats.
Read on for a more in-depth overview of identity threat detection and response, including why it is needed and how it works.
The Rise of Identity-Based Attacks and the Need for ITDR
Identity-based attacks are rising as threat actors target the sprawl of identities and entitlements driven by increased cloud adoption and the explosion of machine identities. For instance, BeyondTrust Phantom Labs™ reported uncovering dormant service accounts with privilege in over 70% of environments.
Additionally, recent IBM X-Force data shows that nearly one in three attacks use valid accounts. This pattern likely emerges because distinguishing between how a legitimate user is leveraging an identity and the misuse of that identity by an unauthorized user is highly difficult without robust ITDR capabilities.
Using several disparate systems and tooling to manage identities creates its own sprawl, blind spots, and gaps that attackers are also able to penetrate. Identity-based attacks may make use of compromised credentials, over-privileged users, and inherited permissions to escalate privileges that cross domains.
Scattered Spider is one prominent example of a recently active threat actor group that often targets gaps in identity infrastructure to execute attacks. The group has used social engineering to trick the help desk into disabling MFA, then added its own identity provider (IdP) to Okta and used that IdP to impersonate users and escalate privileges.
Examples of common cross-domain attack pathways uncovered by BeyondTrust Phantom Labs™ research:
Overly permissive Entra Service Principals that create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover
Credentials reused across multiple service accounts by human admins, enabling a single compromised password to open up access to numerous non-human accounts
Low-privileged users that can escalate to administrative access across Active Directory, Entra, AWS, Okta, and GitHub through hidden privilege escalation paths built on configuration oversights, federation, and synchronization
Active Directory service accounts that bridge on-premises and cloud environments by holding privileged Entra roles, creating cross-platform attack vectors
Ineffective GitHub repository access management, leading to uncontrolled secrets access and unauthorized access to sensitive code, often accessible through personal GitHub accounts
Organizations also lack an understanding of which users represent the most risk, further complicating prioritization of mitigations.
Identity-based attacks may exploit hidden attack paths that are harder to detect than traditional code-based exploits. The recent explosion of AI agents is multiplying the number of such hidden pathways, and these agentic AI identities operate autonomously and invisibly, often with high and/or indirect privileges.
Even for known identities, there is a lack of understanding around the privileges and entitlements associated with them. This problem is compounded within dynamic environments where new users, systems, and integrations are constantly creating new attack paths on top of existing misconfigurations that can mask the activity of threat actors.
How ITDR Solutions Work
Comprehensive ITDR solutions work to detect identity-based vulnerabilities and threats, then provide rich context to help prioritize and mitigate them. Mitigations might include tightening security controls, hardening identities, or, in the case of a potential attack, terminating a suspicious session.
By focusing on identity signals in real time and understanding the permissions, configurations, and connections between accounts and their entitlements, ITDR can proactively reduce the identity attack surface, while also detecting and responding to ongoing identity threats. Insights offered by ITDR can be used to triage and respond to attacks in progress by identifying:
Compromised systems
Exposed identities
Where those identities can be, and have been, used
How to revoke privileges, rotate credentials, and implement other security controls to minimize the blast radius of an attack or exposure
Visualizing Attack Pathways with ITDR
A key element of ITDR is the ability to visualize and respond to privilege pathways: the hidden or indirect paths that could enable an attacker to escalate privileges or move laterally. This idea of detecting threats by visualizing attack pathways isn’t a new concept; tools such as BloodHound already use graph theory to identify weaknesses in Active Directory (AD) configurations. The information from this tool can be used to understand likely paths of lateral movement and privilege escalation, then shut them down to improve Active Directory security.
ITDR uses this concept on a larger scale to understand where the identity attack surface exists across all systems. It can illuminate how an attacker might compromise credentials, privileges, and entitlements to move between on-premises systems into cloud containers and infrastructure. This view into privilege pathways sheds light on the identity attack paths that pose the greatest risk to the business and enables teams to proactively mitigate these risks.
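The graph idea above, carried across domains rather than inside Active Directory alone, as an added example that is not BeyondTrust's or BloodHound's code. Identities, groups, roles, service principals and repositories are nodes; each relationship an attacker could traverse is a directed edge tagged with the domain it lives in. The inventory, the relationship names and the starting identities are all constructed, and the "choke point" scoring (which single relationship sits on the most paths to the target) is this example's own prioritization heuristic, not a method the page describes.

```python
"""Cross-domain privilege pathway discovery.

Added example, not BeyondTrust's or BloodHound's code. Enumerates paths from
low-privileged identities to a high-value target across AD, Entra, AWS and
GitHub, then counts how many paths each edge carries so a defender knows which
relationship to remove first. All names below are constructed.
"""
from collections import defaultdict

# Constructed inventory: (source, relationship, target, domain). It mirrors the
# pathway types discussed in the text: an on-prem group that can reset a synced
# service account, an Application Administrator who can add credentials to a
# service principal with role-management rights, and a password a human admin
# reused across AWS and GitHub service accounts that ends at the same principal.
EDGES = [
    ("ad:alice",            "MemberOf",        "ad:HelpDesk",              "AD"),
    ("ad:HelpDesk",         "ResetPassword",   "ad:svc-sync",              "AD"),
    ("ad:svc-sync",         "SyncedTo",        "entra:svc-sync",           "Entra"),
    ("entra:svc-sync",      "HasRole",         "entra:AppAdmin",           "Entra"),
    ("entra:AppAdmin",      "AddCredentialTo", "entra:sp-automation",      "Entra"),
    ("entra:sp-automation", "HasPermission",   "entra:RoleMgmt.ReadWrite", "Entra"),
    ("entra:RoleMgmt.ReadWrite", "CanAssign",  "entra:GlobalAdmin",        "Entra"),
    ("ad:bob",              "MemberOf",        "ad:DevOps",                "AD"),
    ("ad:DevOps",           "KnowsPassword",   "aws:svc-deploy",           "AWS"),
    ("aws:svc-deploy",      "SameSecretAs",    "github:svc-ci",            "GitHub"),
    ("github:svc-ci",       "PushesTo",        "github:infra-repo",        "GitHub"),
    ("github:infra-repo",   "StoresSecretFor", "entra:sp-automation",      "Entra"),
]
TARGET = "entra:GlobalAdmin"
STARTS = ["ad:alice", "ad:bob"]   # low-privileged identities to start from


def build_graph(edges):
    """Adjacency list keyed by source node; each entry is the full edge tuple."""
    graph = defaultdict(list)
    for src, rel, dst, domain in edges:
        graph[src].append((src, rel, dst, domain))
    return graph


def find_paths(graph, start, target, max_depth=8):
    """Enumerate simple (cycle-free) paths from start to target with a bounded DFS."""
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for edge in graph.get(node, []):
            dst = edge[2]
            if dst in seen:
                continue
            seen.add(dst)
            path.append(edge)
            walk(dst, path, seen)
            path.pop()
            seen.discard(dst)

    walk(start, [], {start})
    return paths


def domains_crossed(path):
    """Sorted list of domains a path passes through."""
    return sorted({edge[3] for edge in path})


def choke_points(graph, starts, target):
    """Edges ordered by how many start->target paths pass through them."""
    counts = defaultdict(int)
    for start in starts:
        for path in find_paths(graph, start, target):
            for edge in path:
                counts[edge] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def paths_after_removing(edges, removed, starts, target):
    """Re-run discovery without one relationship to measure the effect of a fix."""
    graph = build_graph([e for e in edges if e != removed])
    return sum(len(find_paths(graph, s, target)) for s in starts)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for start in STARTS:
        for path in find_paths(graph, start, TARGET):
            hops = " ".join(f"{e[0]} -[{e[1]}]->" for e in path) + f" {TARGET}"
            print(f"{start}: {len(path)} hops across {domains_crossed(path)}\n  {hops}")
    top_edge, n = choke_points(graph, STARTS, TARGET)[0]
    remaining = paths_after_removing(EDGES, top_edge, STARTS, TARGET)
    print(f"removing {top_edge[1]} on {top_edge[0]} -> {top_edge[2]} (on {n} paths) "
          f"leaves {remaining} paths")
```

Both constructed starting identities reach Global Admin in seven hops, one through AD and Entra only and one through AD, AWS, GitHub and Entra; the two paths converge on the service principal's role-management permission, so removing that single relationship closes both, which is the kind of prioritization the pathway view is meant to support.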

Technologies that Support ITDR
A key aspect of ITDR, and factor in its effectiveness, is the breadth and depth with which it integrates with identity stores / identity infrastructure (Active Directory, Entra, Okta, Ping, etc.), clouds (AWS, GCP), identity security (IAM, PAM, CIEM, etc.) and other cybersecurity toolsets (SIEM, SOAR, etc.). The richer these integrations, the fuller the context an ITDR solution gains around an organization’s entire identity estate. The better the context, the more effectively it can prioritize and act on mitigations.
Here are a few examples of key technology sets that contribute to ITDR, and how through integration, ITDR also helps improve the effectiveness of these technologies:
Identity and Access Management (IAM): ITDR improves identity and access management (IAM) hygiene by detecting various identity vulnerabilities, such as inadequate authentication policies, orphaned accounts, or lack of MFA for a privileged account. It can highlight shortcomings and risks within the joiner-mover-leaver process. ITDR then recommends, or even initiates, mitigation steps related to identity hygiene.
Privileged Access Management (PAM): ITDR relies on PAM data intelligence to gain awareness of privileged assets, accounts, and identities, as well as over-privileged accounts, entitlement creep, potential pathways to privileged access, privileged activity, etc. It then analyzes these signals within a broader context. PAM, in turn, can operationalize ITDR findings, such as by deactivating a dormant account uncovered by ITDR, removing standing access, enforcing least privilege, rotating stale or potentially compromised privileged credentials, or even pausing or terminating activity from a potentially compromised or suspicious session.
Cloud Infrastructure Entitlement Management (CIEM): ITDR leverages CIEM solutions for cloud permissions and entitlement data. For instance, CIEM solutions could provide insight into how permissions and entitlements are used within various cloud environments. ITDR contributes a dynamic behavioral layer, such as detecting potential entitlement misuses, and initiating mitigation actions via the CIEM capabilities or other tooling.
Security Information and Event Management (SIEM): ITDR implementations benefit from the increased context provided by other data-rich security intelligence solutions, such as SIEMs. ITDR also amplifies the reach of such existing detection solutions. By bridging the gap between identity administration and the SOC, ITDR brings important context that typical threat detection and response solutions don’t normally flag, such as hidden escalation pathways. As a result, SOC teams can better prioritize and respond to anomalous identity behavior with full context.
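The hygiene checks the IAM and PAM items above describe (orphaned accounts, missing MFA on a privileged account, dormant privileged accounts), together with the credential-reuse and dormant-service-account findings reported earlier on the page and the Kerberoast exposure it lists later among hardening targets, as an added example that is not BeyondTrust's code. The account data model, its field names, the 90-day and 365-day thresholds, the severity weights and every account in the inventory are constructed for illustration; in practice these fields would be populated from the directory, the IAM policy and the PAM vault.

```python
"""Identity hygiene checks over an account inventory.

Added example, not BeyondTrust's code. Runs posture checks across an inventory
an ITDR solution would assemble from IAM, PAM and the directory, and scores the
findings so the riskiest identities surface first. Field names, thresholds and
all account data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                     # "human" or "service"
    privileged: bool
    enabled: bool = True
    mfa: bool = False
    days_since_logon: int = 0
    password_age_days: int = 0
    has_spn: bool = False         # Kerberos service principal name registered
    owner: Optional[str] = None   # responsible human, for service accounts
    cred_fingerprint: Optional[str] = None  # hash of the stored secret, from the vault


SEVERITY = {"high": 3, "medium": 2}

INVENTORY = [  # constructed
    Account("alice", "human", privileged=True, mfa=True, days_since_logon=2),
    Account("bob", "human", privileged=True, mfa=False, days_since_logon=5),
    Account("carol", "human", privileged=False, mfa=True, days_since_logon=1),
    Account("dave", "human", privileged=True, mfa=True, enabled=False),
    Account("svc-backup", "service", privileged=True, days_since_logon=200,
            password_age_days=800, has_spn=True, owner="dave", cred_fingerprint="f1"),
    Account("svc-report", "service", privileged=False, days_since_logon=1,
            password_age_days=30, owner="alice", cred_fingerprint="f1"),
    Account("svc-sql", "service", privileged=True, days_since_logon=1,
            password_age_days=400, has_spn=True, owner="alice", cred_fingerprint="f2"),
]


def check_inventory(accounts, dormant_days=90, stale_pw_days=365):
    """Return (account, severity, issue, mitigation) tuples for enabled accounts."""
    findings = []
    active_humans = {a.name for a in accounts if a.kind == "human" and a.enabled}
    by_fingerprint = defaultdict(list)   # same secret stored for several accounts
    for a in accounts:
        if a.cred_fingerprint:
            by_fingerprint[a.cred_fingerprint].append(a.name)

    for a in accounts:
        if not a.enabled:
            continue
        if a.kind == "human" and a.privileged and not a.mfa:
            findings.append((a.name, "high", "privileged account without MFA",
                             "enforce MFA through the IAM authentication policy"))
        if a.privileged and a.days_since_logon > dormant_days:
            findings.append((a.name, "high", f"privileged account dormant for {a.days_since_logon} days",
                             "disable it or remove its standing privilege via PAM"))
        if a.kind == "service" and a.owner not in active_humans:
            findings.append((a.name, "medium", "orphaned service account (owner inactive or unknown)",
                             "assign an owner or decommission it through the joiner-mover-leaver process"))
        others = [n for n in by_fingerprint.get(a.cred_fingerprint, []) if n != a.name]
        if others:
            findings.append((a.name, "high", f"credential shared with {', '.join(others)}",
                             "rotate every account involved to a unique vaulted credential"))
        if a.has_spn and a.privileged and a.password_age_days > stale_pw_days:
            findings.append((a.name, "high", "privileged SPN account with a stale password (Kerberoast exposure)",
                             "rotate to a long random password or a group managed service account; drop unneeded privilege"))
    return findings


def risk_ranking(findings):
    """Accounts ordered by summed finding severity, highest risk first."""
    score = defaultdict(int)
    for name, sev, _, _ in findings:
        score[name] += SEVERITY[sev]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = check_inventory(INVENTORY)
    for name, score in risk_ranking(results):
        print(f"{name}: risk {score}")
        for acct, sev, issue, fix in results:
            if acct == name:
                print(f"  [{sev}] {issue} -> {fix}")
```

In the constructed inventory one dormant, orphaned, credential-sharing SPN account accumulates four findings and outranks every other identity, which is the effect the text describes: the same account data, viewed together rather than in separate IAM, PAM and directory silos, tells the team where to act first.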
Protecting Against Cross-Domain Attacks with ITDR
While the examples above shed light on how ITDR can enhance security hygiene and improve threat response through integrations with various toolsets, an important benefit of ITDR is how it illuminates and helps address vulnerable pathways and complex attacks that cross multiple domains. This is an area where traditional, siloed security instrumentation falls short, leaving organizations exposed to modern attack vectors.
Here are a few real-world examples of threats that cross domains and how ITDR was (or could have been) leveraged to prevent or respond to these identity attack vectors.
1. Entra ID Restless Guests
The BeyondTrust Phantom Labs research team uncovered a threat model related to guest accounts in Entra ID. In this attack pathway, bad actors can either use stolen credentials or an Azure free trial to create their own Entra tenant. If invited into a victim’s tenant as a guest, the bad actor can then access their own home directory (under their complete control), add a new subscription, and set the victim’s directory as the target directory.
From that point, they can use “Owner” level permissions because they have control of their own Entra tenant. With this level of privilege, the attacker can perform a variety of malicious actions such as enumerating root management group admins, altering Azure policies, or creating a new identity in the directory to maintain persistence.
ITDR could help to defend against this type of attack vector within an Azure environment. For instance, an ITDR solution would be able to flag irregularities such as a guest account performing high-privileged actions, even if they were technically “allowed” through the loophole described above.
Additionally, ITDR could support proactive hygiene activities to prevent these types of attack vectors. For instance, it could flag that guest accounts are allowed to create their own subscriptions and recommend the organization block these permissions.
Read more about the Restless Guests attack vector.
2. Okta Breach (2023)
In the 2023 Okta breach, a threat actor obtained stolen credentials associated with a service account that had permissions to make changes to customer support cases. Because the service account was highly privileged, the attacker could use it to obtain session tokens, impersonate users, and hijack legitimate Okta sessions.
ITDR could have flagged this type of identity-centric attack vector, based on early signals such as how the service account was being used to escalate privileges outside the scope of its normal role. In fact, BeyondTrust’s Identity Security Insights® flagged the suspicious activity early on, as it was able to detect an in-house Okta administrator account using one of the stolen session tokens. From there, the ITDR functionality within the platform uncovered that the IP address used was not associated with any prior authentication events or activity (as would normally be expected). The team could then take remedial action with other solutions, such as using Password Safe to rotate privileged passwords.
ITDR could have also been used to help with identity hygiene activities that might have prevented the attack from occurring in the first place. For instance, the stolen credentials were vulnerable because an employee had saved them in a personal Google account. An effective ITDR implementation could have located and flagged this vulnerability and then recommended proactive PAM strategies, such as credential obfuscation and rotation, obviating human error in this instance.
Learn more about the Okta attack.
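The two detections described in the Restless Guests and Okta examples above (a guest identity performing high-privileged actions that the tenant technically allowed, and a session token used from an IP address with no prior authentication history for the account), plus a dormant account suddenly exercising privilege, run over a constructed event stream as an added example that is not BeyondTrust's code. The event schema, the operation names, the identities and addresses, the 90-day dormancy threshold and the recommended responses are all constructed; a real implementation would take the events from the tenant's audit log and the last-activity snapshot from the directory or PAM inventory.

```python
"""Identity threat detection over an event stream.

Added example, not BeyondTrust's code. Each finding carries the response an
ITDR/PAM integration would be asked to take. Action names, identities,
addresses and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed operation names standing in for the tenant's real audit actions.
PRIVILEGED_ACTIONS = {"role.assignment.write", "subscription.create", "user.impersonate"}


@dataclass
class Finding:
    rule: str
    actor: str
    evidence: str
    response: str


class IdentityDetector:
    def __init__(self, directory_last_activity, dormant_days=90):
        # Directory / PAM inventory snapshot taken before the event window: when
        # each account was last seen active. It is deliberately not updated by
        # the stream, so a login right before the privileged action cannot mask
        # the dormancy.
        self.snapshot_last_seen = dict(directory_last_activity)
        self.dormant = timedelta(days=dormant_days)
        self.known_ips = defaultdict(set)   # actor -> IPs from successful logins
        self.session_owner = {}             # session id -> actor it was issued to
        self.reactivated = set()            # dormant accounts already reported

    def process(self, ev):
        findings = []
        ts = datetime.fromisoformat(ev["ts"])
        actor, action, ip, sess = ev["actor"], ev["action"], ev["ip"], ev.get("session")
        is_login = action == "login" and ev.get("outcome") == "success"
        privileged = action in PRIVILEGED_ACTIONS

        # Rule 1: a guest identity performing a privileged operation in the host
        # tenant, even if the configuration technically allowed it.
        if ev.get("actor_type") == "guest" and privileged:
            findings.append(Finding("guest_privileged_action", actor,
                f"guest performed {action}",
                "review guest entitlements; block subscription creation and role assignment by guests"))

        # Rule 2: an issued session token used from an IP the owning account
        # has never authenticated from.
        if sess in self.session_owner:
            owner = self.session_owner[sess]
            if ip not in self.known_ips[owner]:
                findings.append(Finding("session_reuse_unseen_ip", owner,
                    f"session {sess} used from {ip}; owner never authenticated from it",
                    "revoke the session and rotate the account's credentials"))
        elif is_login and sess:
            self.session_owner[sess] = actor

        # Rule 3: an account dormant in the snapshot exercising privilege (reported once).
        last_seen = self.snapshot_last_seen.get(actor)
        if privileged and last_seen and ts - last_seen > self.dormant and actor not in self.reactivated:
            self.reactivated.add(actor)
            findings.append(Finding("dormant_account_privilege_use", actor,
                f"no activity since {last_seen.date()}, then {action}",
                "disable the account or place it under heightened monitoring; rotate its credentials"))

        if is_login:
            self.known_ips[actor].add(ip)   # baseline grows only from real logins
        return findings

    def run(self, events):
        return [f for ev in events for f in self.process(ev)]


SNAPSHOT = {  # constructed directory snapshot: last observed activity per account
    "alice@corp.example": datetime(2024, 5, 1),
    "svc-backup@corp.example": datetime(2023, 11, 15),
    "mallory_external": datetime(2024, 6, 9),
}

EVENTS = [  # constructed audit events, in time order
    {"ts": "2024-06-10T08:00:00", "actor": "alice@corp.example", "actor_type": "member",
     "action": "login", "outcome": "success", "ip": "203.0.113.10", "session": "S1"},
    {"ts": "2024-06-10T08:05:00", "actor": "alice@corp.example", "actor_type": "member",
     "action": "case.view", "ip": "203.0.113.10", "session": "S1"},
    {"ts": "2024-06-10T09:30:00", "actor": "alice@corp.example", "actor_type": "member",
     "action": "user.impersonate", "ip": "198.51.100.77", "session": "S1"},
    {"ts": "2024-06-10T10:00:00", "actor": "mallory_external", "actor_type": "guest",
     "action": "subscription.create", "ip": "192.0.2.5", "session": "S2"},
    {"ts": "2024-06-10T11:00:00", "actor": "svc-backup@corp.example", "actor_type": "service",
     "action": "login", "outcome": "success", "ip": "203.0.113.40", "session": "S3"},
    {"ts": "2024-06-10T11:01:00", "actor": "svc-backup@corp.example", "actor_type": "service",
     "action": "role.assignment.write", "ip": "203.0.113.40", "session": "S3"},
]


def detect(events=EVENTS, snapshot=SNAPSHOT):
    return IdentityDetector(snapshot).run(events)


if __name__ == "__main__":
    for f in detect():
        print(f"[{f.rule}] {f.actor}: {f.evidence} -> {f.response}")
```

The ordinary activity (the first login and the case view, the service account's own login) produces nothing; the three anomalies each produce exactly one finding with the response that the text says PAM integration can operationalize. Note that the token-reuse rule keys on the session's original owner, not on the actor field of the event, which is what lets it catch a token that has left the account holder's hands.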
3. A Large State Entity’s Azure Environment
As a third example of ITDR used in the real world, one of BeyondTrust’s customers, a large state entity, uncovered a significant vulnerability when it implemented Identity Security Insights®. The ITDR functionality within the solution uncovered several applications within the customer’s Azure environment that were configured with excessive API permissions.
These misconfigurations opened a direct escalation path that would enable Application Administrators to elevate their privileges to Global Administrator roles. By locating and mitigating this risk via ITDR findings, the organization was able to prevent the potential repercussions of a bad actor discovering and exploiting this privilege pathway first.
Read more about this customer’s success with Identity Security Insights.
BeyondTrust’s Approach to ITDR
BeyondTrust’s approach to ITDR includes our BeyondTrust Pathfinder Platform, which delivers expansive, cross-domain visibility and AI-powered detections and recommendations for securing the identities, accounts, privileges, and entitlements across your entire identity fabric. Pathfinder provides a unified experience and common console with which to manage all BeyondTrust products, while also providing rich integrations and webhooks with third-party tooling such as SIEMs.
Our approach to ITDR also incorporates a cross-domain strategy to identity security, combining PAM, CIEM, and enterprise secrets management into a single platform. We have been recognized as a leader across all of these categories in analyst reports such as the 2025 Gartner® Magic Quadrant™ for PAM, the 2025 KuppingerCole Secrets Management Leadership Radar, the 2025 GigaOm CIEM Radar, the 2025 Forrester PIM Report, 2024 KuppingerCole ITDR Leadership Compass, and more.
The contextual data from across these disciplines directly contributes to unlocking pivotal ITDR capabilities. These integrations also offer simple next steps for directly addressing security findings with proactive controls.
With BeyondTrust ITDR capabilities you can:
Leverage AI-based detection capabilities that reveal all human/non-human/AI agent identities, and their associated accounts, privileges, potential escalation paths, and access levels, in context
Gain a full picture of identity risk and actionable next steps
Implement continuous monitoring of your identity infrastructure, enabling you to respond rapidly to risky configurations and suspicious activities that could indicate attacks.
Identify and bring under control unmanaged privileged accounts, credentials, and secrets
Identify and eliminate unnecessary privileges, permissions, and entitlements
Detect potentially compromised accounts or credentials and make mitigations, such as rotating secrets, pausing or terminating the session, or implementing additional workflows for access
Uncover accounts vulnerable to attacks, such as kerberoasting, and perform hardening measures to eliminate or reduce risk
Pinpoint anomalies, such as dormant accounts trying to use privileges, and enforce heightened monitoring or restrict access
And much more
Holistically view accounts, privileges, potential escalation paths, and access levels in a single view. Get started today with our no-cost identity security risk assessment.
FAQs
ITDR stands for Identity Threat Detection and Response, a cybersecurity discipline that focuses on identifying, detecting, preventing, and mitigating identity-related threats.
An identity threat occurs when attackers exploit weaknesses or misconfigurations within an organization’s identity systems to gain unauthorized access, or to abuse access. These threats often stem from unmanaged, misconfigured, or exposed identities that create hidden access pathways.
Identity-related exposures typically arise from poor visibility and governance across human and non-human identities. Common causes include unused or stale accounts, misaligned group memberships, over-privileged users, and lack of monitoring across hybrid environments. Attackers take advantage of these exposures to escalate privileges and move laterally within systems.
While traditional security monitoring focuses on network traffic or endpoint behavior, ITDR zeroes in on identity-specific risks and attack vectors. It detects when credentials, permissions, or trust relationships are being abused, often before traditional tools recognize an intrusion.
ITDR is important because attackers increasingly “log in” rather than “break in,” making identity systems prime targets. ITDR solutions help organizations proactively uncover identity-based vulnerabilities, monitor for identity abuse, and respond quickly to minimize impact. It is a critical layer in a defense-in-depth strategy.
BeyondTrust delivers ITDR capabilities through our Pathfinder Platform, which integrates our portfolio of privileged access management (PAM) and identity security solutions within it. Through this platform approach, our customers can map direct and indirect privilege pathways, detect abnormal identity activity, and operationalize detections and recommendations to reduce exposure, such as by terminating or pausing a session, rotating passwords / secrets, tightening access, etc.


