What Is Identity Threat Detection & Response (ITDR) and Why Is it Important?

Nov 5, 2025

This blog explores foundational concepts of identity threat detection and response, why it is needed, and how it aligns to Privileged Access Management (PAM) and identity-based security protocols that are becoming increasingly critical to security mandates like zero trust.

Author:
Kyle Benson
Kyle Benson
Sr Director, Product Marketing

What Is Identity Threat Detection & Response (ITDR)?


Identity threat detection and response (ITDR) is a fast-growing security discipline focused on identifying, detecting, preventing, and mitigating identity-related threats. An effective ITDR solution will blend many different cybersecurity toolsets as part of a holistic identity security defense-in-depth approach. ITDR not only strives to proactively improve identity posture and minimize the identity attack surface, but also effectively respond to attacks and other threats in real-time.

ITDR aims to address many of today’s most pressing identity concerns by consolidating data from across the entire identity estate, triangulating this data with various cybersecurity technologies, and offering a cohesive, end-to-end defense against identity-based threats.

Here are some key functions of identity threat detection and response:

  • Map out the entire identity estate across domains, including the accounts, privileges, and entitlements of human, machine, and AI identities.
  • Flag areas with weak security hygiene, and proactively harden identity security posture.
  • Detect suspicious or irregular activity related to identities and initiate responsive actions, such as heightened monitoring, restricted access, session termination, or other mitigations.
  • Incorporate threat intelligence and advanced technologies (AI, ML, etc.) to continuously improve identity security posture.
  • Orchestrate real-time response to identity-based attacks to reduce the impact.

In recent years, ITDR has gained rapid momentum in response to the erosion of the traditional perimeter and the rapid explosion of identities. As human and non-human identities (including IoT and AI agents) have proliferated, we’ve seen a massive increase in identity-related risks (such as unmanaged, misconfigured, or exposed identities).

Today, the combination of identity sprawl and siloed tooling leaves organizations in the dark about how identities obtain and use privilege across domains. ITDR addresses challenges such as these by providing visibility into the entire identity estate, along with facilitating an end-to-end approach for preventing and responding to threats.

Read on for a more in-depth overview of identity threat detection and response, including why it is needed and how it works.

The Rise of Identity-Based Attacks and the Need for ITDR


Identity-based attacks are rising as threat actors target the sprawl of identities and entitlements driven by increased cloud adoption and the explosion of machine identities. For instance, BeyondTrust Phantom Labs™ reported uncovering dormant service accounts with privilege in over 70% of environments.

Additionally, recent IBM X-Force data shows that nearly one in three attacks use valid accounts. This pattern likely emerges because distinguishing between how a legitimate user is leveraging an identity and the misuse of that identity by an unauthorized user is highly difficult without robust ITDR capabilities.

Using several disparate systems and tooling to manage identities creates its own sprawl, blind spots, and gaps that attackers are also able to penetrate. Identity-based attacks may make use of compromised credentials, over-privileged users, and inherited permissions to escalate privileges that cross domains.

Scattered Spider is one prominent example of a recently active threat actor group that often targets identity infrastructure gaps to execute attacks. The group has used social engineering to trick the help desk into disabling MFA, then added its own identity provider to Okta and used that IdP to impersonate users and escalate privileges.

Examples of common cross-domain attack pathways uncovered by BeyondTrust Phantom Labs™ research:

  • Overly permissive Entra Service Principals that create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover
  • Credentials reused across multiple service accounts by human admins, enabling a single compromised password to open up access to numerous non-human accounts
  • Low-privileged users that can escalate to administrative access across Active Directory, Entra, AWS, Okta, and GitHub through hidden privilege escalation paths built on configuration oversights, federation, and synchronization
  • Active Directory Service accounts that bridge on-premises and cloud environments with Active Directory accounts holding privileged Entra roles, creating cross-platform attack vectors
  • Ineffective GitHub repository access management, leading to uncontrolled secrets access and unauthorized access to sensitive code, often accessible through personal GitHub accounts

Organizations also lack an understanding of which users represent the most risk, further complicating prioritization of mitigations.

Identity-based attacks may exploit hidden attack paths that are harder to detect than traditional code-based exploits. The recent explosion of AI agents is multiplying the number of such hidden pathways, and these agentic AI identities operate autonomously and invisibly, often with high and/or indirect privileges.

Even for known identities, there is a lack of understanding around the privileges and entitlements associated with them. This problem is compounded within dynamic environments where new users, systems, and integrations are constantly creating new attack paths on top of existing misconfigurations that can mask the activity of threat actors.

How ITDR Solutions Work


Comprehensive ITDR solutions work to detect identity-based vulnerabilities and threats, then provide rich context to help prioritize and mitigate them. Mitigations might include tightening security controls, identity hardening, or terminating a suspicious session, in the instance of a potential attack.

By focusing on identity signals in real time and understanding the permissions, configurations, and connections between accounts and their entitlements, ITDR can proactively reduce the identity attack surface, while also detecting and responding to ongoing identity threats. Insights offered by ITDR can be used to triage and respond to attacks in progress by identifying:

  • Compromised systems
  • Exposed identities
  • Where those identities can and have been used
  • How to revoke privileges, rotate credentials, and implement other security controls to minimize the blast radius of an attack or exposure

Visualizing Attack Pathways with ITDR

A key element of ITDR is the ability to visualize and respond to privilege pathways: the hidden or indirect paths that could enable an attacker to escalate privileges or move laterally. This idea of detecting threats by visualizing attack pathways isn’t a new concept; tools such as BloodHound already use graph theory to identify weaknesses in Active Directory (AD) configurations. The information from this tool can be used to understand likely paths of lateral movement and privilege escalation, then shut them down to improve Active Directory security.

ITDR uses this concept on a larger scale to understand where the identity attack surface exists across all systems. It can illuminate how an attacker might compromise credentials, privileges, and entitlements to move between on-premises systems into cloud containers and infrastructure. This view into privilege pathways sheds light on the identity attack paths that pose the greatest risk to the business and enables teams to proactively mitigate these risks.

Figure 1: A visualized attack pathway that crosses multiple domains to escalate privilege
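The graph idea described above can be made concrete in a few dozen lines. The example below is added here and is not code from BeyondTrust or from BloodHound: it builds a cross-domain privilege graph from a constructed edge list (the account names, domains and relationships are invented for illustration), finds the shortest path from every identity to a high-value target with breadth-first search, ranks identities by how few hops they are from that target, and counts which single edge sits on the most paths, which is the misconfiguration a defender should remove first.

```python
from collections import Counter, deque

# Constructed sample privilege graph (not real data). Each edge reads
# "whoever holds `src` can obtain `dst`" via the stated relationship.
# Node names are prefixed with the domain they live in (ad:, entra:, aws:, github:).
SAMPLE_EDGES = [
    ("ad:user:jdoe",            "ad:svc:sql-backup",       "reused password"),
    ("ad:svc:sql-backup",       "entra:user:sql-backup",   "directory synchronization"),
    ("entra:user:sql-backup",   "entra:app:hr-connector",  "application owner"),
    ("entra:app:hr-connector",  "entra:role:global-admin", "excessive API permission"),
    ("ad:user:jdoe",            "aws:role:developer",      "SAML federation"),
    ("aws:role:developer",      "github:org:admin",        "token stored in CI variables"),
    ("github:org:admin",        "entra:app:hr-connector",  "client secret in repository"),
    ("entra:user:guest-vendor", "entra:role:global-admin", "guest may create subscriptions"),
]

# The nodes treated as crown jewels: any path ending here is a privilege pathway.
HIGH_VALUE = {"entra:role:global-admin"}


def build_graph(edges):
    """Adjacency map: src -> list of (dst, relationship)."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, targets):
    """Breadth-first search from `start` to any node in `targets`.
    Returns the hops as (src, dst, relationship) tuples, or None if unreachable."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            hops = []
            while parents[node] is not None:
                prev, rel = parents[node]
                hops.append((prev, node, rel))
                node = prev
            return hops[::-1]
        for nxt, rel in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def rank_exposures(edges, targets=HIGH_VALUE):
    """Shortest path from every non-target identity to a high-value target,
    ranked shortest first (fewer hops means less attacker effort, so higher risk)."""
    graph = build_graph(edges)
    findings = []
    for identity in graph:
        if identity in targets:
            continue
        path = shortest_path(graph, identity, targets)
        if path:
            findings.append((identity, path))
    findings.sort(key=lambda f: (len(f[1]), f[0]))
    return findings


def domains_crossed(path):
    """Distinct domains (the prefix before the first ':') touched along a path."""
    domains = []
    for src, dst, _ in path:
        for node in (src, dst):
            domain = node.split(":", 1)[0]
            if domain not in domains:
                domains.append(domain)
    return domains


def choke_points(edges, targets=HIGH_VALUE):
    """How many shortest paths run through each edge. The top edge is the single
    misconfiguration whose removal severs the most pathways, so it is fixed first."""
    counts = Counter()
    for _, path in rank_exposures(edges, targets):
        counts.update(path)
    return counts.most_common()


if __name__ == "__main__":
    for identity, path in rank_exposures(SAMPLE_EDGES):
        print(f"{identity}: {len(path)} hop(s), crosses {'/'.join(domains_crossed(path))}")
        for src, dst, rel in path:
            print(f"    {src} -> {dst}  [{rel}]")
    edge, n = choke_points(SAMPLE_EDGES)[0]
    print(f"\nFix first: {edge[0]} -> {edge[1]} [{edge[2]}] (on {n} paths)")
```

On the sample data the ordinary user `ad:user:jdoe` is four hops from Global Admin through two different domain crossings, yet every one of those paths, and every other path in the graph except the guest's, runs through the over-permissioned application edge, which is why that one finding is worth fixing before any of the per-identity ones.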

Technologies that Support ITDR

A key aspect of ITDR, and factor in its effectiveness, is the breadth and depth with which it integrates with identity stores / identity infrastructure (Active Directory, Entra, Okta, Ping, etc.), clouds (AWS, GCP), identity security (IAM, PAM, CIEM, etc.) and other cybersecurity toolsets (SIEM, SOAR, etc.). The richer these integrations, the fuller the context an ITDR solution gains around an organization’s entire identity estate. The better the context, the more effectively it can prioritize and act on mitigations.

Here are a few examples of key technology sets that contribute to ITDR, and how through integration, ITDR also helps improve the effectiveness of these technologies:

  • Identity and Access Management (IAM): ITDR improves identity and access management (IAM) hygiene by detecting various identity vulnerabilities, such as inadequate authentication policies, orphaned accounts, or lack of MFA for a privileged account. It can highlight shortcomings and risks within the joiner-mover-leaver process. ITDR then recommends, or even initiates, mitigation steps related to identity hygiene.
  • Privileged Access Management (PAM): ITDR relies on PAM data intelligence to gain awareness of privileged assets, accounts, and identities, as well as over-privileged accounts, entitlement creep, potential pathways to privileged access, privileged activity, etc. It then analyzes these signals within a broader context. PAM, in turn, can operationalize ITDR findings, such as by deactivating a dormant account uncovered by ITDR, removing standing access, enforcing least privilege, rotating stale or potentially compromised privileged credentials, or even pausing or terminating activity from a potentially compromised or suspicious session.
  • Cloud Infrastructure Entitlement Management (CIEM): ITDR leverages CIEM solutions for cloud permissions and entitlement data. For instance, CIEM solutions could provide insight into how permissions and entitlements are used within various cloud environments. ITDR contributes a dynamic behavioral layer, such as detecting potential entitlement misuses, and initiating mitigation actions via the CIEM capabilities or other tooling.
  • Security Information Event Management (SIEM): ITDR implementations benefit from the increased context provided by other data-rich security intelligence solutions, such as SIEMs. ITDR also amplifies the reach of such existing detection solutions. By bridging the gap between identity administration and SOC, ITDR brings important context that typical threat detection and response solutions don’t normally flag, such as hidden escalation pathways. As a result, SOC teams can better prioritize and respond to anomalous identity behavior with full context.

Protecting Against Cross-Domain Attacks with ITDR


While the examples above shed light on how ITDR can enhance security hygiene and improve response to threats via integrations with various toolsets, an important benefit of ITDR is how it can illuminate and help address vulnerable pathways and complex attacks that cross multiple domains. This is an area where traditional and siloed security instrumentation falls short, leaving organizations at risk from modern attack vectors.

Here are a few real-world examples of threats that cross domains and how ITDR was (or could have been) leveraged to prevent or respond to these identity attack vectors.

1. Entra ID Restless Guests

The BeyondTrust Phantom Labs research team uncovered a threat model related to guest accounts in Entra ID. In this attack pathway, bad actors can either use stolen credentials or an Azure free trial to create their own Entra tenant. If invited into a victim’s tenant as a guest, the bad actor can then access their own home directory (under their complete control), add a new subscription, and set the victim’s directory as the target directory.

From that point, they can use “Owner” level permissions because they have control of their own Entra tenant. With this level of privilege, the attacker can perform a variety of malicious actions such as enumerating root management group admins, altering Azure policies, or creating a new identity in the directory to maintain persistence.

ITDR could help to defend against this type of attack vector within an Azure environment. For instance, an ITDR solution would be able to flag irregularities such as a guest account performing high-privileged actions, even if they were technically “allowed” through the loophole described above.

Additionally, ITDR could support proactive hygiene activities to prevent these types of attack vectors. For instance, it could flag that guest accounts are allowed to create their own subscriptions and recommend the organization block these permissions.

Read more about the Restless Guests attack vector.

2. Okta Breach (2023)

In the 2023 Okta breach, a threat actor obtained stolen credentials associated with a service account that had permissions to make changes to customer support cases. Because the service account was highly privileged, the attacker could use it to obtain session tokens, impersonate users, and hijack legitimate Okta sessions.

ITDR could have flagged this type of identity-centric attack vector based on early signals, such as the service account being used to escalate privileges outside the scope of its normal role. In fact, BeyondTrust’s Identity Security Insights® flagged the suspicious activity early on: it detected an in-house Okta administrator account using one of the stolen session tokens. From there, the ITDR functionality within the platform uncovered that the IP address used was not associated with any prior authentication events or activity, as it normally would be. The team could then take remedial action with other solutions, such as using Password Safe to rotate privileged passwords.

ITDR could have also been used to help with identity hygiene activities that might have prevented the attack from occurring in the first place. For instance, the stolen credentials were vulnerable because an employee had saved them in a personal Google account. An effective ITDR implementation could have located and flagged this vulnerability and then recommended proactive PAM strategies, such as credential obfuscation and rotation, obviating human error in this instance.

Learn more about the Okta attack.
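The detection signals described in the Restless Guests and Okta examples (a guest performing privileged actions, a session used from an IP with no prior authentication history) and the dormant-account anomaly mentioned earlier on the page can all be expressed as simple stateful rules over identity telemetry. The example below is added here and is not BeyondTrust's own detection logic; it replays a constructed event list (accounts, IPs and timestamps are invented), keeps a per-account baseline of IPs seen in authentication events, and emits one finding per privileged event that trips a rule, with the response tier chosen from the count of signals on that event. The 90-day dormancy threshold and the two-tier response mapping are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime

DORMANT_DAYS = 90  # assumed inactivity threshold before an account counts as dormant

# Constructed sample identity telemetry (not real logs), deliberately out of order.
# Fields: ISO timestamp, account, account type, source IP, action, privileged action?
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:00", "okta:admin.alice",   "member",  "198.51.100.7", "login",               False),
    ("2025-10-02T09:05:00", "okta:admin.alice",   "member",  "198.51.100.7", "login",               False),
    ("2025-10-04T11:00:00", "okta:admin.alice",   "member",  "198.51.100.7", "role_assignment",     True),
    ("2025-06-01T08:00:00", "ad:svc-legacy",      "service", "10.0.0.5",     "login",               False),
    ("2025-10-28T14:00:00", "okta:admin.alice",   "member",  "203.0.113.45", "session_token_reuse", True),
    ("2025-10-28T14:03:00", "entra:guest:vendor", "guest",   "203.0.113.45", "subscription_create", True),
    ("2025-10-28T14:10:00", "ad:svc-legacy",      "service", "10.0.0.99",    "group_member_add",    True),
]

# Assumed response tiers: one weak signal earns closer watching; two or more on the
# same event justify cutting the session and rotating whatever it used.
RESPONSE_BY_SIGNAL_COUNT = {1: "heightened monitoring", 2: "terminate session and rotate credentials"}


def evaluate(events, dormant_days=DORMANT_DAYS):
    """Replay events oldest-first with per-account state; return one finding per
    privileged event that trips at least one rule."""
    known_ips = defaultdict(set)  # account -> IPs seen in its prior authentication events
    last_seen = {}                # account -> timestamp of its most recent event
    findings = []
    for ts_str, account, kind, ip, action, privileged in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if privileged:
            rules, details = [], []
            # 1. Privileged use from an IP with no prior authentication history for this account
            if ip not in known_ips[account]:
                rules.append("new_source_ip")
                details.append(f"{ip} absent from prior authentication events")
            # 2. Guest accounts should not be performing privileged actions at all
            if kind == "guest":
                rules.append("guest_privileged_action")
                details.append(f"guest performed {action}")
            # 3. A long-idle account suddenly exercising privilege
            if account in last_seen:
                idle = (ts - last_seen[account]).days
                if idle > dormant_days:
                    rules.append("dormant_account_privilege_use")
                    details.append(f"idle {idle} days before {action}")
            if rules:
                findings.append({
                    "timestamp": ts_str, "account": account, "action": action,
                    "rules": rules, "details": details,
                    "response": RESPONSE_BY_SIGNAL_COUNT[min(len(rules), 2)],
                })
        # Only genuine authentication events extend the known-IP baseline, so an IP
        # that was flagged on a privileged action never silently becomes "known".
        if action == "login":
            known_ips[account].add(ip)
        last_seen[account] = ts
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['account']} {f['action']}: {', '.join(f['rules'])}")
        for d in f["details"]:
            print(f"    - {d}")
        print(f"    => {f['response']}")
```

The admin's `role_assignment` on 4 October produces nothing because it comes from an IP already in the account's authentication baseline, while the same account's token reuse from a fresh IP three weeks later is flagged; the guest and the long-dormant service account each trip two rules and land in the stronger response tier.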

3. A Large State Entity’s Azure Environment

As a third example of ITDR used in the real world, one of BeyondTrust’s customers, a large state entity, uncovered a significant vulnerability when it implemented Identity Security Insights®. The ITDR functionality within the solution uncovered several applications within the customer’s Azure environment that were configured with excessive API permissions.

These misconfigurations opened a direct escalation path that would enable Application Administrators to elevate their privileges to Global Administrator roles. By locating and mitigating this risk via ITDR findings, the organization was able to prevent the potential repercussions of a bad actor discovering and exploiting this privilege pathway first.

Read more about this customer’s success with Identity Security Insights.

BeyondTrust’s Approach to ITDR


BeyondTrust’s approach to ITDR includes our BeyondTrust Pathfinder Platform, which delivers expansive, cross-domain visibility and AI-powered detections and recommendations for securing the identities, accounts, privileges, and entitlements across your entire identity fabric. Pathfinder provides a unified experience and common console with which to manage all BeyondTrust products, while also providing rich integrations and webhooks with third-party tooling such as SIEMs.

Our approach to ITDR also incorporates a cross-domain strategy to identity security, combining PAM, CIEM, and enterprise secrets management into a single platform. We have been recognized as a leader across all of these categories in analyst reports such as the 2025 Gartner® Magic Quadrant™ for PAM, the 2025 KuppingerCole Secrets Management Leadership Radar, the 2025 GigaOm CIEM Radar, the 2025 Forrester PIM Report, 2024 KuppingerCole ITDR Leadership Compass, and more.

The contextual data from across these disciplines directly contributes to unlocking pivotal ITDR capabilities. These integrations also offer simple next steps for directly addressing security findings with proactive controls.

With BeyondTrust ITDR capabilities you can:

  • Leverage AI-based detection capabilities that reveal all human/non-human/AI agent identities, and their associated accounts, privileges, potential escalation paths, and access levels, in context
  • Gain a full picture of identity risk and actionable next steps
  • Implement continuous monitoring of your identity infrastructure, enabling you to respond rapidly to risky configurations and suspicious activities that could indicate attacks.
  • Identify and bring under control unmanaged privileged accounts, credentials, and secrets
  • Identify and eliminate unnecessary privileges, permissions, and entitlements
  • Detect potentially compromised accounts or credentials and make mitigations, such as rotating secrets, pausing or terminating the session, or implementing additional workflows for access
  • Uncover accounts vulnerable to attacks, such as kerberoasting, and perform hardening measures to eliminate or reduce risk
  • Pinpoint anomalies, such as dormant accounts trying to use privileges, and enforce heightened monitoring or restrict access
  • And much more

Holistically view accounts, privileges, potential escalation paths, and access levels in a single view. Get started today with our no-cost identity security risk assessment.

FAQs


ITDR stands for Identity Threat Detection and Response, a cybersecurity discipline that focuses on identifying, detecting, preventing, and mitigating identity-related threats.

An identity threat occurs when attackers exploit weaknesses or misconfigurations within an organization’s identity systems to gain unauthorized access, or to abuse access. These threats often stem from unmanaged, misconfigured, or exposed identities that create hidden access pathways.

Identity-related exposures typically arise from poor visibility and governance across human and non-human identities. Common causes include unused or stale accounts, misaligned group memberships, over-privileged users, and lack of monitoring across hybrid environments. Attackers take advantage of these exposures to escalate privileges and move laterally within systems.

While traditional security monitoring focuses on network traffic or endpoint behavior, ITDR zeroes in on identity-specific risks and attack vectors. It detects when credentials, permissions, or trust relationships are being abused, often before traditional tools recognize an intrusion.

ITDR is important because attackers increasingly “log in” rather than “break in,” making identity systems prime targets. ITDR solutions help organizations proactively uncover identity-based vulnerabilities, monitor for identity abuse, and respond quickly to minimize impact. It is a critical layer in a defense-in-depth strategy.

BeyondTrust delivers ITDR capabilities through our Pathfinder Platform, which integrates our portfolio of privileged access management (PAM) and identity security solutions within it. Through this platform approach, our customers can map direct and indirect privilege pathways, detect abnormal identity activity, and operationalize detections and recommendations to reduce exposure, such as by terminating or pausing a session, rotating passwords / secrets, tightening access, etc.

About the Author


Kyle Benson is a customer-focused Senior Director of Product Marketing at BeyondTrust, driven to make complex cybersecurity technologies easy to understand and value. Kyle has over 30 years of IT and cybersecurity experience and is an author of two For Dummies™ books about Application and Identity Security.
