
Identity Threat Detection & Response


Overview

Identity Threat Detection and Response (ITDR) represents a fundamental shift in how organizations defend against modern cyber threats. Rather than relying solely on traditional network perimeter defenses, ITDR adds a dedicated layer of monitoring and response capability specifically focused on identity-based attacks (the vector now responsible for the majority of breaches).

With 1.8 billion credentials compromised in 2025 and 86% of breaches involving stolen or weak passwords, identity has become the primary attack surface for adversaries. ITDR bridges the critical gap between conventional Identity and Access Management (IAM) systems, which control access, and Endpoint Detection and Response (EDR) solutions, which monitor endpoints. It does this by continuously monitoring identity behavior, detecting anomalies that indicate compromise, and orchestrating rapid response.

Why is it so important?

The credential compromise crisis has reached industrial scale. The statistics are sobering and represent a fundamental shift in the attack landscape.

In 2025 alone, infostealer malware harvested 1.8 billion credentials from 5.8 million infected devices (an 800% increase from 2024 levels, when approximately 200 million credentials were compromised). This exponential growth reflects two converging forces: the commoditization of attack tools and the proliferation of infection vectors through phishing, malvertising and trojanized software distribution.

Parallel research found a 160% year-over-year increase in compromised credentials surfacing in 2025 compared to 2024, with major dark web markets maintaining an archive of approximately 13-15 billion stolen credentials. This creates an available inventory of compromised credentials that attackers actively exploit through credential stuffing, brute force attacks, and targeted account takeover operations.

Why Identity-Based Attacks Dominate

Identity-based attacks now account for 86% of all breaches, higher than any other attack vector. The logic is compelling from an attacker's perspective: why spend weeks developing a zero-day exploit or conducting sophisticated social engineering when you can simply purchase a stolen login for dollars and inherit the trust already granted to that legitimate account?

Once inside with valid credentials, attackers bypass most perimeter defenses: authentication systems treat them as authorized users, and traditional endpoint detection often misses their activities because they use legitimate tools and protocols.

Stolen credentials now precede over 50% of ransomware incidents, collapsing the timeline from initial compromise to extortion. Dwell time before detection has historically averaged 292 days, during which attackers establish persistence, escalate privileges, and extract high-value data. Organizations that deploy ITDR and reduce detection time to hours rather than months proportionally reduce the 4.44 million USD average breach cost.

The EDR Blindspot

A critical blind spot exists in the current security stack: traditional Endpoint Detection and Response solutions fail to catch 66% of advanced infostealers. EDR is endpoint-centric, focusing on process execution, file behavior and network connections. When an infostealer silently harvests credentials from a user's browser or password manager and exfiltrates them through normal HTTPS traffic to an attacker-controlled server, EDR may see nothing out of the ordinary. The credentials are compromised on the device (a failure within EDR's domain), but the behavioral indicator of compromise (an attacker later using those credentials from an anomalous location) only appears in identity logs.

Core ITDR Capabilities: What it detects and prevents

ITDR operates across five interconnected capability pillars, each essential for comprehensive identity threat coverage.

  1. Continuous Identity Visibility and Behavior Baselining: Effective ITDR begins with pervasive visibility into all identity-related activities across the entire IT landscape (on-premises, cloud and hybrid environments). This includes:
  • Authentication attempts and login patterns (successful and failed)
  • Privilege changes and access modifications
  • Directory modifications (Active Directory, Entra ID, Okta, OneLogin, JumpCloud, ...)
  • User behavior across applications and systems
  • Non-human identities: service accounts, OAuth tokens, API keys, machine-generated credentials

The system establishes behavioral baselines for each identity by analyzing patterns such as typical login times, geographic locations where access occurs, resources commonly accessed, privilege usage patterns, and frequency of authentication. These baselines account for temporal variations (working hours differ from off-hours, seasonal business variations) and peer group context (a developer's baseline differs from a finance manager's).

  2. Behavioral Analytics and Anomaly Detection (UEBA): User and Entity Behavior Analytics uses machine learning to detect deviations from established baselines. Detection operates across multiple dimensions:
  • Statistical anomalies: Activities that deviate quantitatively from the norm: an administrator who typically logs in 5 times daily attempting 50 failed logins within an hour
  • Contextual anomalies: Activities that deviate in context rather than volume: a user logging in from an unusual geographic location (especially impossible travel: Brussels at 10 AM, then Tokyo at 11 AM); access to resources unrelated to the user's role; privilege escalation by accounts that never previously escalated; unusual access to sensitive systems during off-hours
  • Temporal anomalies: Activities at unexpected times: a junior employee accessing the CFO's financial reports at 3 AM; a service account that normally runs scheduled jobs making interactive logins
  • Peer group comparison: Activities that are abnormal for a user's cohort: an engineer accessing HR systems; a finance manager downloading entire customer databases.

The system assigns risk scores based on context: a sensitive resource accessed by a highly privileged user at 2 AM from an unfamiliar country scores higher than a routine business access. This contextual scoring reduces false positives compared to rule-based detection.
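The baselining, anomaly dimensions and contextual scoring described above, reduced to a runnable toy. This is an added example written for this page, not code from any vendor mentioned here; the events, city coordinates, thresholds and score weights are all constructed and would be learned or tuned in a real deployment.

```python
"""Toy UEBA scorer: an added illustration, not code from any vendor.
A per-user baseline is learned from historical sign-ins; a batch of new events
is then scored on three dimensions: statistical (failed-login burst), contextual
(unfamiliar country, impossible travel) and temporal (off-hours). Privileged
access multiplies the score. All data and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

CITIES = {"Brussels": (50.85, 4.35), "Tokyo": (35.68, 139.69)}  # lat, lon (constructed lookup)
MAX_SPEED_KMH = 1000.0   # faster than an airliner => physically impossible travel
BURST_THRESHOLD = 10     # failed logins within one hour that count as a burst

@dataclass
class Event:
    user: str
    ts: datetime
    city: str
    country: str
    success: bool
    privileged: bool = False   # admin role or sensitive resource involved

@dataclass
class Baseline:
    countries: frozenset = frozenset()
    hour_range: tuple = (0, 23)   # earliest and latest hour of successful logins

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def build_baselines(history):
    """Per-user countries and working-hour range, learned from successful logins only."""
    per_user = defaultdict(list)
    for e in history:
        if e.success:
            per_user[e.user].append(e)
    return {u: Baseline(frozenset(e.country for e in evs),
                        (min(e.ts.hour for e in evs), max(e.ts.hour for e in evs)))
            for u, evs in per_user.items()}

def score_user(baseline, events):
    """Score one user's batch of new events; returns (risk_score, reasons)."""
    events = sorted(events, key=lambda e: e.ts)
    fails = [e for e in events if not e.success]
    succ = [e for e in events if e.success]
    score, reasons = 0, []
    # Statistical: a sliding one-hour window holding BURST_THRESHOLD or more failures.
    for i, first in enumerate(fails):
        n = sum(1 for g in fails[i:] if g.ts - first.ts <= timedelta(hours=1))
        if n >= BURST_THRESHOLD:
            score, reasons = score + 40, reasons + [f"{n} failed logins within one hour"]
            break
    # Contextual: a country never seen in this user's baseline.
    for e in succ:
        if baseline.countries and e.country not in baseline.countries:
            score, reasons = score + 30, reasons + [f"login from unfamiliar country {e.country}"]
            break
    # Contextual: impossible travel between consecutive successful logins.
    for prev, cur in zip(succ, succ[1:]):
        km = haversine_km(CITIES[prev.city], CITIES[cur.city])
        hours = max((cur.ts - prev.ts).total_seconds() / 3600, 1 / 60)
        if km / hours > MAX_SPEED_KMH:
            score, reasons = score + 50, reasons + [f"impossible travel {prev.city}->{cur.city} in {hours:.1f}h"]
            break
    # Temporal: a successful login outside the hours this user normally works.
    lo, hi = baseline.hour_range
    for e in succ:
        if not lo <= e.ts.hour <= hi:
            score, reasons = score + 20, reasons + [f"off-hours login at {e.ts.hour:02d}:00"]
            break
    # Context multiplier: the same anomalies weigh more when privilege is involved.
    if reasons and any(e.privileged for e in events):
        score, reasons = int(score * 1.5), reasons + ["privileged access involved"]
    return score, reasons

# Constructed sample: a week of office-hours logins from Brussels, then an
# impossible-travel pair for alice and a failed-login burst on admin bob at 3 AM.
D = datetime(2025, 11, 3)
HISTORY = [Event("alice", D + timedelta(days=d, hours=h), "Brussels", "BE", True)
           for d in range(5) for h in (9, 13, 17)]
HISTORY += [Event("bob", D + timedelta(days=d, hours=h), "Brussels", "BE", True, privileged=True)
            for d in range(5) for h in (8, 12, 18)]
NEW = [Event("alice", D + timedelta(days=7, hours=10), "Brussels", "BE", True),
       Event("alice", D + timedelta(days=7, hours=11), "Tokyo", "JP", True, privileged=True)]
NEW += [Event("bob", D + timedelta(days=7, hours=3, minutes=m), "Brussels", "BE", False, privileged=True)
        for m in range(50)]

def run(history=HISTORY, new=NEW):
    """Return {user: (score, reasons)} for a batch of new events."""
    baselines = build_baselines(history)
    by_user = defaultdict(list)
    for e in new:
        by_user[e.user].append(e)
    return {u: score_user(baselines.get(u, Baseline()), evs) for u, evs in by_user.items()}
```

With the constructed data, `run()` scores alice at 120 (unfamiliar country plus Brussels-to-Tokyo in one hour, multiplied because the Tokyo session touched a privileged resource) and bob at 60 (50 failures inside one hour on an admin account). The additive weights and the 1.5x privilege multiplier are deliberately simple stand-ins for the contextual scoring the text describes; the point is that each reason is kept alongside the score, so an analyst can see why an alert fired instead of dismissing an opaque number.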

  3. Dark Web Intelligence Integration: Many ITDR solutions include or integrate with dark web monitoring capabilities that continuously scan criminal forums, malware infrastructure, and breach databases for credentials associated with the organization. When an employee's credentials appear for sale on a dark web marketplace, the system immediately alerts and can trigger automated remediation:
  • Immediate password reset enforcement
  • Session termination for all active sessions
  • Temporary account lockdown pending investigation
  • Correlation with other compromised accounts to identify the breach source

This represents a critical shift from reactive breach response (detecting compromise after attackers have moved laterally and exfiltrated data) to proactive prevention (stopping abuse before it begins, sometimes hours or days before the compromised account is even used).

  4. Threat-Specific Detection Patterns: Beyond behavioral anomalies, ITDR implements detection logic for specific attack techniques and threat indicators:
  • Privilege escalation attempts: Unauthorized attempts to gain elevated access, often preceding lateral movement. This includes detection of unusual administrator activity, service account misuse, and Kerberos attack techniques
  • Lateral movement: Detecting when a compromised account or an insider moves between systems. This includes unusual SMB/RDP activity between hosts, unexpected authentication between typically isolated systems, and service account usage patterns deviating from baseline
  • Account takeover indicators: Multiple failed login attempts from the same source; successful logins from impossible locations; unusual application activity following failed authentication attempts; unexpected access from new devices or browsers.
  • Insider threat patterns: Bulk file downloads or email forwarding unrelated to job function; access to systems the user has no business reason to access; unusual privilege changes; creation of new administrative accounts; access to sensitive data minutes before offboarding.
  • OAuth and API abuse: Unusual token refresh patterns; unexpected OAuth application permissions; API calls from unusual geographic locations; service accounts with excessive permission grants; automation integrations accessing data outside their defined scope
  5. Automated and Orchestrated Response: Upon detecting a threat, ITDR enables rapid response through both automated and manual workflows:
  • Immediate automated actions include step-up authentication (requiring MFA for suspicious logins), temporarily blocking or disabling compromised accounts, revoking suspicious sessions or tokens, isolating affected systems, and forcing password resets. These actions can occur in seconds, before an attacker escalates privileges or moves laterally
  • Orchestrated workflows integrate ITDR with incident response frameworks, Security Incident and Event Management (SIEM) platforms, and Security Orchestration, Automation and Response (SOAR) solutions. An ITDR alert can automatically trigger evidence collection, activate incident response playbooks, notify security teams with rich context, and in some cases initiate cross-platform response (EDR isolation of endpoints, network segmentation activation, etc.)
  • Investigation and forensics provide security teams with detailed logs, behavioral context, and guided workflows for manual investigation. Teams can reconstruct attacker actions, identify what data was accessed, and determine the scope of compromise

Positioning Overview

The Microsoft play

Any organization using Entra ID has identity threat detection capabilities available, but the honest assessment is more nuanced than Microsoft's marketing suggests. Microsoft does have ITDR capabilities, but they come with material limitations that often push organizations toward supplementary dedicated solutions.

What Microsoft Offers

Microsoft's ITDR suite comprises several components working in concert: Entra ID (the foundational cloud identity provider), Entra ID Protection (risk-based conditional access), Defender for Identity (specialized detection for on-premises and hybrid AD environments), Microsoft Defender XDR (cross-platform signal correlation), and Microsoft Sentinel (SIEM with UEBA and advanced hunting capabilities).

The positioning is compelling: Microsoft processes over 100 trillion security signals daily, enabling sophisticated threat correlation across identities, endpoints, email and cloud applications. Organizations using primarily Microsoft infrastructure get consolidated identity monitoring within their existing Microsoft 365 subscription, and the unified admin console provides a centralized identity security posture dashboard.

For organizations with Microsoft-centric environments, this integrated approach has genuine value. The June 2025 extension enabling Defender for Identity to monitor Okta identities represents Microsoft's recognition of multi-identity environments, though this capability remains new and less mature than native Entra coverage.

The False Positive Crisis

However, the practical reality is far messier. Microsoft's identity protection components suffer from significant alert fatigue issues that undermine operational effectiveness. In April 2025, Microsoft's MACE Credential Revocation feature generated widespread false positives, flagging accounts with unique, unused passwords as compromised. This wasn't a minor edge case; the incident revealed a systemic validation flaw in how Microsoft detects credential leaks.

Real-world deployments report even higher false positive rates. Security teams investigating alerts from Entra ID Identity Protection consistently find that (in the words of documented practitioners) "except for one, they have all turned out to be false positives." More problematically, alerts appear in weekly digests but cannot be located in the portal when investigated. When escalated to Microsoft Support, organizations discovered that Microsoft intentionally hides these alerts from view despite including them in reports, confirming they are false positives by design rather than actual threats.

This creates the worst operational outcome: alert fatigue leads teams to systematically dismiss Entra ID alerts, which eventually results in missed real threats when a genuine incident occurs. As one security analyst summarized: "It's incredibly frustrating to receive alerts that are consistently inaccurate; eventually, you start to disregard them."

Dark Web Intelligence: Still Building

One of ITDR's critical differentiators is real-time dark web monitoring to detect compromised credentials before they're weaponized. Microsoft has a Password Monitor feature that alerts individual users when their passwords appear in breaches, but this is fundamentally different from the organizational-level dark web intelligence that security teams need. Microsoft is still building comprehensive dark web credential monitoring capabilities at the organization level, which means the infrastructure to detect your employees' credentials being sold on criminal forums remains incomplete.

Dedicated dark web monitoring solutions provide real-time scanning of dark web markets, threat actor forums, and stealer logs; automated organizational response; and direct engagement with criminal infrastructure. They capture exposed credentials within minutes of compromise. Microsoft's offerings don't yet match this maturity.

Positioning Reality

Microsoft positions ITDR as "complementary" to existing IAM and PAM controls, which is telling. ITDR is meant to add detection capability to what IAM manages (access control, provisioning, policy enforcement). This distinction matters: organizations deploying only Entra ID Protection without Defender for Identity plus XDR correlation receive incomplete coverage. The need to assemble multiple Microsoft products (and often still supplement with additional tools) suggests this isn't the unified "one neck to choke" solution the positioning implies.

Kappa Data approach

The Microsoft ITDR gap discussed above creates a legitimate, high-probability selling opportunity for Microsoft partners.

  • Sophos emerges as the strongest ITDR position within the portfolio. Launched in October 2025, it's comprehensive and production-ready, with features that directly address Microsoft's documented gaps: dark web intelligence (80+ posture checks), UEBA and integrated response automation. Unlike Microsoft's fragmented approach, which requires assembling Entra ID Protection, Defender for Identity and XDR, Sophos delivers a cohesive ITDR solution bundled with its MDR service for managed response. This is particularly powerful for midmarket Microsoft partners who lack SOC depth, since they get managed ITDR rather than just tools.
  • WithSecure (France) offers a different but valuable angle: it's purpose-built specifically for detecting compromised Entra ID identities through sophisticated behavioral analysis that learns from real incident response cases. WithSecure Elements Identity Security integrates with Entra ID logs via Event Hub, aggregates all suspicious activity from potentially compromised users into a "Broad Context Detection" that eliminates investigation fragmentation, and enables rapid response (session termination, password reset, MFA enforcement).
  • Barracuda integrates ITDR within BarracudaONE, its broader unified platform. It's less a dedicated ITDR solution and more identity-first security as a component of platform consolidation. It has value for organizations wanting security tool consolidation across email, network and identity, but it's not positioned as a best-in-class ITDR competitor.
  1. Sophos has better dark web intelligence than Microsoft
  2. WithSecure is specifically engineered for Entra ID (Microsoft can't optimize for competition to itself)
  3. One Identity integrates privilege context that Microsoft IAM-focused solutions lack
  4. Barracuda offers platform consolidation (single pane of glass) versus the multi-product assembly Microsoft requires

Message

NIS2 requires 'advanced authentication' and 'continuous monitoring' of identity activity with mandatory incident response (24-72 hour reporting). Microsoft's ITDR doesn't fully satisfy this requirement: dark web monitoring is incomplete, false positive rates hamper investigation speed, and heterogeneous environments create blind spots. Sophos and WithSecure provide comprehensive ITDR that closes these compliance gaps.

If your organization's credentials appear on dark web marketplaces, you have hours to react before attackers use them. Microsoft's dark web monitoring is still in development. Sophos detects compromised credentials in real time and automatically initiates remediation (password resets, session termination) within minutes, not days.

ITDR is a need
  1. Attackers begin exploiting stolen credentials in just 14 minutes: Stolen credentials aren't sitting idle in dark web marketplaces waiting to be discovered. They're being weaponized at industrial scale. Once attackers capture valid credentials and authentication tokens, they begin active exploitation in an average of 14 minutes, creating immediate ransomware deployment or data exfiltration windows.
  • Traditional incident response requires hours or days. Your credentials are being exploited in 14 minutes. ITDR gives you minutes to respond, not hours
  2. 1.8 billion credentials were stolen in 2025 alone, an 800% surge from 2024: The credential compromise crisis has reached industrial proportions. Infostealer malware harvested 1.8 billion credentials from 5.8 million compromised devices in 2025. This inventory of stolen credentials is actively circulating on dark web markets, where threat actors purchase access to organizations at scale through specialized Initial Access Brokers.
  • Your employees' credentials are likely already for sale on dark web markets. The question isn't whether you have stolen credentials in circulation; it's whether you can detect and contain abuse before your data is exfiltrated
  3. Stolen credentials are now the #1 attack vector, causing 292-day detection times: Stolen or weak credentials featured in 86% of breaches in 2025, higher than any other attack vector. Organizations are catastrophically slow at detecting them. Breaches involving stolen credentials take an average of 292 days to detect and contain, compared to the overall average of 241 days
  • You're currently blind to stolen credential abuse. Your average breach involving stolen credentials takes 292 days to detect: 9.5 months of unrestricted attacker access. ITDR reduces that from months to hours
  4. Account takeover attacks surged 389% year-over-year and now represent 50% of all threats: Account compromise surged 389% year-over-year in 2025 and now represents 50% of all observed threats. Account takeover fraud is projected to cost organizations 17 billion USD globally in 2025, up from 13 billion in 2024. In the fintech and financial services sector specifically, ATO incidents surged 122% year-over-year, targeting loyalty rewards, saved payment methods, and sensitive financial data. What makes this worse is that 85% of organizations targeted by credential stuffing attacks already had bot detection in place, yet attackers continued to succeed.
  • Bot detection alone is failing. 85% of compromised organizations had detection in place. Only behavioral ITDR detects account takeover patterns that evade traditional defenses
  5. Ransomware kill chains now start with stolen credentials; over 54% of ransomware cases are preceded by credential theft: The ransomware attack lifecycle has fundamentally shifted from malware-first to identity-first. Over 54% of ransomware incidents now originate from stolen login credentials, with initial access brokers purchasing credential logs and auctioning access to ransomware gangs who then deploy encryption or exfiltrate data.
  • Your ransomware protection is incomplete. 54% of ransomware cases start with stolen credentials months before encryption. ITDR is the earliest detection layer that stops ransomware before it reaches your network

Specifics

Privilege Escalation Detection

Privilege escalation represents the inflection point where a minor breach becomes a major incident. ITDR solutions specifically track suspicious escalations through:

  • Unusual administrative activity (an engineer requesting and receiving admin rights)
  • Group membership changes (addition to sensitive groups like Domain Admins)
  • Kerberos-specific attacks (over-pass-the-hash, Kerberoasting attempts)
  • Service account privilege elevation
  • Unexpected sudo usage or Windows elevation attempts
  • Implicit trust exploitation (compromised service account used to compromise other accounts)

Early detection of escalation attempts can stop lateral movement before it begins.

Lateral Movement Tracking

Once escalated, attackers move laterally to find and exploit high-value targets. ITDR tracks this through:

  • Unusual authentication relationships (accounts authenticating to systems they never access normally)
  • Correlation of authentication events across systems (did this account authenticate to the development server, then the database server, then the backup system within minutes?)
  • Service-to-service authentication chains (did a compromised application service account authenticate to other services to further compromise)
  • Pass-the-hash and credential reuse detection (same credentials authenticated from multiple systems in impossible time sequences)
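The correlation logic behind the bullets above (unusual authentication relationships, multi-system chains within minutes, and the same credential arriving from several source hosts in an impossible sequence), as an added example written for this page rather than any vendor's code. The event tuples, host names, windows and thresholds are constructed; in practice the events would come from domain controller or identity-provider sign-in logs.

```python
"""Lateral-movement correlation over authentication events: an added
illustration, not vendor code. Events are constructed (timestamp, account,
source_host, destination_host) tuples. The baseline is the set of destination
hosts each account normally reaches; the checks flag new relationships, rapid
multi-host chains by one account, and one account used from several source
hosts within a window too short for a single operator."""
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(minutes=10)   # hops within this window form one chain
CHAIN_MIN_HOPS = 3                     # distinct destinations needed to flag a chain
REUSE_WINDOW = timedelta(minutes=2)    # same account from two sources this fast = reuse

def group_by_account(events):
    """Sort events by time and bucket them per account."""
    by_acct = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev[0]):
        by_acct[ev[1]].append(ev)
    return by_acct

def build_relationships(history):
    """account -> set of destination hosts seen during the learning period."""
    rel = defaultdict(set)
    for _, account, _, dst in history:
        rel[account].add(dst)
    return rel

def find_new_relationships(rel, events):
    """Authentications to a host the account has never reached before."""
    return [(ts, account, dst) for ts, account, _, dst in events
            if dst not in rel.get(account, set())]

def find_chains(events):
    """Accounts reaching CHAIN_MIN_HOPS or more distinct hosts within CHAIN_WINDOW."""
    chains = []
    for account, evs in group_by_account(events).items():
        for i, start in enumerate(evs):
            hosts = []
            for ev in evs[i:]:
                if ev[0] - start[0] > CHAIN_WINDOW:
                    break
                if ev[3] not in hosts:
                    hosts.append(ev[3])   # keep hop order for the analyst
            if len(hosts) >= CHAIN_MIN_HOPS:
                chains.append((account, hosts))
                break   # one finding per account is enough for the alert
    return chains

def find_credential_reuse(events):
    """Same account authenticating from different source hosts within REUSE_WINDOW."""
    hits = []
    for account, evs in group_by_account(events).items():
        for a, b in zip(evs, evs[1:]):
            if a[2] != b[2] and b[0] - a[0] <= REUSE_WINDOW:
                hits.append((account, a[2], b[2]))
                break
    return hits

# Constructed data: a week of normal traffic, then one suspicious morning in which
# jsmith hops workstation -> dev -> database -> backup, and the backup service
# account shows up from a workstation one minute after its usual host.
D = datetime(2025, 11, 3)
HISTORY = [(D + timedelta(days=d, hours=2), "svc-backup", "BACKUP01", fs)
           for d in range(7) for fs in ("FS01", "FS02")]
HISTORY += [(D + timedelta(days=d, hours=9), "jsmith", "WS-042", dst)
            for d in range(7) for dst in ("FS01", "MAIL01")]
NEW = [
    (D + timedelta(days=7, hours=10, minutes=0), "jsmith", "WS-042", "FS01"),
    (D + timedelta(days=7, hours=10, minutes=2), "jsmith", "WS-042", "DEV01"),
    (D + timedelta(days=7, hours=10, minutes=5), "jsmith", "DEV01", "DB01"),
    (D + timedelta(days=7, hours=10, minutes=8), "jsmith", "DB01", "BACKUP01"),
    (D + timedelta(days=7, hours=2, minutes=0), "svc-backup", "BACKUP01", "FS01"),
    (D + timedelta(days=7, hours=2, minutes=1), "svc-backup", "WS-077", "FS02"),
]

def analyze(history=HISTORY, new=NEW):
    """Run all three checks and return the findings keyed by check name."""
    rel = build_relationships(history)
    return {"new_relationships": find_new_relationships(rel, new),
            "chains": find_chains(new),
            "credential_reuse": find_credential_reuse(new)}
```

On the constructed data, `analyze()` reports three never-before-seen destinations for jsmith, a four-host chain inside ten minutes, and the backup service account authenticating from two different source hosts one minute apart. Note that the service account's destinations are all in its baseline, so the relationship check alone would have missed it; the source-host reuse check is what catches credential reuse, which is why the text lists these as separate detections.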

Dark Web Intelligence Integration

Rather than passively waiting for breaches to be discovered through SIEM alerts or forensics, ITDR platforms continuously monitor criminal infrastructure for organizational credentials.

Capabilities include:

  • Scanning dark web markets, forums and paste sites for credentials mentioning organizational domains, employee emails, or brand identifiers
  • Real-time alerts when credentials surface (sometimes hours before attackers use them)
  • Integration with existing remediation workflows to automatically reset exposed passwords or revoke tokens
  • Credential enrichment (determining if the exposed credential is in plaintext or hashed, what else was exposed with it, where the exposure came from)

This represents a paradigm shift from breach response (reacting after damage occurs) to threat prevention (stopping abuse before it begins).
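A worked version of the matching, enrichment and automated-remediation steps listed in this section and in the Dark Web Intelligence Integration pillar earlier on the page. This is an added example written for this page, not any vendor's pipeline: the exposure-feed records, the field names on them, the directory and the organizational domains are all constructed, and the hash classification is a heuristic on the secret's shape only.

```python
"""Triage of an exposure feed against organizational accounts: an added
illustration, not vendor code. Feed records, field names, directory and
domains are constructed. Each matching record is deduplicated across sources,
enriched (plaintext vs hashed, source, age, account status) and mapped to
remediation actions."""
import re
from datetime import datetime

ORG_DOMAINS = {"example.com", "corp.example.com"}   # constructed
DIRECTORY = {"alice@example.com": "active",         # constructed user directory
             "bob@corp.example.com": "active",
             "carol@example.com": "disabled"}
FEED = [   # constructed exposure records; the field names are assumptions
    {"email": "alice@example.com", "secret": "Summer2025!", "source": "stealer-log", "seen": "2025-11-10"},
    {"email": "bob@corp.example.com", "source": "breach-dump", "seen": "2025-06-01",
     "secret": "$2b$12$abcdefghijklmnopqrstuv0123456789abcdefghijklmnopqrstu"},
    {"email": "carol@example.com", "secret": "0123456789abcdef0123456789abcdef", "source": "paste-site", "seen": "2025-11-09"},
    {"email": "dave@other.example", "secret": "hunter2", "source": "stealer-log", "seen": "2025-11-10"},
    {"email": "ALICE@example.com", "secret": "Summer2025!", "source": "combo-list", "seen": "2025-11-11"},
]

# Shape-based heuristics: enough to separate a usable password from a hash that
# still needs cracking, which changes how urgent the response is.
HASH_PATTERNS = [("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
                 ("md5-hex", re.compile(r"^[0-9a-f]{32}$")),
                 ("sha1-hex", re.compile(r"^[0-9a-f]{40}$")),
                 ("sha256-hex", re.compile(r"^[0-9a-f]{64}$"))]

def classify_secret(secret):
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"

def is_org_email(email):
    return email.lower().rsplit("@", 1)[-1] in ORG_DOMAINS

def triage(feed=FEED, directory=DIRECTORY, now=datetime(2025, 11, 12)):
    """Return one enriched case per (account, secret) pair with its remediation actions."""
    seen, cases = set(), []
    for rec in feed:
        email = rec["email"].lower()
        if not is_org_email(email):
            continue                      # someone else's exposure, not ours to act on
        key = (email, rec["secret"])
        if key in seen:
            continue                      # same credential sold in several places: one case
        seen.add(key)
        kind = classify_secret(rec["secret"])
        age_days = (now - datetime.fromisoformat(rec["seen"])).days
        status = directory.get(email, "unknown")
        if status != "active":
            actions = ["close: account not active"]
        elif kind == "plaintext" and age_days <= 30:
            actions = ["force password reset", "revoke all sessions and tokens",
                       "require MFA re-registration", "correlate with other exposures from same source"]
        elif kind == "plaintext":
            actions = ["force password reset"]
        else:
            actions = ["flag for review: hashed credential, check reuse and cracking risk"]
        cases.append({"email": email, "kind": kind, "source": rec["source"],
                      "age_days": age_days, "status": status, "actions": actions})
    return cases
```

Running `triage()` on the constructed feed yields three cases out of five records: alice's fresh plaintext password from a stealer log gets the full automated response, bob's bcrypt hash from an old dump is queued for review rather than an automatic reset, carol's entry is closed because the account is already disabled, the foreign-domain record is ignored, and alice's duplicate from a combo list is folded into her existing case. The enrichment fields (`kind`, `source`, `age_days`) are what let the response be proportional instead of resetting every account that appears anywhere.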

Insider Threat Detection

ITDR specifically addresses threats from insiders with legitimate access. Detection includes:

  • Bulk data exfiltration (unusual data downloads, email forwarding rules, cloud storage uploads)
  • Unauthorized access to data unrelated to job function
  • Unusual privilege changes by already-privileged accounts
  • Access to systems moments before offboarding
  • Sharing of accounts or credential reuse indicating collusion
  • Shadow IT usage through unauthorized application access

Context matters: a system administrator accessing sensitive data is normal; the same access by a support technician is suspicious.

SaaS-Specific Detection

SaaS applications present unique identity challenges requiring specific ITDR capabilities:

  • OAuth token abuse detection (unusual token permissions, unexpected token usage, token refresh rate anomalies)
  • Service account and API key misuse (automation tools accessing data outside their intended scope)
  • Account takeover through SaaS (attackers using legitimate credentials to access email, collaboration tools, file storage)
  • Shadow IT and unauthorized integrations (unsanctioned SaaS applications connected to identity systems)
  • Sharing and collaboration anomalies (unusual file sharing, external sharing of sensitive documents, modification of sharing settings)

Conclusion

The credential compromise crisis reflects a fundamental shift in the attack landscape. With 1.8 billion credentials compromised in 2025, 86% of breaches involving credential theft, and stolen credentials preceding over 50% of ransomware incidents, identity has become the primary attack vector. Traditional security tools built around network perimeter defense and endpoint monitoring miss this threat entirely.

ITDR fills this critical gap by providing continuous, behavioral monitoring of identity-based activities; real-time detection of anomalous access patterns; integration with dark web intelligence to stop abuse proactively; and orchestrated response capabilities to contain incidents in minutes rather than months. For midmarket enterprises managing complex hybrid and multi-cloud environments with limited security staff, ITDR offers disproportionate security value.

Regulatory momentum amplifies the business case. NIS2's mandatory requirements for advanced authentication, continuous monitoring, and incident response align closely with ITDR capabilities.

For organizations building sustainable security programs, ITDR represents not a luxury add-on but a foundational capability.