Data, Identity & Privacy

Identity Threat Detection. Catch the attacker who has a valid login.

The modern attacker does not break in, they log in. With a stolen credential they look exactly like your user, until you watch for what they do that your user never would. ITDR is the layer that spots the identity being abused.

Why identity is the new perimeter

Firewalls and endpoints assume the threat comes from outside or from malware. But a stolen credential carries none of those signs, it simply signs in. When the attacker is a valid user, only their behavior gives them away.

Identity Threat Detection and Response watches the identity layer itself: the directory, the sign-ins, the privilege changes, the token grants. It learns what normal looks like for each account and flags the deviations that signal an account takeover or an attacker moving through your identity fabric. Detections feed the iTDC, so a compromised identity is investigated and contained like any other threat.

The chain

An account takeover, link by link

A real takeover is a chain of small moves, each one quiet on its own. Here is one morning, reconstructed: what the attacker did, what gave them away, and where the chain was cut.

Case IT-2210 · account takeover, reconstructed (illustrative)
10:07 · The chain is cut

The session is revoked and a step-up challenge fails. A Security Analyst approves the disable through the Human-In-Loop gate, with the whole timeline already assembled in the iTDC.

26 min end to end
What you get

The identity layer, watched and defended

Behavioral detection

A baseline of normal for every identity, with deviations flagged in real time.

Directory monitoring

Changes to accounts, groups, and privileges are watched: these are the moves attackers make to dig in.

Human, Machine & Agent

Coverage across every identity type, including the non-human accounts that often go unwatched.

Human-In-Loop response

A risky identity can be challenged or disabled through a gate a Security Analyst approves.

Fed to the iTDC

Identity detections sit alongside endpoint, cloud, and network signals in one investigation.

Forensic trail

A clear record of identity activity for investigation, audit, and post-incident review.

Part of the loop

Where ITDR sits in VIGILE

Watch and respond

Identify the threat, Implement the response


ITDR is the Identify and Implement motions applied to the identity layer. We detect the account being abused and drive the response, with the iTDC investigating it like any other threat. It complements the governance and privileged controls of Unified Access Management.

FAQ

Top 10 questions, frequently asked

MFA is essential and it is not invincible. Attackers defeat it with MFA fatigue, token theft, session hijacking, and social engineering. ITDR is the layer that catches what happens after a login, legitimate or not, by watching for behavior the real user would never exhibit. It backs up MFA rather than replacing it.

EDR watches endpoints and SIEM aggregates logs. ITDR is purpose-built for the identity layer: the directory, sign-ins, tokens, and privilege changes, with detections tuned to identity attack patterns. Those signals then flow into the broader investigation in the iTDC, so identity is covered as a first-class domain rather than an afterthought.

Yes. Service accounts, Machines, and AI Agents are prime targets precisely because they are rarely watched. ITDR baselines and monitors them alongside human accounts, so an abused Machine identity is as visible as a compromised user.

The detection feeds the iTDC, where AI investigates and a Security Analyst decides. A risky identity can be challenged for re-authentication or disabled through a Human-In-Loop gate. The full identity activity trail comes with it, so containment and investigation happen together.

Sign-in patterns, privilege changes, token use, session anomalies, dormant account activity, and impossible travel, across Human, Machine, and Agent identities.

Identity telemetry streams into the iTDC continuously, so risky behavior surfaces in near real time. Containment speed depends on the Human-In-Loop gate for consequential actions like revocation.

Containment is proportionate: step-up authentication or session termination first, full revocation only on strong evidence and analyst approval. False-positive lockouts are treated as detection bugs and tuned out.
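As an added example (not VIGILE's code), here is how two of the signals listed above, impossible travel and dormant-account reactivation, can be scored over sign-in events and mapped to the proportionate response tiers described: step-up first, revocation only on strong evidence and with analyst approval. The event format, speed and dormancy thresholds, and the sample events are assumptions constructed for this illustration.

```python
"""Added example, not VIGILE's code: impossible travel and dormant-account
reactivation scored over constructed sign-in events, with proportionate
response tiers. Thresholds and the event format are assumptions."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900        # assumption: faster than an airliner is "impossible"
DORMANT_DAYS = 60    # assumption: no sign-in for this long counts as dormant

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_signins(events):
    """events: time-sorted sign-ins for one identity. Returns anomaly names."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        gap = cur["t"] - prev["t"]
        if gap > timedelta(days=DORMANT_DAYS):
            findings.append("dormant_reactivation")
        hours = max(gap.total_seconds() / 3600, 1e-6)
        if km_between(prev["loc"], cur["loc"]) / hours > MAX_KMH:
            findings.append("impossible_travel")
    return findings

def response_tier(findings, privilege_change):
    """Proportionate containment: step-up on a single signal; revocation only
    on strong evidence (two or more signals, or a privilege change) and only
    after an analyst approves it through the Human-In-Loop gate."""
    if not findings:
        return "monitor"
    if len(findings) >= 2 or privilege_change:
        return "revoke_pending_analyst_approval"
    return "step_up_auth"

# Constructed sample: a dormant account wakes up in Chicago, then signs in
# from Singapore 40 minutes later, and a group membership is changed.
T0 = datetime(2024, 3, 4, 9, 41)
EVENTS = [
    {"t": T0 - timedelta(days=75), "loc": (41.88, -87.63)},    # last seen, Chicago
    {"t": T0, "loc": (41.88, -87.63)},                         # reactivation
    {"t": T0 + timedelta(minutes=40), "loc": (1.35, 103.82)},  # Singapore
]

if __name__ == "__main__":
    found = score_signins(EVENTS)
    print(found, response_tier(found, privilege_change=True))
```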

No. It reads the signals your IdP, cloud, and SaaS already produce and adds the detection and response layer on top.

By identity count and telemetry volume, usually as part of a managed detection retainer alongside the broader SOC service.

It is the Implement motion for identity: continuous watch in the iTDC, with Learn tuning identity detections from each case.

Identity Threat Detection datasheet: the signal catalog with severities, behavioral baselining across Human, Machine, and Agent identity, the response gates, and how detections join the iTDC investigation.

Spot the login that should not be

Book a session with a Principal Engineer. We show you how a stolen identity moves and how ITDR catches it.