EDR Is Coming For Identity (Part 3 of 5)

The days of treating identity and endpoint security as separate domains are rapidly ending out of necessity. The adversary doesn’t respect those lines, and increasingly, neither do security vendors.

In the past few years, Endpoint Detection and Response (EDR) vendors have begun aggressively moving into identity territory. They’re not just watching processes, memory, and files anymore—they’re interested in monitoring users, sessions, and access patterns. The rise in interest in this area has spawned a category known as Identity Threat Detection and Response (ITDR), and several EDR vendors are leading the charge.

Following the Threat

Why is this happening? Because modern attacks start with identity.

If the attacker logs in with stolen credentials, the breach begins before any malware is deployed. Once inside, they operate within the bounds of what the identity provider trusts: valid tokens, legitimate user sessions, approved devices.

EDR vendors realized they were starting too late in the attack chain. By the time a threat looked like malicious activity, the attacker had already gained ground.

The Rise of ITDR

Identity Threat Detection and Response (ITDR) emerged to close that gap. ITDR is a category of security focused on:

• Detecting identity-based threats pre- and post-authentication
• Monitoring lateral movement and privilege escalation
• Flagging behavior inconsistent with established user baselines
• Enriching detection with identity context (roles, entitlements, MFA behavior)

While identity providers have traditionally handled access, ITDR is about what happens next — and how to proactively detect when access becomes abuse.

Some Early Moves by EDR Vendors

• CrowdStrike + Preempt Security: Brought real-time conditional access and identity visibility to the Falcon platform. Enables policy enforcement based on user behavior and risk signals.
• SentinelOne + Attivo Networks: Gave SentinelOne deep visibility into Active Directory, credential misuse, and lateral movement tied to identity context.
• Microsoft Defender for Identity (formerly Azure ATP): A cornerstone of Microsoft’s identity-focused threat detection, now integrated into its broader XDR platform.

These moves signal a larger platform strategy to build end-to-end detection that starts with identity and extends through to the endpoint.

What This Means for Identity Providers

If EDR platforms are delivering runtime identity risk analysis, behavioral anomaly detection, and session monitoring—what role is left for traditional Identity and Access Management (IAM) vendors?

If the answer is simply "issue tokens and enforce policies," identity is at risk of becoming a commodity layer in the stack—necessary infrastructure and plumbing, but not strategic.

This shift challenges identity providers to rethink their role. Can they:

• Provide post-authentication visibility?
• Detect anomalies based on access and behavior?
• Intervene in real time when sessions go rogue?

If not, EDR will continue to fill the gap—and likely own it.

What's Next

In the next article, we’ll explore what identity providers and IAM platforms need to do to remain relevant. It’s not enough to authenticate a user. To stay strategic, they need to detect, respond, and adapt.

------------

This the 3rd article in a 5-part series.

Read: Part 1 | Part 2 | Part 3 | Part 4 | Part 5

‍