The days of treating identity and endpoint security as separate domains are rapidly ending out of necessity. The adversary doesn’t respect those lines, and increasingly, neither do security vendors.
In the past few years, Endpoint Detection and Response (EDR) vendors have begun aggressively moving into identity territory. They’re not just watching processes, memory, and files anymore—they’re interested in monitoring users, sessions, and access patterns. The rise in interest in this area has spawned a category known as Identity Threat Detection and Response (ITDR), and several EDR vendors are leading the charge.
Why is this happening? Because modern attacks start with identity.
If the attacker logs in with stolen credentials, the breach begins before any malware is deployed. Once inside, they operate within the bounds of what the identity provider trusts: valid tokens, legitimate user sessions, approved devices.
EDR vendors realized they were starting too late in the attack chain. By the time a threat looked like malicious activity, the attacker had already gained ground.
Identity Threat Detection and Response (ITDR) emerged to close that gap. ITDR is a category of security focused on:
While identity providers have traditionally handled access, ITDR is about what happens next — and how to proactively detect when access becomes abuse.
These moves signal a larger platform strategy to build end-to-end detection that starts with identity and extends through to the endpoint.
If EDR platforms are delivering runtime identity risk analysis, behavioral anomaly detection, and session monitoring—what role is left for traditional Identity and Access Management (IAM) vendors?
If the answer is simply "issue tokens and enforce policies," identity is at risk of becoming a commodity layer in the stack—necessary infrastructure and plumbing, but not strategic.
This shift challenges identity providers to rethink their role. Can they:
If not, EDR will continue to fill the gap—and likely own it.
In the next article, we’ll explore what identity providers and IAM platforms need to do to remain relevant. It’s not enough to authenticate a user. To stay strategic, they need to detect, respond, and adapt.
------------
This the 3rd article in a 5-part series.
Read: Part 1 | Part 2 | Part 3 | Part 4 | Part 5