Identity Threat Detection and Response (ITDR) has emerged as a hot topic — but not necessarily from the usual suspects. While the identity management industry has historically focused on access controls, MFA, and user provisioning, it’s the cybersecurity players — not the IAM platforms — who are leading the charge in turning ITDR into something actionable.
Why? Because threat actors constantly seek the easiest attack vector, and they are no longer being stopped at the login screen.
Attackers are increasingly exploiting valid credentials, bypassing MFA, and blending in with legitimate users. Once inside, they move laterally — living off the land, escalating privileges, and exfiltrating data — all while appearing “trusted” by the IAM system. This means the signals we traditionally relied on (successful logins, device checks, access policies) aren’t enough. We need post-authentication observability, behavioral analytics, and correlation across multiple systems to spot abuse in real time.
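To make the gap concrete, here is an added example (not code from the original post) of the kind of cross-system correlation a SOC would run: a login the IdP considers fully trusted (MFA satisfied, known device) is joined with what the account does in the minutes after authenticating. The event records, baseline volumes, system names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, normalized from three sources:
# an IdP auth log ("idp"), a role-management log ("iam") and a file-service log ("files").
EVENTS = [
    ("2024-05-01T09:00:00", "idp",   "alice", "login_success", "mfa=ok device=known"),
    ("2024-05-01T09:05:00", "files", "alice", "download",      "bytes=2000000"),
    ("2024-05-01T10:00:00", "idp",   "bob",   "login_success", "mfa=ok device=known"),
    ("2024-05-01T10:02:00", "iam",   "bob",   "role_grant",    "role=admin"),
    ("2024-05-01T10:04:00", "files", "bob",   "download",      "bytes=900000000"),
    ("2024-05-01T10:06:00", "files", "bob",   "download",      "bytes=700000000"),
]

# Constructed per-user baseline: typical bytes downloaded in one session.
BASELINE_BYTES = {"alice": 5_000_000, "bob": 5_000_000}

def parse_detail(detail):
    """Turn 'k=v k=v' into a dict."""
    return dict(part.split("=", 1) for part in detail.split())

def correlate(events, baseline, window=timedelta(minutes=30), factor=10):
    """Return alerts for successful logins whose post-auth activity shows at least
    two independent indicators: privilege escalation and download volume far above
    the user's baseline. The IdP alone would have seen only a clean, MFA-backed login."""
    by_user = defaultdict(list)
    for ts, system, user, action, detail in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), system, action, parse_detail(detail)))
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, system, action, login) in enumerate(evs):
            if system != "idp" or action != "login_success":
                continue
            # Post-authentication activity attributed to this login, bounded by the window
            # and cut off at the next successful login for the same user.
            session = []
            for t, s, a, d in evs[i + 1:]:
                if t - t0 > window or (s == "idp" and a == "login_success"):
                    break
                session.append((s, a, d))
            indicators = []
            if any(s == "iam" and a == "role_grant" and d.get("role") == "admin" for s, a, d in session):
                indicators.append("privilege_escalation")
            volume = sum(int(d["bytes"]) for s, a, d in session if a == "download")
            if volume > factor * baseline.get(user, 0):
                indicators.append(f"download_volume={volume}")
            if len(indicators) >= 2:
                alerts.append({"user": user, "login": t0.isoformat(),
                               "mfa": login.get("mfa"), "indicators": indicators})
    return alerts
```

Run against the constructed data, alice's ordinary session produces nothing, while bob's login (which the IdP marked mfa=ok on a known device) is flagged only because the role grant and the download volume are correlated after authentication.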
That’s where cybersecurity vendor heritage comes in. Security vendors are already fluent in detection and response. SIEM, EDR, and XDR platforms live and breathe incident response, and they’re increasingly being asked to pull identity signals into their orbit. The result? ITDR capabilities are now being built into security operations centers, rather than just IAM admin consoles.
We’re now seeing ITDR become less about who let the user in and more about what that user is doing. The focus is less about access control and more about real-time threat visibility across accounts, sessions, and services.
The implication: identity providers may see increasing pressure to rethink their role. ITDR isn’t just a checkbox feature to add to your SSO platform — it’s increasingly a cybersecurity discipline. And cybersecurity teams are already running with it.
As the perimeter continues to dissolve, ITDR might become less of an identity problem and more of a security strategy.