Tech topics

What is identity threat detection and response?

Learn about the current state of ITDR Discover our products

Illustration of IT items with focus on a question mark

Overview

Identity threat detection and response (ITDR) is a cybersecurity approach designed to identify, mitigate, and respond to threats that continue to get more sophisticated with time. Its rise in importance is driven by the growing risk and cost of identity-based attacks. These attacks are made possible by successfully targeting user credentials and privileged accounts. ITDR helps organizations enhance their security posture by mitigating insider threats, compromised accounts, and privilege misuse.

Identity threat detection and response

What cybersecurity trends led to the development and adoption of identity threat

As platforms, systems, and applications continue to close their vulnerabilities, nascent outsiders often find it easier to exploit other weaknesses like credentials, misconfigurations, or exposed APIs. Various phishing techniques, key loggers, and other automated tools are all used and have proven easier to execute than directly going up against applications and system-level security. Whereas vulnerability research requires quite a bit of time, skill, and extensive testing to identify exploitable weaknesses, increasingly, attackers have opted instead to focus more on credential stuffing for quick access to these services. Along with their credential-based approach, attackers have honed their skills to identify privileged accounts and ways to promote other compromised accounts. These attacks can be persistent threats lasting months or even years. Of course, the most damaging and sought-after identities are information owners and other similar accounts with special access privileges. As such, the increasing risk for organizations was not just credential-based accounts, but attacks on the most privileged users. They were, and still are, the most complex threats to protect against because the outsider has the information traditionally relied upon for a person or process to identify themselves.

The road to ITDR

Year	Event
2000s	Rise of credential-based attacks (phishing, brute-force).
2010s	Major identity breaches via stolen credentials continue their growth trend both in frequency as well as loss of value of the victim organization. Growth of IAM, MFA, and PAM solutions.
2021	MITRE ATT&CK framework expands to identity-based threats.
2022	Gartner coins ITDR, emphasizing the need for identity-centric threat detection.
2023+	ITDR gains traction to becoming a core cybersecurity strategy for enterprises.

How were ITDR practices formalized?

In 2022, Gartner introduced ITDR as a cybersecurity practice. In that introduction, Gartner described ITDR as a way for organizations to be a more effective approach to responding to the increasing threats targeting identity systems, credentials, and privileged access. Emphasizing the need for organizations to elevate their ability to detect, investigate, and mitigate identity-based attacks more effectively. Unlike traditional approach to security tools, ITDR integrates identity and access management (IAM), user and entity behavior analytics (UEBA), and extended detection and response (XDR) to proactively defend against credential misuse, privilege escalation, and lateral movement. Since current security methodologies haven’t been able to stem the tide of cyber threats, ITDR helps organizations enhance visibility, detect anomalies, and enforce stronger authentication and access controls, all of which reduce the risk of identity-driven breaches.

What Makes ITDR different?

Gartner’s 2022 recognition of ITDR signified a meaningful milestone of coalescing IT technologies into a synergistic new security level, bringing together what is too often independent practices to power an expanded scenario. Together, IAM and security information and event management (SIEM) can identify and more accurately assign risk to related events, as well as execute an application, service, or other digital resource-level response to secure protected information. As such, ITDR has since gained momentum as a critical cybersecurity category for preventing identity-based attacks. Some key ITDR drivers include:

Rise of identity-based attacks: Credential theft, lateral movement, and privilege escalation became primary attack methods. Current security protection is ineffective. ITDR incorporates XDR type information that identifies activity indicating elevated risk for users and resources.
IAM and PAM gaps: The overall intent of identity and access management is to ensure that people and services have the right access to protected resources at the right time. Today’s IAM tools-controlled access but lacked real-time threat detection, and privileged access management (PAM) focused on privileged accounts but not general identity threats.
Zero trust adoption: Organizations moved toward identity-first security, requiring continuous monitoring and response for identity threats.

What are key ITDR components?

While TDR can excel at real-time monitoring and automated responses, it’s inability to attach attacks to specific identities over time does limit its effectiveness. More components are needed to expand TDR’s ability to identify suspicious behaviors.

Extended detection and response
Extended detection and response (XDR) is an advanced cybersecurity solution that integrates multiple security tools and data sources to provide a unified approach to threat detection, investigation, and response across an organization's entire attack surface.

Unlike traditional SIEM or EDR solutions, XDR collects and correlates threat data across multiple security layers, including cross-layered detection and correlation. Unlike traditional SIEM or EDR solutions, XDR collects and correlates threat data across multiple security layers, including endpoints (EDR), networks (NDR), emails, cloud workloads, and identity and access management (IAM). This improves visibility into complex attacks that span multiple entry points.

Automated threat investigation and response—XDR automatically prioritizes alerts and connects related security incidents to reduce alert fatigue. It uses AI and machine learning to identify attack patterns and mitigate threats faster.

Proactive threat hunting—security analysts can search for hidden threats using historical data and behavioral analytics. MITRE ATT&CK framework is often integrated into XDR to map adversary tactics and techniques.

Integration with security stack—XDR works with SIEM, SOAR, ITDR, and EDR solutions to streamline security operations (SOC). It also provides real-time alerts and automated remediation actions across different security tools.

XDR as it relates to other security solutions
The table below lists technologies used today by IT security teams to enhance their threat detection and automated responses. By themselves, they're not as complete or integrated as XDR is.

Security solution	Focus area	Key difference
EDR (endpoint detection and response)	Endpoints (e.g., laptops, servers)	Detects threats on individual devices but lacks network/cloud visibility
NDR (network detection and response)	Network traffic	Detects threats within network environments but does not cover endpoints or cloud
SIEM (security information and event management)	Log management & analysis	Collects security logs but lacks built-in threat response capabilities
SOAR (security orchestration, automation, and response)	Incident response automation	Automates security workflows but does not have native detection capabilities
XDR (extended detection and response)	Cross-domain security visibility	Unifies endpoint, network, cloud, and identity-based detections for better correlation and faster response

What response mechanisms does ITDR have?

When suspicious behavior emerges—such as an unusual login, rapid privilege changes, or access from untrusted locations—XDR triggers automated actions such as compromised accounts being locked, MFA being enforced, or unauthorized sessions being terminated instantly. ITDR, which correlates identity information to XDR drivers, leverages XDR-derived information and automates the response needed to prevent attackers from exploiting stolen credentials by restricting access and enforcing dynamic authentication controls. Privileged activity is continuously monitored, and unauthorized escalations are blocked before they lead to a breach. XDR’s orchestration capabilities ensure ITDR seamlessly integrates with SIEM, SOAR, and IAM systems, streamlining automated remediation workflows. This ITDR-powered automated response fortifies security teams with an automated proactive defense, stopping identity-driven attacks before they escalate into full-scale breaches.

Identity security posture management
A core component of ITDR’s response engine is the ability to continuously manage (assess and respond) an organization’s security landscape identity security posture management (ISPM) at the identity level. As enterprises expand their digital ecosystems, the sheer volume of human and machine identities creates an ever-expanding attack surface. ISPM provides real-time visibility into identity risks, misconfigurations, and policy violations, enabling proactive defense against identity-based threats. By leveraging automation, risk analytics, and policy enforcement, ISPM ensures that identities adhere to security best practices, reducing exposure to credential-based attacks, privilege escalation, and unauthorized access.

At the core of ISPM is the ability to dynamically analyze identity posture across various environments, including on-premises, cloud, and hybrid infrastructures. This involves monitoring access entitlements, enforcing least privilege principles, and detecting anomalous behaviors indicative of compromise. Integrated with identity threat detection and response, ISPM enhances an organization’s ability to preemptively address identity vulnerabilities before they are exploited. Cyber threats are often based on compromised credentials, so identity-based ISPM serves as a critical layer of defense, aligning security posture with evolving risk landscapes. This is done by defining the level of risk the organization is willing to tolerate and then continuously evaluating the environment to respond when that level is reached. ISPM is a key component of ITDR because it enables organizations to maintain resilience against sophisticated cyber adversaries.

Empowering threat response with identity
Identity and access management solutions allow organizations to tie breach or threat indicator events to identities, as well as target response at the most effective level – that session(s) or application(s). IAM is the ‘I’ of ITDR. To effectively automate responses, these two technologies must work together seamlessly. When they do, the integration enhances visibility and threat detection and quickly responds to identity-based attacks.

OpenText™ IAM solutions generate authentication logs, access requests, and privilege changes. OpenText’s advanced threat detection & insider threat management solution correlates them with data from endpoints, networks, and cloud environments. Additionally, OpenText TDR offers additional user and entity behavior analytics (UEBA) beyond what is typically available in identity-based risk services. They detect risk through breach indicators derived from access and application usage when brought together. Traditional identity and access-based risk metrics are limited to prescribed criteria, such as whether or not the browser instance or the physical device is known and whether login attempts are unsuccessful. These same adaptive controls put conditions or limits on time ranges and geolocations, as well as identify impossible travel scenarios. While traditional adaptive access controls can also leverage the history of these prescribed conditions, XDR metrics can be far more sophisticated.

XDR technologies monitor a much broader spectrum of information than what is available in IAM infrastructure. From that data, XDR automation can correlate observed data into behavior patterns that are more discerning than rules-based controls. They discern which sessions are indicating risk factors from anomalies or attack patterns. When XDR monitoring capabilities are merged with identity information that forms an ITDR level of security, activities can be correlated and calculated into patterns—patterns that span long periods. With identity, the activity data collected from networks, devices, and session information is correlated to higher levels of interaction that identities (people or processes) have with digital services extending over a longer period. This persistent identity-based activity data empowers risk engines to calculate the risk of breach-related activities that are used to penetrate typical security practices. These patterns grow stronger over time in ways that make ITDR more effective in identifying user anomalies or potential breaches as the model of each active user grows. Beyond strengthening threat models, ITDR can respond through its security orchestration, automation, and response (SOAR) platforms—far more than what is available in an IAM environment. Additionally, IT can use this expanded security platform to initiate predefined workflows, such as blocking malicious IPs, alerting security analysts, or isolating affected devices.

What role should ITDR play in your organization?

Since each environment is unique, the road to an ITDR level of security is unique. This means that the need for ITDR may or may not exist for a specific environment, and the level of ITDR sophistication will vary. The makeup of your current environment will influence what you implement.

Some of the dynamics that may help determine how much to invest in an ITDR form of security include the following:

Risk—the full spectrum of risk should be a dominating factor. What are the complete costs of a breach? What are the business consequences of failing a compliance audit or falling short of a cyber insurance requirement?
Cost and expertise—in the existing ITDR components in today's environment, some of the most underestimated barriers to ITDR are cost and domain expertise. Organizations with robust IAM, PAM, and SIEM solutions will find it easier to upgrade to an ITDR security layer. However, IAM may be a more immediate need if identity security is incomplete or weak.
Putting the pieces together—an organization's ability to integrate ITDR with its existing security stack is another determining factor. Seamless integration with IAM, SIEM, SOAR, and EDR/XDR solutions ensures that ITDR can provide real-time monitoring and incident response without creating operational silos.
Scalability—with organizations increasingly adopting hybrid and multi-cloud environments, ITDR must cover cloud identities, privileged access, and federated authentication. It becomes particularly valuable for enterprises managing large remote workforces and extensive third-party access, ensuring secure identity verification across dispersed environments.
Zero trust priority and budget—place ITDR at the forefront of modern cybersecurity strategies. ITDR enables continuous identity verification, behavioral analytics, and risk-based responses—core principles of a zero-trust model. As organizations move away from traditional perimeter-based security, ITDR plays a crucial role in safeguarding identities as the new perimeter.

Is ITDR the new access security layer?

ITDR has evolved from traditional identity security into a dedicated security discipline, addressing modern identity-driven cyber threats. As cybercriminals continue increasingly targeting credentials, privileged accounts, and identity systems, ITDR may become a standard security layer of an organization’s security strategy.

Aviator AIAviator AI

Analytics CloudAnalytics Cloud

Data Lakehouse & AnalyticsData Lakehouse & Analytics

BI, Visualization & ReportingBI, Visualization & Reporting

eDiscovery with AIeDiscovery with AI

OpenText™ Aviator Search

Business Network CloudBusiness Network Cloud

Supply Chain AutomationSupply Chain Automation

B2B IntegrationB2B Integration

Secure CollaborationSecure Collaboration

Supply Chain TraceabilitySupply Chain Traceability

Supply Chain InsightsSupply Chain Insights

Industry Applications and ServicesIndustry Applications and Services

OpenText™ Business Network Aviator

Content CloudContent Cloud

Document ManagementDocument Management

AI Content ManagementAI Content Management

Capture and Intelligent Document ProcessingCapture and Intelligent Document Processing

Process AutomationProcess Automation

Business IntegrationsBusiness Integrations

Information ArchivingInformation Archiving

Industry SolutionsIndustry Solutions

Information GovernanceInformation Governance

OpenText™ Content Aviator

Cybersecurity CloudCybersecurity Cloud

Application Security TestingApplication Security Testing

Data SecurityData Security

Security OperationsSecurity Operations

Identity and Access ManagementIdentity and Access Management

Digital Forensics and Incident ResponseDigital Forensics and Incident Response

OpenText™ Cybersecurity Aviator

DevOps CloudDevOps Cloud

DevOps PlatformDevOps Platform

Functional TestingFunctional Testing

PPM and Strategic Portfolio ManagementPPM and Strategic Portfolio Management

Quality ManagementQuality Management

Performance EngineeringPerformance Engineering

OpenText™ DevOps Aviator

Experience CloudExperience Cloud

Web & Mobile ExperiencesWeb & Mobile Experiences

Contact Center AnalyticsContact Center Analytics

Messaging & FaxMessaging & Fax

Customer CommunicationsCustomer Communications

Digital Asset ManagementDigital Asset Management

Customer Journey and DataCustomer Journey and Data

OpenText™ Experience Aviator

Observability and Service Management CloudObservability and Service Management Cloud

Service ManagementService Management

ObservabilityObservability

AIOpsAIOps

Automation and Vulnerability RemediationAutomation and Vulnerability Remediation

CMDB and Asset ManagementCMDB and Asset Management

OpenText™ Service Management Aviator

OpenText™ ThrustOpenText™ Thrust

OpenText™ Thrust bundleOpenText™ Thrust bundle

OpenText™ Aviator Thrust

Device and Data ProtectionDevice and Data Protection

Enterprise Data Backup and Disaster Recovery SolutionsEnterprise Data Backup and Disaster Recovery Solutions

Unified Endpoint Management ToolsUnified Endpoint Management Tools

Hybrid Work, Email, and Team Collaboration Hybrid Work, Email, and Team Collaboration

Email Archiving, E-Discovery, Data Archiving ComplianceEmail Archiving, E-Discovery, Data Archiving Compliance

Connectivity and Document ManagementConnectivity and Document Management

Information reimaginedInformation reimagined

Artificial IntelligenceArtificial Intelligence

IndustryIndustry

Enterprise ApplicationsEnterprise Applications

Your journey to successYour journey to success

Customer SupportCustomer Support

Customer Success ServicesCustomer Success Services

Consulting ServicesConsulting Services

Cloud MigrationCloud Migration

NextGen ServicesNextGen Services

Latest product releasesLatest product releases

Learning ServicesLearning Services

Managed ServicesManaged Services

Find an OpenText PartnerFind an OpenText Partner

Find a Partner SolutionFind a Partner Solution

Grow as a PartnerGrow as a Partner

Become a Partner

Resource libraryResource library

Aviator AI

Analytics Cloud

Data Lakehouse & Analytics

BI, Visualization & Reporting

eDiscovery with AI

Business Network Cloud

Supply Chain Automation

B2B Integration

Secure Collaboration

Supply Chain Traceability

Supply Chain Insights

Industry Applications and Services

Content Cloud

Document Management

AI Content Management

Capture and Intelligent Document Processing

Process Automation

Business Integrations

Information Archiving

Industry Solutions

Information Governance

Cybersecurity Cloud

Application Security Testing

Data Security

Security Operations

Identity and Access Management

Digital Forensics and Incident Response

DevOps Cloud

DevOps Platform

Functional Testing

PPM and Strategic Portfolio Management

Quality Management

Performance Engineering

Experience Cloud

Web & Mobile Experiences

Contact Center Analytics

Messaging & Fax

Customer Communications

Digital Asset Management

Customer Journey and Data

Observability and Service Management Cloud

Service Management

Observability

AIOps

Automation and Vulnerability Remediation

CMDB and Asset Management

OpenText™ Thrust

OpenText™ Thrust bundle

Device and Data Protection

Enterprise Data Backup and Disaster Recovery Solutions

Unified Endpoint Management Tools

Hybrid Work, Email, and Team Collaboration

Email Archiving, E-Discovery, Data Archiving Compliance

Connectivity and Document Management

Information reimagined

Artificial Intelligence

Industry

Enterprise Applications

Your journey to success

Customer Support

Customer Success Services

Consulting Services

Cloud Migration

NextGen Services

Latest product releases

Learning Services

Managed Services

Find an OpenText Partner

Find a Partner Solution

Grow as a Partner

Resource library

Blogs

Events

Communities

Customer stories

OpenText Navigator

Marketplace