An employee at a fintech company in Jakarta resigned last month. His Microsoft 365 account turned out to still be active three weeks after his last working day, and no one on the IT team noticed until a suspicious login attempt showed up from overseas.
Cases like this are far from rare. According to the Unit 42 Global Incident Response Report 2026 from Palo Alto Networks, identity weaknesses were involved in nearly 90% of security incident investigations over the past year, and 65% of initial attacker access came from stolen credentials, phishing, or brute force. Meanwhile, the SpyCloud 2026 Identity Exposure Report recorded 65.7 billion identity records recaptured from criminal underground networks throughout 2025, a 23% increase from the year before.
These numbers explain why Identity Threat Detection and Response, commonly abbreviated as ITDR, has recently become one of the top priorities for cybersecurity teams. So what exactly is ITDR, and why should your company understand it before a similar incident happens to your own organization?
What Is Identity Threat Detection and Response (ITDR)?
Identity Threat Detection and Response is a cybersecurity approach focused on monitoring, detecting, and responding to suspicious identity activity in real time. ITDR does not stop at deciding who is allowed to access what, it goes further by watching how that access is actually used once credentials have been granted to the user.
Picture it this way. An Identity and Access Management (IAM) system determines that a finance staff member is authorized to log into the payroll application, while ITDR is what notices that the login happened at three in the morning from a country the staff member has never accessed from before, then triggers an alert or automatically locks the session. The difference is clear, IAM sets permissions upfront, ITDR watches the behavior afterward.
The following three elements set ITDR apart from conventional access control alone. First, continuous monitoring of identity behavior for both human and machine accounts. Second, machine learning-based analytics to recognize anomalous patterns compared with a user’s normal habits. Third, the ability to respond to threats automatically without waiting for a SOC analyst to open a manual ticket.
These three elements work together to shorten the gap between when a credential is stolen and when the incident is detected, a gap known in cybersecurity as dwell time. The SANS 2026 State of Identity Threats and Defenses Surveyfound a fairly concerning gap on this front. 68% of organizations can detect an identity attack within 24 hours, but only 55% actually manage to contain it within that same window. It is this gap between “knowing there’s an attack” and “actually stopping it” that ITDR tries to close.
Why Identity Has Become the Top Target of Cyberattacks
Cyberattacks used to mostly target network gaps or unpatched software. The story is different now. Attackers have realized that the cheapest and most effective way in is through the front door, using genuine stolen credentials, rather than breaking through a complex, time-consuming technical flaw. Below are several factors that make identity such a favorite target these days, and ITDR essentially exists to handle the gap each of these factors creates before it turns into an incident.
The Shift to the Cloud and Remote Work
As business applications move to the cloud and employees work from anywhere, the traditional network boundary once guarded by firewalls has practically disappeared. For example, an employee logging into Google Workspace, Salesforce, and HR systems from a home network, a café, or even airport wifi, leaves the credential as the only gatekeeper left standing.
The Explosion of Non-Human Identities
Besides human accounts, companies now manage thousands of API keys, service accounts, and authentication tokens for interconnected applications. SpyCloud reported 18.1 million API keys and 6.2 million AI tool credentials recaptured from criminal circulation throughout 2025, and machine identities like these are often missed by routine credential rotation or MFA enforcement.
Session Hijacking Techniques
Attackers do not always need a password. By stealing session cookies or authentication tokens through infostealer malware, they can log straight into an already-authenticated account without going through MFA at all, since that session is already treated as verified by the system.
Visibility Gaps Across Identity Systems
Many organizations manage identity through several systems at once, for instance Active Directory for internal use and Okta or Microsoft Entra ID for cloud applications. Security analysts end up switching back and forth between separate consoles, so attack patterns that cross multiple systems at once often go unnoticed until the damage is already done.
Increasingly Personalized Social Engineering
Phishing attacks are now harder to spot because attackers can convincingly mimic a company’s internal communication style. An email that appears to come from a direct supervisor, complete with the right tone and context about an ongoing project, makes it easier for a victim to hand over credentials without suspicion.
How Does ITDR Work?
Now that we understand why identity is such an easy target, the next question is how ITDR actually works behind the scenes. In general, the process runs through four interconnected stages.
Identity Data Collection
The first stage is collecting identity activity data from various sources, from Active Directory, Entra ID, and Okta, to the SaaS application logs a company uses. The more complete the data sources, the more accurate the picture the security team gets of who is accessing what and when.
Building a Normal Behavior Baseline
The ITDR system then learns each identity’s habitual patterns, such as typical working hours, usual login locations, and applications regularly accessed. For instance, if a marketing staff member usually logs in from Jakarta between eight in the morning and six in the evening, this baseline becomes the reference point for comparing future activity.
Anomaly Detection and Threat Prioritization
Once activity deviates from the baseline, for example logging in from two different cities within one hour, known as impossible travel, the system flags it as an anomaly and assigns a risk score. This score helps SOC analysts sort out which alerts are genuinely dangerous and which are just coincidental, so their time isn’t spent chasing false alarms one by one.
Automated Response and Further Investigation
For threats with a high risk score, ITDR can take action immediately without waiting for a human, such as terminating a login session, forcing re-verification through MFA, or temporarily freezing a suspicious account. The security team then carries out further investigation to confirm the root cause and prevent similar incidents from happening again.
Core Components of an ITDR Solution
The capabilities above don’t work in isolation. Several technical components typically make up a mature ITDR solution, and each one plays a specific role.
- Identity analytics and UEBA (User and Entity Behavior Analytics). This component builds a normal behavior profile for every account, then continuously compares it against current activity, for example flagging an IT admin who suddenly accesses customer data outside their usual job scope.
- Credential threat intelligence. This feature monitors whether employee credentials have already leaked on dark web forums or stolen databases, so the security team can force a password reset before those credentials get used by an attacker.
- Integration with SIEM and XDR. Identity data is combined with signals from endpoints, networks, and cloud environments so the security team sees the full picture of an attack, rather than separate fragments scattered across different consoles.
- Deception and honeytokens. Some ITDR solutions plant decoy accounts or fake credentials deliberately made to look appealing to attackers, so the moment anyone tries to use them, the security team immediately knows there’s an intruder inside the system.
- Non-human credential management. This component specifically monitors API keys, service accounts, and machine tokens so they don’t slip past regular rotation or strict access controls.
ITDR vs IAM and PAM: What’s the Difference?
These three terms often get mixed up, even though their functions complement rather than replace one another. IAM governs who is authorized to access what, PAM (Privileged Access Management) oversees accounts with elevated access rights, while ITDR monitors identity behavior after that access has already been granted.
| Aspect | IAM | PAM | ITDR |
|---|---|---|---|
| Main focus | Governing user access rights | Securing high-privilege accounts | Detecting suspicious identity activity |
| Nature | Preventive | Preventive and controlling | Detective and responsive |
| When it operates | When an account is created or modified | During a privileged access session | Continuously, in real time |
| Example action | Granting access to the payroll application | Requiring extra approval before accessing a production server | Locking a session when a login occurs from a suspicious location |
A simple example, IAM correctly granted a finance staff member access to the payroll system, and PAM correctly required extra approval when an IT staff member wanted to access a production server. But if that finance staff member’s credential gets stolen through phishing, it’s ITDR that notices the odd login pattern and stops it before payroll data gets exposed.
Benefits of Implementing ITDR for Organizations
Investing in ITDR isn’t simply about adding one more tool to an already crowded security stack. Below are the concrete benefits organizations typically experience after implementing it.
- Shortening attack dwell time. The faster suspicious activity is detected, the smaller the window an attacker has to steal data or move laterally to other systems.
- Protecting the growing number of non-human identities. As API and AI-based tool integrations keep multiplying, ITDR helps ensure machine credentials don’t become an overlooked weak point.
- Supporting compliance with data protection regulations. The ability to detect and thoroughly document identity incidents simplifies the audit and regulatory reporting process, including needs such as GRC governance and personal data protection.
- Reducing alert fatigue for SOC analysts. Automated risk prioritization lets the security team focus on genuinely dangerous threats, instead of drowning in thousands of notifications that are mostly coincidental.
- Providing stronger forensic evidence. When an incident does occur, detailed identity activity logs speed up the investigation process and help organizations close the same gap so it doesn’t happen again.
Research from Sophos State of Identity Security 2026, covering 5,000 organizations across 17 countries, found that small companies with 100 to 250 employees were nearly twice as likely to fail to detect an identity attack compared with companies of more than 1,000 employees. A resource gap like this is what makes ITDR a need that isn’t actually limited to large enterprises alone.
Conclusion
Stolen credentials, hijacked login sessions, and forgotten machine accounts all point to one thing, identity has now become attackers’ favorite entry point. As long as identity isn’t actively monitored and responded to, other security tools like firewalls or antivirus software won’t be enough to close that gap, especially considering that the global ITDR market is projected to grow from USD 19.66 billion in 2026 to USD 102.49 billion by 2034 as more companies recognize this urgency.
Implementing ITDR doesn’t mean tearing down every security system already in place. Quite the opposite, ITDR complements the IAM and PAM that may already be running, while closing the gap between “detected” and “actually contained” that has long been a weak spot for many organizations.
But detecting identity threats is only half the journey, because every incident involving personal data must still be documented and reported in accordance with Indonesia’s Personal Data Protection Law. This is where Adaptist PRIVE from Accelist Adaptist Consulting comes in, helping your company manage risk, compliance, and incident reporting in one integrated GRC platform, so that when ITDR successfully detects an identity threat, your team is already prepared on the governance and regulatory compliance side as well.
Optimize Your Customer Service
Schedule a demo of Adaptist Prose and see how an integrated ticketing system helps bring tickets, conversations, and customer data together in a single dashboard. With a more structured workflow, teams can respond faster, reduce operational burden, and maintain consistent service quality as the business grows.
FAQ
ITDR is a cybersecurity solution that continuously monitors, detects, and responds to suspicious identity-related activities in real time to prevent account compromise.
IAM manages user access permissions, while ITDR monitors how identities are used after access is granted and detects abnormal behavior.
ITDR is ideal for organizations using cloud or hybrid environments and managing large numbers of user accounts and non-human identities such as API keys and service accounts.




