CrowdStrike Named a Leader in Identity Threat Detection and Response
CrowdStrike has been recognized as a leader in the Identity Threat Detection and Response (ITDR) market by both Frost & Sullivan and GigaOm in their latest independent evaluations. The reports highlight CrowdStrike's integrated approach to identity security within the Falcon platform, combining endpoint telemetry with identity-specific threat detection to identify attacks that leverage compromised credentials and identity infrastructure. ITDR has emerged as a critical security category as attackers increasingly bypass traditional perimeter defenses by targeting identity systems directly. The analyst recognition validates CrowdStrike's strategy of converging identity protection with broader endpoint and cloud security telemetry to detect attack patterns that siloed identity tools miss.
What is Identity Threat Detection and Response?
Identity Threat Detection and Response (ITDR) is the security discipline focused on detecting, investigating, and responding to attacks that target identity infrastructure itself — Active Directory, Entra ID, Okta, the underlying authentication protocols, and the credentials and sessions they manage. It’s a category that emerged from a blunt operational reality: attackers stopped trying to punch through firewalls and started logging in.
The analyst recognition from Frost & Sullivan and GigaOm validates what SOC teams have observed for years — identity is now the primary attack surface, and protecting it requires dedicated detection capabilities that go far beyond what IAM and traditional EDR provide.
Why ITDR emerged as a distinct category
For decades, identity security meant Identity and Access Management (IAM): provisioning accounts, enforcing MFA, managing roles. IAM is about prevention — making sure the right people have the right access. ITDR is about detection and response when those controls fail, which they inevitably do.
Consider the attack chain: an adversary phishes credentials, bypasses MFA via token theft or MFA fatigue, authenticates as a legitimate user, and moves laterally using built-in tooling. From the IAM perspective, everything looks authorized. From the EDR perspective, no malware signature fires. The attacker is living off the land using valid accounts — and ITDR is the capability set that catches this.
Key differences from adjacent categories:
| Capability | IAM | EDR | ITDR |
|---|---|---|---|
| Focus | Access governance | Endpoint behavior | Identity infrastructure |
| Detects | Policy violations | Malware, process anomalies | Credential abuse, session hijacking |
| Responds | Access revocation | Process termination, isolation | Session termination, credential rotation |
| Blind spot | Legitimate credential use | Living-off-the-land attacks | East-west movement via protocols |
Core ITDR detection techniques
Effective ITDR requires telemetry from the identity plane itself — authentication logs, directory replication traffic, token issuance events, and privileged access management audit trails. Key detection patterns include:
Credential abuse detection
Anomalous authentication patterns are the bread and butter of ITDR. Impossible travel (logins from geographically distant locations within an impossible timeframe), unusual TGT/TGS request patterns (Kerberoasting indicators), and authentication from devices never previously associated with the account are all high-signal detections. These map to MITRE ATT&CK techniques T1078 (Valid Accounts), T1003 (OS Credential Dumping), and T1558 (Steal or Forge Kerberos Tickets).
Session hijacking and token theft
Attackers increasingly target session tokens and OAuth artifacts rather than passwords. Detecting token replay across disparate IP addresses, anomalous API consent grants, and unauthorized token issuance requires continuous monitoring of the identity provider’s audit trail. Relevant techniques: T1539 (Steal Web Session Cookie), T1527 (Access Token Manipulation).
Privilege escalation through identity paths
The most dangerous attacks aren’t the initial compromise — they’re what happens after. Attack graphs that map “who can become who” across group nesting, admin delegation, and cloud role assignments are essential ITDR primitives. Techniques to watch: T1484 (Domain Policy Modification), T1098 (Account Manipulation), T1078.002 (Domain Accounts).
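The "who can become who" graph described above, as an added worked example that is not part of the original article or of any vendor's product: the principals, groups and edge types are a constructed, hypothetical snapshot, and the code shows both the shortest identity path from one user to the Domain Admins tier and the full set of principals exposed to it, which is the set an ITDR tool should re-evaluate whenever group nesting, delegation or role assignments change.

```python
from collections import deque
# Constructed directory/tenant snapshot (hypothetical, not real data). Each edge
# (source, relation, target) reads "source can become or control target"; group
# nesting, delegated rights and cloud role assignments share one edge model.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "MemberOf", "Tier2-Ops"),
    ("Tier2-Ops", "GenericAll", "svc-backup"),        # delegated full control of a service account
    ("svc-backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "AdminTo", "DC01"),
    ("DC01", "HasSession", "Domain Admins"),          # a Domain Admin session is live on that host
    ("bob", "MemberOf", "Finance"),
    ("Finance", "RoleAssignment", "Reader"),          # cloud role with no route onward
]

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph
GRAPH = build_graph(EDGES)

def shortest_path(graph, start, target):
    """BFS; returns [(node, relation_used_to_reach_it), ...] or None if no path."""
    queue = deque([[(start, None)]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1][0]
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [(nxt, rel)])
    return None

def exposed_principals(graph, target):
    """Every principal with some path to target: the set to alert on when it grows."""
    reverse = {}
    for src, edges in graph.items():
        for _, dst in edges:
            reverse.setdefault(dst, []).append(src)
    seen, queue = set(), deque([target])
    while queue:
        for src in reverse.get(queue.popleft(), []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen
```

Running `shortest_path(GRAPH, "alice", "Domain Admins")` walks six hops through nested groups and a delegated service account, the kind of path that looks fully authorized to IAM at every step.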
Integration with SIEM and SOAR
Raw identity telemetry is noisy. The value of ITDR compounds when identity signals are correlated with endpoint and network telemetry in the SIEM. An impossible-travel login (identity alert) that coincides with a suspicious process execution on the target endpoint (EDR alert) creates a high-fidelity incident worth investigating — where either signal alone might be dismissed.
SOAR playbooks should include identity-specific response actions: forced session revocation, temporary account disablement, credential rotation, and MFA re-registration requirements. These actions need to be pre-authorized and tested — you can’t afford to debate whether to kill an active session during an incident.
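The impossible-travel detection from the credential-abuse section and the identity-plus-EDR correlation described above, as one added example that is not code from the original article or from any SIEM product: the sign-in records, EDR alerts, field names, 900 km/h speed threshold and 15-minute window are all constructed assumptions, and the logic promotes an identity hit to an incident only when the signed-into device also raised an endpoint alert inside the window.

```python
import math
from datetime import datetime, timedelta
# Constructed sample telemetry (not real logs). Sign-ins carry the geo-IP of the
# source and the device signed into; EDR alerts carry the device name.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "lat": 51.50, "lon": -0.12, "device": "LT-ALICE"},   # London
    {"user": "alice", "ts": "2024-05-01T09:30:00", "lat": 40.71, "lon": -74.01, "device": "LT-ALICE"},  # New York, 90 min later
    {"user": "bob", "ts": "2024-05-01T08:00:00", "lat": 48.86, "lon": 2.35, "device": "LT-BOB"},        # Paris
    {"user": "bob", "ts": "2024-05-01T12:00:00", "lat": 51.50, "lon": -0.12, "device": "LT-BOB"},       # London, 4 h later: plausible
]
EDR_ALERTS = [
    {"device": "LT-ALICE", "ts": "2024-05-01T09:34:00", "alert": "suspicious_child_of_office_app"},
    {"device": "LT-BOB", "ts": "2024-05-01T07:00:00", "alert": "suspicious_child_of_office_app"},
]
MAX_SPEED_KMH = 900           # above airliner speed: the second sign-in cannot be the same person
MIN_DISTANCE_KM = 50          # ignore geo-IP jitter between nearby locations
WINDOW = timedelta(minutes=15)

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))   # great-circle distance in km

def impossible_travel(signins):
    """Return (user, later_signin, implied_speed_kmh) for consecutive sign-ins
    of one user that would require faster-than-flight travel."""
    by_user = {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    hits = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                hits.append((user, cur, speed))
    return hits

def correlate(hits, edr_alerts, window=WINDOW):
    """Promote an identity hit to an incident when the signed-into device raised
    an EDR alert within the window; lone signals stay as low-priority alerts."""
    incidents = []
    for user, ev, speed in hits:
        t = datetime.fromisoformat(ev["ts"])
        for alert in edr_alerts:
            if alert["device"] == ev["device"] and abs(datetime.fromisoformat(alert["ts"]) - t) <= window:
                incidents.append({"user": user, "device": ev["device"], "speed_kmh": round(speed), "edr_alert": alert["alert"]})
    return incidents
```

Bob's Paris-to-London pair is never flagged, and alice's sign-in becomes an incident only because LT-ALICE raised an EDR alert four minutes later; the same logic with Bob's earlier endpoint alert outside the window produces nothing, which is the noise reduction the correlation is for.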
What analysts and practitioners should take away
The ITDR market maturing to the point of independent evaluations is a signal: if your SOC doesn’t have dedicated identity detection logic in its detection engineering pipeline, you have a gap. Start with the identity data you already have — Active Directory event logs, Entra ID sign-in logs, Okta system logs — and build detection rules targeting the high-value ATT&CK techniques above. The tooling will follow; the detection logic needs to come first.