3 Steps to Take to Get Started with Identity Threat Detection and Response (ITDR)

24/10/2022 • Maya Malevich

Gartner© recently published a research report on the value of Identity Threat Detection and Response (ITDR) called:

“Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response”, published 20 October 2022, by Henrique Teixeira, Peter Firstbrook, Ant Allan, and Rebecca Archambault.

ITDR is a new acronym Gartner uses to describe the security discipline that protects the identity infrastructure. Much like network detection and response (NDR) and endpoint detection and response (EDR) protect critical infrastructure in the organization, ITDR is required to protect the systems that control identity and access across the organization. Now that identity has become the new perimeter, the detection gaps between traditional IAM solutions and infrastructure security controls are constantly exploited by malicious actors, inside and outside the organization. 

Image from: “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response” report published 20 October 2022, by Henrique Teixeira, Peter Firstbrook, Ant Allan, and Rebecca Archambault.

Before searching for the tools to protect your identity infrastructure, we recommend identifying the gaps in your environment by following the below 3 steps:

  1. Assess identity-first security posture 
  2. Assess identity threats
  3. Examine response playbooks

Step 1: Assess Identity-First Security Posture

Examine the identity risk level across your cloud environment by reviewing actual access privileges and identifying stale accounts, over-privileges, and privilege escalation paths. The proliferation of identities and assets together with the dynamic nature of the cloud often leads to hidden, unused and excessive access. 

For example, “More than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted, which greatly increases the attack surface for account compromises.” Gartner Innovation Insight for Cloud Infrastructure Entitlement Management, published on 15 June 2021 by Henrique Teixeira, Michael Kelley, and Abhyuday Data.

Reviewing all cloud services and applications for illicit access can be very time consuming and error-prone. CIEM (Cloud Infrastructure Entitlement Management) solutions can help identify over-privileges in IaaS. If you wish to cover all your bases, it would be beneficial to also review cloud applications and IAM tools to identify stale access from partial offboarding as well as privilege escalations across systems (shadow administrators and federation).  

Step 2: Assess Identity Threats

Review the configurations and deployments of your IAM tools (IdP/SSO, IGA and PAM) to detect risks and threats such as exposed passwords, user impersonation, and unauthorized changes. Even mature deployments of IAM solutions may be exposed to identity threats due to misconfigurations or even by design. 

A point-in-time assessment will provide you with an estimate of your exposure level and indicate the prioritization and extent of your ITDR adoption for ongoing protection. Identifying where you are exposed will also help determine who should own ITDR in your organization. 

Step 3: Examine Response Playbooks

Your SIEM, SOAR and XDR tools are handling incident response for your security infrastructure. Chances are that some of your existing playbooks can also be used for identity risks and threats. Review your existing playbooks to identify what will work for identity and access incidents and what requires adjustments, or new playbooks. 

Some ITDR solutions will also provide automated remediation capabilities, such as disabling excessive access, and resolution recommendations (like moving from SWA to SAML). The severity and potential impact of incidents on your organization will determine the urgency and automation of your playbooks. 


ITDR is an emerging security discipline, meaning it is only now evaluated by early adopters. Having said that, we believe the growing frequency of cyberattacks that exploit the identity infrastructure will boost the sense of urgency and drive organizations to research their exposure level. And since the IAM layer touches all sensitive assets and personal data, it won’t be long before ITDR requirements find their way into standards and regulations. 

Contact us here to learn more about ITDR and about complimentary assessments provided by Authomize. 

Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Next read

Solution Brief

Learn how Authomize's solution is changing the way companies are managing authorizations