Identity Threat Detection & Response

Effectiveness of detecting and responding to identity-based attacks including credential theft, MFA bypass, privilege escalation, and impossible travel anomalies

Budget Domain: Identity & Access

Industry Benchmark

94%

+6.8% from previous period

Industry average: 87%

Calculation Method

Composite score of: identity anomaly detection coverage (% of identity providers monitored), mean time to detect identity attacks (MTTD-I), alert fidelity rate (true positives ÷ total identity alerts), and automated response coverage (% of playbooks automated)

Significance

Identity is the new perimeter. 80% of breaches involve compromised credentials (Verizon DBIR 2025). ITDR has emerged as a critical control category as attackers bypass perimeter and endpoint tools by abusing legitimate identities.

What is ITDR?

Identity Threat Detection & Response (ITDR) is a security discipline focused on protecting identity infrastructure from attack. Unlike IAM (which manages access), ITDR detects when identities are being misused — through stolen credentials, MFA bypass, token theft, Kerberoasting, pass-the-hash, and directory service attacks. It combines behavioral analytics with automated response playbooks.

Key threat patterns ITDR detects

  • Credential stuffing & password spray — Mass authentication attempts against common credentials
  • MFA fatigue / push bombing — Overwhelming users with MFA push notifications
  • Token theft — Stealing OAuth/SAML tokens post-MFA to bypass authentication
  • Impossible travel — Authentication from geographically impossible locations
  • AD/Entra ID attacks — Kerberoasting, DCSync, Golden Ticket attacks on directory services
  • Privilege escalation — Lateral movement via permission abuse toward admin accounts
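The impossible-travel pattern in the list above, as an added example that is not part of the original page: a minimal detector over constructed sign-in events that flags consecutive successful logins by the same user whose distance and time gap imply faster-than-airliner travel. The 900 km/h threshold, the sample coordinates and the event format are assumptions, not values from the page.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC timestamp, lat, lon, outcome).
SAMPLE_EVENTS = [
    ("alice", "2026-01-10T08:00:00", 51.5074, -0.1278, "success"),    # London
    ("alice", "2026-01-10T08:45:00", 40.7128, -74.0060, "success"),   # New York, 45 min later
    ("bob",   "2026-01-10T09:00:00", 48.8566, 2.3522, "success"),     # Paris
    ("bob",   "2026-01-10T12:30:00", 52.5200, 13.4050, "success"),    # Berlin, 3.5 h later
    ("carol", "2026-01-10T10:00:00", 35.6762, 139.6503, "failure"),   # Tokyo, failed attempt
    ("carol", "2026-01-10T10:10:00", 37.7749, -122.4194, "success"),  # San Francisco
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (decimal degrees) in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=900.0, min_gap_minutes=5):
    """Return one alert per pair of consecutive successful sign-ins (per user)
    whose implied speed exceeds max_speed_kmh (assumed: roughly airliner speed).
    Failed attempts are ignored: a failed login proves nothing about location."""
    by_user = {}
    for user, ts, lat, lon, outcome in sorted(events, key=lambda e: (e[0], e[1])):
        if outcome != "success":
            continue
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))

    alerts = []
    for user, logins in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            dist_km = haversine_km(la1, lo1, la2, lo2)
            # Clamp tiny gaps so same-site re-authentications do not divide by ~zero.
            hours = max((t2 - t1).total_seconds() / 3600.0, min_gap_minutes / 60.0)
            speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "distance_km": round(dist_km),
                               "hours": round(hours, 2), "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over identity-provider sign-in logs with geo-resolved source IPs; known VPN/proxy egress ranges should be whitelisted before applying the speed test to keep alert fidelity high.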

Why it matters in 2026

MFA bypass acceleration: Adversary-in-the-middle (AiTM) phishing toolkits (Evilginx, Modlishka) trivially bypass SMS and push-based MFA. Detection requires behavioral analytics, not just MFA logs.

Service account blind spots: 85% of organizations have significant service account credential exposure. Non-human identities now outnumber human accounts by 45:1 on average.

Dwell time reduction: Organizations with mature ITDR reduce dwell time for identity-based attacks from 146 days (industry average) to under 24 hours.

ITDR maturity stages

  • Level 1 (0–60%): Basic SIEM rules on authentication logs; no behavioral analytics
  • Level 2 (61–75%): Dedicated ITDR tooling (Silverfort, Illusive, etc.); manual response
  • Level 3 (76–90%): Automated containment (account lockdown, MFA step-up); integrated with SOAR
  • Level 4 (91–100%): Full identity graph analysis; service account discovery and protection; real-time lateral movement blocking