What Is ITDR?

Identity Threat Detection and Response (ITDR) is a set of security measures designed to detect and respond to identity-related security threats. ITDR adds a new layer to the identity fabric, enabling organizations to secure data even after their perimeter has been breached.

What is ITDR in a SaaS Environment?

Like traditional ITDR, SaaS Identity Threat Detection and Response looks at identity-centric threats that could lead to breaches within the application or enable threat actors to misuse the app.

ITDR includes monitoring user activity, detecting anomalies in human and non-human user behavior to identify deviations from normal behavior, and taking appropriate actions in response to threats.

There are three types of identity vulnerabilities that are monitored with an ITDR:

Unmanaged Identities

Identities that aren’t managed in the IDP and can include high privilege and admin accounts

Misconfigured Identities

These can include any type of user account, as well as things like weak passwords and poor encryption practices

Exposed Identities

These include identities that were compromised through some type of social engineering attack and othe

Is ITDR a standalone tool?

ITDR is not a tool, it’s a methodology. As part of the ITDR process, companies should encompass information from multiple sources and look for anomalies within the data. Those sources include audit logs from SaaS applications, native user behavior analytics from each application alone and combined (correlated), and user or device data where applicable.

The data is analyzed by an AI tool, and any anomalies that indicate potential threats are highlighted and shared with the security team.

Why is ITDR Important for Businesses?

Loss of Trust

Partners and customers often lose faith in businesses that are not careful with their data

Customer Churn

Customers often look for alternative service providers when their data is handled irresponsibly

Financial Loss

Companies are stung by several different forms of financial loss. When personal identifiable information (PII) is exposed, companies may be hit with onerous fines from government organizations. They frequently experience operating losses and reduced sales. They may also be exposed to litigation.

Loss of Competitive Edge

Corporate secrets that are stolen and sold to competitors or published on the internet can weaken an organization’s competitive advantage

Monitoring the SaaS stack with ITDR tools helps protect an organization’s interests, as it prevents these and other consequences.

Why should ITDR be a priority today?

As organizations move from on-premises solutions to cloud-based SaaS software, identity has become a key piece of the digital perimeter. Threat actors have taken notice and are putting more pressure on user identities to breach systems.

ITDR addresses security gaps that were left exposed by traditional security solutions:


Secure SaaS and cloud applications through high-posture techniques


Precisely detect when identities are being attacked


Develop a plan that will address an attack underway and secure the application for future attacks

With so much data sitting on the public cloud behind an identity-based perimeter, protecting that perimeter with an ITDR is of paramount importance.

How Does ITDR Work in a SaaS Environment?

Identity threat detection and response systems work by combining data from multiple sources to identify threats. Those data sources include, among others:

SaaS app logs and activity monitors

IP data

User behavior analytics

Using an AI engine, it scans the audit logs to identify indications of compromise (IoC). When suspicious behaviors are detected, it alerts the SOC team, who follow incident response plans to secure the applications and prevent the breach.

What are some threats that an ITDR can detect?

ITDRs are able to detect a number of different responses, including:

Compromised Admin Account

Able to identify high-privilege accounts that appear to be compromised based on behavior and login data. Examples include logins from unknown IP addresses or sudden increases in downloading SaaS data.

Unlikely User

Identifies a user logged in to a SaaS application from different geographic areas over a time period that would make it unlikely to be one person

API Anomaly

Identify unusual patterns or deviations from expected API activity that indicate suspicious activity is underway

Malware Detection

Identify malicious files stored on SaaS apps or downloaded by users, and detect malicious third-party applications that are connected to the SaaS apps

Password Attacks

Use IP data to detect access that followed a password spray or brute force attack

Indications of Compromise

 Combine multiple data points, each of which would seem innocent on its own, to detect a potential breach. This might include multiple failed login attempts followed by the creation of a new admin account

Is ITDR More Effective When Using Data From Across the SaaS Stack?

ITDRs rely on data to detect threats. Expanding the source data to include all applications presents the security team with a far richer data set capable of finding threats that may be impossible to detect otherwise.

For example, if an ITDR solution is monitoring the entire SaaS stack, it would be able to identify an IP address where threat detectors were conducting dictionary attacks on a niche app. When the threat actor then tried to use the password it had discovered on a more important application from the same IP address, the threat would be detected, and the security team alerted.

Another example of this would be a user who accessed one application from an IP address in the United States and another app from an Asian IP address at the same time. A single-app data set would not detect anything wrong with the two logins, while comprehensive app-wide monitoring would quickly recognize that an identity had been compromised.

What are Some ITDR Key Terms and Concepts?

Here are some key terms and concepts related to identity threat detection and response that businesses should be familiar with:

Identity and Access Management (IAM)

The processes, policies, and technologies used to manage digital identities and control access to IT resources.

Multifactor Authentication (MFA)

A security mechanism that requires users to provide two or more forms of authentication to access IT resources.

Identity Theft

The act of stealing personal information, such as usernames, passwords, or social security numbers, to impersonate someone else or gain unauthorized access to IT resources.


A type of social engineering attack in which an attacker attempts to trick users into sharing sensitive information, such as usernames and passwords.

User and Entity Behavior Analytics (UEBA)

The use of machine learning and other advanced analytics techniques to detect anomalous behavior and potential security threats based on user activity and behavior patterns.

Threat Intelligence

Information about potential cyber threats and the actors behind them, including indicators of compromise (IoCs) and other threat-related data.

Security Information and Event Management (SIEM)

A type of security technology that collects and analyzes security event data from multiple sources to identify potential security threats.

Incident Response (IR)

The process of responding to a security incident, such as a data breach, to contain the incident, investigate the cause, and take steps to prevent future incidents.

Zero Trust

A security model that assumes all users, devices, and network traffic are potentially malicious and requires continuous verification of identity and authorization for access to IT resources.

What is the relationship between ITDR and Identity Fabric?

Identity Fabric is essentially a number of identity tools that lay on top of each other to create a strong security mesh. In practical terms, if a company’s identity fabric includes a username, password, and MFA, the company’s SaaS app remains secure even if a user’s login credentials are compromised, as MFA still prevents access.

ITDR is used to maintain the strength of the identity fabric. It recognizes when settings within IAM tools are changed, such as new admin accounts, the creation of local accounts, or recognizing when an emergency or dormant account is suddenly in use. By alerting the security team, they are able to review the changes, and determine whether there are threat actors at play.

Do ITDR and SSPM Work Together?

ITDRs work together with SaaS Security Posture Management (SSPM) tools as part of the SaaS security ecosystem. SSPMs enable organizations to upgrade their security posture by automating the monitoring of security configurations.

Once the apps are secured in a way that prevents unauthorized access, ITDR tools are able to effectively detect anomalous behaviors indicating a threat.

Adaptive Shield’s threat detection capabilities are built directly into its platform. Any threatening event is listed in the platform’s Threat Center, and includes supplemental information to help guide an organization’s response.




Identity Threat Detection & Response: Solution Brief


Offboarding Users from Your SaaS Stack in 7 Steps


The Step-by-step Guide to Kickstarting Your SaaS Security Program