ITDR: Identity Threat Detection and Response in CIAM
Updated 2026-05-07 · 10 min read · By @guptadeepak
Key takeaways
- ITDR, Identity Threat Detection and Response, is the security category for detecting and responding to identity-based attacks in real time, distinct from traditional auth analytics.
- The 2026 attack surface that ITDR addresses: token theft, session hijacking, OAuth consent phishing, MFA bypass, lateral movement after initial compromise.
- Workforce ITDR (Push, Permiso, Silverfort, Microsoft Defender for Identity) and CIAM-side ITDR (Auth0 Adaptive MFA, Descope risk, Authsignal, Castle.io) are both growing categories.
- ITDR overlaps with adaptive auth at the entry point but extends through the entire session lifecycle: every action gets risk-scored, not just the login.
- Most CIAM platforms ship ITDR-adjacent features (anomaly detection, breached credential alerts, suspicious session detection); dedicated ITDR tools layer on top for deeper detection and SOC integration.
Why ITDR exists
ITDR became a recognized security category around 2022-2023 as Gartner formalized the gap between EDR (endpoint) and traditional IAM analytics. By 2026 it's a mature category with workforce-focused vendors, CIAM-integrated capability, and a clear operational pattern.
What ITDR detects
The detection categories that matter:
Token / session theft. A session cookie issued to Alice on her laptop is now being used from a different IP, different fingerprint, different geography. Possible cookie theft via malware or phishing kit.
OAuth consent phishing. A user clicks a link, lands on a real OAuth consent screen for a malicious app requesting broad scopes (mailbox read, file access). Once granted, the malicious app has API access without ever touching the user's password. Detection: anomalous consent scope, unfamiliar app, unusual user behavior pre-consent.
MFA bypass / fatigue. Attacker has the password (from breach, phishing, infostealer); spams push notifications until the user approves to make it stop. Detection: rapid push notification volume, user behavior inconsistent with intentional sign-in.
Suspicious session activity. A normal user suddenly performs admin actions, queries unusual data, or accesses resources they don't normally touch. Detection: behavioral baseline plus anomaly scoring.
Credential reuse from breach. A user logs in with credentials matching a recent third-party breach. Detection: breached-credential database check at sign-in.
Lateral movement. Initial compromise of one account followed by privilege escalation, role changes, or access to other accounts. Detection: identity graph analysis across the account population.
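The three detection categories above that reduce to concrete rules, session binding, push fatigue and broad OAuth consent, are shown here as an added example over a constructed event stream; this is not code from the article or from any vendor it names. The event schema (ts in seconds, kind, sid, fp as a device fingerprint, geo), the thresholds and the scope and app lists are assumptions chosen for illustration.

```python
"""Toy ITDR detection rules over a constructed identity-event stream.

Added example, not code from the original article or from any vendor it names.
The event schema (ts in seconds, kind, sid, fp = device fingerprint, geo) and
the thresholds are assumptions chosen to illustrate the three rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

PUSH_WINDOW_SECONDS = 120  # assumed: window for counting MFA pushes
PUSH_THRESHOLD = 5         # assumed: pushes inside the window that count as a storm
BROAD_SCOPES = {"Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All"}  # assumed
KNOWN_APPS = {"corp-calendar"}  # assumed allow-list of previously reviewed OAuth apps


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


# Constructed sample events (not real telemetry).
EVENTS = [
    # Alice logs in from her laptop in DE and keeps using that session...
    {"ts": 1000, "kind": "login", "user": "alice", "sid": "S1", "ip": "203.0.113.10", "fp": "fp-laptop", "geo": "DE"},
    {"ts": 1060, "kind": "request", "user": "alice", "sid": "S1", "ip": "203.0.113.10", "fp": "fp-laptop", "geo": "DE"},
    # ...then the same session cookie shows up from another device, IP and country.
    {"ts": 1120, "kind": "request", "user": "alice", "sid": "S1", "ip": "198.51.100.7", "fp": "fp-unknown", "geo": "BR"},
    # Bob receives six pushes in 75 seconds and finally approves one.
    *[{"ts": 2000 + 15 * i, "kind": "mfa_push", "user": "bob"} for i in range(6)],
    {"ts": 2100, "kind": "mfa_approved", "user": "bob"},
    # Carol grants mailbox and file scopes to an app nobody has reviewed;
    # Dave grants a narrow scope to a known app.
    {"ts": 3000, "kind": "consent", "user": "carol", "app": "quick-pdf-helper", "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
    {"ts": 3100, "kind": "consent", "user": "dave", "app": "corp-calendar", "scopes": ["Calendars.Read"]},
]


def detect(events):
    """Run the three rules over events in time order and return the findings."""
    findings = []
    bound = {}                   # sid -> (fp, geo) captured when the session was issued
    pushes = defaultdict(deque)  # user -> timestamps of pushes inside the window

    def prune(user, now):
        q = pushes[user]
        while q and now - q[0] > PUSH_WINDOW_SECONDS:
            q.popleft()
        return q

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "login":
            bound[ev["sid"]] = (ev["fp"], ev["geo"])
        elif kind == "request":
            # Session binding: the cookie should keep travelling with the device it was issued to.
            issued = bound.get(ev["sid"])
            if issued and (ev["fp"], ev["geo"]) != issued:
                findings.append(Finding(
                    "session_binding_mismatch", ev["user"],
                    f"sid={ev['sid']} issued to {issued[0]}/{issued[1]}, "
                    f"used from {ev['fp']}/{ev['geo']} ip={ev['ip']}"))
        elif kind == "mfa_push":
            q = prune(ev["user"], ev["ts"])
            q.append(ev["ts"])
            if len(q) == PUSH_THRESHOLD:  # fire once, when the threshold is crossed
                findings.append(Finding(
                    "mfa_push_fatigue", ev["user"],
                    f"{len(q)} pushes within {PUSH_WINDOW_SECONDS}s"))
        elif kind == "mfa_approved":
            # An approval that lands on top of a push storm is the fatigue attack succeeding.
            q = prune(ev["user"], ev["ts"])
            if len(q) >= PUSH_THRESHOLD:
                findings.append(Finding(
                    "mfa_fatigue_approval", ev["user"],
                    f"approval after {len(q)} pushes within {PUSH_WINDOW_SECONDS}s"))
        elif kind == "consent":
            broad = sorted(set(ev["scopes"]) & BROAD_SCOPES)
            if ev["app"] not in KNOWN_APPS and broad:
                findings.append(Finding(
                    "suspicious_consent", ev["user"],
                    f"unreviewed app {ev['app']} requested {broad}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.rule, f.user, f.detail)
```

Running it yields four findings: Alice's session reused from a different device and country, Bob's push storm, Bob's approval landing inside that storm, and Carol's consent to an unreviewed app with broad scopes; Dave's narrow grant to a known app is not flagged. The push rule fires once when the threshold is crossed rather than on every further push, which keeps the SOC queue from filling with one alert per notification.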
Where the signals come from
Modern ITDR composites several signal classes:
- Device fingerprinting: browser fingerprints, mobile device IDs, behavioral biometrics
- Network signals: IP reputation, geo/velocity, ASN, VPN/Tor detection
- Authentication metadata: factor used, recovery flows triggered, MFA bypass indicators
- Session telemetry: token reuse patterns, refresh behavior, idle/active patterns
- OAuth telemetry: consent grants, scope changes, app reputation
- Behavioral baselines: per-user normal patterns of login times, locations, action types
- Threat intelligence: known phishing kits, breached credentials, malicious IPs
- Identity graph: relationships between accounts, privilege levels, ownership
The risk score is the composite. A login from a new device in an unusual country at an unusual time using a credential that appears in a breach database is high-risk; the same login from the user's normal device on their normal IP is low-risk.
ITDR vs adaptive auth
The two overlap; the distinction is scope:
- Adaptive auth scores the login event. The decision is "challenge for additional verification?" The signals end at session establishment.
- ITDR scores the entire identity runtime. Every action (token use, consent grant, role change, admin operation) gets risk-scored. The decision is "allow / challenge / block / alert", made continuously.
For the entry-point details, see the adaptive risk-based authentication guide. For the broader ATO context, see the account takeover defense guide.
Two market segments
The ITDR market has roughly bifurcated:
Workforce ITDR covers the employee identity surface. Dominant vendors: Push Security, Permiso, Silverfort, Microsoft Defender for Identity, CrowdStrike Falcon Identity, Oort (acquired by Cisco). Integrates with workforce IdPs (Okta, Microsoft Entra) plus SIEM and EDR.
CIAM-side ITDR covers the customer identity surface. Either built into the CIAM (Auth0 Adaptive MFA, Descope risk, AWS Cognito Advanced Security) or delivered as a CIAM-adjacent product (Authsignal, Castle.io, Kasada). Integrates with the CIAM's authentication and session management.
What CIAM ships natively
Most modern CIAM platforms ship ITDR-adjacent features without calling them ITDR:
- Geo/velocity anomaly detection
- Breached credential alerts (HaveIBeenPwned integration)
- Device-fingerprint-based suspicious session detection
- Adaptive MFA challenge based on risk score
- Token revocation and session invalidation APIs
For most mid-market deployments, this native capability is sufficient. Dedicated ITDR is justified when:
- The security team has a SOC and needs deep telemetry integration
- The business is in a regulated industry with explicit ITDR requirements
- A documented incident has shown the gap between native CIAM capability and the actual attack surface
Operational pattern
A working ITDR deployment includes:
- Telemetry pipeline. All identity events (auth, session, consent, role change) flow to a central store with structured fields. CIAM audit logs are the source.
- Detection rules. Both vendor-provided (built-in detection) and custom (organization-specific patterns).
- Risk scoring. Composite score per session, per action.
- Response actions. Auto-revoke session, force step-up MFA, alert SOC, page on-call. Different triggers for different score thresholds.
- Incident workflow. Triage queue, investigation tools, response playbooks. SOC team owns this.
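The composite risk score described under "Where the signals come from", the per-action scoring that distinguishes ITDR from adaptive auth, and the threshold-driven response actions in the operational pattern above fit in one small model. This is an added example, not the article's code and not any vendor's scoring model; the weights, the two thresholds, the baseline shape, the privileged-action list and the event fields are all assumptions.

```python
"""Composite risk scoring with a response ladder, scored per login and per action.

Added example, not the article's code nor any vendor's scoring model. Weights,
thresholds, the baseline shape and the event fields are assumptions.
"""
from dataclasses import dataclass

# Assumed per-signal weights; a real deployment would tune these per tenant.
WEIGHTS = {
    "new_device": 25,
    "unusual_geo": 20,
    "unusual_time": 10,
    "breached_credential": 30,
    "bad_ip_reputation": 25,
    "privileged_action": 20,
    "unfamiliar_resource": 15,
}
CHALLENGE_AT = 30  # assumed: force step-up MFA from here
BLOCK_AT = 60      # assumed: revoke the session and alert the SOC from here
PRIVILEGED_ACTIONS = {"change_role", "add_admin", "export_all_users"}  # assumed


@dataclass
class Baseline:
    """Per-user 'normal' that a real system learns from history (constructed here)."""
    devices: set
    countries: set
    hours: range       # usual local login hours
    resources: set


@dataclass(frozen=True)
class Decision:
    signals: tuple
    score: int
    action: str


def signals_for(event, baseline, breached_hashes, bad_ips):
    """Turn one event into the list of risk signals that fire for it."""
    s = []
    if event["fp"] not in baseline.devices:
        s.append("new_device")
    if event["geo"] not in baseline.countries:
        s.append("unusual_geo")
    if event["hour"] not in baseline.hours:
        s.append("unusual_time")
    if event["ip"] in bad_ips:
        s.append("bad_ip_reputation")
    # The breached-credential check only applies where a credential was presented.
    if event["kind"] == "login" and event.get("cred_hash") in breached_hashes:
        s.append("breached_credential")
    # Session-lifetime signals: what the already-authenticated session is doing.
    if event.get("action") in PRIVILEGED_ACTIONS:
        s.append("privileged_action")
    if event.get("resource") and event["resource"] not in baseline.resources:
        s.append("unfamiliar_resource")
    return s


def evaluate(event, baseline, breached_hashes, bad_ips):
    """Composite score = capped sum of weights; the ladder maps it to a response."""
    signals = tuple(signals_for(event, baseline, breached_hashes, bad_ips))
    score = min(100, sum(WEIGHTS[x] for x in signals))
    if score >= BLOCK_AT:
        action = "block_and_alert"
    elif score >= CHALLENGE_AT:
        action = "challenge"
    else:
        action = "allow"
    return Decision(signals, score, action)


# Constructed fixtures (not real data).
ALICE = Baseline(devices={"fp-laptop"}, countries={"DE"}, hours=range(7, 20), resources={"crm"})
BREACHED = {"h-breached-0001"}   # placeholder credential hash from a constructed breach list
BAD_IPS = {"198.51.100.9"}

RISKY_LOGIN = {"kind": "login", "fp": "fp-unknown", "geo": "BR", "hour": 3,
               "ip": "198.51.100.7", "cred_hash": "h-breached-0001"}
NORMAL_LOGIN = {"kind": "login", "fp": "fp-laptop", "geo": "DE", "hour": 10,
                "ip": "203.0.113.10", "cred_hash": "h-fresh-0002"}
# Same trusted device and network, but mid-session the user starts doing admin things.
ADMIN_ACTION = {"kind": "action", "fp": "fp-laptop", "geo": "DE", "hour": 10,
                "ip": "203.0.113.10", "action": "change_role", "resource": "admin-console"}

if __name__ == "__main__":
    for name, ev in [("risky login", RISKY_LOGIN), ("normal login", NORMAL_LOGIN),
                     ("admin action", ADMIN_ACTION)]:
        print(name, evaluate(ev, ALICE, BREACHED, BAD_IPS))
```

The risky login (new device, unusual country and hour, credential on a breach list) scores 85 and is blocked with an alert; the same user from her normal device and IP scores 0 and is allowed. The third event is the point the article makes about scope: adaptive auth would have stopped at the clean login, whereas scoring the mid-session role change on a resource outside the baseline lands at 35 and triggers a step-up challenge.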
For the technical session-management primitives that ITDR builds on, see the session management guide.
Vendor selection
For most B2B SaaS in 2026:
- Use the CIAM's native ITDR-adjacent features first. Auth0 Adaptive MFA, Descope risk, Cognito Advanced Security, Microsoft Entra Risky Sign-ins.
- Layer dedicated CIAM-side ITDR if the native capability isn't enough. Authsignal for B2B SaaS adding deeper risk; Castle.io for B2C.
- Workforce ITDR for the employee side. Push, Permiso, Silverfort, separate from the CIAM choice.
ITDR is best understood as a maturing layer on top of the CIAM, not a replacement. The CIAM provides identity primitives and entry-point auth; ITDR extends the same security posture through the entire session lifecycle.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Authsignal
Authsignal is the strongest identity orchestration layer in 2026, designed to sit in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom-built) and add the passkey orchestration, adaptive risk decisioning, and step-up MFA logic that most full-platform vendors do badly. For teams with an existing CIAM that want to fix passkey adoption or harden against account takeover without replacing the primary platform, Authsignal is the singular pick. It is not a full CIAM; if greenfield, pick one of those first.
Descope
Descope is the orchestration-first CIAM in 2026: its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
FAQ
- How is ITDR different from adaptive auth?
- Adaptive auth scores the login event: should we challenge for MFA? ITDR extends the same scoring through the session: is this token being used from a different device than it was issued to? Is this OAuth consent flow suspicious? Is this admin action consistent with normal user behavior? Adaptive is the entry point; ITDR is the whole runtime.
- Do I need a dedicated ITDR tool?
- Most CIAM platforms ship enough ITDR-adjacent capability (anomaly detection, geo/velocity scoring, breached credential checks, suspicious session detection) for the typical mid-market deployment. Dedicated ITDR (Push Security, Permiso, Silverfort) is justified at enterprise scale, in regulated industries, or after a documented incident has driven the need.
- What attacks does ITDR catch that login MFA misses?
- Stolen sessions reused from a different device (cookie theft via malware), OAuth consent phishing (user grants a malicious app excessive scopes), MFA fatigue attacks (push notification spam to coerce a yes), token theft via phishing kits (Evilginx, Modlishka), and lateral movement after the first account compromise.
- Where do detection signals come from?
- Device fingerprinting, IP reputation, geo/velocity analysis, behavioral biometrics, OAuth scope analysis, breached credential databases, threat-intel feeds, anomaly detection on login times and patterns. Modern ITDR composites these into a continuous risk score per session.
Sources
- Gartner ITDR market guide (2024)
- Microsoft Defender for Identity documentation
- Push Security threat reports
- Auth0 Adaptive MFA documentation