TL;DR: SIEM, XDR, and ITDR solve different parts of the detection stack, but only ITDR is built to continuously inspect identity behaviour, privilege drift, and session misuse across human and machine accounts, according to Unosecur. The critical issue is that generic telemetry tools still assume identity abuse will appear as an obvious event, which is often too late.
At a glance
What this is: This is a comparison of SIEM, XDR, and ITDR, with the key finding that identity attacks need identity-specific detection rather than broad event correlation alone.
Why it matters: It matters because IAM, NHI, and security teams need to know where generic monitoring stops and where identity-specific controls must take over for meaningful risk reduction.
👉 Read Unosecur's ITDR analysis of SIEM and XDR gaps for identity security
Context
Identity security now depends on detecting misuse of credentials, privilege, and sessions, not just watching for endpoint or network anomalies. SIEM and XDR can collect and correlate useful signals, but they are still general-purpose detection layers, which means they often miss the low-and-slow identity abuse that matters most in IAM and NHI programmes.
ITDR exists because identity attacks do not always look like obvious intrusion events. The operational question for practitioners is where a programme needs continuous identity context, especially for service accounts and other non-human identities that can appear legitimate while still being abused.
Key questions
Q: How should security teams decide where SIEM ends and ITDR begins?
A: Security teams should use SIEM for broad log collection, correlation, and forensic support, then use ITDR where the risk depends on identity behaviour rather than infrastructure events. If the threat involves privilege drift, account misuse, or session-level anomalies, SIEM alone is usually too coarse. ITDR should handle identity-specific detection and response.
Q: Why do XDR platforms still miss some identity attacks?
A: XDR often sees the event but not the identity context. It can correlate endpoint, network, and cloud signals, yet still miss whether a login, token use, or access request is unusual for that identity. Without entitlements, lifecycle state, and behavioural history, XDR may classify identity abuse as routine activity.
Q: What breaks when identity monitoring is treated as a generic alert problem?
A: Teams lose the ability to distinguish legitimate access from abuse that unfolds inside normal-looking events. That is especially dangerous for service accounts and privileged users, where activity may remain technically valid while still being operationally suspicious. Generic alerting creates noise, but it does not create identity understanding.
Q: When should organisations prioritise ITDR over additional SIEM tuning?
A: Organisations should prioritise ITDR when identity misuse, session abuse, or privilege escalation is a realistic attack path and current monitoring cannot explain those behaviours quickly enough. If alerts arrive after the identity event has already played out, tuning SIEM is usually not enough. Identity-native detection becomes the better investment.
Technical breakdown
Why SIEM misses identity abuse patterns
SIEM platforms are designed to normalise and correlate logs from many sources, which makes them useful for audit trails and post-incident reconstruction. The weakness is that they depend on rules, thresholds, and ingestion latency, so identity abuse that unfolds gradually can stay below the alert line. A service account that slowly changes behaviour or a token that is reused in a way that looks technically valid may never trip a conventional SIEM rule. The result is broad visibility without identity precision.
Practical implication: Use SIEM as a visibility and forensic layer, not as the primary detector for subtle identity misuse.
Where XDR helps and where it still falls short for identities
XDR improves cross-domain correlation by combining endpoint, network, and cloud telemetry into one incident narrative. That helps with lateral movement and malware propagation, but identity signals are still often secondary to system events. Without rich identity context, XDR may see a login or API call but not understand whether the behaviour reflects privilege creep, token misuse, or session impersonation. In practice, XDR narrows the noise but does not fully solve identity-specific detection.
Practical implication: Feed identity-enriched signals into XDR if you want it to distinguish normal access from suspicious identity behaviour.
How ITDR adds identity context in real time
ITDR is built to monitor identity behaviour continuously, including access patterns, privilege changes, and session activity across human and machine identities. Its value is not just detecting anomalies but understanding whether an identity is drifting outside its normal behavioural envelope. That includes dormant accounts waking up, service accounts touching unfamiliar resources, or sessions that show signs of impersonation. ITDR closes the gap between access granted and abuse detected by keeping the identity itself in view.
Practical implication: Prioritise ITDR where identity misuse can move faster than manual review or rule-based correlation.
NHI Mgmt Group analysis
Identity security now needs a purpose-built control layer, not just more telemetry. SIEM and XDR were built for broad detection and correlation, while identity abuse often depends on nuance such as privilege context, session continuity, and account behaviour. That mismatch is why identity-specific monitoring has become a distinct programme requirement, not a feature request. Practitioners should treat identity as its own detection domain.
Service accounts are where general-purpose monitoring most often loses fidelity. A machine identity can look legitimate at the event level while still behaving outside its intended scope, especially when access is persistent or poorly contextualised. Broad tools tend to register activity, not intent or entitlement drift. That leaves NHI governance exposed unless the monitoring layer understands identity state as well as event content.
ITDR is best understood as the bridge between IAM governance and detection operations. It adds behavioural context to access and privilege decisions, which makes it materially more relevant to identity teams than endpoint-centric response alone. That does not make SIEM or XDR obsolete, but it does change their role in the stack. The practitioner conclusion is that identity protection needs an identity-native layer.
_Identity context is the missing operational signal in many breach paths._ The article’s core lesson is that attackers and abuse patterns increasingly exploit legitimate identities rather than obviously malicious infrastructure. That means the control question shifts from whether telemetry exists to whether the telemetry can explain identity behaviour well enough to act on it. Teams should align monitoring design with that reality.
Identity perimeter thinking is now a practical operating model, not a slogan. Once human and machine identities become primary attack surfaces, the boundary of detection moves from network edges to identity state, session state, and entitlement state. That requires tighter coordination between IAM, SOC, and NHI governance functions. Practitioners should redesign accountability around identity evidence, not just alert volume.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That same research found that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
- For the wider operating model, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the governance steps that sit behind identity visibility and control.
What this signals
Identity telemetry is becoming a governance input, not just a detection input. As organisations add more machine and service identities, the practical question is whether the control stack can explain identity behaviour well enough to support access decisions, not just incident response. The best next step is to connect monitoring, lifecycle state, and entitlement context in one operating model, then map that model to the NIST Cybersecurity Framework 2.0.
With 1.5 out of 10 organisations highly confident in securing NHIs, the gap is not subtle tooling preference but programme maturity. That confidence deficit means identity teams should expect more reliance on specialised detection layers and tighter governance around service accounts, tokens, and delegated access.
Identity perimeter: the practical boundary where access, entitlement, session state, and behavioural context must all be considered together. Once that boundary is defined, ITDR becomes easier to place in the stack because it is meant to watch the identity state that broad correlation tools cannot fully interpret. Practitioners should use this model to decide where IAM ends and operational detection begins.
For practitioners
- Separate identity detection from generic event correlation Keep SIEM for log aggregation, compliance, and investigation, but do not rely on it alone for subtle identity abuse. Define which identity signals require a purpose-built layer that can interpret privilege changes, session anomalies, and account behaviour.
- Baseline both human and machine identities Create behavioural baselines for service accounts, API-driven workloads, and privileged users, then compare access patterns against those baselines continuously. This is the only way to spot drift that looks normal to a broad monitoring tool.
- Enrich XDR with identity context Feed entitlement data, identity metadata, and lifecycle state into XDR so cross-domain correlation can distinguish ordinary logins from suspicious credential or token use. Without that context, XDR remains strong on scope and weak on identity.
- Use ITDR to shorten identity exposure windows Trigger response on identity anomalies that indicate token misuse, privilege escalation, or session impersonation before the activity becomes a wider incident. The goal is to reduce the time between suspicious identity behaviour and containment.
Key takeaways
- SIEM and XDR are useful for broad correlation, but neither is built to understand identity behaviour with enough granularity on its own.
- Identity abuse often looks legitimate at the event level, which is why service accounts, tokens, and privileged sessions need identity-native monitoring.
- ITDR matters because it moves identity security from retrospective analysis to continuous behavioural detection and faster containment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central to identity threat detection. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential and token misuse sit behind the identity attacks discussed here. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Identity context is essential to access decisions in zero trust. |
Map identity telemetry to DE.CM-1 and ensure alerting covers privilege and session anomalies.
Key terms
- Identity threat detection and response: Identity threat detection and response is a security approach focused on spotting misuse of identities, credentials, and sessions rather than just malicious network activity. It uses behavioural and entitlement context to detect abuse early and support fast containment across human and machine accounts.
- Identity context: Identity context is the extra information that explains what an identity is allowed to do and what it normally does. That includes role, privilege level, lifecycle state, and recent behaviour, which together help distinguish legitimate access from suspicious use.
- Session impersonation: Session impersonation is when an attacker or malicious actor uses an existing authenticated session or session token to act as if they are the real user or workload. The activity may look valid to basic monitoring because the session itself is authenticated, even though the actor behind it is not.
- Identity perimeter: The identity perimeter is the operational boundary where access decisions are governed by identity state, entitlement state, and session behaviour rather than by network location alone. It is increasingly important because both human and non-human identities can be the primary entry point into systems and data.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- A side-by-side breakdown of SIEM, XDR, and ITDR use cases for detection, response, and forensic review
- Examples of identity anomalies that ITDR is designed to catch, including privilege escalation and session impersonation
- Implementation detail on how enriched identity metadata changes alert quality and response speed
- A documented financial-sector case showing automated remediation after subtle credential abuse
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
