
ITDR in zero trust: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Identity Threat Detection and Response, or ITDR, is positioned as a real-time layer for spotting identity abuse after authentication, especially where over 90% of breaches now involve compromised credentials, according to Permiso Security. The practical shift is that zero trust and governance controls must be paired with continuous identity behaviour monitoring, not just stronger sign-in controls.

NHIMG editorial — based on content published by Permiso Security: 15 Questions Everyone Asks About Identity Threat Detection and Response (ITDR)

By the numbers:

Questions worth separating out

Q: How should security teams use ITDR alongside PAM and IGA?

A: Security teams should use PAM and IGA to reduce identity exposure, then use ITDR to detect misuse that still occurs.

Q: Why do service accounts need separate ITDR baselines?

A: Service accounts need separate baselines because they are expected to behave predictably and usually lack human-like patterns such as working hours, interactive logins, or varied application use.

Q: What breaks when identity monitoring does not span cloud and on-premises systems?

A: When monitoring stops at environment boundaries, attackers can pivot through trusted identity relationships without triggering a clear alert.

Practitioner guidance

  • Baseline identity behaviour across critical account types: build separate behavioural profiles for human users, privileged admins, service accounts, and machine identities.
  • Integrate ITDR into SIEM and SOAR response paths: route high-confidence identity detections into automated actions such as session revocation, account suspension, and step-up authentication, while sending lower-confidence events to analyst review with enriched identity context.
  • Prioritise service account and orphaned identity coverage: inventory non-human identities, identify owners, and compare active accounts against actual application and workload dependencies.

What's in the full article

Permiso Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A full comparison of ITDR, EDR, XDR, PAM, and IGA with concrete use cases for each control class.
  • Detailed integration patterns for SIEM and SOAR, including response actions such as session revocation and account suspension.
  • Expanded guidance on behavioural analytics, UEBA signals, and identity baselines across AD, Azure AD, and cloud IAM.
  • Practical selection criteria for choosing an ITDR platform and designing an incident response workflow around it.

👉 Read Permiso Security's guidance on identity threat detection and response →
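The practitioner guidance above (separate baselines per account type, confidence-based routing into SOAR paths, and coverage of orphaned identities) and the earlier answer on why service accounts need their own baselines can be shown as one small detection pass. The following is an added illustration, not code from Permiso Security's article or from NHIMG; the event fields, the scoring weights, the `automate_at` / `review_at` thresholds and the sample identities are all constructed assumptions.

```python
# Added example (not from Permiso Security or NHIMG): a toy ITDR-style pass
# over constructed identity events. Field names, weights, thresholds and
# baseline rules are assumptions chosen for illustration only.
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Behavioural profile learned for one identity from trusted history."""
    kind: str                                    # human | admin | service | machine
    environments: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    interactive_seen: bool = False


NON_HUMAN = {"service", "machine"}


def build_baselines(history):
    """One profile per identity. Human and non-human accounts learn the same
    fields but are scored by different rules in score_event()."""
    profiles = {}
    for e in history:
        b = profiles.setdefault(e["identity"], Baseline(kind=e["kind"]))
        b.environments.add(e["env"])
        b.apps.add(e["app"])
        b.hours.add(e["hour"])
        b.interactive_seen = b.interactive_seen or e["interactive"]
    return profiles


def score_event(event, profiles):
    """Score a post-authentication event 0-100 against the identity's baseline."""
    b = profiles.get(event["identity"])
    if b is None:  # no owner and no baseline: orphaned or unknown identity
        return 60, ["no baseline for identity (orphaned or unknown)"]
    score, reasons = 0, []
    if b.kind in NON_HUMAN:
        # Service accounts have no working hours, so hour-of-day is not scored;
        # an interactive login where none was ever observed is the strong signal.
        if event["interactive"] and not b.interactive_seen:
            score += 50
            reasons.append("interactive login by non-human identity")
    elif event["hour"] not in b.hours:
        score += 15
        reasons.append("activity outside observed hours")
    if event["env"] not in b.environments:
        score += 30  # cross-environment move (on-prem <-> cloud) for this identity
        reasons.append(f"first activity in environment {event['env']}")
    if event["app"] not in b.apps:
        score += 15
        reasons.append(f"first use of application {event['app']}")
    if event["action"] == "privilege_change":
        score += 30
        reasons.append("privilege transition")
    return min(score, 100), reasons


def route(event, profiles, automate_at=70, review_at=30):
    """Map a score to a SOAR path: automated action, analyst review, or nothing."""
    score, reasons = score_event(event, profiles)
    b = profiles.get(event["identity"])
    if score >= automate_at:
        # Step-up authentication only makes sense for a human; a non-human
        # (or unknown) identity is suspended instead.
        extra = ["suspend_account"] if b is None or b.kind in NON_HUMAN else ["step_up_auth"]
        return {"tier": "automated", "score": score, "actions": ["revoke_session"] + extra, "reasons": reasons}
    if score >= review_at:
        # Lower-confidence events go to an analyst with the identity's baseline as context.
        context = None if b is None else {"kind": b.kind, "environments": sorted(b.environments), "apps": sorted(b.apps)}
        return {"tier": "analyst_review", "score": score, "actions": [], "reasons": reasons, "context": context}
    return {"tier": "none", "score": score, "actions": [], "reasons": reasons}


# Constructed trusted history used to learn the baselines (not real telemetry).
HISTORY = [
    {"identity": "svc-backup", "kind": "service", "env": "onprem", "app": "backup-api",
     "hour": h, "interactive": False, "action": "login"} for h in (1, 2, 3)
] + [
    {"identity": "alice", "kind": "human", "env": "onprem", "app": "mail",
     "hour": h, "interactive": True, "action": "login"} for h in (9, 10, 11, 14, 16)
]
PROFILES = build_baselines(HISTORY)

# Constructed new events to evaluate against those baselines.
NEW_EVENTS = [
    {"identity": "svc-backup", "kind": "service", "env": "cloud", "app": "portal", "hour": 14, "interactive": True, "action": "login"},
    {"identity": "alice", "kind": "human", "env": "onprem", "app": "mail", "hour": 10, "interactive": True, "action": "login"},
    {"identity": "alice", "kind": "human", "env": "cloud", "app": "iam", "hour": 3, "interactive": True, "action": "privilege_change"},
    {"identity": "alice", "kind": "human", "env": "onprem", "app": "wiki", "hour": 20, "interactive": True, "action": "login"},
    {"identity": "svc-old-etl", "kind": "service", "env": "cloud", "app": "storage", "hour": 12, "interactive": False, "action": "login"},
]

if __name__ == "__main__":
    for e in NEW_EVENTS:
        print(e["identity"], route(e, PROFILES))
```

The point of the split in `score_event` is the one made in the Q&A: a service account is scored on signals it should never produce (an interactive session, a new environment), while hour-of-day only counts for a human profile. The unknown `svc-old-etl` identity lands in analyst review precisely because it has no owner or baseline, which is the orphaned-identity case the guidance asks teams to inventory first.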

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Identity telemetry is now a control plane, not a logging accessory. ITDR matters because identity abuse is often indistinguishable from normal access at the perimeter. Once credentials are valid, the decisive evidence shifts to behaviour, privilege transitions, and cross-system correlation. Security teams that still treat identity logs as after-the-fact audit material are missing the operational use case. The implication is that identity telemetry must be governed as an active detection layer.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.

A question worth separating out:

Q: Who is accountable when ITDR blocks or suspends identity access?

A: Accountability sits with the identity owners, platform teams, and security operations functions that define policy, thresholds, and exception handling. The more automated the response, the more important it becomes to document ownership, approval logic, and recovery steps. Without that governance, response actions create operational risk instead of reducing it.

👉 Read our full editorial: Identity threat detection and response is reshaping zero trust
