What is ITDR? Why identity is the new perimeter.

ITDR — identity threat detection and response — protects your accounts and logins, in systems like Microsoft Entra ID and Active Directory, against attacks that target who you are rather than the devices you use. In a cloud-first world, the login is the front door — and that’s exactly where attackers now knock.

By Rob Smith | Published 3 Jun 2026 | Reviewed Jun 2026 | 7 min read
KEY TAKEAWAYS
  • ITDR protects identities — the logins in Entra ID and Active Directory — not devices.
  • With work in the cloud, there’s no network edge to defend; the login is the perimeter.
  • It catches what EDR can’t: impossible travel, token theft, MFA fatigue, legacy-auth abuse, privileged misuse.
  • Most breaches start with phishing or identity compromise — so identity is where to look first.

What ITDR is

ITDR — identity threat detection and response — is the discipline of protecting identities against attack. By identity we mean the accounts and logins that let people into your systems: your users in Microsoft Entra ID (formerly Azure AD), your Active Directory accounts, the privileged admin accounts that can change everything.

It works much like EDR does for devices, but pointed at a different target. Instead of watching processes and memory on a laptop, ITDR watches sign-in behaviour, token activity and account changes — and detects, then responds to, anything that looks like an identity is being abused.

Why identity is the new perimeter

It used to be that defending a business meant defending its network. There was an inside and an outside, with a firewall between them, and an attacker had to break through the edge to reach anything valuable.

That model is gone. Your email, your files, your line-of-business apps now live in the cloud and in SaaS. There is no edge to breach — the data is reachable from anywhere, by anyone with a valid login. So the thing an attacker targets is no longer the network; it’s the credentials.

Why pick the lock when you can sign in? A stolen login or session token gives an attacker your access, from anywhere, without tripping a single network defence.

That’s what people mean when they say identity is the new perimeter. The login is the line that has to hold — and most breaches confirm it. The majority of SMB compromises start with phishing or stolen credentials, not exotic zero-days.

What ITDR detects

These are the identity attacks ITDR is built to spot — and crucially, the ones endpoint tools are blind to, because no malware runs on a device when someone simply logs in as you:

  • Impossible travel. A sign-in from London and another from another continent minutes later — physically impossible, and a clear sign a credential is being used in two places.
  • Token theft. An attacker steals a valid session token and replays it to bypass the login and even MFA entirely.
  • MFA fatigue. Approval prompts spammed at a user over and over until, tired or confused, they tap “approve” on one.
  • Legacy-auth abuse. Old authentication protocols that don’t support MFA being used as a quiet back door.
  • Privileged-account compromise. An admin account behaving abnormally — the single most damaging identity to lose.
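As an added example (not code from the original article), here is a minimal detector in Python for two of the patterns above, impossible travel and MFA fatigue, run over a constructed set of sign-in records. The field names, thresholds and sample values are assumptions for illustration, not the real Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900      # faster than a commercial flight: treat as impossible travel
MFA_BURST = 5            # this many prompts inside MFA_WINDOW for one user looks like push-bombing
MFA_WINDOW = timedelta(minutes=10)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(events):
    """Flag a user whose consecutive successful sign-ins imply travel faster than MAX_SPEED_KMH."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((e["user"], e["city"], round(km / hours)))
        last[e["user"]] = e
    return alerts

def detect_mfa_fatigue(events):
    """Flag a user who received MFA_BURST or more prompts inside MFA_WINDOW (the push-bombing pattern)."""
    alerts, prompts = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] != "mfa_prompt":
            continue
        window = [t for t in prompts.get(e["user"], []) if e["time"] - t <= MFA_WINDOW] + [e["time"]]
        prompts[e["user"]] = window
        if len(window) >= MFA_BURST and e["user"] not in alerts:
            alerts.append(e["user"])
    return alerts

def _ev(minute, user, city, lat, lon, result):
    # Constructed record; a real sign-in log carries far more fields than this.
    return {"time": datetime(2026, 6, 3, 9, minute), "user": user, "city": city, "lat": lat, "lon": lon, "result": result}

# Constructed sample log: alice signs in from London, then from Sydney 12 minutes later;
# carol makes a plausible Leeds-to-London journey; bob receives six MFA prompts in six minutes.
SAMPLE = [_ev(0, "alice", "London", 51.5, -0.1, "success"), _ev(12, "alice", "Sydney", -33.9, 151.2, "success"),
          _ev(3, "carol", "Leeds", 53.8, -1.5, "success"), _ev(40, "carol", "London", 51.5, -0.1, "success")]
SAMPLE += [_ev(m, "bob", "Leeds", 53.8, -1.5, "mfa_prompt") for m in range(20, 26)]

if __name__ == "__main__":
    print(detect_impossible_travel(SAMPLE))   # alice flagged: London to Sydney in 12 minutes
    print(detect_mfa_fatigue(SAMPLE))         # bob flagged: burst of prompts inside the window
```

Carol's sign-ins stay quiet because the implied speed is well under the threshold; in practice the threshold and window would be tuned per tenant, and the MFA rule would also look at whether any prompt in the burst was finally approved.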

How ITDR relates to EDR and M365 MDR

ITDR doesn’t replace your other security — it covers a blind spot. EDR watches your devices; ITDR watches your identities. An attacker who steals a login and signs into your tenant from a browser never touches an endpoint, so EDR alone would never see them. ITDR is what closes that gap.

It also sits naturally alongside Microsoft 365 MDR, which brings detection and response to your tenant as a whole — mailboxes, sign-ins and configuration. And because identity attacks almost always begin with a phishing email, strong email security is the partner control that stops many of them before a credential is ever exposed. Together, these turn identity from your weakest point into a monitored one.

What SMBs should do

Start with the fundamentals, which cost little and block a great deal: enforce strong MFA everywhere, disable legacy authentication, and tighten who holds privileged access. These alone shut the most common doors.

Then add monitored Managed ITDR so that identity attacks are detected and responded to around the clock — because, like all attacks, identity compromise tends to happen out of hours, when nobody’s watching. For most SMBs the strongest position is ITDR working together with Microsoft 365 MDR and email security: the three controls that cover how breaches actually begin.

FAQ

Questions we get asked.

What is ITDR?

ITDR — identity threat detection and response — protects your identities, such as Microsoft Entra ID and Active Directory accounts, against attacks that target the login rather than the device. It detects and responds to things like impossible-travel sign-ins, token theft, MFA fatigue, legacy-auth abuse and privileged-account compromise.

Why is identity called the new perimeter?

Because work has moved to the cloud and SaaS, there’s no longer a network edge to defend. What an attacker targets now is the login — a valid set of credentials or a stolen session token gives them access to your data from anywhere, without ever touching your network. The identity, not the firewall, is the line that has to hold.

What does ITDR detect that EDR doesn’t?

EDR watches what happens on devices; ITDR watches what happens to identities. An attacker who steals a valid login and signs into your Microsoft 365 from a browser never triggers EDR, because no malware runs on an endpoint. ITDR catches that — impossible travel, a replayed token, MFA prompts spammed until someone approves one, privileged accounts behaving abnormally — where endpoint tools are blind.

What should an SMB do about identity security?

Start with the basics — strong MFA, disabling legacy authentication and tightening privileged access — then add monitored ITDR so identity attacks are detected and responded to around the clock. For most SMBs this works best alongside Microsoft 365 MDR and email security, since phishing and identity compromise are how most breaches begin.
