What is Identity Threat Detection and Response (ITDR)

Traditional perimeter-based defenses can’t easily block attackers from logging in using legitimate credentials.

Sophos ITDR continuously monitors for identity misconfigurations, risks, and exposed credentials, detecting attacks that evade traditional identity controls such as Identity and Access Management (IAM) tools.
It helps organizations reduce their identity attack surface and respond to threats with speed and precision, with full coverage of MITRE ATT&CK Credential Access techniques.

While IAM and MFA help control access, they don’t detect or respond to identity misuse. ITDR fills that gap by actively monitoring for credential access anomalies, such as forced authentication and privilege escalation, enabling analysts to rapidly execute response actions like session revocation or password resets.

Sophos ITDR strengthens IAM systems including Microsoft Entra ID, to close gaps that attackers exploit.

ITDR protects against the full spectrum of identity attacks, including:

• Compromised credentials and account takeover.
• Privilege escalation and lateral movement.
• MFA fatigue and token theft.
• Password spraying, brute-force, and kerberoasting attacks.

Sophos X-Ops Counter Threat Unit (CTU) observed a 106% increase in stolen credentials sold on the dark web (June 2024 – June 2025), underscoring the growing risk that Sophos ITDR directly addresses.

Sophos ITDR is fully integrated with Sophos Extended Detection and Response (XDR) and Sophos Managed Detection and Response (MDR)

When used with Sophos MDR, identity threat detections and high-risk findings are automatically escalated to our expert team of security analysts, who investigate and execute response actions to neutralize threats on the customer’s behalf.

Sophos ITDR continuously performs 80+ cloud identity posture checks, going beyond basic hygiene.

Core capabilities include:

• Identity Catalog: Full visibility across all identities to eliminate blind spots.
• Posture Dashboard: Prioritized view of identity risks and exposed credentials.
• Continuous Assessment: Ongoing detection of misconfigurations and dormant accounts.
• Dark Web Intelligence: Alerts when stolen credentials appear on the dark web and in breach databases.
• User Behavior Analytics (UEBA): Identifies insider threats and abnormal activity early.

These features help uncover and prioritize risks in minutes, not days.

ITDR strengthens compliance with NIST, ISO 27001, and GDPR by improving visibility into access patterns and reducing identity-related vulnerabilities.

Sophos ITDR supports compliance initiatives by enabling continuous monitoring and identity posture baselines, helping security teams demonstrate control effectiveness and reduce the likelihood of a breach.

Fully integrated, Sophos XDR and Sophos ITDR use AI-driven detections and behavioral analytics to identify various advanced identity-based attack patterns.

AI/ML models continuously learn from user behavior and integrate with Taegis XDR or Sophos XDR telemetry to correlate identity and endpoint activity for high-fidelity detections. Contact Sophos to determine which integration is best for your environment.

Key metrics include:

• Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to identity threats.
• False positive rate and coverage of privileged identities.
• Reduction in misconfigurations and credential exposures over time.

Sophos ITDR allows users to benchmark their identity attack surface and track their risk posture score over time through the Identity Posture Dashboard.

Mature organizations integrate ITDR into their Zero Trust and incident response playbooks to achieve continuous verification and automated containment.

With Sophos ITDR, teams can:

• Execute remediation actions like password resets and session terminations.
• Leverage Sophos MDR analysts for 24/7 monitoring and human-led response.
• Continuously assess Microsoft Entra ID environments to close configuration gaps.