
What is Identity Threat Detection and Response (ITDR)

ITDR explained: what it is, why it matters, and how Thor's unbounded detection revolutionizes the way identity attacks are caught


ITDR is a young term in the cybersecurity universe. Coined by Gartner in its Top Security and Risk Management Trends report back in 2022, it is still seen as a puzzle to be solved by most security teams.

That timing matters: the category emerged precisely because identity-based attacks became the dominant breach vector, and no existing tool was built to stop them. In this article we will explain the concept, highlight the security challenges it addresses and present a tool made for this new reality. 


Why does ITDR exist?

As the cybersecurity landscape evolved, so did attacker strategies. The solutions available at the time (EDR, CNAPP, NDR, ESA) left a blind spot: identity security. Credentials are now the leading initial access vector in breaches, involved in 38% of all incidents analyzed in Verizon's 2024 DBIR, more than phishing and vulnerability exploitation combined.

Just as EDR revolutionized endpoint security, replacing signature-based antivirus with real behavioral detection and response, ITDR is doing the same for identity. Before EDR, the endpoint was "protected" by tools that were never built for the job. The same is true for identity today: authentication logs exist, posture tools flag misconfigurations, SIEMs ingest events. But none of them were built to monitor identity behavior in real time, detect threats as they unfold, and respond before an attacker moves further into the environment.


ITDR, explained

Identity Threat Detection and Response (ITDR) is a solution that monitors identity activity, detects suspicious behaviour, and responds to malicious activity before the damage is done.

The framework uses data from authentication events, access control, identity management, session activity, and entitlement changes to identify anomalous access patterns, lateral movements, credential abuse, and privilege escalation attempts in real time.

ITDR sits in a gap that other tools have never filled well. ISPM (Identity Security Posture Management), sometimes referred to as CIEM in the context of cloud infrastructure, is preventive and posture-focused: it tells you what is misconfigured, over-privileged, or exposed. SIEMs ingest and correlate broadly, but lack the identity-specific depth to score and contextualize identity events meaningfully. ITDR is the necessary complement to both, supplying the real-time detection and response layer.


ITDR in a cloud environment reality

The move to the cloud has been changing the identity threat surface entirely. Accounts multiply across IdPs, permissions drift continuously, and federation paths connect systems that were never designed to talk to each other.

Threats that exploit this reality are slow and deliberate, designed to blend in over time, and the solutions on the market share structural limitations in this scenario that ITDR was built to address. Here are three examples:

The detection window problem. According to Data Stack Hub, the average time to detect a cloud breach in 2025 was 219 days, with containment taking roughly 80 more. That is nearly a year from breach to resolution. In cloud environments, identities are constantly changing: new accounts, new permissions, new federation paths. Threats move slowly and deliberately across that surface, designed to blend in over time. A well-built ITDR stores structured identity context continuously, not raw logs with an expiration date. Detecting a complex kill chain does not require reprocessing months of history. The context is already there.

The flat-rule problem. Most platforms detect at the event level: one rule fires when one threshold is crossed. Identity attacks are not single events. They are campaigns that combine credential abuse, privilege escalation, lateral movement, and data access over days or weeks. A flat-rule engine sees the individual pieces but never sees the campaign. The analyst ends up triaging five medium-severity alerts that are actually one coordinated attack, with no tool to tell them so.

The context problem. An authentication event means nothing without knowing who the user is, what they normally do, what they have access to across all identity providers, and whether there are correlated signals from weeks earlier. A tool that ingests logs without enriching them with identity context produces noise, not intelligence. Volume is not the same as insight.


Thor: ITDR Built for the Real Threat Landscape

Thor is the Identity Threat Detection and Response (ITDR) solution from 8Layers. It was built around a single conviction: identity attacks are not isolated events. They are multi-stage kill chains that unfold over time, across multiple identities, sessions, and resources. Detecting them requires depth of data, richness of context, and detection logic that is not constrained by architectural time limits.

What makes Thor unique is that it builds signals, correlates them across time, and only fires when a real kill chain emerges. The result is one alert per attack, not one alert per signal: by the time an analyst opens a case, the full story is already reconstructed. That correlation has no architectural ceiling. Thor stores identity data as continuously enriched structured context rather than a rolling log buffer.
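To make the flat-rule, context and detection-window problems from the previous section concrete, and the "one alert per attack" idea described here, below is a small added example in Python. It is not Thor's or 8Layers' code and says nothing about how Thor is implemented; it is a toy correlator written for this article. The events, the per-user baseline (the "identity context"), the IP addresses and the three-stage kill chain definition are all constructed for the illustration. A flat-rule engine fires once per signal; the correlator enriches each event against the baseline, keeps stages per identity, and fires a single alert with a timeline only when the whole chain appears within the retention window. Shrinking that window below the span of the campaign makes the alert disappear, which is the "already forgotten" failure the text describes.

```python
"""Toy identity-signal correlator (added example, not 8Layers/Thor code).

All events, baselines and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # "auth", "role_change" or "resource_access"
    src_ip: str
    detail: str    # role granted or resource touched ("ok" for plain auth)


# Constructed baseline: what each identity normally does (the "identity context").
BASELINE = {
    "alice": {"ips": {"10.0.0.5"}, "roles": {"dev"}, "resources": {"repo"}},
    "bob":   {"ips": {"10.0.0.9"}, "roles": {"finance"}, "resources": {"ledger"}},
}

# Constructed sample stream: alice's campaign spans 40 days; bob has one odd login.
BASE = datetime(2025, 3, 1)
EVENTS = [
    Event(BASE,                      "alice", "auth",            "203.0.113.7",  "ok"),
    Event(BASE + timedelta(days=3),  "bob",   "auth",            "198.51.100.3", "ok"),
    Event(BASE + timedelta(days=5),  "alice", "resource_access", "10.0.0.5",     "repo"),
    Event(BASE + timedelta(days=20), "alice", "role_change",     "203.0.113.7",  "admin"),
    Event(BASE + timedelta(days=25), "bob",   "role_change",     "10.0.0.9",     "finance"),
    Event(BASE + timedelta(days=40), "alice", "resource_access", "203.0.113.7",  "payroll-db"),
]

# Hypothetical kill chain: stages must appear in this order for one identity.
KILL_CHAIN = ("unusual_login", "privilege_escalation", "unusual_access")


def build_signals(events):
    """Enrich raw events with identity context; return (stage, user, ts) signals.

    Events that match the user's baseline produce no signal at all, which is
    the difference between ingesting logs and producing intelligence.
    """
    signals = []
    for e in events:
        ctx = BASELINE.get(e.user, {"ips": set(), "roles": set(), "resources": set()})
        if e.kind == "auth" and e.src_ip not in ctx["ips"]:
            signals.append(("unusual_login", e.user, e.ts))
        elif e.kind == "role_change" and e.detail not in ctx["roles"]:
            signals.append(("privilege_escalation", e.user, e.ts))
        elif e.kind == "resource_access" and e.detail not in ctx["resources"]:
            signals.append(("unusual_access", e.user, e.ts))
    return signals


def flat_rule_alerts(events):
    """Flat-rule engine: one alert per signal, no memory across signals."""
    return [f"{stage}:{user}" for stage, user, _ in build_signals(events)]


def correlated_alerts(events, window_days=45):
    """Fire once per identity when the full kill chain appears within the window.

    window_days models how much identity context the platform still holds;
    context older than that is forgotten and the chain restarts.
    """
    window = timedelta(days=window_days)
    by_user = {}
    for stage, user, ts in sorted(build_signals(events), key=lambda s: s[2]):
        by_user.setdefault(user, []).append((stage, ts))

    alerts = []
    for user, sigs in by_user.items():
        chain = []
        for stage, ts in sigs:
            if chain and ts - chain[0][1] > window:
                chain = []                      # context aged out: start over
            if stage == KILL_CHAIN[len(chain)]:
                chain.append((stage, ts))
                if len(chain) == len(KILL_CHAIN):
                    alerts.append({"user": user,
                                   "timeline": [(s, t.date().isoformat()) for s, t in chain]})
                    break
    return alerts


if __name__ == "__main__":
    print("flat rules  :", flat_rule_alerts(EVENTS))           # four separate alerts
    print("correlated  :", correlated_alerts(EVENTS))           # one alert, with timeline
    print("30-day view :", correlated_alerts(EVENTS, 30))       # campaign forgotten, no alert
```

Running it shows four medium-looking alerts from the flat engine (two of them for alice's login and escalation that an analyst would triage separately), a single correlated alert for alice carrying the three dated stages, and an empty result once the retention window drops to 30 days while the campaign took 40.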

Every alert opens with a full timeline, a causality graph, and the response actions already available in the same screen. The context a security team would otherwise spend hours assembling across tools arrives before they ask for it: who the affected identity is, what they normally touch, how they behaved in the weeks before the alert fired, and what is known about them externally.

Figure: Thor entity investigation view showing the identity graph: nodes representing identities, sessions, IPs and resources, connected by events and alerts to map complex attack paths.

And because Thor is part of the 8Layers platform, every investigation arrives with posture and compliance context already attached. Analysts know not just that an attack is happening, but how exposed the affected identity was, which compliance controls are at risk, and what the business impact is before deciding how to respond.


The Threat Your Tools Stopped Looking For

Identity attacks are not getting louder. They are getting slower, more deliberate, and better at looking like normal activity. The attacks that cause the most damage are rarely the ones that trigger an alert on day one. They are the ones that unfold quietly across weeks, across systems, across the gap between what your tools monitor and what they have already forgotten.

The question is not whether your environment will be targeted. It is whether your detection platform will still remember what happened three months ago when the second stage of the attack begins.

If you want to see what Thor finds in your environment, request a demo.