Identity Threat Detection and Response (ITDR) emerged as a distinct security category in 2022 when Gartner identified it as a top security trend. The category addresses a critical gap: while IAM systems manage access and PAM protects privileged accounts, neither was designed to detect and respond to identity-based attacks in real time. With 80% of attacks now identity-based according to CrowdStrike’s 2024 Global Threat Report, and valid credential abuse accounting for 49% of initial access, ITDR has become essential infrastructure.

The ITDR market reached $12.8 billion in 2024 and is projected to grow to $35.6 billion by 2029 at 22.6% CAGR. Significant consolidation occurred in 2024-2025 with Cisco acquiring Oort, Delinea acquiring Authomize, Silverfort acquiring Rezonate, and CrowdStrike announcing the acquisition of SGNL in January 2026.

How We Evaluated

We assessed identity attack detection, including coverage of credential theft, pass-the-hash, golden ticket, MFA bypass, and other identity attack techniques. Active Directory security covered monitoring, attack path analysis, and protection for on-premises AD. Cloud identity protection evaluated coverage across Entra ID, Okta, Google Workspace, and SaaS applications. Non-human identity (NHI) security measured protection for service accounts, API keys, and machine identities. Response capabilities assessed automated and manual remediation options. XDR and SIEM integration evaluated how well the platform works within broader security operations.

1. CrowdStrike Falcon Identity Protection

Score: 95/100

CrowdStrike was named Overall Leader in the 2025 KuppingerCole ITDR Leadership Compass, ranking highest in innovation, and Leader and Outperformer in the 2025 GigaOm Radar Report with perfect 5/5 scores across all emerging feature categories. Falcon Identity Protection unifies initial access prevention, modern PAM, ITDR, and agentic identity protection within the broader Falcon platform.

Named Overall Leader in 2025 KuppingerCole ITDR Leadership Compass with highest innovation ranking. Perfect 5/5 scores in GigaOm Radar for AI-Enhanced SecOps and Non-Human Identity Security. Falcon Next-Gen Identity Security unifies identity protection across the CrowdStrike platform. Detects credential abuse techniques including golden ticket, pass-the-hash, DCSync, and MFA bypass. Unified threat graph correlates identity signals with endpoint, cloud, and network telemetry. January 2026 SGNL acquisition adds continuous identity for real-time risk-based access decisions. 14.5% market mindshare, the highest in the ITDR category.

Best for: Organizations using CrowdStrike Falcon wanting unified identity protection within their existing platform

2. CyberArk Identity Security

Score: 93/100

CyberArk was named Overall Leader across all categories (product, innovation, market) in the 2025 KuppingerCole ITDR Leadership Compass. Uniquely, CyberArk delivers ITDR natively integrated with its industry-leading PAM platform rather than as a bolted-on capability, providing unified visibility across privileged and standard identities.

Named Overall Leader in all categories in 2025 KuppingerCole ITDR Leadership Compass. Native ITDR integration with the industry-leading PAM platform creates unified privileged identity protection. AI-driven behavioral analytics with automated risk-based response actions. Deep integrations with SIEM, SOAR, ITSM, and XDR platforms. IMPACT 2025 announcements added AI Agent security and HashiCorp Vault discovery. Machine identity coverage addresses the 82-to-1 ratio of machine to human identities. Over 8,800 customers including 50%+ of the Fortune 500.

Best for: CyberArk PAM customers wanting unified privileged access management and identity threat detection

3. Microsoft Defender for Identity

Score: 91/100

Microsoft Defender for Identity provides cloud-based ITDR fully integrated into the Microsoft Defender portal, leveraging signals from both on-premises Active Directory and Entra ID cloud identities. The June 2025 Okta integration extended ITDR capabilities to non-Microsoft identity providers for the first time.

Native integration with Microsoft 365 Defender and Entra ID provides unified identity security for Microsoft environments. June 2025 Okta integration extends ITDR to non-Microsoft identity providers. November 2025 Identity Fabric enhancements add account correlation linking related identities. Coverage extends to SaaS applications including Salesforce, Jira, and GitHub. Entra natively feeds signals to Defender and vice versa, eliminating organizational silos. Included with Microsoft 365 E5 licensing, providing a significant cost advantage for Microsoft shops.

Best for: Microsoft-centric organizations wanting identity protection integrated with their existing Microsoft security stack

4. Silverfort

Score: 89/100

Silverfort pioneered the Unified Identity Protection platform concept with patented agentless, proxy-less technology that extends MFA and monitoring to previously unprotectable resources including legacy applications, command-line tools, and service accounts. The November 2024 Rezonate acquisition added cloud identity and NHI security.

Patented agentless, proxy-less architecture extends protection to legacy applications and service accounts without code changes. Rezonate acquisition adds cloud identity security and NHI protection. Unified platform covers ITDR, ISPM, MFA, privileged access, and AI agent security. October 2025 launch of Access Intelligence and Identity Graph provides unprecedented visibility. Extends MFA to command-line access, file shares, and legacy systems that cannot natively support MFA. 5.6% market mindshare with 100% user recommendation rate on PeerSpot.

Best for: Organizations with legacy applications and service accounts that need identity protection without deploying agents

5. Semperis

Score: 87/100

Semperis provides the industry’s most comprehensive Active Directory security and recovery platform. Directory Services Protector (DSP) is a Gartner-recognized ITDR solution offering continuous AD monitoring, tamperproof tracking, and automatic rollback of malicious changes. The platform also covers Entra ID for hybrid environments.

Industry-leading Active Directory security with continuous monitoring and automatic rollback of malicious changes. Directory Services Protector provides tamperproof tracking that attackers cannot disable. Purple Knight free tool provides AD security assessment used by thousands of organizations. Forest Druid maps Tier 0 attack paths for AD privilege escalation. August 2025 Service Account Protection Essential monitors AD service accounts. September 2025 Cohesity partnership delivers integrated Identity Resilience. Microsoft Sentinel Partner Ecosystem integration for unified SIEM visibility.

Best for: Organizations prioritizing Active Directory security and recovery capabilities

6. Tenable Identity Exposure

Score: 85/100

Tenable Identity Exposure, formerly Alsid, uncovers misconfigurations and weaknesses in Active Directory and Entra ID. Founded by former French ANSSI incident responders, the platform is unique in requiring no deployment on domain controllers, endpoints, or Entra ID environments, needing only a standard user account for full visibility.

Unique architecture requires no agents on domain controllers or endpoints, only a standard user account. Founded by former French ANSSI incident responders with deep AD security expertise. Detects AD-specific attacks including DCShadow, DCSync, Golden Ticket, and password spraying. 2025 updates added BadSuccessor detection for Windows Server 2025 privilege escalation. Part of the Tenable One Exposure Management Platform for unified vulnerability and identity visibility. Continuous exposure assessment without performance impact on domain controllers.

Best for: Organizations wanting AD security without deploying agents on sensitive infrastructure

7. Delinea Identity Threat Protection

Score: 83/100

Delinea acquired Authomize in January 2024, integrating CIEM and ITDR capabilities into its Extended PAM platform within 90 days. The combined solution extends Delinea’s traditional PAM strengths with cloud identity threat detection and entitlement management.

Authomize acquisition integrated CIEM and ITDR into Extended PAM platform. Cloud identity threat detection across AWS, Azure, GCP, and SaaS applications. Continuous monitoring of access privileges and connections between cloud services. Least privilege enforcement with entitlement right-sizing recommendations. Integrates with Delinea Secret Server and Privilege Manager for unified PAM and ITDR. Rapid 90-day integration demonstrates execution capability.

Best for: Delinea PAM customers wanting integrated cloud identity threat detection

8. Permiso

Score: 81/100

Permiso won Most Promising Early-Stage Startup at the 2025 SC Awards. Founded by ex-Mandiant advanced practices leads, the platform delivers 1,500+ detection signals across human, non-human, and AI identities in cloud and on-premises environments.

Founded by ex-Mandiant advanced practices leads with deep threat detection expertise. 1,500+ detection signals developed by P0 Labs research team. April 2025 unified platform launch combines identity risk assessment and threat detection. September 2025 expansion added AI identity security for AI users, builders, and agents. P0LR Espresso open-source tool normalizes cloud logs for faster threat response. Coverage spans human, non-human, and AI identities across cloud and on-premises.

Best for: Cloud-forward organizations wanting emerging AI identity security capabilities

9. Cisco Identity Intelligence (Oort)

Score: 79/100

Cisco completed the acquisition of Oort in August 2023, integrating its API-driven, cloud-native ITDR platform into the Cisco Security Cloud portfolio. The technology enhances Cisco Duo IAM and XDR offerings with identity visibility and threat detection.

API-driven, cloud-native, agentless platform eliminates identity visibility gaps. Integrates with Cisco Duo, Google Workspace, Entra ID, Auth0, Okta, Salesforce, and ServiceNow. Part of Cisco Security Cloud portfolio for unified security. Oort team joined Cisco’s Security Business Group, bringing identity security expertise. Enhances Duo IAM with threat detection and behavioral analytics. Cisco’s enterprise relationships provide a distribution advantage.

Best for: Cisco security customers wanting integrated identity threat detection within their existing Cisco stack

10. SentinelOne Singularity Identity

Score: 77/100

SentinelOne acquired Attivo Networks to add identity security to the Singularity XDR platform. The solution provides identity attack surface reduction, detection, and response integrated with SentinelOne’s endpoint and cloud workload protection.

Attivo Networks acquisition added identity security to Singularity XDR platform. Identity attack surface management identifies credential exposures and misconfigurations. AD security with attack path analysis and privilege escalation detection. Integrates identity signals with endpoint and cloud workload telemetry. Unified console for identity, endpoint, and cloud security operations. Purple AI extends to identity-based threat hunting and investigation.

Best for: SentinelOne customers wanting identity protection integrated with their existing XDR platform

Market Outlook

ITDR is rapidly consolidating as platform vendors acquire point solutions and integrate identity protection into broader security platforms. CrowdStrike’s January 2026 announcement of the SGNL acquisition signals continued investment, while Silverfort’s Rezonate acquisition demonstrates the convergence of ITDR with cloud identity and NHI security.

Key trends for 2026 include non-human identity (NHI) security, as machine identities now outnumber human identities 82-to-1. AI agent security is emerging as organizations deploy autonomous AI systems that require identity governance. Platform integration is accelerating, with standalone ITDR being absorbed into XDR, IAM, and PAM platforms. Cloud identity is expanding ITDR coverage beyond AD to Okta, Entra ID, and SaaS applications.

Organizations evaluating ITDR should consider their existing security investments. Microsoft shops benefit from Defender for Identity’s native integration. CrowdStrike and SentinelOne customers should evaluate their vendors’ integrated offerings. Organizations with complex AD environments should prioritize Semperis or Silverfort for depth of coverage.