ITDR Vendor Landscape
Status: Final
The ITDR market formalized after Gartner coined the term in 2022, but many vendors had been building identity threat detection capabilities for years under different labels (UBA, UEBA, identity security). This page maps the current landscape — what each vendor detects, where its telemetry comes from, and how the vendors position themselves relative to one another.
Market Structure
ITDR vendors come from three origins:
| Origin | Examples | Core Strength |
|---|---|---|
| Security platform vendors (EDR/XDR expanded) | Palo Alto Networks, CrowdStrike, Microsoft | Cross-domain correlation (endpoint + identity + cloud) |
| Identity-native vendors | Silverfort, Semperis | Deep AD/identity protocol expertise |
| Cloud identity specialists | Permiso, Push Security, Astrix, Veza | Cloud identity, SaaS, NHI-focused |
Vendor Deep-Dives
Palo Alto Networks — Cortex XDR / Prisma Access ITDR
Market position: Part of the Cortex XDR platform; identity protection integrated into the broader security operations platform.
| Capability | Detail |
|---|---|
| Identity threat detection | Cortex XDR analyzes authentication events, credential access, lateral movement |
| ITDR module | Dedicated identity analytics on top of XDR telemetry |
| Telemetry | Endpoint (agent), network (NGFW), cloud (Prisma), identity logs |
| On-prem AD coverage | Sensor-based collection from DCs + endpoint agents |
| Cloud coverage | Entra ID, Okta, AWS, GCP via API integration |
| Detection approach | ML baseline + rule-based detection + threat intelligence |
| Key differentiator | Single platform for SOC covering endpoint + network + identity + cloud |
Identity-specific capabilities:
- Credential theft detection (Pass-the-Hash, Kerberoasting, LSASS access)
- Lateral movement via identity
- Cloud identity anomalies
- Workforce/workload identity coverage
Cortex XDR ITDR use cases:
- Impossible travel detection
- Token theft and reuse
- Service account abuse
- Privilege escalation detection
- Hybrid attack chain correlation (on-prem → cloud pivot)
CrowdStrike — Falcon Identity Threat Detection (FITD)
Market position: Best-in-class AD identity threat detection; acquired Preempt Security in 2020 to build this capability.
| Capability | Detail |
|---|---|
| Core strength | Real-time AD authentication stream analysis |
| Agent-based | Falcon sensor on endpoints + Falcon AD connector on DCs |
| AD coverage | Every Kerberos and NTLM authentication, in real time |
| MFA enforcement | Can enforce MFA at the authentication layer (even for protocols that don't natively support it) |
| Conditional access for AD | Policy-based blocking/challenging at the authentication layer |
| Cloud coverage | Entra ID, Okta via API |
| Key differentiator | Speed (real-time auth analysis), depth (raw Kerberos/NTLM), MFA enforcement capability |
FITD detection examples:
- Kerberoasting in progress (real-time detection of a burst of RC4-encrypted service ticket requests)
- Pass-the-Hash (hash-based auth from unexpected source)
- Lateral movement via PsExec/WMI/DCSync
- Golden/Silver Ticket anomalies
- Brute force / password spray
- Anomalous service account authentication
Microsoft — Microsoft Defender for Identity (MDI) + Entra ID Protection
Market position: Native integration with the Microsoft stack; unmatched depth for Windows AD and Entra ID environments.
| Component | Coverage |
|---|---|
| Microsoft Defender for Identity (MDI) | On-premises AD; sensor on DCs captures Kerberos/NTLM/LDAP traffic |
| Entra ID Identity Protection | Cloud sign-in risk + user risk scoring |
| Microsoft Sentinel | SIEM with identity-focused analytics rules + UEBA |
| Microsoft Defender XDR | Cross-domain correlation (identity + endpoint + email + cloud) |
| Entra ID Conditional Access | Enforcement layer for risk-based access control |
MDI key detections:
- DCSync (Event 4662 pattern)
- Kerberoasting
- AS-REP Roasting
- Pass-the-Hash, Pass-the-Ticket
- Reconnaissance (LDAP enumeration, DNS enumeration)
- Lateral movement
- Domain dominance activities
Advantage: Deepest native Windows AD coverage. No other vendor has access to the same level of Windows internals. Integrates identity risk directly into Conditional Access enforcement.
Silverfort
Market position: Authentication-layer security — sits in-line or near the authentication path to enforce MFA and detect threats at the protocol level.
| Capability | Detail |
|---|---|
| Core innovation | Proxy/agentless integration — analyzes authentication traffic without agents on every machine |
| MFA everywhere | Enforce MFA on protocols that don't natively support it: NTLM, Kerberos, LDAP |
| Service account protection | Profile service account behavior; alert/block anomalies |
| Lateral movement detection | Detect credential-based lateral movement in real time |
| Ransomware protection | Block compromised account from mass authentication (pre-encryption stage) |
| Non-human identity | Automated discovery and protection of service accounts |
Key differentiator: Can enforce MFA on legacy systems and protocols (RDP, file shares via NTLM) without modifying those systems. This is significant for organizations that cannot deploy agents everywhere.
Semperis
Market position: AD-specific security and resilience — AD attack path analysis, forest recovery, and threat detection focused on the AD control plane.
| Capability | Detail |
|---|---|
| Purple Knight | Free AD security assessment tool (attack path analysis, misconfiguration detection) |
| Directory Services Protector (DSP) | Real-time AD change monitoring and rollback |
| Forest Druid | Attack path analysis focused on Tier 0 blast radius |
| AD security posture | Continuous misconfiguration scanning |
| Attack simulation | BloodHound-class path analysis for defenders |
| Incident response | AD forensics, forest recovery assistance |
Key differentiator: Deepest AD-specific expertise. Best for organizations focused on AD security posture and resilience.
Permiso Security
Market position: Cloud identity threat detection — specializes in AWS, Azure, GCP, SaaS identity events.
| Capability | Detail |
|---|---|
| Focus | Cloud control plane identity activity (CloudTrail, Entra ID, GCP Audit Logs) |
| Service principal / managed identity | Detects anomalous NHI behavior in cloud |
| Cloud lateral movement | Identity-based pivoting across cloud services |
| Entity timeline | Per-identity timeline of all cloud activity |
| Detection library | Pre-built detections for cloud identity attacks |
Veza
Market position: Identity authorization graph — "what can every identity do?" across all systems.
| Capability | Detail |
|---|---|
| Core product | Authorization graph across cloud, SaaS, infrastructure |
| Non-human identity | Discovers and analyzes service accounts, OAuth apps, API keys |
| Access intelligence | Answers "which identities have admin in production?" in real time |
| IGA integration | Feeds into access certification workflows |
| Overprivilege detection | Finds identities with more access than their role requires |
Astrix Security
Market position: Non-human identity (NHI) and third-party integration security.
| Capability | Detail |
|---|---|
| OAuth app discovery | Discovers all OAuth apps connected to corporate M365/Google/Slack |
| API token inventory | Maps all API keys, service accounts, OAuth tokens |
| Risk scoring | Scores NHIs by permissions, last used, owner |
| Offboarding | Revokes NHI access when employees leave |
Key use case: Large organizations with hundreds of OAuth apps connected to M365 or Google Workspace — Astrix discovers them and surfaces over-privileged or dormant integrations.
Push Security
Market position: Browser-native identity security for SaaS.
| Capability | Detail |
|---|---|
| Delivery | Chrome extension deployed across the workforce |
| SaaS discovery | Discovers all SaaS apps used (shadow IT) |
| Identity-centric | Maps which identities access which SaaS apps |
| Phishing detection | Detects AiTM phishing via browser-level signals |
| Credential exposure | Detects reused or breached credentials in browser |
| MFA gaps | Identifies SaaS apps without MFA |
Feature Matrix
| Vendor | On-prem AD | Entra ID / Cloud | SaaS / NHI | Real-time blocking | MFA enforcement |
|---|---|---|---|---|---|
| Palo Alto Cortex | ✓ | ✓ | ✓ | Via playbooks | No |
| CrowdStrike FITD | ✓✓ | ✓ | Partial | ✓ (block auth) | ✓ (MFA enforcement) |
| Microsoft MDI + Sentinel | ✓✓ | ✓✓ | Partial | Via CA | Via Entra CA |
| Silverfort | ✓✓ | ✓ | No | ✓ (inline) | ✓✓ (protocol-level) |
| Semperis DSP | ✓✓ | Partial | No | ✓ (AD rollback) | No |
| Permiso | No | ✓✓ | ✓✓ | No (detect only) | No |
| Veza | No | ✓ | ✓✓ | No (posture) | No |
| Astrix | No | Partial | ✓✓ (NHI) | No | No |
| Push Security | No | Partial | ✓✓ | No | No |
Legend: ✓✓ = primary strength / deepest coverage, ✓ = supported, Partial = limited coverage, No = not offered.
Choosing an ITDR Vendor
| If you need… | Consider |
|---|---|
| Deep AD detection + real-time blocking | CrowdStrike FITD or Silverfort |
| Native Microsoft stack integration | Microsoft MDI + Sentinel |
| Single platform (endpoint + cloud + identity) | Palo Alto Cortex XDR |
| AD security posture + forest recovery | Semperis |
| Cloud identity anomalies (AWS/Azure/GCP) | Permiso |
| NHI / OAuth app / API key governance | Veza, Astrix |
| SaaS shadow IT + browser identity | Push Security |
Cross-Links
| Topic | Link |
|---|---|
| What is ITDR? | what-is-itdr |
| PAM | pam-overview |
| Detection Framework | detection-framework |
| AD Attacks | kerberoasting |