For years, security advice for small businesses centered on the endpoint: put antivirus on every laptop and you’re covered. That advice is now out of date. Attackers have figured out that the fastest way into a modern SMB isn’t a laptop — it’s a login.
What is ITDR?
Identity Threat Detection & Response (ITDR) is the discipline of detecting and responding to threats against user identities — across your identity provider (Microsoft Entra ID, Google Workspace, JumpCloud) and the SaaS apps connected to it. Instead of asking “is this file malicious?”, ITDR asks “is this login real, and should this account be doing this?”
Why identity became the #1 surface
The shift is documented across every major threat report:
- Coveware’s Q4 2025 data states plainly that “identity is the primary intrusion surface, not endpoints or malware.”
- 97% of all identity attacks are simple password attacks — password spraying, credential stuffing, brute force — and MFA blocks over 99% of them. (Microsoft Digital Defense Report 2025)
- Stolen credentials are the #2 initial-access vector at 16%, driven by an explosion in infostealer malware. (Mandiant M-Trends 2025)
- Credential abuse is the #1 initial-access vector industry-wide at 22%, and credentials are the #1 data type stolen in SMB breaches. (Verizon 2025 DBIR)
In short: the attacker often doesn’t need to hack anything. They log in with a password they bought.
The threats ITDR catches
A good ITDR layer watches for the signals that distinguish a real user from an attacker wearing their credentials:
- Impossible travel — a sign-in from London 20 minutes after one from New York.
- MFA fatigue / push bombing (MITRE T1621) — flooding a user with approval prompts until they tap “yes” to make it stop.
- Token theft and session hijacking — replaying a stolen session cookie to bypass MFA entirely.
- Risky OAuth grants — a user (or attacker) authorizing a third-party app with broad mailbox or drive access.
- Breach exposure — a user whose credentials just appeared in a public breach dump.
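As an added illustration of the first signal in that list (example code, not Centeye's), here is a minimal impossible-travel check over constructed sign-in events: it compares consecutive sign-ins by the same user and flags any pair whose implied speed no traveller could reach. The 1000 km/h plausibility threshold and the city coordinates are assumptions.

```python
# Added example: flag "impossible travel" by the implied speed between
# consecutive sign-ins for the same user. Not Centeye code; threshold assumed.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than any airliner a user could be on


@dataclass
class SignIn:
    user: str
    at: datetime   # UTC
    lat: float
    lon: float
    city: str      # label only, used in the alert


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each consecutive pair of
    sign-ins by one user whose implied speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: ev.at):
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.at - prev.at).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Same timestamp, different place: treat as infinitely fast, not a division error.
            speed = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if speed > max_kmh:
                alerts.append((e.user, prev.city, e.city, speed))
        last_seen[e.user] = e
    return alerts


# Constructed sample: alice reproduces the London-20-minutes-after-New-York case above;
# bob's London-to-Paris hop over six hours is ordinary travel and must not alert.
SAMPLE = [
    SignIn("alice", datetime(2025, 3, 1, 9, 0), 40.71, -74.01, "New York"),
    SignIn("alice", datetime(2025, 3, 1, 9, 20), 51.51, -0.13, "London"),
    SignIn("bob", datetime(2025, 3, 1, 8, 0), 51.51, -0.13, "London"),
    SignIn("bob", datetime(2025, 3, 1, 14, 0), 48.86, 2.35, "Paris"),
]

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE):
        print("impossible travel: %s %s -> %s (~%.0f km/h)" % (user, src, dst, kmh))
```

In production the same logic runs over the identity provider's sign-in log, and the coordinates come from IP geolocation rather than being embedded.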
ITDR vs. MFA: you need both
MFA is the single most effective control you can deploy — but it’s not bulletproof. MFA fatigue, token theft, and OAuth abuse all route around it. ITDR is what catches the attacks that survive your MFA. Think of MFA as the lock and ITDR as the camera that notices someone picking it.
How Centeye does ITDR
Centeye’s Identity/ITDR surface integrates with Entra, Google Workspace, and JumpCloud to detect impossible travel, MFA fatigue, token theft, and OAuth app risk — plus a daily MFA-posture audit and nine reversible response actions (force reset, revoke sessions, step up MFA, and more). It also cross-references dark-web breach exposure per user, so a leaked credential triggers a response before it’s used.
And because Kavach correlates identity events with email and endpoint signals, an MFA-fatigue attack that precedes a suspicious wire request becomes a single incident — the way a human analyst would see it.
New to these terms? Our security glossary has plain-English definitions. Want to see ITDR running against a live identity provider? Get a demo.
Figures cited from Microsoft Digital Defense Report 2025, Mandiant M-Trends 2025, Verizon 2025 DBIR, and the Coveware Q4 2025 Ransomware Report.