80%+
of enterprise breaches involve identity-layer attacks, credential theft, privilege escalation, or lateral movement using legitimate authentication, according to the Verizon DBIR 2025
24 days
average dwell time for identity-based attacks before detection, compared to 11 days for malware-based intrusions, because identity attacks use legitimate credentials that do not trigger malware signatures
90%
of Active Directory environments contain at least one configuration that enables a Kerberoasting or lateral movement path to domain admin, according to BloodHound Community Edition analysis data
47%
of organizations cannot detect a Golden Ticket attack in real time using their existing SIEM and EDR tooling, the attack technique used in the 2020 SolarWinds intrusion

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Active Directory is the crown jewel of every enterprise network. When an attacker reaches domain admin, the breach is over, they can read every mailbox, access every file share, disable every security control, and encrypt every server. The path to domain admin runs almost entirely through identity: stolen credentials, abused service accounts, delegated Kerberos tickets, and replicated domain controller hashes.

The ITDR market in 2026 provides targeted detection for these identity-layer attacks. The four platforms that appear on virtually every enterprise shortlist are Microsoft Defender for Identity, CrowdStrike Falcon Identity Protection, SentinelOne Singularity Identity (formerly Attivo Networks), and Semperis Directory Services Protector. Each takes a different architectural approach and offers distinct strengths for different environments and threat profiles.

Microsoft Defender for Identity

Microsoft Defender for Identity (MDI) is the Microsoft-native ITDR platform, deployed as a sensor on domain controllers that analyzes domain controller traffic and event logs for identity attack patterns. MDI integrates tightly with the broader Microsoft Defender XDR platform, correlating identity signals from AD with endpoint signals from Defender for Endpoint and cloud identity signals from Entra ID Protection.

Strengths: Native integration with Microsoft Sentinel and Defender XDR produces the highest-fidelity identity-to-endpoint correlation available for Microsoft-stack organizations. MDI detects a comprehensive set of AD attack techniques including Pass-the-Hash, Pass-the-Ticket, Kerberoasting, AS-REP Roasting, DCSync, LDAP reconnaissance, and Skeleton Key attacks. The unified incident view that combines MDI identity alerts with Defender for Endpoint process alerts and Entra ID risky sign-in signals is the strongest cross-layer identity-to-endpoint correlation in the market.

Weaknesses: MDI is an on-premises AD sensor product, Entra ID (cloud identity) coverage is provided through Entra ID Protection, a separate product with separate licensing and a different management console. Organizations with complex hybrid or multi-cloud identity environments may find that the full MDI picture requires multiple Defender products and licenses to assemble. Non-Microsoft identity providers (Okta, Ping, Duo) receive limited native coverage.

Best fit: Microsoft-heavy enterprises with on-premises Active Directory and Entra ID, particularly those already running Defender for Endpoint and Microsoft Sentinel. The unified Defender XDR platform provides the best correlation value for organizations standardized on Microsoft security.

CrowdStrike Falcon Identity Protection

CrowdStrike Falcon Identity Protection extends the Falcon platform, best known for its EDR capabilities, with identity threat detection that correlates endpoint behavioral signals with identity authentication events to detect attacks that move between the endpoint and identity layers. Where MDI is a dedicated domain controller sensor, Falcon Identity Protection combines domain controller traffic analysis with the endpoint telemetry already collected by the Falcon EDR agent, enabling correlation between the process that performed a credential dump and the subsequent authentication attempt using those credentials.

Strengths: The strongest endpoint-to-identity correlation in the market. CrowdStrike can detect that the same process that ran Mimikatz on a compromised workstation 4 minutes ago is now authenticating as a domain admin from a different host, a connection that tools analyzing only DC traffic or only endpoint events miss independently. Real-time identity-based conditional access: Falcon Identity Protection can trigger step-up authentication requirements or block authentication attempts in real time based on risk signals, going beyond detection into active prevention. Coverage for hybrid environments including Okta and Azure AD alongside on-premises AD.

Weaknesses: Requires Falcon EDR deployment for the full correlation value, organizations without CrowdStrike as their primary EDR will not get the cross-layer correlation that differentiates Falcon Identity Protection from standalone ITDR tools. Higher total cost for organizations that need to add Falcon licensing to an existing EDR investment.

Best fit: Organizations already running CrowdStrike Falcon EDR who want to extend their existing platform investment to cover identity attacks. Excellent fit for organizations that want real-time authentication policy enforcement (blocking suspicious logins) rather than just detection and alerting.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

SentinelOne Singularity Identity

SentinelOne Singularity Identity (acquired from Attivo Networks in 2022) provides Active Directory attack detection and a unique identity deception capability: the platform deploys fake AD objects, fake user accounts, fake service account credentials, fake GPO links, throughout the AD environment that trigger high-confidence alerts when an attacker's reconnaissance tools enumerate them.

Strengths: The identity deception layer is a differentiator with near-zero false positive rates. BloodHound and similar AD reconnaissance tools enumerate Active Directory looking for privilege escalation paths. When those tools enumerate Singularity Identity's decoy AD objects, the platform generates a high-confidence alert with specific enumeration details. This provides detection coverage for the reconnaissance phase of an AD attack before the attacker has achieved any escalation, earlier in the kill chain than authentication-event-based detection. Strong integration with the SentinelOne EDR platform for customers already running Singularity Endpoint.

Weaknesses: The deception-based detection approach requires ongoing management of decoy objects to ensure they remain convincing and are not inadvertently cleaned up by AD maintenance processes. The authentication event-based detection for techniques like Pass-the-Hash and DCSync is less mature than MDI or CrowdStrike for organizations without SentinelOne EDR deployed.

Best fit: Organizations that want early-stage AD reconnaissance detection before attack escalation, and those already running SentinelOne EDR. The deception capability is particularly valuable for organizations with complex AD environments where BloodHound-style enumeration is a known threat pattern.

Semperis Directory Services Protector

Semperis specializes exclusively in Active Directory security, with two primary products: Directory Services Protector (DSP) for real-time AD threat detection and change monitoring, and Active Directory Forest Recovery (ADFR) for ransomware-specific AD recovery. Semperis has the deepest AD-specific expertise in the market, and its focus on AD recovery capability alongside detection makes it the most relevant platform for organizations whose primary ITDR concern is ransomware-driven AD destruction.

Strengths: The only ITDR vendor with a dedicated AD forest recovery product built alongside the detection platform. Ransomware groups (including BlackCat, LockBit, and Scattered Spider) specifically target Active Directory for destruction during ransomware attacks to prevent recovery, Semperis ADFR provides a dedicated recovery capability that survives ransomware encryption of domain controllers. DSP's AD change monitoring is the most granular in the market: every AD object modification is tracked with rollback capability, and tiered change risk scoring identifies which AD changes represent security risk versus routine operations. Strong coverage for both on-premises AD and Entra ID.

Weaknesses: Semperis is an AD specialist, not a unified identity platform. Coverage for non-Microsoft identity providers (Okta, Ping) is limited. Organizations whose identity threat landscape extends significantly beyond AD and Entra ID will find Semperis less comprehensive than CrowdStrike or MDI for hybrid identity environments.

Best fit: Organizations with large on-premises Active Directory environments where ransomware-driven AD destruction is a top incident response concern. Healthcare, government, and critical infrastructure operators who need the fastest possible AD recovery capability alongside detection should prioritize Semperis alongside a broader ITDR platform.

Evaluation criteria that determine deployment success

Three criteria determine whether an ITDR deployment delivers detection value or generates alert noise:

  1. Domain controller coverage completeness. ITDR sensors must be deployed on every domain controller in every domain and site, including remote sites and read-only DCs. Partial DC coverage leaves gaps where attackers can perform DCSync or perform Kerberos abuse against uncovered controllers. Verify the deployment architecture requirement for your specific AD topology before committing.

  2. Integration with your SIEM and incident response workflow. ITDR alerts need to reach analysts in the same console where they investigate EDR and network alerts. Fragmented tooling (identity alerts in one platform, endpoint alerts in another, no correlation view) reduces the attack chain visibility that makes ITDR valuable. Evaluate SIEM integration quality and bidirectional ticket creation, not just alert forwarding.

  3. Tuning requirement for your environment. AD environments vary dramatically in their normal authentication patterns, a 10,000-user enterprise with 200 service accounts in a single domain looks nothing like a 50,000-user financial institution with 15 domains, multiple forests, and a complex cross-domain trust structure. Request the tuning timeline and methodology for your specific environment size and complexity, not a demo against a clean lab environment.

The bottom line

Microsoft Defender for Identity is the right choice for Microsoft-standardized enterprises that want native XDR correlation between identity, endpoint, and cloud signals. CrowdStrike Falcon Identity Protection is the right choice for CrowdStrike EDR customers who want real-time authentication policy enforcement alongside detection. SentinelOne Singularity Identity is the right choice for organizations that want early-stage AD reconnaissance detection through identity deception, particularly on a SentinelOne EDR platform. Semperis is the right choice for organizations with large on-premises AD environments where ransomware-driven forest destruction is a top recovery concern, and it is frequently deployed alongside one of the other three platforms rather than as a replacement for them.

Frequently asked questions

What is the difference between ITDR and PAM?

Privileged Access Management (PAM) is a preventive control that manages and secures privileged credentials, storing them in a vault, enforcing just-in-time access, rotating passwords, and recording privileged sessions. ITDR is a detective control that monitors identity infrastructure for signs of attack, detecting when credentials are stolen and used, when Kerberos tickets are abused, and when Active Directory objects are manipulated. The two categories address different phases of an identity attack: PAM prevents credential theft by reducing standing privilege and protecting credentials; ITDR detects when an attacker has obtained credentials through means that PAM did not prevent (phishing, endpoint compromise, LDAP enumeration). Both controls are required for comprehensive identity security, PAM reduces the credential exposure surface, ITDR detects exploitation of the residual exposure.

What Active Directory attacks does ITDR detect?

Leading ITDR platforms detect the full range of Active Directory attack techniques documented in MITRE ATT&CK: credential access techniques including Pass-the-Hash, Pass-the-Ticket, Kerberoasting (service account password hash cracking), AS-REP Roasting (attacking accounts without pre-authentication), and DCSync (domain controller data replication abuse); lateral movement techniques including remote service creation (PsExec, WMI), SMB relay, and DCOM abuse; privilege escalation through GPO modification, AdminSDHolder manipulation, and SID history injection; and persistence techniques including Golden Ticket and Silver Ticket creation and Skeleton Key malware deployment. Detection quality varies significantly between platforms and environments, request ATT&CK coverage documentation specific to your AD configuration, not a generic technique checklist.

Does ITDR work for cloud identity (Entra ID, Okta)?

ITDR coverage for cloud identity varies significantly by platform. Microsoft Defender for Identity provides on-premises AD coverage, while Entra ID Protection and Entra ID Identity Protection handle cloud identity threat detection for Microsoft environments. CrowdStrike Falcon Identity Protection and SentinelOne Singularity Identity both support hybrid environments covering on-premises AD alongside Entra ID and Okta. Semperis focuses primarily on on-premises AD and Entra ID, with limited Okta support. For organizations with Okta as their primary identity provider and minimal on-premises AD, the ITDR market has fewer mature options: Okta's own Workforce Identity Security product and CrowdStrike's Falcon Identity Protection provide the most complete coverage for Okta-centric environments.

How is ITDR different from a SIEM with AD-focused detection rules?

A SIEM with AD-focused detection rules (Windows Event ID correlation, Kerberos anomaly rules, LDAP query pattern matching) can detect many of the same attacks as a dedicated ITDR platform, but with significantly higher analyst effort and lower fidelity. SIEM-based AD detection requires ingesting domain controller event logs at high volume, building and maintaining detection rules for each attack technique, correlating events across multiple DCs and forests, and building the behavioral baseline that distinguishes abnormal authentication patterns from legitimate spikes. ITDR platforms provide purpose-built sensors, pre-built AD-specific detection logic, behavioral baselining that accounts for AD topology, and AD-aware correlation that understands trust relationships and delegation chains, reducing the engineering effort required to achieve equivalent detection coverage to months of SIEM rule development.

What is a Golden Ticket attack and how is it detected?

A Golden Ticket attack is an Active Directory attack where an adversary who has obtained the KRBTGT account password hash (typically through DCSync against a compromised domain controller) forges Kerberos Ticket Granting Tickets (TGTs) that are accepted by any service in the domain as valid authentication. Because the tickets are cryptographically valid (signed with the real KRBTGT key), they are invisible to standard authentication log monitoring, the tickets do not go through the domain controller for validation after the initial forgery. Detection requires monitoring for specific indicators: Kerberos tickets with lifetimes that exceed domain policy maximums, tickets issued for accounts that do not exist in the domain, authentication patterns that originate from hosts not associated with the user account's normal behavior, and domain controller event 4769 (Kerberos service ticket request) patterns that suggest ticket reuse from forged TGTs.

Sources & references

  1. Gartner Innovation Insight for Identity Threat Detection and Response
  2. MITRE ATT&CK Credential Access Techniques
  3. Microsoft Defender for Identity Documentation
  4. CrowdStrike Falcon Identity Protection Product Overview
  5. SentinelOne Singularity Identity Documentation
  6. Semperis Directory Services Protector Documentation
  7. CISA Protecting Against Active Directory Attacks
  8. Verizon DBIR 2025, Identity Attack Statistics

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.