Sophos ITDR (Identity Threat Detection and Response) is software that helps improve your security posture by continuously monitoring your Microsoft Entra ID tenants for identity risks and misconfigurations.

What is Identity Threat Detection and Response (ITDR)?

Identity Threat Detection and Response (ITDR) is a solution focused on stopping attacks that start with, or pivot through, identity – think compromised credentials, risky sign-ins, privilege escalation, and weaknesses in Microsoft Entra ID.

ITDR combines:

  • Continuous monitoring of identity activity (logins, token/session behaviour, privilege changes)
  • Identity posture checks (configuration gaps and risky settings)
  • Detection of identity-based attack techniques (e.g. brute force, account takeover, lateral movement)
  • Response actions to contain threats quickly (e.g. reset passwords, disable account, terminate sessions)

If endpoint security is the alarm system on the doors and windows, ITDR is the bit that notices someone’s copied your keys — and changes the locks before they get inside.


Why ITDR exists (the identity problem)

Attackers increasingly target identities because:

  • Cloud apps are everywhere, and identity is the new control plane.
  • Phishing toolkits make harvesting credentials easy, and techniques can bypass MFA.
  • MFA helps, but misconfigurations and token/session abuse still get exploited.
  • Once an attacker has identity access, they can often disable controls, escalate privileges, and move laterally without dropping obvious malware.

ITDR is designed to cover the gaps between “we have MFA” and “we can actually see and stop identity-led attacks in real time”.


What Sophos ITDR does

Sophos Identity Threat Detection and Response (ITDR) is Sophos’ identity security capability that:

  • Continuously monitors Microsoft Entra ID tenants for identity risks and misconfigurations.
  • Assesses your existing environment, reports on its findings and provides an immediate Identity Risk Posture score.
  • Adds dark web intelligence to help identify compromised credentials.
  • Integrates into Sophos Central, and ties directly into Sophos XDR / MDR workflows.

It’s visibility + prioritisation + response, where identity events become actionable security cases.


If you have MFA, Sophos MDR, and Defender – do you need ITDR?

Even with endpoint protection, e-mail filtering and some MDR systems, blind spots can remain:

  • Risky Entra ID settings that quietly increase your attack surface
  • Early-stage identity attacks that look like “normal admin noise”
  • Compromised credentials showing up externally before an obvious incident begins

With Sophos, the value is that ITDR feeds identity findings into the same operational pipeline (cases, investigations, response) – and MDR can take action when required.


95%: percentage of Microsoft Entra ID environments with critical misconfigurations.
Source: Sophos Incident Response team research

How this maps to our ITaaS

In our ITaaS service, MDR is the default. That means customers already have:

  • 24/7 monitoring and response coverage
  • A team to investigate alerts and take containment steps
  • A security operations “brain” that doesn’t clock off

Adding Sophos ITDR strengthens the MDR outcome in a very specific way:

  • Fewer identity-related surprises: posture issues and risky identity configurations are surfaced and prioritised early.
  • Faster containment: identity events can be actioned (e.g., session termination / password resets) as part of response playbooks.
  • More complete investigations: identity becomes a first-class signal alongside endpoint and network telemetry, which improves confidence when deciding “is this real?” and “how far did it go?”.

What customers should expect during onboarding

Onboarding is really easy.

  • Connect Sophos ITDR to the customer’s Microsoft Entra ID tenant
  • Rapid initial assessment producing:
    • prioritised findings
    • an identity posture score
  • Ongoing monitoring + cases routed into MDR where applicable

ITDR Findings

The ITDR Findings page lists all posture-check results for your identity environment in a table, ordered by risk. Each finding includes a status, risk rating, and category.

When ITDR is most valuable

ITDR resonates best with organisations that:

  • Rely heavily on Microsoft 365 / Entra ID (let’s be honest, that’s most companies!)
  • Have remote work, contractors, or lots of SaaS access
  • Want to reduce ransomware risk by cutting off identity-based entry paths
  • Have compliance pressure to demonstrate continuous monitoring and improvement of access controls

Find out more

If you’d like a plain-English walkthrough of what Sophos ITDR covers (and how it complements MDR in our ITaaS), we’re happy to share a quick overview and typical rollout approach – no pitch, just clarity.
