Identity Threat Detection & Response (ITDR)
35% of cloud intrusions in 2025 started with valid account credentials. Attackers who compromise credentials do not announce themselves. They create mailbox forwarding rules, register new devices, and exfiltrate data over days, while your identity tools log it without anyone watching. Our managed ITDR service monitors every sign-in, every privilege change, and every anomalous authentication event across your Microsoft estate, 24/7.
Azure AD P2 Generates Alerts. ITDR Operationalises Them.
Cyber insurers and auditors now distinguish between identity prevention (MFA, Conditional Access) and identity threat detection and response. Azure AD P2 satisfies the former. ITDR, as defined by Gartner, requires active monitoring, behavioural baselining, and a response capability.
Your Azure AD P2 licence generates the signals. Without a team monitoring and responding to those signals around the clock, your insurer's questionnaire answer is incomplete. We provide the detection and response layer: 24/7 SOC analyst coverage from £900/month.
Three Moments That Precede Every Purchase
ITDR purchases are not routine budget cycles. They are triggered by specific incidents, external pressures, and operational gaps. Which one brought you here?
“The compromise was logged. Nobody was watching.”
Your CEO's account was accessed from Lagos at 11:47pm on a Friday. Within four minutes, a mailbox forwarding rule was created to an external Gmail address. By Saturday morning, three supplier payment requests had been sent.
With ITDR monitoring active, the Lagos sign-in triggers an impossible travel alert. Our analyst reviews, confirms the risk, and initiates containment: session revocation, account disable, your security contact notified by phone. Attacker access cut short, not 60 hours later.
“Your insurer asked for ITDR capability. Azure AD P2 is not the same thing.”
Cyber insurers now distinguish between identity prevention (MFA, Conditional Access) and identity threat detection and response. Azure AD P2 satisfies the former. ITDR, as defined by Gartner, requires active monitoring, behavioural baselining, and a response capability.
We provide documented response procedures and post-incident reporting you can share with your underwriter. Your Azure AD P2 licence generates the alerts. We provide the team that monitors and responds to them around the clock.
“Your E5 estate generates thousands of identity alerts. Who is triaging them at 2am?”
Azure AD Identity Protection flagged 47 high-risk sign-ins last month. Your team investigated 3. One of the 44 uninvestigated was a real compromise: a service account accessed from a Tor exit node, automatically remediated with a password reset, but the attacker had already registered a new device and granted OAuth consent to a third-party application that retained SharePoint read access for six weeks.
We operationalise your Microsoft identity estate: triaging every alert, baselining behaviour, and correlating identity events with endpoint and network telemetry.
If your team cannot investigate identity alerts at 3am, the detection gap is already open.
What ITDR Monitoring Covers
ITDR monitoring covers the full identity attack surface: cloud identity providers, on-premise Active Directory, MFA bypass techniques, account takeover patterns, and privilege escalation through your Microsoft estate.
Azure AD & Entra ID Monitoring
Real-time monitoring of Azure Active Directory (Entra ID) sign-in logs, audit logs, and identity protection signals. Detects suspicious sign-ins, MFA bypass attempts, consent grant attacks, and risky user behaviour across your Microsoft identity estate.
Impossible Travel Detection
Identifies sign-ins from geographically impossible locations within an observed timeframe, flagged against each user's established baseline. Covers VPN exit nodes, Tor, and residential proxies used to mask attacker origin.
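The implied-speed check behind an impossible travel alert, as an added illustration rather than Precursor's own detection code. It assumes sign-ins already enriched with GeoIP coordinates and an anonymizer flag (the field names and sample events are constructed), flags consecutive sign-ins whose implied speed exceeds airliner speed, and shows why the user's baseline locations matter:

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample Entra ID-style sign-in events (not real telemetry). lat/lon/city would
# come from GeoIP enrichment of the client IP; "anonymizer" from a VPN/Tor/proxy feed.
SAMPLE_SIGNINS = [
    {"user": "ceo@example.test", "time": "2025-03-07T21:15:00Z", "ip": "203.0.113.10",
     "lat": 54.97, "lon": -1.61, "city": "Newcastle", "anonymizer": False},
    {"user": "ceo@example.test", "time": "2025-03-07T23:47:00Z", "ip": "198.51.100.7",
     "lat": 6.52, "lon": 3.38, "city": "Lagos", "anonymizer": False},
    {"user": "ceo@example.test", "time": "2025-03-08T00:10:00Z", "ip": "192.0.2.22",
     "lat": 54.97, "lon": -1.61, "city": "Newcastle", "anonymizer": False},
]

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; a faster implied speed is impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, baseline_cities=frozenset(), max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh.

    A sign-in from a city in the user's baseline is never flagged as the anomalous leg,
    but it still becomes the reference point for the next sign-in. A sign-in from a known
    anonymizer is flagged outright, because GeoIP then only says where the exit node is.
    """
    alerts, last = [], {}  # last: user -> previous event with parsed timestamp
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last.get(ev["user"])
        if ev["anonymizer"]:
            alerts.append({"user": ev["user"], "to": ev["city"], "reason": "anonymizer"})
        elif prev is not None and ev["city"] not in baseline_cities:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = max((t - prev["_t"]).total_seconds() / 3600, 1 / 60)  # floor at one minute
            if km / hours > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": round(km / hours), "reason": "impossible_travel"})
        last[ev["user"]] = {**ev, "_t": t}
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS, baseline_cities={"Newcastle"}):
        print(alert)
```

With Newcastle in the baseline only the Lagos leg alerts; without a baseline the return to the office also fires, which is the noise a per-user baseline removes.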
Privileged Account Monitoring
Enhanced monitoring of Global Admins, Domain Admins, and service accounts. Alerts on off-hours sign-ins, new device registrations, role assignments from non-standard accounts, and permission changes outside change windows.
MFA Bypass & Fatigue Detection
Detects MFA fatigue attacks by tracking anomalous push request volumes per user. More than three requests within ten minutes from a new or anomalous IP triggers analyst review. Also covers legacy auth protocol bypass (IMAP, POP3, SMTP AUTH) and token replay.
Account Takeover & Credential Stuffing
Identifies patterns consistent with account takeover: multiple failed logins followed by success, new device registration, mailbox forwarding rule creation, and OAuth consent grants to third-party applications with excessive permissions.
Why Azure AD Identity Protection Is Not ITDR
Azure AD P2 generates the signals. ITDR operationalises them. The distinction matters to your insurer and your auditor.
| Capability | Azure AD Identity Protection (P2) | Precursor Managed ITDR |
|---|---|---|
| Risk scoring for sign-ins | Yes | Yes, enhanced with external threat intel |
| 24/7 human analyst triage | No | Yes |
| On-prem Active Directory coverage | No | Yes |
| Cross-source correlation (endpoint, network, identity) | No | Yes |
| MFA fatigue detection | Limited | Yes (anomalous push request monitoring) |
| Response: session revocation, account disable | Automated only (risk-based CA) | Human-reviewed, with your authorisation |
| Threat hunting | No | Yes (monthly proactive hunts) |
| Post-incident forensic report | No | Yes |
All monitoring is conducted by CREST-accredited analysts in Precursor's UK-based Security Operations Centre. CREST accreditation satisfies procurement requirements for public sector, healthcare, and financial services organisations.
How Managed ITDR Works
Read-only integration to 24/7 detection in under two weeks.
Identity Source Integration
Read-only API connection to Azure AD (Entra ID), Active Directory, Okta, or Google Workspace. Logs ingested into our SIEM for correlation with network, endpoint, and cloud telemetry. Operational in under 10 business days.
Baseline and Risk Profiling
We establish normal sign-in patterns for each user: typical locations, devices, applications, and sign-in times. High-risk accounts (executives, IT admins, service accounts) receive enhanced monitoring baselines and stricter anomaly thresholds.
Continuous Threat Detection
24/7 monitoring for identity-based attack indicators: impossible travel, new device enrolments, OAuth consent grants, privilege escalations, MFA fatigue patterns, legacy auth bypass, and suspicious mailbox rule changes.
Analyst-Reviewed Response
When a compromised account is confirmed, our SOC analyst initiates containment with your authorisation: session revocation, account disable, password reset, and forensic investigation of attacker access. Post-incident report provided for audit or insurance use.
Procurement Requirements
Fixed monthly pricing with no per-incident fees. Read-only API integration requires no changes to your identity infrastructure. All monitoring, triage, and incident response are performed by CREST-certified, UK-based analysts in our Newcastle SOC. Identity telemetry never leaves the UK.
Identity Attack Detection Matrix
A complete reference of identity-based attack types and the specific detection mechanisms our SOC uses to identify each one.
| Attack Type | Category | Detection Mechanism |
|---|---|---|
| Account takeover via stolen credentials | Credential Theft | Impossible travel, new device registration, anomalous sign-in time |
| MFA fatigue (push notification bombing) | MFA Bypass | Anomalous MFA request volume per user per session |
| Business email compromise setup | Email Compromise | New inbox forwarding rule created post-compromise sign-in |
| OAuth consent phishing | Consent Abuse | New application consent grant with excessive permissions |
| Pass-the-hash / Golden Ticket (on-prem) | Lateral Movement | Windows Event Log correlation (4768, 4769, 4776) |
| Privilege escalation | Privilege Abuse | Global Admin role assignment from non-standard account |
| Impossible travel | Anomaly Detection | Sign-in from geographically impossible locations within observed timeframe |
| Legacy authentication bypass | Legacy Auth | Sign-ins via IMAP, POP3, SMTP AUTH from modern-MFA-enrolled accounts |
Identity Is One Layer. Build the Full Programme.
Identity monitoring works best when paired with endpoint detection, Microsoft 365 monitoring, and offensive security validation. Our penetration testers use SOC threat intelligence to test your identity controls against live attack patterns your ITDR should detect.
Microsoft 365 Security
Identity threats often start in M365. Pair ITDR with M365 monitoring.
Endpoint Protection (EDR)
Close the ITDR + EDR gap with managed endpoint detection.
AD Security Assessment
Test your identity controls before deploying monitoring.
Incident Response
Pre-agreed access to CREST-accredited IR team.
Full Services Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Ready to stop monitoring identity alerts in a spreadsheet?
Book a free scoping call. We review your identity infrastructure, confirm platform compatibility, and provide a fixed monthly quote within 48 hours. No obligation. No sales pressure.
ITDR Service: Common Questions
Pricing, platforms, onboarding, and how managed ITDR compares to Azure AD Identity Protection.
ITDR stands for Identity Threat Detection and Response. It is a security category formalised by Gartner in 2022 to describe the discipline of monitoring identity infrastructure (including Active Directory, Azure AD (Entra ID), and SSO platforms) for signs of compromise, credential theft, and privilege abuse. ITDR extends beyond identity prevention (MFA, Conditional Access) to provide active detection and response: real-time monitoring, analyst-reviewed alerts, and containment actions when a threat is confirmed. Precursor's managed ITDR service satisfies the detection and response requirement: 24/7 SOC analyst coverage, documented response procedures, and post-incident reporting you can share with your underwriter or auditor.
Gartner first defined Identity Threat Detection and Response (ITDR) in 2022, identifying a critical gap in security architectures that focused heavily on identity governance and prevention (IAM, PAM, MFA) but lacked detection and response capability for identity-based attacks. Gartner positioned ITDR as a required layer in mature security programmes, noting that 80% of breaches involve compromised credentials. Gartner's ITDR framework covers three capability areas: identity threat intelligence, identity posture management, and identity-specific detection and response. Cyber insurers and auditors now reference the Gartner ITDR category when assessing whether an organisation has adequate identity security controls.
EDR (Endpoint Detection and Response) monitors endpoint behaviour: processes, file system changes, and network connections from devices. ITDR monitors identity infrastructure: sign-in logs, authentication events, permission changes, and account behaviour across Azure AD, Active Directory, and SaaS platforms. The two are complementary. EDR detects post-compromise activity on devices; ITDR detects the initial credential compromise and lateral movement through identity systems. Many attacks now bypass endpoint controls entirely by using stolen credentials. ITDR is specifically designed to catch this class of attack. Precursor provides both as part of a combined Managed SentinelOne EDR and ITDR service for clients who want closed-loop coverage across identity and endpoint.
Identity threat detection and response pricing ranges from £900 to £4,000+ per month depending on user count and identity sources. Small organisations (up to 250 users, single Azure AD tenant) average £900 to £1,500 per month including 24/7 monitoring and incident response. Mid-sized organisations (250 to 1,000 users, hybrid AD environment) typically cost £2,000 to £3,000 per month. Large enterprises (1,000+ users, multiple tenants, on-prem AD forests) typically cost £3,500 to £4,000+ per month. All pricing includes Azure AD/Entra ID integration, on-premise AD (if required), impossible travel detection, MFA bypass monitoring, and privileged account surveillance. We provide fixed monthly quotes after a scoping call to understand your identity infrastructure.
Azure AD Identity Protection generates alerts. It does not investigate them, and it does not watch them at 3am. Specifically: it only monitors Microsoft's cloud ecosystem and misses attacks that pivot through on-premise AD, third-party SaaS, or VPN; it cannot correlate identity events with endpoint or network telemetry to detect multi-stage attacks; MFA fatigue attacks and sophisticated credential phishing often bypass Identity Protection's automated risk scoring; and out-of-hours attacks will not be investigated until your team returns on Monday morning. Cyber insurers and auditors now distinguish between Azure AD P2 (prevention) and ITDR (detection and response). Azure AD P2 satisfies the former. Without 24/7 analyst triage, it does not satisfy the latter. Most organisations use Identity Protection as a telemetry source and outsource 24/7 monitoring to a specialist SOC.
Yes. MFA push notifications are not phishing-resistant. An attacker who has obtained a user's password will send MFA push requests repeatedly, often at 10pm or 11pm, until the user approves one to make the notifications stop. The average time from first push to user approval in a fatigue attack is under four minutes when the user is tired. Our ITDR monitoring detects MFA fatigue attacks by tracking anomalous MFA request volumes per user: more than three push requests within ten minutes from a new or anomalous IP triggers an analyst review. If the user then approves, session containment can be initiated before the attacker completes their objective. We also monitor for legacy authentication protocol bypass (IMAP, POP3, SMTP AUTH) that circumvents MFA entirely for accounts enrolled in modern auth. MFA is necessary. It is not sufficient without detection.
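The MFA fatigue rule described above and under "MFA Bypass & Fatigue Detection" (more than three pushes within ten minutes from an IP outside the user's baseline), as an added worked example that is not Precursor's own detection code. The event fields, the per-user baseline IP sets and the sample pushes are constructed; the function also records whether the user approved a push after the burst was flagged, which is the point at which containment becomes urgent:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # more than three pushes inside WINDOW from a non-baseline IP is a burst

# Constructed sample MFA push events (not real telemetry). "result" is the user's response.
SAMPLE_PUSHES = [
    {"user": "alice@example.test", "time": "2025-03-07T22:01:00Z", "ip": "203.0.113.10", "result": "approved"},
    {"user": "alice@example.test", "time": "2025-03-07T22:58:00Z", "ip": "198.51.100.7", "result": "denied"},
    {"user": "alice@example.test", "time": "2025-03-07T22:59:10Z", "ip": "198.51.100.7", "result": "denied"},
    {"user": "alice@example.test", "time": "2025-03-07T23:00:25Z", "ip": "198.51.100.7", "result": "denied"},
    {"user": "alice@example.test", "time": "2025-03-07T23:01:40Z", "ip": "198.51.100.7", "result": "denied"},
    {"user": "alice@example.test", "time": "2025-03-07T23:02:30Z", "ip": "198.51.100.7", "result": "approved"},
    {"user": "bob@example.test", "time": "2025-03-07T23:05:00Z", "ip": "198.51.100.9", "result": "denied"},
    {"user": "bob@example.test", "time": "2025-03-07T23:06:00Z", "ip": "198.51.100.9", "result": "approved"},
]
# Constructed per-user baseline: IPs the user has authenticated from before.
BASELINE_IPS = {"alice@example.test": {"203.0.113.10"}, "bob@example.test": set()}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, baseline_ips, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, IP) burst of more than `threshold` pushes inside `window`.

    Pushes from a baseline IP are ignored. Once a burst is flagged, an approval from the
    same IP while the burst is still inside the window marks the alert for containment.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of pushes inside the window
    alerts, open_alert = [], {}  # open_alert: (user, ip) -> (alert index, burst start)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        if ev["ip"] in baseline_ips.get(ev["user"], set()):
            continue  # known-good source: a single retry here is not fatigue
        t = _parse(ev["time"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:  # drop pushes that have aged out of the sliding window
            q.popleft()
        if key in open_alert and t - open_alert[key][1] > window:
            del open_alert[key]  # burst has aged out; a fresh burst may open a new alert
        if key in open_alert:
            if ev["result"] == "approved":  # user gave in: session containment candidate
                alerts[open_alert[key][0]]["approved_after_alert"] = True
        elif len(q) > threshold:
            open_alert[key] = (len(alerts), q[0])
            alerts.append({"user": ev["user"], "ip": ev["ip"], "pushes": len(q),
                           "burst_start": q[0].strftime("%H:%M:%S"),
                           "approved_after_alert": False})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_PUSHES, BASELINE_IPS):
        print(alert)
```

Bob's two pushes stay below the threshold and produce nothing, while Alice's fourth push from the unknown IP opens the alert and her later approval flags it for containment.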
Yes. We monitor both cloud identity providers (Azure AD, Okta) and on-premise Active Directory. For on-prem AD, we ingest Windows Event Logs (4624, 4625, 4768, 4769, 4776) to detect pass-the-hash, Golden Ticket attacks, DC replication abuse, and lateral movement through the domain. On-prem AD monitoring is included in standard pricing, not an add-on. If you are concerned about your Active Directory security posture before onboarding monitoring, our Active Directory security assessment provides a full attacker-perspective review of your domain configuration.
Our SOC analyst immediately alerts your designated contacts and, with your pre-authorisation, can execute containment actions: revoking all active sessions, forcing password reset, disabling the account, and blocking sign-ins from suspicious locations. We then provide forensic analysis showing the attacker's access window, what data or systems were reached, and what persistence mechanisms were created (device registrations, OAuth consents, forwarding rules). The post-incident report is formatted for use with your cyber insurer or auditor.