

May 22, 2025
GigaOm Radar for Identity Threat Detection and Response (ITDR) v2
Paul Stringfellow
1. Executive Summary
Identity is an essential part of any organization's IT infrastructure, acting as the means for organizations to control access to the applications and data that hold their most critical business information. It is thus a high-value target for modern cyber attackers, and a compromised identity can significantly impact a business. Finding effective ways to identify threats and swiftly mitigate their risks must therefore be a priority in any diligent IT security leader's cybersecurity strategy.
An identity, whether human or machine, grants system and data access privileges, making it a target for cyber attackers. Identity theft attempts are increasingly common and sophisticated, and identifying and stopping these attacks is challenging. Modern identity-based attacks go beyond poorly worded emails and phishing attempts; they now leverage AI for reconnaissance and automation for large-scale strikes. Additionally, the attack surface that security teams must protect is vast. Identities are present across all aspects of an organization’s infrastructure, from cloud services to endpoints, complicating the defenders' task while simplifying it for attackers.
The frequency of attacks necessitates a proactive approach that can autonomously detect and mitigate threats faster than human teams. This demand has spurred the creation of identity threat detection and response (ITDR) solutions. These systems leverage broad telemetry, extensive analytics, and intelligence to swiftly and accurately identify threats and automate responses.
ITDR solutions leverage a variety of security tools and best practices to detect and respond to identity-related issues, like credential theft and data breaches. This capability is crucial in reducing identity security threats. Evaluating tools that enhance identity security should be a priority since breaches enable attackers to disrupt services and steal sensitive data, negatively impacting businesses.
Addressing this challenge requires financial investment and time, potentially prompting organizations to rethink identity management. However, the benefits of enhanced security are significant. Ignoring this risk increases vulnerability to identity compromise and business disruption.
This is our second year evaluating the ITDR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 16 of the top ITDR solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading ITDR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well ITDR solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of small and medium-sized organizations. Here, ease of use and deployment are more important than extensive management functionality and feature set.
Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category strongly focus on flexibility, performance, scalability, and the ability to integrate into existing environments effectively.
In addition, we recognize the following deployment models:
SaaS: These solutions exist only in the cloud and are managed by the service provider. Their advantages include simplicity, rapid scaling, and flexible licensing. Although some components like scanners may require physical installation, for this report, a SaaS solution is where the central management and intelligence features are available as SaaS.
Self-hosted - on-premises: With these solutions, the main management and intelligence elements are installable wholly on-premises, either in the customer’s data center or a co-location facility. They are not shared and are specific to a single customer.
Self-hosted - cloud: These solutions have the main management and intelligence elements installable on cloud-based machines within a customer's cloud tenant. They are not shared and are specific to a single customer.
Vendor-managed service: In this model, the vendor carries out all management and operations. For this report, this means fully managed by the vendor directly and not by one of its partners. However, co-managing (operations shared between provider and customer) is also acceptable.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Posture assessment
Common identity provider (IdP) integration
Central dashboard
Central alerting
Manual incident response
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an ITDR solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating ITDR Solutions.”
Key Features
Risk prioritization: ITDR tools can generate a lot of alerts, so to avoid alert fatigue, solutions should be capable of identifying the most significant risks and prioritizing them to aid with more effective responses.
Proactive protection: Responding to a threat is valuable, but proactively reducing it is crucial. Platforms offering proactive capabilities, like gathering intelligence on potential account sharing or using deception technology to identify attacks, can lower the chances of actual incidents.
Extended IdP integration: Discovering identity threats can be complex, as identities exist in multiple locations. Consequently, solutions offering a wide range of integrations with various identity platforms can provide a more comprehensive understanding of risk.
Enterprise security infrastructure integration: Solutions must integrate with tools like XDR, EDR, SIEM, SOAR, and ITSM. This integration facilitates adoption, makes the solution central to security technology, and ensures ITDR is part of the daily security workflow.
Compliance management: Solutions should be able to measure identity threats against established compliance and governance standards. Mapping identity risk to standards such as MITRE ATT&CK will assist organizations in using consistent terminology to describe threats and risks.
Enterprise security reporting: Gaining suitable insight into identity threats will benefit all organizations. Solutions ought to provide a comprehensive array of reports covering topics such as benchmarking, risk analysis, audit logging, and risk scoring.
Automated incident response: For effectiveness, ITDR solutions must automate threat response, isolate attacks, and prevent their spread through actions such as sign-out, access blocking, and account disabling, either natively or via third-party tools.
Incident response analysis: Organizations must investigate incidents to identify threats, understand their occurrence, and mitigate future risks. Solutions should log the actions leading to events, enabling detailed investigations by security teams.
Table 2. Key Features Comparison
Emerging Features
AI-enhanced SecOps/copilot: The use of AI assistants in ITDR solutions will help make them more proactive by detecting threats before they cause significant damage, more accurate by reducing false positives and improving threat detection, and more efficient by automating tasks and reducing the workload on security teams.
Non-human identity security: Non-human identities in security refer to digital identities assigned to applications, services, scripts, bots, and other processes. These identities are an essential part of machine-to-machine communication, API integrations, cloud workloads, and various automated tasks. Unfortunately, these identities are increasingly subject to risk and require mitigation actions, just as human accounts do.
Table 3. Emerging Features Comparison
Business Criteria
Flexibility: Customer needs are dynamic, requiring equally adaptable solutions. They must integrate with existing systems, provide a range of deployment models, and be sufficiently versatile to meet a business's changing demands.
Scalability: Organizations need solutions that can scale and evolve as their needs change. This can mean scaling to meet increasing user numbers or adapting to evolving technical and business requirements, such as new applications or the acquisition of new businesses.
Ease of management: Identity security is challenging; solutions should ease management and reduce operational overhead. Intuitive interfaces, helpful support, training, and guidance facilitate this, along with strong commercial support to assist customers in adopting the technology.
Cost: Solutions should offer clear pricing, enabling customers to quickly gauge the potential investment they will have to make. Vendors that provide this facilitate adoption and enhance product value, boosting customer return on investment. Other factors that can add to cost, such as the ability to integrate easily into existing environments, should also be considered. Additionally, solutions leveraging automation can help drive cost efficiency and lower overall expenses.
Ecosystem: Many ITDR vendors offer additional value through management tools, reporting platforms, and threat analysis solutions, along with nontechnical options such as educational events and professional services. Organizations should also consider the range of available partners in a vendor ecosystem.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Identity Threat Detection and Response
Since our previous report, the ITDR landscape has continued to mature, with solutions becoming more consistent in their approach. This is evident in the movement of several vendors into the Maturity half of the Radar, either due to technology stabilization or the successful integration of acquisitions into broader platforms. As a result, customers are now less likely to experience significant changes in ITDR platforms during their contract lifecycle.
As you can see in Figure 1, the majority of the vendors we reviewed fall within the Platform Play half of the Radar, offering broad capabilities that appeal to multiple market sectors. A smaller group appears in the Feature Play half, providing specialized ITDR approaches. Acalvio, for example, focuses on deception technology, while Microsoft and Quest specialize in ITDR for Microsoft directory environments.
Most vendors deliver comprehensive solutions that perform well against our metrics, leading several to be recognized as Leaders in this report. At the same time, strong Challengers continue to develop their offerings to compete with these established Leaders. Key differentiators between Leaders and Challengers include proactive threat mitigation, automation of responses, and investment in AI-driven assistants.
This report also features approximately 50% more vendors than last year’s, reflecting the continued growth of identity security solutions designed to combat increasingly sophisticated attacks. This underscores the scale of identity-related threats facing organizations and the growing demand for effective ITDR solutions.
Looking ahead, vendors are expected to further invest in AI and automation to support security teams in mitigating identity-based threats. Additionally, ITDR solutions will likely expand into adjacent areas such as privileged access management (PAM), identity lifecycle management, and threat detection across endpoints, cloud environments, and SaaS platforms.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Acalvio: ShadowPlex Identity Protection
Solution Overview
Acalvio is an industry leader in preemptive security based on cyber deception. Its ITDR solution combines security posture assessment with deception-based threat detection to protect against a wide variety of identity attacks.
Acalvio’s ShadowPlex Identity Protection prioritizes deception technology over typical telemetry and analytics. It features two main capabilities: Identity Security Posture Management (ISPM), which provides proactive visibility into attack surfaces, and ITDR, which detects identity threats and facilitates response actions. Response actions do require integration with third-party tools for execution. Its internal policy engine allows for simple orchestrations to be built that can trigger more complex responses in those external tools. The solution supports both SaaS and on-premises deployments. Integration with SaaS infrastructure is agentless. A sensor is required for on-premises deployments. Cloud integrations are available for Azure, AWS, and GCP.
ShadowPlex operates by scanning identity and endpoint environments to identify high-value, high-risk assets. It then deploys its deception technology through honey accounts and tokens to deceive attackers and protect production identities. It employs AI to create realistic deceptions that seamlessly integrate into the enterprise environment. AI is also used to provide clear threat descriptions to aid operations teams.
ShadowPlex can also integrate with CrowdStrike and Microsoft identity defense solutions. This integration allows it to add improved automation and management to those vendors' native solutions. It can also use those solutions’ on-premises telemetry to feed its threat engine rather than using an on-premises sensor.
ShadowPlex is a well-established solution, so customers can expect to see continued development within existing solutions.
Acalvio is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the ITDR Radar report.
Strengths
Acalvio scored well on a number of decision criteria, including:
Proactive protection: Acalvio’s deception technology is designed to preemptively safeguard an organization by setting traps to lure attackers to harmless “honey trap” identities. These traps anticipate threats, generating immediate alerts upon detection. This strategy ensures effective proactive protection against identity threats. With high-fidelity alerts from deception, security teams can use ShadowPlex for automated isolation of compromised endpoints.
Enterprise security infrastructure integration: ShadowPlex boasts a rich array of prebuilt integrations with leading SIEM, SOAR, EDR, and XDR platforms. This includes connections with CrowdStrike, Microsoft, Palo Alto Cortex XDR, Google Chronicle, and Splunk. Additionally, it features a flexible and extensible integration framework that allows customers and partners to develop custom integrations, which are created using a plugin-based model.
Incident response analysis: Acalvio leverages AI to automate event summarization, correlation, and enrichment of threat information. It automates the mapping of incidents to the MITRE ATT&CK framework, providing a standardized framework and language for SOC analysts to utilize. Acalvio Copilot enhances incident analysis and investigation through generative AI and an LLM, enabling incident response teams to adopt a natural interactive approach to threat investigation and incident response.
Opportunities
Acalvio has room for improvement in a few decision criteria, including:
Compliance management: Acalvio’s compliance reporting is limited to analysis against the NIST and CIS global frameworks currently, rather than taking a broader look at a wider range of compliance frameworks.
Extended IdP integration: Acalvio has roadmapped adding additional IdP integrations. Support is currently limited to Active Directory and cloud IAM stores, including Entra ID, AWS IAM, and GCP IAM. It does have a flexible integration framework that enables custom integrations to be defined during implementation.
Automated incident response: The vendor possesses automated capabilities; however, it relies heavily on third-party integration to implement many of them. Its deception technology ensures the accuracy of threat identification is high, resulting in precise automated responses. Customers using CrowdStrike Identity Protection or Microsoft Defender for Identity can leverage this integration for the automated blocking of at-risk IDs. Additionally, the platform can automate the deception technology of these vendors.
Purchase Considerations
Licensing for ShadowPlex Identity Protection uses a per-user annual subscription model. Pricing is published in cloud marketplaces and is also accessible via its channel partners or directly from the vendor.
The vendor asserts that its high level of automation and prebuilt integration diminishes the need for field programming and associated professional services costs, thereby reducing both time and expenditure for deployments. Its integrations with a wide array of EDR and other endpoint automation tools also alleviate deployment burdens.
While the solution is technically suitable for smaller businesses, the vendor primarily focuses on large enterprises (over 2,000 endpoints and 1,000 employees) and MSPs. Acalvio addresses the SMB market through its partners.
Use Cases
Acalvio’s primary use case is detecting various forms of attacks. These include Active Directory (AD) attacks, such as the stealthy Kerberoasting and Silver Ticket techniques, and AI-driven attacks used to find novel vulnerabilities, zero-day exploits, and custom, polymorphic malware that evades traditional security solutions. Its deception technology also helps provide early warning of identity attacks in the cloud, enabling users to prepare an effective defense.
BeyondTrust: Identity Security Insights*
Solution Overview
BeyondTrust is a cybersecurity company specializing in identity and access security, offering solutions for privileged access management (PAM), remote access, and vulnerability management to help organizations protect against cyberthreats and data breaches.
BeyondTrust provides a platform approach to ITDR, which encompasses its privileged access and password management tools. Its ITDR management is driven through its Identity Security Insights SaaS platform, which integrates with on-premises, cloud, and SaaS systems to uncover hidden threats and provide recommendations for enhanced security posture. This platform continuously auto-detects risky configurations and uses AI for actionable recommendations as threats evolve. It operates in real time to alert on ongoing attacks and suspicious activities, such as dormant accounts leveraging privileged access and excessive secret safe reads. The newly released Pathfinder Platform aims to enhance insights using AI for better management. Pathfinder’s True Privilege Graph maps privilege relationships for every identity, continuously updating access paths and exposing attack vectors, including identity misconfigurations. It also integrates widely with enterprise security tools for risk telemetry.
BeyondTrust’s overall approach is based on its modular platform. Identity Security Insights extends that platform with the identity threat intelligence that is key to driving ITDR.
Customers should expect to see continued development delivered within the existing product framework.
BeyondTrust is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar chart.
Strengths
BeyondTrust scored well on a number of decision criteria, including:
Extended IdP integration: BeyondTrust has a good range of integrations with leading IdPs, including Active Directory, Entra ID, Okta, PingOne, AWS, Azure, Google Cloud, and a range of SaaS applications.
Proactive protection: With its ability to integrate with a wide range of platforms, BeyondTrust can collect risk telemetry across on-premises, cloud, and SaaS environments and use this information to develop a comprehensive understanding of risk. Through integration with its other ecosystem tools, it can provide clear recommendations for proactive actions to mitigate risk and automate those actions.
Incident response analysis: BeyondTrust provides comprehensive details on high-risk activities. Via its developing AI platform, it is now aggregating recommendations and offering more detailed insights. Its new True Privilege Graph presents a visual representation of the effective privileges of any identity, including how attackers can exploit obscure interconnections between accounts, privileges, and configurations to escalate privileges.
Opportunities
BeyondTrust has room for improvement in a few decision criteria, including:
Compliance management: BeyondTrust aligns its risks with the MITRE framework. However, there are no published details of reporting against other compliance frameworks or the ability to build custom compliance reports.
Automated incident response: BeyondTrust does offer automation capabilities, including enforcing just-in-time access to privileged accounts and the ability to pause, terminate, or review sessions. However, Identity Security Insights is primarily a reporting platform; automating many of the responses requires other modules, such as Password Management and PAM, to deliver them.
Risk prioritization: BeyondTrust provides risk prioritization by assessing risks from a wide range of identity telemetry platforms, including IdPs and other tools. However, it is not clear whether risk priorities can be customized to meet specific business needs.
Purchase Considerations
BeyondTrust Identity Security Insights is a SaaS platform that is licensed on a per-user, per-month subscription basis. It appears that Identity Security Insights requires additional BeyondTrust modules to provide comprehensive insights and implement its mitigation actions, which means additional costs. Licensing packs are not shown on the website, so pricing will require contact with the vendor or one of its partners.
As a SaaS platform with a wide array of integrations, the deployment of Identity Insights should not be complicated. While other modules are necessary, its Pathfinder platform should integrate the management of these into a single interface to simplify management.
BeyondTrust offers products that are technically suitable for organizations of all sizes, though they may not be appropriate for the smallest customers.
Use Cases
BeyondTrust helps prevent attacks on identity systems by enhancing identity security posture with recommendations that identify risks and their implications. It also aids in detecting identity-driven threats and active attacks by analyzing user behavior, access patterns, and common attacker techniques to tackle new attack methods in real time. Additionally, it assists with responses to identity-driven risks and threats through its own platform, as well as integrations with SIEM, SOAR, ticketing, and collaboration tools, enabling efficient incident response.
CrowdStrike: CrowdStrike Falcon Identity Protection
Solution Overview
CrowdStrike provides cybersecurity solutions that detect and prevent advanced threats, offering real-time defense for customers. Its solutions take an adversary-centric approach, ensuring visibility into attack paths to stop breaches by helping organizations respond to threats before escalation.
The Falcon platform is a modular SaaS solution with a number of modules designed to address a wide range of security challenges. Its flexible architecture allows organizations to adopt only the security features they need. Falcon Identity Protection plays a key role in CrowdStrike’s ITDR strategy, seamlessly integrating with other Falcon modules.
By enabling data sharing across all CrowdStrike modules, the platform provides a comprehensive view of identity threats and correlates insights from multiple telemetry sources, including endpoints and cloud environments. Integration with cloud directories is achieved via API, while on-premises directories, such as Active Directory, require a single agent deployed on domain controllers.
The solution includes a powerful automation engine via the free Fusion SOAR platform and offers Charlotte AI, an advanced AI assistant, as an optional add-on. Organizations can tailor their deployment based on specific needs, ranging from basic detection to a fully integrated, end-to-end approach that includes posture management and automated threat mitigation.
CrowdStrike enhances the Falcon solution with a mix of new features via in-house development, as well as through acquisitions, and aims to ensure all new features are delivered through the existing familiar platform.
CrowdStrike is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
CrowdStrike scored well on a number of decision criteria, including:
Proactive protection: CrowdStrike’s Falcon Identity Protection enables security teams to monitor and analyze identities, access rights, and authentication across all identities. It offers a prioritized risk list to reduce vulnerabilities and respond to threats with measures like MFA or biometric verification. Utilizing threat intelligence, it enriches alerts with adversary profiles and real-time intelligence linked to MITRE ATT&CK techniques. Furthermore, it employs deception technology to lure attackers into honey token accounts, monitoring actions like password resets, account enable/disable, or email changes. Falcon Privileged Access adds additional controls using just-in-time access and continuous monitoring, revoking privileged access the instant security posture changes.
Automated incident response: Falcon Fusion SOAR, which is natively integrated into the Falcon platform, provides a no-code automation and orchestration engine that enables teams to automate end-to-end response workflows. Examples include isolating compromised hosts, triggering alerts for specific threats, and automatically notifying teams via tools such as Slack, Teams, or email, or through real-time conditional access policies. The solution offers over 1,500 automated actions, including first-party and third-party tools that can be executed either via CrowdStrike or through integrations with tools such as Okta/Ping, Entra ID, and Fortinet.
Incident response analysis: The solution supports all stages from incident alert to resolution, including detection, alert generation, prioritization, and drill down analysis. It generates alerts using global threat intelligence and assigns risk scores based on severity, adversary behavior, and attack stage. Analysts can use the Incident Workbench along with the Collaborative Command Center to visualize the attack path and consolidate alerts. The Command Center facilitates real-time coordination, note-taking, task assignment, and teamwork.
CrowdStrike was classified as an Outperformer thanks to its continued rapid development. It has not only already delivered a broad range of improvements; its strong roadmap also suggests more to come. Its advances in the use of its AI platform will continue to drive innovation.
Opportunities
CrowdStrike has room for improvement in a few decision criteria, including:
Risk prioritization: CrowdStrike’s risk prioritization combines a wide array of telemetry and external threat intelligence to proactively identify and prioritize risk. However, this could be improved by allowing customers to customize risk weighting to provide more specific risk prioritization.
Compliance management: The solution’s Attack Path Analysis assesses full attack chains aligned with MITRE stages, helping analysts to enable a response based on attack progression, though it does not map identity threats against broader compliance frameworks. However, its acquisition of Adaptive Shield means it now offers broader compliance insight across SaaS applications. CrowdStrike may well improve its offering by providing these insights across all identity locations.
Enterprise security reporting: The solution offers dashboards, reports, and alerts with customizable real-time insights into threats, incidents, and identity security. It serves as a solid reporting platform but could improve by providing prebuilt integrations with tools like Tableau or Power BI rather than offering only API options.
Purchase Considerations
Depending on requirements, organizations can consume the solution through one of four options: Falcon Identity Threat Detection (ITD), Falcon Identity Threat Protection (ITP), Falcon Privileged Access (FPA), and Falcon Shield. Falcon Identity Protection operates on a subscription basis and is licensed per active identity. Active identities refer to accounts that have been authenticated within the last 90 days, including human and non-human identities and service accounts. While CrowdStrike does provide retail pricing on its website, customers are encouraged to contact the vendor or any of its extensive partner ecosystem for specific pricing.
CrowdStrike offers flexible licensing through Falcon Flex, which grants customers access to the complete CrowdStrike portfolio, allowing maximum flexibility to expand platform adoption in line with business needs and timelines.
The CrowdStrike Falcon Identity Protection module features various prebuilt integrations to facilitate deployment. Professional services can assist in fine-tuning conditional access policies and reviewing the initial set of risks and detections with the customer to expedite remediation and adoption.
The vendor also provides a fully managed 24/7 service to prevent identity-based attacks and effectively respond to and remediate identity-based threats. CrowdStrike's offering caters to customer needs, accommodating both small and large enterprises.
Use Cases
CrowdStrike excels in various use cases, including preventing lateral movement, reducing identity attack surface by minimizing hidden vulnerabilities in the identity landscape, and averting the misuse of privileged and service accounts.
Delinea: Delinea ITP (Identity Threat Protection)
Solution Overview
Delinea secures identities through centralized authorization, enhancing organizational security by governing interactions across the enterprise. It applies context and intelligence throughout the identity lifecycle, covering cloud, traditional infrastructure, data, and SaaS applications to mitigate identity threats.
Delinea's Identity Threat Protection solution is based on the ITDR solution inherited as part of its Authomize acquisition from January 2024, which is now fully integrated into Delinea’s broader offering. The solution is deployed as a SaaS-based platform and integrates with existing infrastructure, including IaaS, SaaS, and IdPs through agentless connectors, although an agent is required for on-premises integration. Through its integrations, the solution gathers data from a broad range of sources, which is then normalized and analyzed, highlighting risks based on alerting and user risk scores. Its AI engine detects violations and suspicious IAM activity, offers automated remediation recommendations, and identifies real-time attacks.
The solution provides clear risk analysis through its dashboards, offering insights that include overall risk, impact analysis of account breaches, and severity scores to help prioritize activities. Additionally, the solution delivers strong proactive capabilities by providing ISPM, helping to identify misconfigurations in cloud environments to address risk. It also features an automation platform to assist customers in building automated threat responses.
Delinea ITP is offered both as a standalone solution and as seamlessly integrated functionality within Delinea’s SaaS Platform and broader portfolio. By integrating Authomize completely into its platform, Delinea has shown customers they can expect new services and capabilities to be made a core part of the platform.
Delinea is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Delinea scored well on a number of decision criteria, including:
Risk prioritization: Alerts are prioritized using risk scores and enhanced with a case management layer that groups related alerts into unified cases. This layer aims to reduce alert fatigue by consolidating multiple security signals into high-confidence cases. Priority is based on the risk score derived from two main factors: blast radius and account takeover risk. Scores can be tuned by adjusting risk factors, modifying their weights, or incorporating external factors.
Automated incident response: The solution offers a good range of remediation capabilities, and its broad integrations allow it to trigger remediation actions across other tools within a customer's infrastructure. It uses built-in remediation executed directly on IdPs and via Delinea PAM, with actions such as access revocation, password resets, and refactoring user permissions.
Extended IdP integration: Delinea offers several prebuilt integration options, including Active Directory, Entra ID, Okta, Ping, Google Admin Directory, AWS IAM, and OneLogin. These integrations are prebuilt using APIs, so end users only need to apply their credentials to connect. Custom integrations can be developed based on public APIs. Furthermore, customers can also engage Delinea's professional services team to create integrations that are not supported out of the box.
Opportunities
Delinea has room for improvement in a few decision criteria, including:
Compliance management: The solution maps threats against a number of compliance and security control frameworks, including the MITRE ATT&CK framework. Framework compliance is shown within the admin dashboard to highlight potential compliance deviations. Customers can also define custom compliance groups for frameworks not currently covered. There is an opportunity for Delinea to enhance this further with the addition of a broader range of out-of-the-box supported compliance frameworks, helping customers meet more use cases.
Proactive protection: The solution offers automated risk mitigation through native response actions such as blocking access, revoking permissions, and enforcing MFA. It also assists organizations in proactively enhancing their security posture by identifying and remediating identity misconfigurations before they escalate into security incidents. Still, the solution would benefit from supporting the use of deception technology, a valuable tool in combating identity threats.
Incident response analysis: Comprehensive incident analysis is enabled by correlating security alerts into cases, thereby reducing noise and highlighting high-validity threats. This provides detailed attack timelines, risk scoring, and context from multiple sources, enabling customers to understand the origins, methods, and impact of attacks. The addition of AI-driven support agents would be beneficial in helping customers more quickly analyze incidents. While this is not currently generally available, the vendor's AI Authorization Agent is now in preview and helps users by providing automated recommendations for access and risk-related analysis and decision making.
Purchase Considerations
Delinea ITP is licensed on a per-user subscription basis, with a minimum commitment of 12 months. Pricing is available directly from Delinea or through its partner channel.
The vendor does not anticipate the need for professional services to aid deployment. However, services can be purchased to assist with implementation and provide ongoing recommendations based on best practices. The solution does not require extensive training, as it is designed to be self-explanatory and intuitive, with comprehensive documentation available. A general overview of the product and key models typically takes two to three hours.
Small to midsize customers lacking a centralized IdP or with minimal to no usage of cloud service providers may find limited value in the solution. The company's primary focus is on larger businesses (1,000+ users), which may make it less suitable for smaller customers.
Use Cases
Delinea addresses a number of use cases, including comprehensive identity lifecycle coverage, which helps detect anomalies and threats regardless of where the identities or resources reside. It can also remediate identity and access risks by automating remediation for identity and access misconfigurations. Additionally, it offers threat detection for PAM and IdP environments, further strengthening the identity security posture.
Gurucul: REVEAL ITDR
Solution Overview
Gurucul is a security analytics firm specializing in cyber risk insights. Its REVEAL platform leverages machine learning and AI to analyze enterprise data, providing real-time threat and risk intelligence. Designed as an open, flexible, cloud-native solution, REVEAL offers a unified console for data control, visibility, searchability, and analytics.
REVEAL is a modular platform that integrates identity analytics alongside SIEM, UEBA, SOAR, and Data Pipeline Management (DPM) modules. Available as both a SaaS and self-hosted solution, it supports on-premises and cloud environments. The platform excels in comprehensive security analytics, enabling seamless data ingestion, deep customization, and insider threat risk prioritization. It collects telemetry from diverse environments, automates data ingestion, and uses ML-driven analytics to enhance threat detection, reduce false positives, and identify zero-day threats.
At the core of REVEAL, the Dynamic Risk Engine normalizes threats, helping organizations focus on high-risk events. Risk models can be customized to align with enterprise risk tolerance, while AI-driven capabilities accelerate identity threat detection and response. Analysts can also leverage natural language queries for streamlined investigations. Additionally, Gurucul STUDIO, the platform’s custom analytics and behavioral modeling tool, allows security teams to develop and deploy tailored algorithms without requiring deep ML expertise.
As REVEAL is a modular solution, organizations can license individual modules or bundle them to meet specific security needs. Core modules include DPM, SIEM, UEBA, SOAR, NTA, and Identity Analytics (IdA). For ITDR capabilities, organizations would need the UEBA module at a minimum.
Designed for large enterprises, REVEAL continues to evolve. Customers should expect to see ongoing enhancements and new capabilities delivered within the existing platform, as well as developments in emerging technology areas.
Gurucul is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ITDR Radar report.
Strengths
Gurucul scored well on a number of decision criteria, including:
Incident response analysis: The REVEAL platform offers native case management while seamlessly integrating with external case management systems. All incident-related actions, including response and automated remediation, are executed within the platform. Gurucul provides responders with critical context, such as threat actors, associated MITRE TTPs, risk scores, incident details, and logs, ensuring quick access and efficient querying. Comprehensive RBAC capabilities allow teams to share or obfuscate case details, maintaining confidentiality where needed. Additionally, AI-driven analysis accelerates investigations and response times.
Automated incident response: Gurucul REVEAL enhances incident mitigation through its integrated SOAR module, using response playbooks to isolate, block, or reduce privileges for at-risk identities—both human and machine. The platform provides extensive automation capabilities, including opening, modifying, or closing ITSM tickets, enforcing MFA, resetting passwords, and reducing identity entitlements. Built-in integrations with leading EDR solutions—such as CrowdStrike, FireEye, Tanium, and CarbonBlack—support further endpoint actions, such as file quarantine and process termination.
Risk prioritization: Gurucul’s risk engine leverages a customizable scoring model to help enterprises quantify and prioritize risks effectively. It assesses risk using over 240 attributes, providing a unified risk score for users, devices, and assets. Organizations can create or refine policies and models based on their needs. With Gurucul STUDIO, teams can configure risk parameters, establish new policies, or modify existing ones to enhance threat detection and response.
Opportunities
Gurucul has room for improvement in a few decision criteria, including:
Proactive protection: Gurucul REVEAL continuously evaluates all aspects of identity security by analyzing data from multiple sources. Leveraging its Threat Intelligence-as-a-Service from Gurucul Threat Labs, along with integrated third-party intelligence feeds, REVEAL can identify compromised accounts and initiate automated response actions via its SOAR module. Gurucul’s AI-powered orchestration and response can also dynamically modify and execute playbooks based on real-time information and evolving threat conditions. Protection capabilities can be further enhanced through deception technologies, an increasingly popular method for countering identity-based threats.
Compliance management: Gurucul REVEAL offers comprehensive compliance reporting, mapping detections and threats to the MITRE ATT&CK framework with prebuilt MITRE dashboards and reports. The platform supports a wide range of global compliance frameworks, including GDPR, HIPAA, SOX, NIST, and ISO 27001. This could be further enhanced with continued expansion in supported regulations, though customers can currently customize policies or create new ones to address specific compliance requirements.
Enterprise security reporting: Gurucul REVEAL provides over 1,500 out-of-the-box reports, including nontechnical reports that highlight business value, risk reduction trends, and progress toward key security KPIs. Reports can be customized, run manually, or scheduled for email delivery. Further improvements could include integrations with enterprise reporting tools like Power BI and Tableau to enhance data visualization and analytics. However, it is possible to export to Excel or CSV and import into other tools using that format.
Purchase Considerations
Gurucul’s licensing model varies by module and is based on a per-user, per-device, or volume-based metric. All licenses are subscription-based, with a minimum 12-month term that includes support. While perpetual licensing with support is no longer standard, it may still be available in exceptional cases. Pricing is not publicly disclosed and is available through direct quotes from Gurucul sales or authorized partners.
The company offers flexible deployment options, including SaaS and self-hosted setups. Self-hosted deployments require internal resources and support from the customer’s IT team, whereas Gurucul’s SaaS solution is typically operational within three days, ready for integration and data ingestion. Admin and end user training is included in quick-start packages.
While Gurucul REVEAL serves Global 1000 enterprises, government agencies, and small and medium enterprises, the company’s primary sales focus is not on the SMB market.
Use Cases
The Gurucul platform addresses a wide range of use cases. It detects compromised accounts and misused credentials. It identifies data exfiltration using behavioral analytics, recognizing abnormal data access patterns, especially large transfers to external or unauthorized locations. And it uses advanced machine learning and analytics to identify unusual user and entity behavior, reducing lateral movement threats.
Microsoft: Defender for Identity*
Solution Overview
Microsoft is a leading global software and cloud services company. It serves diverse markets and customers of various sizes. With Microsoft 365 and Azure, it ranks among the top three cloud platforms, boasting a significant customer base.
Microsoft’s ITDR solution is built on Microsoft Defender for Identity, which leverages telemetry and capabilities from the M365 platform, including Entra ID and Defender for XDR. It provides identity controls and security features to assist customers in addressing identity threats. The integration with other M365 components facilitates security controls such as conditional access and MFA. In addition, it employs threat analytics to deliver real-time threat overviews, identify risky behavior, and offer actionable insights for risk remediation. Defender for Identity grants visibility into the identity inventory, pinpoints at-risk individuals, and supplies insights on compromised identities, including attack details and responses. It also features an impact graph to demonstrate broader implications. Management occurs via its ITDR dashboard, which offers status and risk information, although multiple consoles are required for comprehensive ITDR functionality. Its Security Score feature aids customers in managing risk through Identity Posture assessments. For M365 users, the integration within the M365 estate enables swift deployment and enforcement of identity threat detection.
Defender for Identity is available as part of Microsoft E5 and A5 licenses. It is also available in the Security Pack Add-On.
Customers can expect that updates and new capabilities for this tool will be delivered within the existing M365 platform.
Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the ITDR Radar report.
Strengths
Microsoft scored well on a number of decision criteria, including:
Enterprise security infrastructure integration: While Microsoft does not necessarily develop a broad array of integrations, the vast Microsoft ecosystem means customers can expect integrations with Microsoft tools to be available across much of their current security investments. This includes SIEM, SOAR, ITSM, and XDR tools, many of which will integrate with Microsoft's Defender solution.
Automated incident response: With its integration into the broader Defender XDR ecosystem, Defender for Identity can take a wide array of actions. Natively, users can be automatically disabled; however, with this broader integration, more nuanced actions are automated. This includes enforcing MFA, applying conditional access rules, isolating user accounts and workstations, and more.
Incident response analysis: Microsoft offers detailed insights into threats, provides analysis of attack paths, and enables ticket management within the platform. Its robust integration across the 365 suite ensures it delivers comprehensive identity incident details. While it may not be a complete incident response platform, it does enable teams to respond to incidents.
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
Enterprise security reporting: Although the reporting platform does allow users to develop their own custom reports, there are only a small number of prebuilt identity-specific reports. More prebuilt identity threat and identity audit reports would be beneficial.
Risk prioritization: Microsoft’s new ITDR dashboard helps consolidate threat information, although it would be helpful if the dashboard more clearly stated the risks and how they are prioritized. However, it does indicate both broad risks and the number of users vulnerable to those risks, and can provide detailed information by drilling down into the dashboard.
Compliance management: Identity risk is mapped to MITRE and the CIS benchmark, with an assessment of compliance to these standards available. However, there is no broader reporting against other business compliance frameworks.
Purchase Considerations
Defender for Identity is available as part of the M365 E5 license, including its A5 academic equivalent. M365 licenses are per-user, per-month subscriptions. Activation of the appropriate license is all that's needed for implementation. However, certain configurations will require some knowledge of the M365 platform or support from Microsoft or its partners’ professional services.
While technically the solution is suitable for smaller customers, the licensing requirements are likely to appeal to those who utilize E5 licenses to address broad business needs rather than specifically for ITDR.
Use Cases
Defender for Identity best serves M365 customers looking to prevent, detect, and respond to increasingly prevalent identity-related threats, including identifying attacks that begin with compromised credentials. It also helps mitigate the risks associated with vulnerabilities in identity posture and aids modern SOC teams in gaining improved visibility into emerging cyberthreats.
Permiso: Permiso Identity Security Platform
Solution Overview
Permiso provides comprehensive protection and detection for all identity risks and threats in real time, across all environments. This includes detecting credential compromise, account takeover, and insider risk for every identity, human or machine.
The Permiso Identity Security Platform is a SaaS-based solution. Each customer is provided with a dedicated application instance. The platform is designed to protect cloud-native environments and seamlessly integrates with them via API. It offers a wide range of prebuilt integrations to identity providers and cloud services providers (IaaS, PaaS, and SaaS). It uses static and runtime signals from these platforms to tackle risks and threats, including misconfigured identities such as over-permissioned users, users accessing resources without MFA configured, and alerts on unauthorized users accessing services and data. It can also identify sensitive files containing credentials and secrets and flag those for compliance review. Permiso prides itself on the comprehensive nature and depth of its detection signals, with its team having built over 1,500 detection signals from real-life breaches and observing threat actors in the wild, across IdP, IaaS, PaaS, and SaaS. Permiso reports risks through its management console dashboards, which show posture and threat events. It can also send alerts via email, Slack, or API to SIEM and XDR solutions.
The solution can be purchased as individual modules (ISPM and ITDR) or as a single package.
Permiso has an established ITDR platform and intends to deliver new functionality and improvements.
Permiso is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Permiso scored well on a number of decision criteria, including:
Extended IdP integration: Permiso offers a wide range of prebuilt integrations across multiple IdPs and SaaS apps. It also provides APIs to allow customers to build custom integrations where needed.
Risk prioritization: The broad range of integrations allows the solution to ingest a wide array of telemetry. It uses this telemetry to highlight identity posture exposures, prioritized by criticality and blast radius. It takes the same approach with identity threat alerts, and its composite alerts are a good indicator of a likely compromise. Additionally, it features a Watchlist capability that allows customers to closely monitor high-risk identities—i.e., those with high privilege levels. Customers can also customize risk prioritization to address specific risk weighting.
Proactive protection: Permiso provides proactive protection through its ISPM capabilities, helping customers identify potential areas of risk and enabling them to plan and execute remediation actions. Additionally, it proactively alerts customers to threats through in-product notifications and research, and it offers hands-on support for customers to triage and address incidents or threats via its P0 Labs threat research team.
Opportunities
Permiso has room for improvement in a few decision criteria, including:
Enterprise security infrastructure integration: Although its catalog is not as extensive as that of some competitors, Permiso does offer some prebuilt integrations for security tools, and customers can utilize APIs to create additional ones. However, customers would benefit from an increased number of prebuilt integrations to simplify deployment.
Compliance management: The solution currently maps identity threats and attacks solely to MITRE and does not report identity within the context of broader compliance frameworks. Customers can create their own frameworks, but the platform would benefit from providing a wider range of compliance reports.
Automated incident response: The Permiso platform is designed to identify risks for security operations teams, so it does not provide automated responses natively on the platform. However, it can trigger response automation through integration with third-party tools.
Purchase Considerations
Permiso’s licenses are per human identity and subscription-based, with discounted multi-year enterprise license agreements (ELAs) available. Currently, pricing is only available directly through the vendor. However, it is developing a channel partner ecosystem.
As Permiso is a SaaS platform with a wide range of integrations, implementation should not be onerous, although professional services are available.
The vendor’s primary customers are large or cloud-native enterprises with the security maturity to consume and act on the alerts it provides.
Use Cases
Permiso addresses key use cases. It helps in identifying and reducing the risk of account takeover. Its broad integration and telemetry capabilities are used to identify insider risk. It also helps customers identify potential risks via its ISPM capabilities.
Proofpoint: Identity Threat Defense
Solution Overview
Proofpoint is a cybersecurity firm prioritizing a people-centric approach. Its cloud-based solutions help organizations counter targeted threats and bolster user resilience against cyberattacks. Proofpoint Identity Threat Defense (ITD) finds and addresses identity vulnerabilities and active threats across an organization’s identity infrastructure.
Proofpoint ITD comprises two main components: Spotlight for discovering and remediating identity vulnerabilities and Shadow for detecting threats using deception technology. Customers typically combine the two for robust identity threat protection. The solution integrates with various identity providers, including Active Directory, Entra ID, and Okta, collecting identity data from various sources, including cloud, PAM, IGA, and IAM tools. Threats are displayed within its administration console and in its email security Targeted Attack Protection (TAP) dashboards. ITD can prioritize and automate the remediation of vulnerabilities based on company policy. Its TAP module also identifies compromised cloud accounts and prevents takeovers. The solution features a unique endpoint analysis tool that deploys a dissolvable binary for 100 milliseconds for discovery and remediation tasks before self-deleting. It employs deception techniques to detect live attacks, providing insights into privilege escalation and lateral movement attempts. High-fidelity alerts, including screenshots, are sent to SOC teams. Its management platform enables security teams to conduct detailed analysis, automate risk remediation, and integrate with tools like PAMs and ITSM for service tickets and security workflows.
Proofpoint ITD is a mature solution. While it continues to innovate and deploy new capabilities, customers should anticipate they will be deployed within the current product suite.
Proofpoint is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Proofpoint scored well on a number of decision criteria, including:
Risk prioritization: Proofpoint offers risk-based prioritization of discovered vulnerabilities and threats, classifying them according to vulnerability and identity risk, as well as attack path. It integrates identity threats with the TAP dashboard, enabling users to identify high-risk targets and their potential attack paths if compromised. This aids security teams in prioritizing risks and focusing mitigation efforts effectively.
Proactive protection: The combination of Spotlight threat detection and Shadow deception technology allows users to set traps for attackers and analyze attacks in real time, providing experienced SOC teams with detailed insights into attacks and vulnerabilities and allowing them to strengthen their identity security. The product prioritizes identity vulnerabilities and facilitates automated remediation (usually applied to endpoints), as well as manual remediation through the organization’s ITSM system.
Incident response analysis: Shadow’s management console offers extensive real-time forensics on attacker activity, supplying security teams with crucial data on its proximity to critical assets. When an attack occurs, whether from a deception trap or an actual attack, the ITD product promptly collects vital forensic information, including system and process data, request headers, AD info, screenshots, risk insights, DNS data, network and connection details, shared locations, memory data, event logs, and more. This information equips incident responders and SOC analysts with necessary details to address the attack.
Opportunities
Proofpoint has room for improvement in a few decision criteria, including:
Extended IdP integration: The solution supports only a limited number of IdP integrations, including Active Directory, Entra ID, AWS Identity Center, and Okta. Moreover, custom integrations cannot be built, a limitation that is currently significant to how ITD operates. Increasing the number of supported integrations would benefit customers with complex identity platform infrastructures.
Compliance management: Proofpoint offers insights aligned with the MITRE ATT&CK framework and also provides analysis of common data security frameworks based on individual vulnerabilities. Customers can build analysis frameworks tailored to their specific needs. However, given the increasing demand to comply with more stringent requirements, enhanced coverage in this area would be beneficial.
Automated incident response: Proofpoint’s solution offers mitigation steps like blocking identities in the identity store, enforcing MFA configurations, and increasing audit levels on at-risk accounts for better visibility. It can also deploy additional deception technology to counter attackers. More advanced responses can be delivered via integration with CrowdStrike or Microsoft Defender, but it would be helpful to add more native capabilities to reduce reliance on external integrations.
Purchase Considerations
Proofpoint’s Identity Threat Defense is sold on an annual or multi-year subscription basis and is licensed per endpoint with tiers of endpoint price points. As the number of endpoints licensed goes up, the price per endpoint goes down. Pricing is available directly from the vendor or via its extensive channel partner ecosystem.
The solution is available as a SaaS offering and is also deployable on-premises. To fully exploit the on-premises deception technology, customers may need a certain level of cybersecurity maturity.
While the solution is available to companies of all sizes, Proofpoint focuses its ITD product more on companies with 1,000 users and above.
Use Cases
The Proofpoint solution addresses many use cases, including the continuous discovery, prioritization, and automatic remediation or initiation of manual remediation of identity vulnerabilities stemming from directory misconfigurations. It also detects and responds to threats using enterprise-wide deception technology and automatically remediates identity vulnerabilities exposed on endpoints.
Quest Software: Security Guardian
Solution Overview
Quest Software specializes in migrating, managing, and securing Active Directory and Entra ID. Its unified identity SaaS platform, known as On Demand, supports customer initiatives in migration, modernization, ITDR, and identity recovery.
Security Guardian is Quest’s ITDR solution, currently supporting ITDR exclusively for Microsoft’s Active Directory and Entra ID. This SaaS-based solution is part of Quest’s On Demand platform. It features a single management UI that integrates hygiene risk signals (the ability to identify misconfigurations that could leave a customer vulnerable) with threat and anomalous activity signals. The solution seamlessly integrates with Microsoft directories via consented applications for Entra integration and a lightweight agent for Active Directory. It offers a variety of useful capabilities for Active Directory environments, including security assessment, threat prevention, and a unified view of hybrid environments. The vendor focuses primarily on the protection of key Tier 0 accounts in Microsoft environments. Its new Shields Up capability can freeze changes to powerful Tier 0 objects when a threat is detected.
Quest has also invested in AI by developing integrations with Microsoft Security Copilot to incorporate AI capabilities into the platform, providing support for the security operations teams.
Security Guardian is a single platform that can be licensed for AD, for Entra ID, or for both. It is an addition to Quest's already-established SaaS platform, and we anticipate a high rate of change to the product as it fills capability gaps and adds new innovations.
Quest is positioned as an Entrant and Fast Mover in the Innovation/Feature Play quadrant of the ITDR Radar report.
Strengths
Quest scored well on a number of decision criteria, including:
Incident response analysis: Directory changes are streamed into the Security Guardian platform, where they become independent of the environment in which the incident occurred. This allows analysts to build an understanding of the broader context of the incident. Quest has also invested in new GenAI capabilities to assist security operations teams with the analysis of complex incidents.
Proactive protection: Quest’s Shields Up feature blocks all configuration access changes to Tier 0 accounts in real time. It achieves this by employing Azure AI and machine learning to automatically identify anomalous behaviors within Active Directory and Entra ID, such as unusual spikes in account lockouts, failed sign-ins, permission changes, and file access renames.
Risk prioritization: Currently, Security Guardian assesses the impact of risks by leveraging the expertise of Quest Active Directory and Entra ID specialists. Findings are ranked as Medium, High, or Critical to assist customers in prioritizing risks. This will be enhanced with the forthcoming GenAI release, which will offer further contextual risk analysis that integrates threat intelligence with the various signals within Security Guardian.
Opportunities
Quest has room for improvement in a few decision criteria, including:
Extended IdP integration: Security Guardian integrates only with AD and Entra ID. However, the lack of broader integrations is by design, as the solution is built to address the specific risks posed to Microsoft’s directory platforms.
Compliance management: Security Guardian findings are mapped only to the MITRE ATT&CK matrix. This is a strategic limitation implemented by the vendor, which does not perceive current customer demand for broader coverage. However, the solution could benefit from wider compliance coverage, as customers are increasingly required to meet heightened compliance requirements.
Enterprise security reporting: Security Guardian provides a clear, user-friendly interface for accessing threat and posture information. But the vendor has acknowledged that its reporting capabilities are focused on common use cases, offer limited customization, and produce reports that cannot be easily exported. The solution would benefit from improvement here. The vendor does have reporting enhancements and greater flexibility included in the product roadmap.
Purchase Considerations
Security Guardian is a subscription-based solution and is licensed per “managed person.” Pricing is available directly from Quest or through its established partner channel.
The vendor considers its solution simple to deploy, with most installations taking only one to two hours, but it can supply professional services if needed. Onboarding services are available to all customers, either in the form of an interactive session for larger clients or video-based assistance for smaller customers.
Customers should be aware that this solution is intended solely for Active Directory and Entra ID and does not integrate with any other identity platforms. The vendor focuses on both SMBs and large enterprise customers.
Use Cases
Security Guardian is designed to meet specific use cases by identifying the control plane for Active Directory and Entra ID (that is, Tier 0). It provides the capability to disrupt high-risk changes that may result from an attack before they can affect Active Directory. As the solution does not rely on native logs and uses its own telemetry, it can identify risks that are not typically visible, such as changes to individual GPO settings.
Segura: Segura 360 Privilege Platform
Solution Overview
Segura (formerly Senhasegura) is a global identity security vendor that helps organizations secure and manage privileged access to critical systems and data. Its goal is to eliminate privilege abuse, protect identities, maintain productivity, and ensure compliance with security standards.
Segura’s 360 Privilege Platform combines multiple modules for complete privileged access and identity security. It supports various deployment methods: SaaS, hardware appliances, and software. Its ITDR capability focuses on user and entity behavior analytics (UEBA), cloud entitlement management, and keystroke-based verification (keystroke dynamics identification, or KDI). The PAM approach positions ITDR directly before service access, reviewing entitlements to ensure swift responses to identity threats. The platform integrates with numerous IdPs, offering real-time behavior analytics and user identity insights. The KDI feature detects unusual or mimicked behavior through keystroke analysis. Quickium AI has been acquired to improve zero-day attack detection. The solution can display and record live sessions for analysis and incident reviews and includes attack path analysis for assessing the impact of breached identities.
The solution is available with various modules or license packs; however, it functions as a single unified platform. Customers will need the PAM Core module as a minimum for ITDR. Customers can expect the vendor to continue providing enhancements within its existing platform, as well as to see developments in emerging technology areas.
Segura is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ITDR Radar report.
Strengths
Segura scored well on a number of decision criteria, including:
Risk prioritization: Segura offers features for risk-based prioritization to help customers manage identity security threats. It ranks threats by risk level, allowing security teams to concentrate on critical issues. Each threat is assigned a risk score based on severity, potential impact, and likelihood of occurring. Administrators can assign weights to behavioral criteria according to security priorities, ensuring alignment with organizational policies and risk appetite.
Enterprise security infrastructure integration: The solution integrates with a broad range of tools within the security infrastructure stack, including SIEM, SOAR, ITSM, EDR, and XDR platforms. It employs industry-standard technologies and protocols to facilitate integration with a diverse selection of security tools, and also uses APIs and supports SCIM to enable customers to develop custom integrations.
Incident response analysis: The solution logs all actions within the platform, such as user activities, access attempts, command executions, and system events. It includes timestamps, user IDs, source IPs, and other relevant details. Full video recordings of user sessions, including keystrokes and on-screen actions, are also captured. This wealth of data enables investigators to thoroughly analyze incidents. Segura Intelligence, an AI feature using generative AI, further enhances incident response.
Opportunities
Segura has room for improvement in a few decision criteria, including:
Enterprise security reporting: Segura offers a wide range of reports, including benchmarking, risk analysis, trend analysis, and executive and compliance reports, and it integrates with Grafana for custom report building. However, the solution could be improved by offering prebuilt integrations with other enterprise reporting tools, as current integration is API only.
Automated incident response: The solution automatically blocks at-risk identities based on policies and anomalies. Its Segura Intelligence tool auto-generates CloudFormation and Terraform scripts to remediate risks. Adding a comprehensive orchestration option that could trigger complex external actions would be beneficial to some customers, as this currently requires external automation from SIEM or SOAR solutions.
Proactive protection: The solution continuously monitors the IT environment for security threats and vulnerabilities, notifying administrators of anomalies in processes, integrations, connectivity, or access attempts. However, customers are increasingly seeking deception technologies for further protection, which this solution currently lacks.
Purchase Considerations
Segura's licensing is based on the use of one of its four modules: PAM Core, Certificate Manager, DevOps Secrets Manager, and Endpoint Privilege Manager. PAM Core is required for ITDR and is licensed per user. Contract terms are one- to three-year commitments. Segura supports three licensing options: Perpetual, Subscription, and SaaS.
While deployment is designed to be easy, the vendor does offer a range of professional services for those who desire additional support during deployment. Its "PAM Success Green Path" Program guides customers to achieve best practices in their adoption.
Use Cases
The Segura solution addresses a number of complex use cases. It helps organizations achieve comprehensive privileged access management to enhance security and compliance, and helps reduce the complexity that stringent regulatory standards such as GDPR, HIPAA, PCI DSS, and ISO 27001 add. It also helps to improve secure machine-to-machine communications by managing digital certificates and cryptographic keys throughout their lifecycle.
SentinelOne*
Solution Overview
SentinelOne specializes in endpoint, cloud, and identity security, offering its customers threat prevention, detection, response, remediation, and forensics.
SentinelOne’s Singularity Identity, a SaaS solution, includes two modules: Identity Posture Management and Threat Detection and Response. It primarily protects Microsoft Active Directory and also integrates with Okta. The threat detection module secures Active Directory and domain-joined endpoints in real time, using Sentinel agents for enhanced protection, while Posture Management assesses configurations to identify misconfigurations, vulnerabilities, and threats to Active Directory and Entra ID, providing actionable insights to reduce risks. SentinelOne is an XDR vendor, and its Singularity Identity integrates well across various platforms. It uses deception technology to attract attackers, allowing analysts to detect and mitigate ongoing threats. Additionally, SentinelOne’s investment in Purple AI helps improve security operations with case summaries, language translation, and natural language queries.
While the solution is available as part of the broader Singularity XDR platform, customers can also purchase the ITDR components as standalone solutions.
Customers should anticipate improvements and new features being integrated into the existing Singularity product set.
SentinelOne is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
SentinelOne scored well on a number of decision criteria, including:
Proactive protection: SentinelOne can implement robust proactive measures, offering valuable insights into risk and providing a degree of automated risk reduction, and can employ deception technology to enhance these capabilities. Its capacity to proactively scan AD and Entra ID for potential risks and offer clear mitigation steps is also useful.
Enterprise security infrastructure integration: The SentinelOne Singularity solution offers a comprehensive array of integrations, giving customers numerous options for incorporating their existing security investments. SentinelOne features an integration marketplace that contains a substantial number of prebuilt integrations available for customers to utilize.
Incident response analysis: SentinelOne’s Purple AI module has simplified incident investigation by assisting with queries, sharing insights, and achieving quicker response times. This solution offers robust incident analysis, enabling users to explore attacks, including attack paths, so the analysis can reveal broader potential impacts. Threats are aligned with the MITRE ATT&CK framework, providing a common language for operations teams during incident handling.
Opportunities
SentinelOne has room for improvement in a few decision criteria, including:
Compliance management: SentinelOne aligns threat guidance with threat frameworks such as the MITRE framework. However, it would benefit from incorporating a broader compliance risk reporting mechanism, as numerous organizations require adherence to an increasingly demanding set of compliance standards.
Extended IdP integration: SentinelOne offers a range of prebuilt IdP integrations with leading vendors such as Okta, Zscaler, and CyberArk. However, customers should be aware that its identity protection is currently limited to Active Directory and Entra ID. Extending this protection would enhance the appeal of the platform to organizations that do not run Microsoft directories.
Risk prioritization: While SentinelOne provides a solid level of insight and clearly indicates top risks, prioritizing them seems to require additional investigation. Making risk prioritization easier to locate would be advantageous. Additionally, it is not clear whether customers can customize risk priorities to ensure they align with the organization's risk appetite.
Purchase Considerations
SentinelOne provides an overview of its licensing packages on its website. Identity Threat Detection and Response is included as part of its Commercial and Enterprise plans. Plans are based on a subscription and are licensed per workstation. ITDR can also be purchased as a standalone add-on.
As a SaaS product with a broad range of integrations, the platform should not be overly complex to deploy and integrate with existing systems. Its effective use of AI may also assist in lowering operational overhead.
Use Cases
SentinelOne addresses a variety of use cases. This includes providing identity protections at the endpoint, such as detecting identity misuse and reconnaissance aimed at critical domain servers, service accounts, and local credentials. Endpoint cloaking and deception techniques also inhibit adversaries. Furthermore, the solution helps to enhance posture management, significantly reducing the organizational attack surface.
Sharelock: Sharelock Identity Security Platform
Solution Overview
Sharelock focuses on identity security through AI-driven solutions. It develops advanced technologies for identity security, offering scalable solutions tailored to complex identity infrastructures.
The Sharelock Identity Security Platform (ISP) merges ITDR with ISPM. It uses AI technologies and behavioral analysis to combat identity risks efficiently. The solution connects with various identity systems like Active Directory, Okta, and AWS, and with SaaS platforms such as SAP, Salesforce, and Microsoft 365. Its detection capabilities employ machine learning algorithms to analyze user behavior in real time and follow the MITRE ATT&CK framework for consistent threat mapping. Sharelock produces prioritized alerts based on severity and related anomalies, escalating to incidents when multiple signals indicate broader threats. The platform offers reports detailing affected identities, threat severity, and mitigation recommendations. The solution manages posture by assessing identity management security gaps like orphan accounts or MFA deficiencies and resolving them with no-code workflows.
Sharelock combines ITDR and ISPM into a single platform powered by agentic AI, automating posture management and threat response. Out-of-the-box processes, like Security Investigation Autopilot (SIA), utilize autonomous agents that integrate with security sources to enforce and remediate identity posture. Agents share insights across ITDR and ISPM for 360° identity visibility and continuous risk mitigation.
ITDR is available as part of the vendor's consolidated Identity Security platform but can also be purchased as a standalone module.
Sharelock offers a broad range of capabilities within a stable platform. Customers should expect to see improvements made within that platform. They can also expect to see developments in emerging technology areas.
Sharelock is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the ITDR Radar report.
Strengths
Sharelock scored well on a number of decision criteria, including:
Automated incident response: Sharelock’s agentic AI provides a flexible automation solution, allowing AI bots to perform initial incident analysis and automate mitigation steps to block at-risk identities and credentials. The platform features automated responses to threats for rapid containment, including disabling compromised accounts, enforcing multifactor authentication (MFA), terminating risky sessions, and starting access recertification campaigns.
Extended IdP integration: Sharelock provides extensive integrations across various identity platforms, such as Okta, OneLogin, Entra ID, and Active Directory (on-premises), in addition to identity governance systems, PAM, and business applications like SAP, Salesforce, and Microsoft 365. It offers prebuilt integrations but also allows customers to create custom integrations when needed.
Risk prioritization: Sharelock provides comprehensive risk identification and prioritization. It combines multiple indicators of behavior (IoBs) to generate composite signals that correlate related anomalies to reveal larger threats. It enhances risk prioritization by integrating with external threat intelligence systems. Administrators can also modify the weight of specific IoBs or set thresholds for alert generation.
Sharelock was classified as an Outperformer due to its innovative agentic AI approach, which enables it to create comprehensive intelligent automations. It possesses a strong roadmap that should accelerate its development.
Opportunities
Sharelock has room for improvement in a few decision criteria, including:
Compliance management: Currently, compliance management is limited to alignment with MITRE. As organizations increasingly must meet compliance demands, the development of a compliance reporting engine would be useful.
Proactive protection: Sharelock’s posture management allows it to identify vulnerabilities such as orphan accounts, MFA gaps, and excessive privileges. It also integrates with external threat intelligence feeds to detect leaked credentials on the dark web and other sources. However, it currently lacks support for deception technology, which organizations are increasingly finding beneficial in combating identity attacks.
Enterprise security reporting: The solution provides a reporting framework for comprehensive insights into an organization’s identity threats and security posture. However, it currently lacks integration with external reporting tools like Power BI or Tableau, a valuable addition for many enterprises.
Purchase Considerations
Sharelock uses a per-user subscription-based licensing model. Potential customers should be aware there is a minimum commitment of two years to its subscription. The company does not offer public pricing information; this can be gained from its sales team or through its network of trusted partners.
Sharelock is designed to be simple to deploy and configure, requiring minimal professional services. However, for customers with specific needs or advanced customizations, Sharelock offers access to its in-house experts or certified partners to provide tailored support.
Use Cases
The Sharelock Identity Security Platform addresses multiple use cases, such as detecting and responding to identity threats like credential misuse, privilege escalation, and lateral movement. It enhances identity hygiene by addressing vulnerabilities like orphan accounts, unused MFA devices, and excessive privileges. Its use of agentic AI simplifies automated threat responses, minimizing manual effort for security teams and speeding up threat management resolution.
Silverfort: Identity Security Platform
Solution Overview
Silverfort is a vendor that specializes in identity security. Its aim is to break down the silos of identity infrastructure and point solutions to eliminate security gaps and blind spots.
Silverfort’s Identity Security Platform uses patented Runtime Access Protection to natively integrate with existing IAM solutions to provide inline enforcement of security controls like MFA. The native integration also provides real-time visibility and risk analysis for authentications, enforcing MFA or blocking access if triggered. It reduces compromised credential threats by monitoring the identity attack surface. It protects against credential access attempts, privilege escalation, and lateral movement, blocking them in real time across any user, admin, or non-human identity, whether on-premises or in the cloud. The solution analyzes all access attempts, identifying anomalies in authentication protocols and user behavior that signal compromise risk. Its extensive data collection provides rich analytics, including identity security posture reports, detailed log analytics, and real-time actionable insights dashboards. The solution's self-hosting deployment options for on-premises and cloud have been enhanced by its new SaaS platform.
While Silverfort ITDR is not a separate product, it is included at no charge in all of its solution suites, and regardless of the suite purchased, identity protection operates across the entire infrastructure and covers all users.
The platform is well established, and while the company continues to improve its platform, including via acquisition, customers should expect to see these innovations within the current solution framework.
Silverfort is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Silverfort scored well on a number of decision criteria, including:
Risk prioritization: Silverfort gathers data from multiple feeds, including SIEM, EDR, and multiple IdPs, to map and prioritize risks across identity vectors. The solution offers clear guidance on addressing threats and identifying key risks. Customers can customize risk prioritization to align with their organization’s risk appetite.
Extended IdP integration: Silverfort connects to a good range of IdPs, which includes Microsoft Active Directory, and has extended to cover Azure Data Factory (ADF). It also integrates with PingFederate, Okta, AWS, Google, and Azure. Its recent acquisition of Rezonate will extend this integration to even more SaaS tools.
Enterprise security infrastructure integration: Silverfort provides a wide range of integrations with major vendors. This includes many prebuilt integrations as well as the ability for customers to build custom integrations via webhooks. The solution also integrates across SIEM, SOAR, and XDR platforms to allow the automation of security enforcement or trigger protection workflows.
Opportunities
Silverfort has room for improvement in a few decision criteria, including:
Compliance management: While Silverfort is able to analyze identity security against good practice and security standards, it is not currently able to review it in the context of compliance and governance frameworks, a feature customers would find useful.
Proactive protection: The solution provides proactive protection through its enforcement of MFA and access blocking. However, it lacks support for methods such as deception technology, which many organizations are finding to be a valuable tool in combating identity attacks.
Enterprise security reporting: Silverfort does offer a good level of technical reporting. However, it currently lacks reports that cover nontechnical areas such as business value, risk, and progress against baselines. These are areas many organizations find valuable and would be a beneficial addition.
Purchase Considerations
Silverfort’s ITDR and ISPM are not sold separately; instead, they are included at no extra charge within any of its base packs, which are licensed per user. Regardless of the number of users included in a base pack, all users are covered for ITDR. Customers should be aware there is a minimum value of $30,000 for any Silverfort contract.
The solution is not particularly complex to deploy. However, Silverfort does offer support services around threat hunting and incident response if needed.
While this is a solution that is suitable across all types and sizes of businesses, the minimum contract level may make it commercially unviable for smaller customers.
Use Cases
A key use case for Silverfort is the proactive prevention of lateral movement using MFA as a verification control, which is enforced on top of command-line access tools to effectively disarm adversaries' tools. Another is real-time incident response, in which it contains the spread of detected attacks with a single click by blocking access for all users within a suspected segment.
Varonis: Unified Data Security Platform
Solution Overview
Varonis is a data security vendor whose Unified Data Security Platform offers protection for complex data ecosystems. Varonis is a long-established vendor in this space with a large global customer base across all industries.
The Varonis platform is primarily offered as a SaaS solution and is also available on the Azure and AWS marketplaces. It provides extensive integrations across SaaS, on-premises, IaaS/PaaS, and databases, using APIs or a local collector. Agents are only required where native APIs do not offer sufficient visibility and control (for example, Windows/Linux servers).
Identity Protection is a core feature included in all solutions. For instance, a customer purchasing Varonis for Microsoft 365 also receives Identity Protection, which analyzes both identity behavior and data risk, correlating this telemetry to identify identity-based threats.
The solution offers centralized access control for easy review, modification, and revocation of access while adhering to policies and regulations. Its threat models alert users to potential risks such as brute force attacks or unusual login locations and provide automated responses to mitigate risks at scale.
Varonis has made significant investments in AI, with its Athena assistant providing a variety of optimizations to assist operations staff. Additionally, its Managed Data Detection and Response (MDDR) service serves as a valuable asset for organizations prepared to invest in additional expertise.
The identity solution continues to evolve but does so within the framework of its existing solutions.
Varonis is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Varonis scored well on a number of decision criteria, including:
Compliance management: Varonis provides out-of-the-box support for compliance frameworks like Sarbanes-Oxley, PCI-DSS, GLBA, HIPAA, CCPA (CPRA), GDPR, UK Data Protection Act, New Zealand Privacy Act, NY SHIELD, Colorado Privacy Act, Virginia CDPA, CJIS, and more. Customers can also customize rules and adjust visual dashboards to monitor key parameters.
Incident response analysis: Varonis records every action on customer data and identities in the cloud and on-premises. Analysts access a searchable history of data events enriched with context like sensitivity, account type, device name, and geolocation. Incident alerts align with the MITRE ATT&CK framework for easy tactic/technique filtering. Varonis’s Athena AI enables customers to conduct investigations and analysis using natural language more efficiently.
Enterprise security infrastructure integration: Varonis supports a broad range of integrated platforms across SIEM, SOAR, EDR, web gateways, and firewalls. This includes vendors such as Microsoft, Splunk, Cisco, and Fortinet. Where an integration is not available, customers can build custom ones.
Opportunities
Varonis has room for improvement in a few decision criteria, including:
Risk prioritization: Varonis prioritizes threats by severity, based on factors like privileged identities, access to sensitive resources, common frameworks, potential impact, and breach likelihood. MDDR customers benefit from additional criteria for imminent threats like ransomware. It would be useful if this information and the ability to customize priorities were available for unmanaged customers.
Automated incident response: While the solution offers automated responses for data and access, it has limited automated responses for Active Directory and identity management. However, MDDR customers benefit from Varonis AI, which analyzes alerts, performs initial investigations, and triggers automated responses. Expanding these capabilities to unmanaged customers would be beneficial.
Proactive protection: Varonis scans for leading indicators of compromise and connects them across multiple clouds. However, the Varonis platform currently does not survey or stream threat intelligence regarding large-scale credential leaks and breaches. This would be a useful addition, as would support for the use of deception technology, which is becoming an increasingly valuable tool in tackling identity-based attacks. This addition is on the vendor's roadmap.
Purchase Considerations
Varonis is a modular solution licensed on a per-user, per-module basis. The exception to this is IaaS services, where licensing is based on capacity. Licenses are available as annual subscriptions.
As this is a SaaS platform, deployment should not be overly complex, and Varonis, as part of its onboarding process, works with its customers to fine-tune policies and identity threat alerting.
For customers seeking extra expertise and resources, Varonis’s MDDR service enhances capability and reduces the overall number of actionable tickets a customer is likely to encounter.
This is a solution targeted at larger businesses and is unlikely to be appropriate for smaller organizations.
Use Cases
Varonis addresses the multicloud complexity many organizations face by providing uniform ITDR capabilities across the entire data estate. Customers managing multiple SaaS applications with local accounts and numerous instances of cloud infrastructure are able to detect and mitigate identity threats for each resource using the same Varonis platform. The solution also performs well in regulated industries requiring comprehensive compliance reporting to prevent identity risks from escalating into data risks.
Vectra AI: Vectra AI Platform
Solution Overview
Vectra AI provides a hybrid attack detection, investigation, and response solution. It brings together threat information from networks, identities, the public cloud, SaaS, and GenAI and uses its patented Attack Signal Intelligence to help organizations detect, prioritize, investigate, and halt identity cyberattacks.
The Vectra AI Platform tackles identity security with a dual focus on posture and post-compromise. It proactively detects misconfigurations that attackers could exploit, including vulnerabilities in AI technologies. During and after an attack, it employs AI detection of anomalous behavior to prioritize threats targeting human and non-human identities across an organization. Using machine learning, the platform analyzes identity behavior and correlates activities within the environment, assessing risks with an urgency score based on attack severity and entity importance. High-priority threats are displayed in clear dashboards, allowing users to quickly understand and mitigate ongoing risks. Integrations with Active Directory and Entra ID facilitate account disabling and force MFA reprompts for high-risk identities. Additionally, with suitable EDR integration, the platform can isolate high-risk machines. Mitigation automation can be further enhanced via API.
The complete solution is offered in five separate modules covering on-premises, SaaS, and cloud environments. ITDR is available in any of these modules and can be deployed specifically to address any individual area.
The vendor provides a comprehensive and continually evolving platform, and customers can expect to see new capabilities and improvements within the bounds of the existing platform. They should also expect to see developments in emerging technology areas.
Vectra AI is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the ITDR Radar report.
Strengths
Vectra AI scored well on a number of decision criteria, including:
Proactive protection: Vectra AI offers proactive solutions by continuously monitoring networks, identities, clouds, and GenAI tools to identify security gaps. It provides active posture visibility, allowing real-time insights into the attack surface and exposure. Its Offensive Security Assessment enables organizations to simulate phishing-driven credential theft attacks to test their security posture and validate detection effectiveness. Vectra AI Platform, with its managed services, can block domains, reset passwords, or lock accounts to prevent exploitation.
Automated incident response: Vectra AI provides automated response capabilities to swiftly stop attackers, allowing security teams to lock down accounts and revoke sessions for compromised identities. Cloud-native workflows enable isolation of cloud principals across regions. Integrated responses allow teams to isolate threats that reach specific thresholds on the Vectra AI platform using EDR, SIEM, SOAR, and ITSM, automating incident response playbooks.
Risk prioritization: The solution gathers broad threat telemetry to prioritize risks, and uses its AI Prioritization feature to correlate identity threats with the importance of affected entities. It combines the severity of AI detection events, linked to MITRE ATT&CK techniques, with its Privilege Access Analytics capabilities to assess potential misuse of high-privilege identities. The platform generates urgency scores, ensuring only critical threats require immediate attention, thus reducing alert fatigue and enhancing response efficiency.
Vectra AI was classified as an Outperformer thanks to its strong focus on developing AI-based automations and intelligence to help customers optimize their security operations. The company continues to deliver innovation and has a strong roadmap.
Opportunities
Vectra AI has room for improvement in a few decision criteria, including:
Compliance management: Vectra AI provides an Identity Posture Dashboard that clearly identifies potential risks. These are primarily evaluated against security controls such as MITRE and NIST rather than business compliance frameworks. Increasingly, organizations are required to meet stringent compliance demands, with identity being a part of this. Offering enhanced insight into how security risk may affect compliance would be a valuable addition.
Extended IdP integration: Vectra AI's solution integrates with AD and Entra ID, and provides visibility and threat detection for organizations using Okta by monitoring attacker interactions within Azure AD (Entra ID) and M365. It offers APIs for customers wishing to build custom integrations. However, the vendor's out-of-the-box integrations are relatively limited. Including additional integrations with other popular IdPs would be beneficial.
Enterprise security reporting: The Vectra AI platform offers a fully customizable view of threats and emerging risks within the environment, assisting teams in proactively monitoring and responding to evolving threats. However, it appears limited in its capacity to integrate this reporting with other enterprise reporting tools, such as Power BI. While providing APIs enables customers to create custom integrations, simplifying the process with out-of-the-box integrations would facilitate adoption for customers.
Purchase Considerations
The licensing for the Vectra AI Platform depends on the coverage area. Active Directory and local network identities are based on the number of active IPs/devices, whereas Entra ID and M365 SaaS licensing rely on the number of monitored identities. Coverage for Azure and AWS cloud environments is determined by specific resource and log volume metrics. Licensing operates on a subscription basis, with customers typically purchasing a license for one to three years. Perpetual licensing is not available. Pricing is obtained through Vectra AI and its partner network.
Implementation is simplified through Vectra AI's agentless design. The company offers in-app guides at no extra cost, facilitating rapid onboarding and ongoing product comprehension. Customers have the option to purchase professional services to assist with deployment and onboarding when needed.
For customers requiring additional security resources, Vectra AI’s ITDR coverage can be delivered as part of its managed detection and response service.
Although the solution is appropriate for all types of businesses, the primary target market is companies with 500 or more employees.
Use Cases
Vectra AI delivers capabilities for stopping human and non-human identity attacks across multiple platforms, improving identity hygiene through proactive posture assessment, and enhancing threat hunting by providing deep forensics and threat-hunting capabilities.
Zscaler
Solution Overview
Zscaler provides security solutions for both SMBs and enterprises. Its cloud-native Zero Trust Exchange platform is designed to securely connect users, devices, and applications, regardless of location.
Zscaler’s ITDR solution, part of its Zero Trust Exchange platform, offers visibility into identity misconfigurations and risky permissions. Deployed as a SaaS solution, it has three main capabilities: Identity Attack Surface Visibility, Identity Change Detection, and Identity Threat Detection. ITDR uses a client connector that connects users and resources, which can be activated from the central console. It integrates with Microsoft Active Directory, Entra ID, and Okta, scanning the directory upon connection and presenting results in 15 to 30 minutes. Dashboards provide insights into risks, prioritized for security team assessment. Operations receive remediation guidance through walkthroughs and videos. ITDR continuously monitors for real-time threat detections, alerting SOC teams to active threats, with alerts forwarded to SIEM tools. It includes its own orchestrator for building custom automated workflows.
Zscaler’s solution is modular; the identity threat detection capabilities are available as an add-on module to the basic plan or as part of one of Zscaler’s license bundles.
With an established product, customers should expect that ongoing developments and additions will occur within the familiar Zscaler solution.
Zscaler is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ITDR Radar report.
Strengths
Zscaler scored well on a number of decision criteria, including:
Proactive protection: Zscaler provides numerous options for customers to proactively address risks, and this is enhanced with videos and walkthroughs that help identify and mitigate threats. The platform scans Microsoft directories every 15 minutes for changes impacting security. Additionally, it uses deception technology to attract attackers, enabling assessments without affecting production identities.
Enterprise security infrastructure integration: Via the Zscaler client, the ITDR solution is able to gather a comprehensive set of threat telemetry, giving it broad application coverage. It also offers integrations with a wide range of SIEM, SOAR, and EDR solutions, as well as providing open APIs that enable further custom integrations for telemetry sharing.
Automated incident response: Zscaler provides several native remediation options. Its detectors identify threats such as DCSync, DCShadow, Kerberoasting, session enumeration, privileged account access, and LDAP enumeration. With these threat insights, security teams can quickly identify and mitigate those risks. The solution also provides a comprehensive native orchestration engine that, thanks to the integration with its client agent, can build workflows to effectively lock down risky behavior.
Opportunities
Zscaler has room for improvement in a few decision criteria, including:
Extended IdP integration: While Zscaler offers comprehensive integration with Microsoft’s user directories and Okta, it does not provide other out-of-the-box integrations. Expanding these integrations could prove useful for larger customers with multiple identity platforms and locations.
Incident response analysis: While Zscaler offers good investigation capabilities with all threat detection events visible in an interactive graphical reporting tool, it is not clear how this is enhanced with the use of AI-based assistance. Such assistance is becoming increasingly commonplace and valuable, and any lack of these capabilities in the Zscaler platform will be to its detriment.
Risk prioritization: Zscaler offers clear dashboards that highlight a variety of threats, including its Identity Posture Dashboard, where the highest-risk users and threats are clearly prioritized. However, it remains unclear whether customers can customize risk scoring and prioritization. This capability would be beneficial to ensure risk reporting aligns with the organization's risk appetite.
Purchase Considerations
Zscaler's ITDR capabilities are available as part of its wider solution, and they can be licensed as one of its bundle packages or as a separate add-on to its Essential package. The license is on a subscription basis and calculated on the number of individual users accessing a Zscaler service, which are termed seats.
As a SaaS-only product, the solution should not be burdensome to deploy, and the wide range of integrations should simplify deploying it in existing environments. The vendor has a substantial ecosystem of well-established partners alongside its own professional services team to assist where customers find it necessary.
Use Cases
Zscaler addresses a wide range of use cases, including identity attack surface visibility, which provides a risk score for quantifying and tracking identity posture. It features MITRE ATT&CK mapping to enhance visibility into security blind spots, and through identity hygiene management, it identifies new misconfigurations as they emerge. Additionally, it helps drive time to value with ready-made guidance, commands, and scripts for threat response remediation.
6. Analyst’s Outlook
Identity is a key attack vector for cybercriminals and often drives cybersecurity breaches. Organizations should proactively identify risks and quickly isolate and stop active incidents as part of their cybersecurity strategy.
Vendors are increasingly addressing identity threats, and since our last report, the market's approach has become more consistent, with vendor strategies mainly falling into three categories:
Full ITDR platforms: These solutions integrate with popular identity platforms, using their telemetry to assess security risks and respond quickly. They may require agents across an estate or integrate with enforcement tools for real-time threat mitigation. These platforms are ideal for all organizations, but they may require the replacement of some existing components.
Threat analytics platforms: These solutions offer broader integrations and gather telemetry from various sources. They use analytics to normalize threat data and provide risk guidance through proactive alerting or integration with SIEM, SOAR, or ITSM platforms for automated responses. They are ideal for enterprises with mature technology stacks wanting enhanced identity threat insights without replacing existing investments.
Specific solutions: These solutions generally do not offer a complete ITDR approach, instead concentrating on a particular area. However, they can help reduce identity attack risks. For instance, vendors specializing in deception technology can add an effective additional layer of protection. Vendors offering this type of solution are ideal for those with existing identity security solutions seeking enhancements in specific areas.
Addressing identity threats is a complex problem. However, there are some initial steps potential customers can take to better understand their requirements and narrow down potential vendors.
Understand current identity platforms: This should include capabilities related to current user directories, third-party locations such as SaaS apps, external identity platforms, and non-human identities such as applications and machine accounts. The more locations, the broader the potential solution’s integrations must be.
Evaluate existing investments to determine if they might address your needs: Many vendors offer additional capabilities. For instance, XDR vendors are adding ITDR capabilities, as are vendors providing PAM and identity governance. Consider whether any current technology partners or investments can offer a solution.
Look at response automation: Assess the response types you might need. For simple account locking and risk activity displays, most platforms are sufficient. For comprehensive needs, including device isolation, evaluate both the platform's native features and integration capabilities with existing organizational tools.
Assess a platform’s proactive approaches: Taking a proactive approach to identity security helps to reduce risk. Deception technologies can provide value here, though they add complexity and require a mature understanding of security approaches. Consider whether your organization has the necessary skills and experience to take advantage of them.
Weigh your security maturity: Identity threats are complex and require quick responses. Understanding your security maturity is vital when selecting ITDR solutions. Fully automated options are appealing for those with limited experience and resources, while more mature organizations may prefer solutions that integrate widely, enhance telemetry to identify threats, and trigger security responses.
ITDR will continue to evolve. The use of AI in operations will increase, along with automation and proactive identity threat detection capabilities like deception technology and posture assessment. Market consolidation is expected to continue, driven not only by vendor mergers and acquisitions but also by expanding capabilities across identity governance, access control, and privileged access management. Vendors are increasingly addressing a broader range of threat vectors—including endpoints, SaaS, and cloud environments—in order to compete more effectively and capture greater market share.
Identity poses a significant security risk and is a primary target for cybercriminals; robust security and proactive protection must therefore be a priority. ITDR solutions can substantially mitigate risk and should be a part of every organization’s security considerations.
To learn about related topics in this space, check out the following GigaOm Radar reports:
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Paul Stringfellow
Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.
Paul hosts his own enterprise technology webcast and writes regularly on his blog.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2025 "GigaOm Radar for Identity Threat Detection and Response (ITDR)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.