The rules of cybersecurity have changed. In a world powered by SaaS and remote work, identity - NOT infrastructure - is now the first line of defense. Traditional perimeter-based tools were built for networks and endpoints, not for today’s reality of decentralized users, cloud apps, and distributed access. 95% of cybersecurity incidents occur due to human behavior and actions.
Recent breaches have shown that attackers no longer need to break in - they just log in! As companies rapidly adopt SaaS platforms, every new app brings more identities, permissions, and potential risk. Security teams are realizing the real threat surface is no longer on-prem - it’s identity.
That’s where Identity Threat Detection and Response (ITDR) comes in. This emerging discipline is helping organizations detect, prioritize, and respond to identity-based threats across SaaS ecosystems.
In this blog series, we’ll explore how ITDR is reshaping security strategies in 2025, and how your team can stay ahead of the curve.
What is ITDR? A Definition for 2025 and Beyond
Identity Threat Detection and Response (ITDR) is a cybersecurity practice that focuses on protecting digital identities - users, credentials, and entitlements - by detecting suspicious behavior, flagging misuse, and enabling fast response to identity-based threats.
Where traditional security tools focus on endpoints or networks, ITDR zeros in on the who, what, and where behind identity activity across your organization. It monitors how accounts and users behave, identifies anomalies based on context and risk, and surfaces threats like lateral movement, privilege escalation, and unauthorized access - especially within cloud and SaaS platforms.
At its core, ITDR answers a critical question: Are the right identities doing the right things, at the right time, for the right reasons?
Modern ITDR platforms integrate identity behavior analytics, access context, and adaptive risk scoring to surface threats that might otherwise go unnoticed. They don’t just detect; they enable security teams to respond - whether that means revoking access, remediating permissions, enforcing step-up authentication, or alerting security or SOC teams for deeper investigation.
As more organizations embrace remote workforces and decentralized SaaS environments, ITDR is becoming a strategic imperative.
SaaS Growth Has Fueled the Rise of Identity Threats
The rise of SaaS has transformed how businesses operate - and how attackers operate, too.
Today’s typical organization runs hundreds of SaaS applications, each creating new users, roles, permissions, and inter-app connections. Identities are everywhere: in HR systems, collaboration platforms, DevOps tools, finance software, and beyond. This explosion of cloud identities - many of which are unmanaged or misconfigured - creates an expanded attack surface that traditional tools weren’t built to defend.
Attackers know this. They target weak identity controls, dormant accounts, and overly permissive access. Just one compromised credential can give them the foothold they need to navigate through your SaaS stack undetected.
Consider this:
- Over-permissioned users across SaaS apps can go undetected without centralized visibility - leaving sensitive data wide open to misuse or abuse.
- Unmanaged third-party access and unsanctioned SaaS tools (Shadow Apps) introduce identities your security team may never see until it’s too late.
- Misconfigured OAuth grants and app integrations can silently expose critical data, often without triggering any traditional security alerts.
And because SaaS environments are dynamic, with permissions and usage patterns constantly shifting, static security policies fall short. What’s needed is continuous visibility and contextual awareness, which are hallmarks of a strong ITDR program.
In this new era of SaaS, identity is more than just a user profile, it’s a potential vulnerability. Protecting it requires a purpose-built approach.
Why Legacy Security Tools Fall Short
Despite significant investment in cybersecurity tools, many organizations still lack visibility into identity-driven threats. Why? Because most legacy solutions were never designed with identity as the focal point.
Traditional perimeter-based tools - like firewalls, VPNs, and endpoint detection systems - were built to secure devices and networks, not cloud users and roles. Even more modern technologies like SIEMs and XDR platforms can struggle when it comes to identity-specific context across SaaS environments.
They’re great at aggregating logs and highlighting anomalies, but without understanding who the identity is, what they’re supposed to do, and how they typically behave, detection efforts fall flat.
Without context, this data means nothing, and it can lead to false positives. All the logs in the world are useless if you can’t correlate the actions to the user level.
For example:
- A spike in file-sharing activity might be flagged - but if it’s coming from a manager onboarding a new hire, that could be perfectly normal business behavior.
- An unusual login from a new location might trigger an alert - but if the user is part of the traveling sales team, it’s expected activity.
- Access to sensitive financial data by a contractor might raise concern - but if their identity is tied to a temporary auditor role in your HRIS around tax season, that access may be fully authorized.
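The three cases above, worked as an added example (not from the original post and not DoControl's implementation): a context-free detector's base severity is adjusted with identity context, and missing or expired context does not suppress the alert. The schema, user names, scores, and dates are constructed assumptions.

```python
from datetime import date

# Constructed identity context standing in for IdP/HRIS data (hypothetical schema).
CONTEXT = {
    "maria": {"role": "manager", "onboarding_until": date(2025, 3, 14)},
    "sam": {"role": "sales", "travels": True},
    "lee": {"role": "contractor",
            "grants": {"finance": (date(2025, 3, 1), date(2025, 4, 15))}},
}

# Base severity per raw signal, as a context-free detector would assign it.
BASE = {"share_spike": 60, "new_location_login": 50, "sensitive_access": 80}

def score(event, context=CONTEXT):
    """Return (risk, reason) for one event after applying identity context."""
    risk = BASE[event["signal"]]
    who = context.get(event["user"])
    day = event["day"]
    if who is None:
        # Unknown identity (e.g. an unmanaged account): nothing justifies it.
        return min(risk + 20, 100), "no identity context"
    if event["signal"] == "share_spike":
        until = who.get("onboarding_until")
        if who["role"] == "manager" and until and day <= until:
            return risk - 40, "manager onboarding a new hire"
    elif event["signal"] == "new_location_login":
        if who.get("travels"):
            return risk - 30, "traveling role"
    elif event["signal"] == "sensitive_access":
        window = who.get("grants", {}).get(event["resource"])
        if window and window[0] <= day <= window[1]:
            return risk - 50, "time-boxed grant is active"
        if window:
            # Expired or not-yet-valid grant: stale context must not suppress.
            return min(risk + 10, 100), "grant outside its validity window"
    return risk, "no mitigating context"

# Constructed sample events.
EVENTS = [
    {"user": "maria", "signal": "share_spike", "day": date(2025, 3, 10)},
    {"user": "sam", "signal": "new_location_login", "day": date(2025, 3, 10)},
    {"user": "lee", "signal": "sensitive_access", "resource": "finance", "day": date(2025, 3, 20)},
    {"user": "lee", "signal": "sensitive_access", "resource": "finance", "day": date(2025, 5, 2)},
    {"user": "ghost", "signal": "share_spike", "day": date(2025, 3, 10)},
]

def triage(events, threshold=50):
    """Return events still at or above threshold once context is applied."""
    return [(e["user"], *score(e)) for e in events if score(e)[0] >= threshold]
```

Only the contractor's access after the grant expired and the share spike from an identity with no context survive triage; the same raw signals from the manager, the sales user, and the in-window auditor drop below the threshold.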
Additionally, traditional tools often operate in silos, lacking integration with identity providers, SaaS platforms, and cloud access management tools. This fragmentation leads to alert fatigue, missed signals, and delayed responses.
In short, the identity layer has become the modern perimeter, but most security stacks haven’t caught up. That’s where ITDR comes in: to fill the gap and bring real-time, identity-aware threat detection into focus.
Why is ITDR a 2025 Priority?
ITDR isn’t just a buzzword, it’s rapidly becoming a recognized category within enterprise security strategy. Analysts and CISOs alike are sounding the alarm on identity threats, and the market is responding accordingly.
Gartner’s recent insights highlight the growing importance of ITDR in 2025 security budgets.
Gartner recently presented their take on top cybersecurity budget priorities for 2025, where they listed Identity Threat Detection and Response (ITDR) as a critical priority.
This surge in adoption reflects a larger industry trend. Identity has become a key control point in Zero Trust architectures, and security leaders are re-evaluating how to protect it. SaaS platforms are enhancing their APIs to support third-party ITDR integrations. And CISOs are being held accountable for identity attack surface management now more than ever.
In short: the momentum behind ITDR isn’t just vendor-driven - it’s being pulled forward by operational necessity and large-scale market shifts.
How Modern ITDR Solutions Are Built for SaaS
To be effective in today’s SaaS-first world, ITDR tools must do more than monitor login logs or set blanket access policies. They need to be SaaS-native, deeply contextual, and responsive to real-time identity behavior.
Modern ITDR platforms offer:
- Continuous monitoring of identity behavior across multiple SaaS environments
- Contextual detection based on roles, typical access patterns, and risk posture
- Dynamic risk scoring that surfaces identities most likely to be compromised or misused
- Automated response capabilities - like session revocation or privilege reduction - when risky activity is detected
DoControl’s approach to ITDR reflects these needs. We’ve embedded identity detection and response as a core layer within our SaaS security platform, not as a bolt-on, but as a foundational feature. Our platform ingests and analyzes identity activity across major SaaS apps, scoring risk based on real-world behavior, privilege levels, and environment-specific context.
The result? Security teams gain clarity on which identities pose risk, why they’re risky, and what can be done about it - before a threat turns into an incident.
DoControl’s Approach to Identity Threat Detection and Response
At DoControl, we purpose-built our Identity Threat Detection and Response (ITDR) module to solve the rising challenge of identity-driven threats within modern SaaS environments. In a world where identities - not devices - define the new perimeter, traditional security tools fall short. Our platform is engineered to fill that gap with a context-rich, behavior-aware, and action-ready layer of defense.
Purpose-Built for SaaS Identity Protection
DoControl's ITDR module is designed specifically for the SaaS ecosystem, where dynamic identities, external collaboration, and decentralized access are the norm. It continuously monitors user activity across applications and correlates signals from multiple systems - including Identity Providers (IdPs), HRIS platforms, and SaaS usage patterns - to build a comprehensive, real-time view of user risk.

Contextualized Risk Scoring with Behavioral Intelligence
What sets DoControl apart is our aggregated identity risk scoring. We combine contextual data - including access permissions, business roles, leadership levels, department nuances and behavioral baselines - to evaluate both current and potential future risk. Our platform detects high-risk behaviors such as:
- Unusual data sharing with external users or personal email accounts
- Large-scale exfiltration attempts
- Connectivity to third-party shadow apps
- Out-of-pattern SaaS activity by department or role
This score isn’t static, it evolves with user behavior and business context, helping security teams surface who poses the greatest threat at any given time.

Watchlists and Proactive Monitoring
High-risk users don’t just get flagged, they get tracked. DoControl allows teams to place users on watchlists, enabling continuous monitoring of identities that exhibit suspicious behavior over time. This enables security operations teams to stay one step ahead of insider threats, compromised accounts, or negligent activity before it becomes a breach.

Real Automatic Responses, Not Just Alerts
Detection is only half the battle. DoControl empowers teams to take decisive action at the user level, whether it’s revoking SaaS access, adjusting permissions, or suspending accounts entirely.
Remediation can be done on-demand or automatically, based on your risk thresholds and business policies.
We make proactive responses easy with our automated custom workflows. With DoControl, users can set up custom workflows that are triggered by risky identity-related actions, so that these risks get detected and handled automatically. It’s a core part of our product. Stay tuned for part #3 of this blog series to see a full breakdown of our response capabilities!
Summary
As SaaS adoption accelerates and the attack surface shifts, identity has become the new battleground in cybersecurity. Traditional tools can’t keep up with the speed, scale, and complexity of identity threats in cloud environments.
Identity Threat Detection and Response (ITDR) is no longer optional, it’s foundational.
Stay tuned for our part #2 coming next week, where we dive into insider threats, and how your own employees are sometimes the most risky identities you have in your SaaS environment.