Toll-free1-877-430-6240 / 1-780-430-6240 Authorized Sophos Partner
Identity Threat Detection & Response

Catch the attacks that look like normal logins.

Sophos ITDR watches Active Directory and Microsoft Entra ID for the behaviours that signal account takeover: impossible-travel patterns, password spraying, MFA fatigue, suspicious privilege escalation, and dormant-account reactivation. Detections feed directly into Sophos XDR so analysts see identity events alongside the rest of the attack chain.

Key Capabilities

The detections EDR and SIEM miss

Endpoint and network defenses see attacker tools and traffic patterns. ITDR sees the identity itself - who logged in, from where, with what privileges, doing what they shouldn’t normally do.

Active Directory monitoring

Continuous monitoring of on-prem AD for the techniques attackers use after a foothold: Kerberoasting, DCSync, Golden Ticket, Pass-the-Hash, and the rest of the BloodHound playbook.

Microsoft Entra ID monitoring

Detection across cloud-only and hybrid Entra tenants: impossible-travel logins, anomalous OAuth consent grants, unusual MFA prompt patterns, and risky sign-in heuristics.

MFA fatigue & bypass

Detect MFA push-bombing attacks, suspicious approval patterns, and number-matching bypass attempts. Surface the patterns that turn a stolen password into a successful login.

Risk-scored alerts

Every detection gets a risk score based on the technique, the user, the resource accessed, and the historical baseline. Analysts triage by priority, not by chronological order.

Native XDR integration

ITDR alerts surface inside Sophos XDR cases next to endpoint, network, email, and cloud events. One investigation timeline that includes the identity context, not a separate console.

Identity hygiene reporting

Reports surface dormant accounts, over-privileged groups, orphaned service principals, and other identity-hygiene issues that make attacks succeed in the first place.

Deep Dive

The attacks that look exactly like normal logins

Most identity-based attacks don’t trip a signature. The attacker has valid credentials. The login succeeds. To the rest of the stack, it’s a Tuesday. ITDR is built to spot the patterns that say otherwise.

  • Impossible-travel detection. Same user signs in from Toronto, then Singapore eight minutes later. Each login is technically valid; together they’re impossible. ITDR flags it.
  • MFA push-bombing. An attacker with a stolen password fires repeated MFA prompts hoping the user clicks Approve out of habit. ITDR detects the abnormal prompt rate.
  • Dormant-account reactivation. Service or contractor accounts that haven’t logged in for months suddenly do, often with elevated permissions. Classic post-breach pattern.
  • AD attack tooling. Kerberoasting, DCSync, BloodHound enumeration, and other tooling produce specific patterns in AD logs. ITDR matches them in real time and feeds the case to XDR.
Identity Risk Timeline 10:02 AM Login YYZ 10:10 AM Login SIN 10:12 AM 12 MFA pushes 10:14 AM Priv elevation RISK SCORE: 9.4 / 10 Detected: impossible travel + MFA push fatigue Recommended: [ Revoke session ] [ Reset password ]
Who Deploys It

Organizations where identity is the soft underbelly

Every organization with a directory is exposed to identity-based attacks. ITDR is most valuable in environments where the directory is also the gateway to the most valuable data.

1

Microsoft 365 / Entra ID heavy

Cloud-first organizations where Entra ID is the keys-to-the-kingdom directory. ITDR adds the detection layer Microsoft’s built-in conditional access doesn’t cover on its own.

Detection beyond conditional access
2

Hybrid AD environments

On-prem AD federated with Entra ID. Attackers exploit the seams between the two: stale sync, mis-mapped accounts, dormant Kerberos tickets. ITDR sees both sides.

Coverage on both sides of the seam
3

Cyber-insurance & compliance

Modern policies and frameworks increasingly require identity-specific monitoring. ITDR satisfies those controls and produces the audit evidence that proves it.

Auditable identity monitoring
Pairs Well With

Where ITDR alerts go to work

Identity detection is most valuable when it lands somewhere actionable. These are the products our customers pair with ITDR most often.

Sophos XDR
SecOps

Sophos XDR

Where ITDR detections naturally land. Identity events get auto-correlated with endpoint, network, email, and cloud signals so the full story shows up in one case.

Sophos MDR
Managed Service

Sophos MDR

No in-house analysts to triage ITDR alerts? Sophos MDR watches identity, endpoint, network, and cloud signals 24/7 and acts on the ones that matter.

Sophos ZTNA
Access

Sophos ZTNA

ITDR detects the abuse; ZTNA enforces the access. Together they form the detection-plus-enforcement loop modern identity security needs.

Ready to close the identity gap in your defenses?

Trial Sophos ITDR against your live Active Directory or Entra tenant, request user-based pricing, or talk to our team about pairing ITDR with XDR or MDR.