ITDR vs ISPM: Detection and Posture Are Different Jobs
By Identra · Updated
ITDR detects and responds to identity attacks while they are happening. ISPM finds and fixes identity weaknesses before anyone attacks them. Think smoke alarm versus building inspection. Mature programs eventually run both, but if you must sequence them, choose by dominant risk: active threats and incident history favor ITDR, while audit findings, sprawl, and privilege debt favor ISPM.
| Dimension | ITDR | ISPM |
|---|---|---|
| Primary question | Is this identity under attack right now? | Could this identity be abused later? |
| Timing | During the attack | Before any attack |
| Telemetry consumed | Live authentication events, session activity, IdP and directory logs | Configuration state, entitlements, account metadata, MFA and federation settings |
| Typical findings | Credential misuse, session hijacking, privilege escalation, lateral movement | Dormant accounts, MFA gaps, over-privileged roles, stale service accounts |
| Response actions | Revoke sessions, force step-up auth, disable accounts, open incidents | Remediation tickets, privilege reduction, account cleanup, policy changes |
| Urgency of findings | Minutes; alerts are perishable | Days to weeks; findings are durable |
| Team that owns it | SOC and incident response | IAM, identity engineering, GRC |
| Adjacent categories | EDR, XDR, SIEM | CIEM, SSPM, IGA |
What is ITDR?
Identity threat detection and response is the detection discipline for identity infrastructure. It watches authentication and directory telemetry, builds behavioral baselines for accounts, and flags activity that looks like an attack in progress: credential stuffing, impossible travel, session hijacking, privilege escalation, and lateral movement through the identity provider. When something trips, ITDR responds by revoking sessions, forcing step-up authentication, or disabling the account.
The case for ITDR is that modern intrusions increasingly skip malware entirely. CrowdStrike's 2025 Global Threat Report found 79 percent of the detections it observed were malware-free, and IBM's X-Force Threat Intelligence Index 2025 reported that abuse of valid accounts was the entry point in roughly 30 percent of intrusions. When the attacker logs in with real credentials, the only place the attack is visible is identity telemetry, which is exactly where ITDR looks.
What is ISPM?
Identity security posture management is the hardening discipline. It continuously inventories identities and their entitlements across identity providers, SaaS, cloud, and on-prem directories, then scores and prioritizes the weaknesses it finds: dormant accounts, missing or weak MFA, over-privileged roles, stale service accounts, risky OAuth grants, and misconfigured federation.
ISPM operates before any attack exists. Its output is a remediation queue, not an alert queue: enforce least privilege, remove standing access, retire unused accounts, and close configuration gaps so that a stolen credential is worth less when theft eventually happens. It shrinks the attack surface that ITDR would otherwise have to defend.
The core difference: timing and telemetry
The cleanest way to separate the two is by when they act and what they read. ISPM works at admin time: it reads configuration state, entitlement graphs, and account metadata, and it asks whether this identity could be abused. ITDR works at attack time: it reads live authentication events and session activity, and it asks whether this identity is being abused right now.
That difference cascades into everything else. ISPM findings are durable and can wait for a change window. ITDR findings are perishable and demand response in minutes. ISPM typically lands with IAM and GRC teams, while ITDR lands with the SOC. The comparison table below summarizes the split.
When to prioritize which
Nearly every vendor page concludes that you need both, which is true but unhelpful when budget or headcount forces a sequence. Use your dominant risk to decide.
- Post-incident: if you just had an identity-driven breach or near miss, start with ITDR. You have demonstrated active-threat exposure, and posture cleanup does not stop the attacker who already has a foothold. Layer ISPM in once detection is stable.
- Audit-driven: if your pressure is failed access reviews, orphaned accounts, or excessive privilege findings, start with ISPM. It directly produces the remediation evidence auditors want and reduces identity sprawl that makes every other control noisier.
- AI agent adoption: if you are deploying agents and copilots, prioritize posture visibility first so every AI agent identity and its permissions are inventoried, then add detection quickly, because agent credentials misbehave at machine speed.
- Lean team: if one small team owns both problems, ISPM usually comes first. Posture work is schedulable and reduces alert volume, while an ITDR alert queue without responders becomes shelfware. Revisit ITDR as soon as someone can own triage.
What neither catches alone
There is a gap between the two categories that neither closes by itself: identities that pass every posture check and still go bad at runtime. A session token stolen after a clean, MFA-protected login inherits perfect posture. A non-human identity or AI agent that is correctly scoped on paper can still be manipulated into misusing the access it legitimately holds. Posture says the identity is configured well, and detection tuned to human login patterns often misses machine and agent behavior entirely. We cover this failure mode in depth in why posture tools miss runtime identity risk.
This gap is where Identra focuses: runtime identity security that observes what every identity, human, machine, or AI agent, actually does after authentication, so that clean posture and quiet dashboards are not mistaken for safety. If you evaluate ITDR and ISPM tools, it is worth asking each vendor how they handle an identity that is configured correctly and behaving maliciously.
Frequently asked questions
Is ITDR part of XDR?
They overlap but are not the same. XDR correlates detections across endpoints, network, and cloud, and many XDR platforms ingest identity signals. ITDR goes deeper on the identity layer itself: IdP logs, directory changes, session behavior, and identity-specific response actions like session revocation. Organizations with heavy identity risk usually find XDR's identity coverage too shallow on its own.
Does ISPM replace IGA?
No. IGA governs the identity lifecycle: joiner-mover-leaver workflows, access requests, and certification campaigns. ISPM continuously assesses the security quality of the identities IGA manages, surfacing risks like dormant privileged accounts or MFA gaps. ISPM findings often feed IGA remediation workflows, so the two are complementary.
Can one platform do both ITDR and ISPM?
Increasingly, yes. Many identity security vendors ship posture and detection modules on a shared identity inventory, and the categories are converging. Evaluate each capability separately though: detection depth, response actions, and SOC integrations for ITDR; coverage breadth across IdPs, SaaS, and non-human identities for ISPM. A strong suite in one area can be shallow in the other.
Where do non-human identities fit?
Service accounts, API keys, workload identities, and AI agents need both disciplines, and both categories historically underserved them. ISPM should inventory non-human identities and flag stale credentials and excess privilege. ITDR should baseline their behavior, which differs sharply from human patterns. Ask vendors specifically about NHI coverage, since machine identities now far outnumber human ones in most environments.
