Service · ITDR · AD + Entra ID + Cloud

Enterprise identities are the new perimeter.

80% of incidents involve compromised identities. Fortgale governs identity security at 360°: from on-premise Active Directory to hybrid cloud environments — with detection, response and continuous governance.

80% · Incidents via identity
24·7 · Dedicated SOC
360° · AD + Cloud + Hybrid

Fortgale · Identity Monitor (Live)

Identities · monitor: 14k
Alerts · 24h: 23
MFA bypass: 0
Privileged: 2

Time   Sev  Detection                            Src
10:42  P1   DCSync attempt · domain admin        L3
10:18  P2   AAD impossible travel · admin        L2
09:55  P3   OAuth illicit consent grant          L2
09:21  P4   Kerberoasting · low confidence       L1

Compliance · identity: NIS2 · Art. 21, DORA, ISO 27001 · A.9, GDPR

Native integrations: Defender for Identity, Sentinel, Entra ID, Okta, CrowdStrike

Why ITDR

IAM governs the rules. ITDR detects when they are violated.

Identity is today the number-one attack vector. IAM rules are not enough: real-time detection & response is required.

01 · ITDR ≠ IAM, it is complementary

IAM defines access rules; ITDR detects when access is compromised or abused and responds operationally. The missing link that closes identity defence.

02 · Hybrid 360° coverage

On-premise AD + Microsoft Entra ID + Google Workspace + multi-cloud environments. Full visibility on synchronised hybrid identities. No blind spots between on-prem and cloud.

03 · UEBA + certified analysts

AI correlates millions of identity events with proprietary threat intelligence; European L2/L3 analysts validate every alert and act operationally. Drastic false-positive reduction.

Proof · the identity numbers

Four data points that force ITDR.

80% · Incidents via compromised credentials
2h · Average time phishing → domain controller
74% · Hybrid environments AD + cloud
+340% · Cloud identity attacks in the last 3 years

What ITDR · Fortgale is

Four coverage areas, one unified console.

From the Domain Controller to Entra ID, from cloud to post-compromise. One European outpost.

AD on-premise

Active Directory Security

Detection of Kerberoasting, Pass-the-Hash, DCSync, Golden Ticket, AS-REP Roasting, lateral movement, critical GPO changes and creation of unapproved admin accounts.

Cloud identity

Microsoft Entra ID · Azure AD

MFA Bypass, Token Theft, Service Principal abuse, Hybrid Identity attacks. Conditional Access monitoring, OAuth consent grant abuse, malicious app registrations.

UEBA

Behavioural analytics

Behavioural baseline on privileged users, insider threat detection, anomaly detection on access, impossible geo-velocity, off-hours logins, suspicious privilege escalation.

Identity IR

Identity Incident Response

Account isolation, token revocation, blast radius assessment, guided remediation. Forensics on anomalous logons, SecOps support for the identity-driven kill-chain.

Six technical capabilities

The pillars of identity detection.

01 · Privilege Escalation Detection

Detection of unauthorised escalation: addition to Domain Admins, changes to sensitive groups, AD-CS abuse, ESC1-ESC8 patterns.

02 · Credential Attack Coverage

Full detection: Kerberoasting, AS-REP, PtH, PtT, NTLM relay, OverPass-the-Hash, Mimikatz traces, LSASS dumping.

03 · Cloud Identity Monitoring

Post-AiTM token theft, OAuth abuse, conditional access bypass, service principal abuse, illicit consent grant. M365, Azure AD, Google Workspace.

04 · Lateral Movement Tracking

Identity-driven lateral movement tracking: Impacket usage, anomalous Kerberos tickets, anomalous logon patterns, NTLM hash usage.

05 · Insider Threat Detection

UEBA for insider threat: data exfiltration patterns, access to resources outside the role, off-hours activity, dormant accounts reactivated.

06 · Guided Remediation & Recovery

MITRE-mapped runbooks, account isolation, credential reset, token revocation, blast radius mapping, post-incident hardening.

FAQ

Everything to know before talking to the ITDR team.

What is the Fortgale ITDR service?

ITDR is the Identity Threat Detection & Response outpost: 360° security for identities across Active Directory, Entra ID, Google Workspace and multi-cloud. Includes 24·7 monitoring, UEBA, identity incident response and guided remediation.

Difference between ITDR and IAM?

IAM governs who has access to what (provisioning, roles, permissions). ITDR detects and responds when access is compromised or abused. They are complementary: IAM = rules, ITDR = real-time monitoring of violations.

Which Active Directory attacks do you detect?

Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, Golden Ticket, Silver Ticket, privilege escalation, critical GPO changes, creation of unapproved admin accounts, LDAP reconnaissance. Contextual correlation to reduce false positives.

Does it support NIS2 and DORA?

Yes. Structured for NIS2 Art. 21 and DORA requirements on privileged identity management, IAM and incident response. Auditable reporting, event documentation, documented procedures.

How does it integrate with Defender for Identity and Sentinel?

Native integration with Microsoft Defender for Identity, Sentinel, Google Workspace Security Center, Okta, CrowdStrike, SentinelOne and the main enterprise SIEMs. Native connectors and APIs with no additional agents.

Does ITDR include AiTM phishing protection?

ITDR focuses on post-compromise detection and response. For preventive AiTM protection Fortgale offers the M365 Phishing Interceptor (complementary free service). The two services are synergistic.

Start with ITDR

Enterprise identities are already in the crosshairs.

80% of incidents pass through compromised identities. The Fortgale ITDR service monitors, detects and responds 24·7 on every plane — from AD to cloud — before an identity becomes a critical incident.

Response time: < 1 business day.
