Why identity protection (ITDR) is a priority
In the cloud the perimeter is no longer the network: it is identity. Attackers have stopped breaking the firewall and started authenticating, stealing sessions and tokens that bypass classic MFA. ITDR (Identity Threat Detection and Response) defends what actually matters today: who accesses, how, and whether that access has been compromised or abused after authentication. Without ITDR, the attacker walks in the front door with valid credentials.
The thesis
For years security defended the network perimeter. But data and applications moved to the cloud, and with them the weak point: today the attacker does not break the firewall, they authenticate. Identity is the new perimeter, and ITDR is the defence of that perimeter.
The cost of not defending identity
A stolen credential or session is worth more than an exploit: it grants legitimate, silent access that the EDR does not see and the firewall lets through. From there come BEC, fraud, exfiltration, all with legitimate APIs and tokens. Without ITDR, the intrusion looks like a normal login.
What ITDR provides
Detection and response on identities: monitoring of Active Directory and Entra ID, post-authentication anomaly detection, blocking of credential and session abuse, fast revocation. It is what intercepts the attacker once MFA has already been bypassed, as the Kali365 case shows.
When it really matters (and when less is enough)
As soon as you use Microsoft 365, Entra ID or widespread cloud access, identity is the main front: ITDR is a priority. In a tiny, fully on-premise environment with very few accounts, the priority may be elsewhere (backups, patching, basic hardening). But for the vast majority of modern companies, defending identity is not optional. See also Microsoft 365 security.
Classic perimeter defence vs identity defence
| | Classic perimeter | ITDR |
|---|---|---|
| Assumption | The threat is outside | The threat authenticates |
| Classic MFA | Considered sufficient | Bypassed by session theft |
| Coverage | Network, firewall | AD, Entra ID, sessions, access |
| Detects | Network intrusion | Credential and token abuse post-auth |
The analysis of the PhaaS platform Kali365 (800 domains mapped) shows how OAuth token theft after legitimate authentication bypasses classic MFA: the proof that defence must shift to post-authentication identity, where the endpoint sees nothing.
Frequently asked.
Isn't MFA enough to protect identities?
No, not on its own. AiTM attacks and session token theft steal the access after authentication: MFA fires, but the session is already compromised. You need FIDO2/passkey, AiTM anti-phishing and ITDR that detects post-authentication abuse.
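An added example, not Fortgale's code or part of the original page: a minimal post-authentication check that compares every token use against the context of the MFA sign-in that created the session. The event fields, the sample data and the "new /24 network plus new client" heuristic are assumptions for illustration, not the Entra ID log schema.

```python
# Added example: hypothetical event fields, IPv4 only, constructed data.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the sample
    user: str
    session: str   # session / token identifier
    kind: str      # "signin" (interactive, MFA satisfied) or "token_use"
    ip: str
    agent: str     # client / user agent string

# Constructed sample events (not real telemetry).
EVENTS = [
    Event(0,   "alice", "s1", "signin",    "198.51.100.10", "Edge/Windows"),
    Event(60,  "alice", "s1", "token_use", "198.51.100.77", "Edge/Windows"),
    Event(95,  "alice", "s1", "token_use", "203.0.113.5",   "python-requests"),
    Event(10,  "bob",   "s2", "signin",    "192.0.2.20",    "Safari/macOS"),
    Event(400, "bob",   "s2", "token_use", "192.0.2.21",    "Safari/macOS"),
    Event(500, "carol", "s9", "token_use", "203.0.113.9",   "curl"),
]

def net24(ip):
    """Coarse network identity: the /24 that contains the address."""
    return ip_network(f"{ip}/24", strict=False)

def detect_session_abuse(events):
    """Return (user, session, reason) for token uses that do not match
    the context in which the session passed MFA."""
    baseline = {}  # session -> sign-in Event that satisfied MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signin":
            baseline[ev.session] = ev
            continue
        origin = baseline.get(ev.session)
        if origin is None:
            alerts.append((ev.user, ev.session, "token used with no recorded sign-in"))
        elif net24(ev.ip) != net24(origin.ip) and ev.agent != origin.agent:
            alerts.append((ev.user, ev.session, "token replayed from new network and client"))
    return alerts

def sessions_to_revoke(events):
    """Sessions to hand to the revocation step of the response."""
    return sorted({session for _, session, _ in detect_session_abuse(events)})
```

Requiring both the network and the client to change keeps ordinary roaming inside one /24 quiet; a production rule would tune that trade-off against its own false-positive rate.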
What does ITDR detect that EDR does not?
Abuses on Active Directory and Entra ID: Kerberoasting, Pass-the-Hash, DCSync, Golden Ticket, privilege escalation, anomalous session use. These are attacks that often do not touch the endpoint, so they escape EDR alone.
Why is 'identity the new perimeter'?
Because data and applications live in the cloud: the only constant boundary is who accesses. Once identity is compromised, the attacker moves like a legitimate user. That is why identity is the first asset to defend.
When is ITDR less urgent?
In very small, on-premise environments with very few identities, the priority may be elsewhere (backups, patching). But as soon as there is Microsoft 365, Entra ID or widespread cloud access, identity becomes the main front.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment.