
ITDR Is Not PAM With Better Alerts. Why Identity Threat Detection Needs Its Own Program

The attacker did not hack the system. They logged in.

That is the uncomfortable reality behind modern identity breaches. Stolen credentials remain the starting point for nearly 70% of attacks, yet most security strategies still focus only on credential storage, MFA enforcement, and periodic access reviews.

The real problem begins after authentication succeeds. Once a legitimate credential is compromised, traditional identity controls often lose visibility into what happens next.

This is the gap Identity Threat Detection and Response was built to solve. But deploying an ITDR tool does not automatically create an effective ITDR program. That gap between tooling and operational maturity is where many enterprise identity security strategies are breaking down today.

The Identity Attack Chain

What ITDR Detects That PAM Cannot 

PAM controls access to privileged accounts. It vaults secrets, records sessions, and enforces least privilege on accounts it knows about. What it cannot do is detect the abuse of credentials after authentication has already succeeded. 

  • Token abuse and OAuth grant exploitation. An attacker who compromises a legitimate OAuth token can access data and systems without triggering any PAM alert. 
  • Session hijacking after valid MFA. Post-authentication session theft bypasses both the vault and the MFA gate. 
  • Lateral movement using legitimate credentials. Pass-the-Hash and Pass-the-Ticket attacks use real credentials against real systems. PAM sees a legitimate session. 
  • Cloud control plane abuse. IAM role assumption, service principal exploitation, and cloud management API abuse look identical to legitimate administrative activity without behavioral context. 
  • Directory enumeration and reconnaissance. Attackers query Active Directory or Entra ID to map the environment before moving. This pattern is invisible to PAM but detectable through directory telemetry analysis.

The ITDR Data Model 

ITDR operates on a fundamentally different data model from PAM or endpoint security. Building an effective ITDR capability requires pulling from the right telemetry sources: 

  • Directory logs from Active Directory, Entra ID, and Okta 
  • Cloud identity telemetry: AWS CloudTrail, Entra sign-in logs, GCP audit logs 
  • Privileged session recordings from PAM platforms 
  • SaaS access logs and OAuth grant activity 
  • Endpoint telemetry correlated to identity events 

The goal is a unified identity threat picture that connects login events, session activity, privilege use, and lateral movement indicators across every environment where identities operate.
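As an added illustration, not code from the original post, the Python below normalises constructed records from two of the sources listed above (a directory log and cloud identity telemetry) into a per-identity timeline and applies two post-authentication checks from the attack chain: a burst of directory queries, and a privileged role assumption from a source address that never completed an interactive sign-in. All identities, addresses, role names, field names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry normalised to one record per event, drawn from the
# source types listed above (directory logs, cloud identity telemetry). All
# identities, IPs, role ARNs and timestamps are made up for this example.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": "jdoe", "src": "entra_signin", "act": "signin", "ip": "10.1.1.1", "obj": ""},
    {"ts": "2024-05-01T09:02:00", "id": "jdoe", "src": "ad_directory", "act": "ldap_query", "ip": "10.1.1.1", "obj": "groups"},
    {"ts": "2024-05-01T09:02:30", "id": "jdoe", "src": "ad_directory", "act": "ldap_query", "ip": "10.1.1.1", "obj": "users"},
    {"ts": "2024-05-01T09:03:00", "id": "jdoe", "src": "ad_directory", "act": "ldap_query", "ip": "10.1.1.1", "obj": "computers"},
    {"ts": "2024-05-01T09:03:20", "id": "jdoe", "src": "ad_directory", "act": "ldap_query", "ip": "10.1.1.1", "obj": "trusts"},
    {"ts": "2024-05-01T09:10:00", "id": "jdoe", "src": "aws_cloudtrail", "act": "AssumeRole", "ip": "203.0.113.7", "obj": "arn:aws:iam::111122223333:role/Admin"},
    {"ts": "2024-05-01T09:00:00", "id": "asmith", "src": "entra_signin", "act": "signin", "ip": "10.1.1.2", "obj": ""},
    {"ts": "2024-05-01T09:30:00", "id": "asmith", "src": "aws_cloudtrail", "act": "AssumeRole", "ip": "10.1.1.2", "obj": "arn:aws:iam::111122223333:role/ReadOnly"},
]

ENUM_WINDOW = timedelta(minutes=5)   # burst window for directory queries (assumed tuning)
ENUM_THRESHOLD = 3                   # distinct object types queried inside the window

def _t(e):
    return datetime.fromisoformat(e["ts"])

def timelines(events):
    """Group events per identity in time order: the cross-source view PAM lacks."""
    per = defaultdict(list)
    for e in sorted(events, key=_t):
        per[e["id"]].append(e)
    return per

def findings_for(identity, tl):
    """Two post-authentication checks from the attack chain above."""
    out = []
    signin_ips = {e["ip"] for e in tl if e["act"] == "signin"}
    if not signin_ips:          # no authenticated session to correlate against
        return out
    # 1. Directory enumeration: a burst of distinct directory queries in a short window.
    queries = [e for e in tl if e["act"] == "ldap_query"]
    for i, q in enumerate(queries):
        burst = {x["obj"] for x in queries[i:] if _t(x) - _t(q) <= ENUM_WINDOW}
        if len(burst) >= ENUM_THRESHOLD:
            out.append(("directory_enumeration", identity, len(burst)))
            break
    # 2. Privilege use from a source address that never completed an interactive sign-in.
    for e in tl:
        if e["act"] == "AssumeRole" and e["ip"] not in signin_ips:
            out.append(("privileged_use_new_source", identity, e["obj"]))
    return out

def detect(events):
    return [f for ident, tl in timelines(events).items() for f in findings_for(ident, tl)]
```

In the sample, jdoe's valid session produces both findings while asmith's role assumption from the same address as the sign-in produces none; a real deployment would replace the static thresholds with per-identity baselines.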

Sakshi Porwal

CISO & VP - Security, Risk and Transformation

Sakshi Porwal is Compunnel's Global CISO with 15+ years of hands-on experience across cybersecurity's most critical domains, from cloud and application security to GDPR and HIPAA compliance. Her writing bridges the gap between complex security frameworks and the real-world decisions IT and business leaders face every day.
