The Evolution of ITDR: From Fractured Tools to Unified Defense
Identity security is fractured—MFA here, PAM there, SSO somewhere else. First-generation ITDR adds more alerts to the chaos. Auth Sentry unifies detection and delivers investigations, not noise.
Alert-Based Detection
Built on static ML models and rules engines. Data is siloed—context clues from other services are rarely, if ever, considered when creating an alert. Flag anomalies, send alerts, wait for humans to investigate.
Problem: Analysts drown in alerts while attackers move faster than investigation speed.
Autonomous Investigation
Powered by specialized AI agents and graph databases. Continuously gather evidence, auto-enrich from security stack, validate with users, deliver complete investigations.
Solution: SOCs get investigation-ready cases. 10x faster response, 70% less noise.
ITDR 1.0 vs ITDR 2.0: Feature Comparison
| Capability | ITDR 1.0 (Alert-Based) | ITDR 2.0 (Autonomous Investigation) |
|---|---|---|
| Detection Engine | | |
| AI/ML Architecture | Static ML models with generic rules. One-size-fits-all anomaly detection. | Specialized AI Agents (OAuth, Service Account, Lateral Movement, Toxic Combo) that continuously learn YOUR environment. |
| Evidence Collection | Analyzes events in isolation. Flags individual anomalies and tosses them over the fence to the SOC. | Graph Database maps relationships between events across identities, permissions, and actions—delivering high-fidelity cases instead of alert noise. |
| Confidence Scoring | Generic severity (Low/Medium/High) based on rule matching. Many platforms use severity as a proxy for confidence—they're not the same thing. | Tunable confidence scoring (0.98 = 98% certain based on correlated evidence). Customize thresholds to fit your environment better than one-size-fits-all severity levels. |
| Investigation Process | | |
| Who Investigates? | Humans manually correlate logs, query SIEM, pull SaaS platform data. Time: 10-15 minutes per alert. | AI Agents autonomously gather evidence from multiple sources before alerting. Time: <2 minutes, automated. |
| Context Enrichment | Manual—analyst queries SIEM, MDM, threat intel after receiving alert. | Automatic—agents query SIEM, SaaS platforms, MDM, threat intel before alerting you. |
| User Validation | Analyst emails or calls user after investigation started. | Agents message users directly via Slack/Teams to validate suspicious activity in real-time. |
| Alert Quality | | |
| What You Receive | Alert: Unusual login detected<br>from: 203.0.113.45<br>Severity: Medium<br>Action: Investigate<br>Single alert triage doesn't scale. Analysts manually correlate dozens of alerts to understand one incident. | Case: Lateral Movement Investigation<br>Dormant account accessed 4 systems in 5 min<br>Evidence: 5 sources \| Confidence: 0.98<br>Agent actions: Tokens revoked, user confirmed compromise via Slack<br>Complete investigation cases with evidence, context, and clear next steps—not isolated alerts. |
| False Positive Rate | 90-99% of identity alerts are false positives. Generic rules don't understand your business context. Most SOC teams won't even service alerts below critical severity. | 70% reduction in false positives through continuous learning. Agents baseline YOUR organization's patterns—alerts worth investigating, not ignoring. |
| Recommended Actions | Generic: "Investigate", "Review logs", "Contact user" | Specific, context-aware: "Revoke OAuth tokens", "Force MFA re-auth", "Audit systems X, Y, Z for data exfiltration" |
| Threat Coverage | | |
| OAuth Token Attacks | Limited visibility. Flags unusual IPs but misses context about token lifecycle. | Dedicated OAuth Agent monitors token lifespans, cross-IP usage, impossible travel, dormant token activation. |
| Service Account Security | No baselines for non-human identities. Can't detect "abnormal" bot behavior. | Service Account Agent learns normal patterns for every API key, detects privilege escalations and unusual access. |
| Toxic App Combinations | Single-app view. Can't see dangerous access chains across systems. | Toxic Combo Agent maps access paths (GitHub -> AWS -> Prod DB) and detects chained exploitation. |
| Lateral Movement | Relies on endpoint telemetry. Misses identity-based pivots. | Lateral Movement Agent tracks identity usage across systems, detects unusual pivots and credential sharing. |
| Agentic AI & MCP Threats | No visibility. ITDR 1.0 wasn't built for AI agents or MCP servers—it's the wild west. Even well-meaning employees can accidentally grant AI tools access to restricted resources. | Complete identity posture visibility including AI agents and MCP server connections. Detect unapproved AI tools, unauthorized MCP integrations, and anomalous agent behavior before data leaves your environment. |
| Response & Remediation | | |
| Response Time | Minutes to hours (depends on analyst availability and workload). | Seconds to minutes (agents can auto-revoke tokens, block IPs, disable accounts with SOC approval). |
| Containment Actions | Manual workflows. Analyst creates tickets, coordinates with IT. | Automated containment workflows with approval gates. Agents execute remediation steps autonomously. |
| Post-Incident Analysis | Manual correlation of logs and timelines. | Pre-built attack timelines showing complete evidence chain and agent actions taken. |
| Learning & Adaptation | | |
| Customization | Manual tuning of rules and thresholds. Requires security engineer time. | Continuous learning from YOUR environment. Agents automatically adapt to your organization's patterns. |
| Baseline Updates | Periodic model retraining (quarterly/annually). | Real-time baseline updates. If DevOps starts deploying on Fridays, agents learn it's normal for YOUR team. |
| Organization-Specific Detection | Generic rules applied to all customers. What's normal for Company A triggers alerts at Company B. | Precision Detection (Identity Rx): Detections tailored to YOUR business workflows, not industry averages. |
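The contrast the table draws between an isolated "unusual login" alert and a correlated lateral-movement case, as an added Python example (not Auth Sentry's code): over constructed sample events, one function emits ITDR 1.0 style per-event alerts, the other builds a single case that ties dormant-account reactivation, a burst of distinct systems accessed within five minutes and a new source IP into one confidence score. The thresholds, the evidence weights and the noisy-OR combination are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry): a long-idle service account and a normal user.
EVENTS = [
    {"user": "svc-legacy", "ts": "2024-05-01T09:00:00", "ip": "198.51.100.7", "system": "vpn"},
    {"user": "svc-legacy", "ts": "2024-06-20T02:14:00", "ip": "203.0.113.45", "system": "vpn"},
    {"user": "svc-legacy", "ts": "2024-06-20T02:15:10", "ip": "203.0.113.45", "system": "github"},
    {"user": "svc-legacy", "ts": "2024-06-20T02:16:30", "ip": "203.0.113.45", "system": "aws-console"},
    {"user": "svc-legacy", "ts": "2024-06-20T02:18:05", "ip": "203.0.113.45", "system": "prod-db"},
    {"user": "alice", "ts": "2024-06-20T08:00:00", "ip": "198.51.100.7", "system": "vpn"},
    {"user": "alice", "ts": "2024-06-20T08:30:00", "ip": "198.51.100.7", "system": "github"},
]
# Illustrative thresholds and evidence weights (assumptions, not product settings).
DORMANT_DAYS = 30
PIVOT_WINDOW = timedelta(minutes=5)
PIVOT_SYSTEMS = 4
WEIGHTS = {"dormant_reactivation": 0.6, "pivot_burst": 0.7, "new_source_ip": 0.5}

def _t(e):
    return datetime.fromisoformat(e["ts"])

def isolated_alerts(events):
    """ITDR 1.0 style: one context-free alert per login from an IP new to that user."""
    seen, alerts = defaultdict(set), []
    for e in sorted(events, key=_t):
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            alerts.append(f"Unusual login for {e['user']} from {e['ip']} ({e['system']})")
        seen[e["user"]].add(e["ip"])
    return alerts

def build_case(events, user):
    """ITDR 2.0 style: correlate one user's events into a case with evidence and confidence."""
    ev = sorted((e for e in events if e["user"] == user), key=_t)
    found = set()
    # Evidence: the account became active again after a dormant gap
    if any(_t(b) - _t(a) > timedelta(days=DORMANT_DAYS) for a, b in zip(ev, ev[1:])):
        found.add("dormant_reactivation")
    # Evidence: several distinct systems reached inside a short window (identity pivot)
    for i, start in enumerate(ev):
        systems = {e["system"] for e in ev[i:] if _t(e) - _t(start) <= PIVOT_WINDOW}
        if len(systems) >= PIVOT_SYSTEMS:
            found.add("pivot_burst")
    # Evidence: activity from an IP the account's baseline (its first event) never used
    if ev and any(e["ip"] != ev[0]["ip"] for e in ev[1:]):
        found.add("new_source_ip")
    # Noisy-OR combination: each independent evidence item raises overall confidence
    miss = 1.0
    for name in found:
        miss *= 1 - WEIGHTS[name]
    return {"user": user, "evidence": sorted(found), "confidence": round(1 - miss, 2)}
```

Running both over the same events shows the gap: the alert path yields one "unusual login" line with no notion of what followed, while the case path returns three correlated evidence items and a single confidence value for the service account, and nothing for the normal user.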
The Bottom Line

| ITDR 1.0 | ITDR 2.0 |
|---|---|
| Isolated alerts per week | Complete investigation cases per week |
| 10-15 min per investigation | <2 min automated investigation |
| 90-99% false positive rate | 70% fewer false positives |
| Generic recommendations | Full context with clear next steps |
Auth Sentry is ITDR 2.0
While first-generation tools generate more alerts, we deliver fewer, higher-quality investigations—complete with evidence, context, and recommended actions. Your SOC focuses on real threats, not noise.
Making the Transition
Organizations moving from ITDR 1.0 to Auth Sentry typically see results within the first week.
Day 1: Agentless deployment. Connects to identity providers and starts baselining.
Week 1: AI Agents begin detecting threats with initial baselines. Immediate value from graph-based detection.
Month 1: Full Identity Rx precision. Agents have learned your environment. 70% FP reduction achieved.
Ongoing: Continuous learning. Detection gets smarter as your organization evolves.
Ready for ITDR 2.0?
See how Auth Sentry's AI Agents deliver complete investigations, not just alerts.