Analyst
Forrester Wave: Identity Threat Detection and Response (ITDR)
Key Finding
ITDR is the analyst frame that finally moves identity from "a thing the IAM team owns" to "a thing the SOC consumes". The architecture that does both is the one that survives.
Forrester's coverage of Identity Threat Detection and Response has matured from emerging-tech commentary into named vendor evaluation across 2024-2025. The category sits at the intersection of IAM and security operations: it consumes identity telemetry (sign-ins, MFA challenges, privilege use, session activity) and produces detection-and-response output usable by a SOC.
The analyst framing matters more than the product category. ITDR pulls identity into the SOC operating model, which is the only place a credential-based attack can be detected in time to matter. The traditional split, in which IAM owns identity and SecOps owns detection, leaves a gap that credential-based attacks now exploit at industrial scale.
For identity architecture the practical decision is whether the identity platform exports the signals SecOps needs in the form SecOps can use, and whether SecOps' detection rules can in turn drive identity-platform actions (force re-authentication, revoke session, disable account). When the answer is yes, ITDR is a product purchase; when the answer is no, ITDR is an architecture project.
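The loop described above, as an added sketch that is not taken from Forrester or from any vendor's product: detection rules consume identity telemetry and return the identity-platform actions the paragraph names. The event fields, the thresholds, the three rules and the action strings are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample telemetry: (ts_seconds, user, event_type, session, ip, result).
EVENTS = [
    (0,   "alice", "sign_in",          "s1", "198.51.100.7", "ok"),
    (40,  "alice", "session_activity", "s1", "198.51.100.7", "ok"),
    (100, "bob",   "mfa_challenge",    "-",  "203.0.113.9",  "denied"),
    (130, "bob",   "mfa_challenge",    "-",  "203.0.113.9",  "denied"),
    (160, "bob",   "mfa_challenge",    "-",  "203.0.113.9",  "denied"),
    (190, "bob",   "mfa_challenge",    "-",  "203.0.113.9",  "approved"),
    (200, "bob",   "sign_in",          "s2", "203.0.113.9",  "ok"),
    (260, "bob",   "privilege_use",    "s2", "203.0.113.9",  "ok"),
    (300, "carol", "sign_in",          "s3", "192.0.2.10",   "ok"),
    (900, "carol", "session_activity", "s3", "192.0.2.77",   "ok"),
]

def decide_actions(events, window=300, threshold=3):
    """Return (ts, action, user, session) decisions for the identity platform."""
    denials = defaultdict(list)  # user -> timestamps of denied MFA challenges
    fatigued = set()             # users who approved MFA right after a denial burst
    origin_ip = {}               # session -> IP recorded at sign-in
    suspect = set()              # sessions already flagged by a rule
    actions = []
    for ts, user, kind, session, ip, result in sorted(events):
        if kind == "mfa_challenge" and result == "denied":
            denials[user].append(ts)
        elif kind == "mfa_challenge" and result == "approved":
            # Rule 1: an approval that follows a burst of denials is suspicious.
            if sum(1 for t in denials[user] if ts - t <= window) >= threshold:
                fatigued.add(user)
        elif kind == "sign_in" and result == "ok":
            origin_ip.setdefault(session, ip)
            if user in fatigued:
                suspect.add(session)
                actions.append((ts, "revoke_session", user, session))
        elif kind == "session_activity" and origin_ip.get(session, ip) != ip:
            # Rule 2: the session is being used from an IP other than its sign-in IP.
            suspect.add(session)
            actions.append((ts, "force_reauth", user, session))
        elif kind == "privilege_use" and session in suspect:
            # Rule 3: privilege use inside an already flagged session escalates.
            actions.append((ts, "disable_account", user, session))
    return actions

if __name__ == "__main__":
    for decision in decide_actions(EVENTS):
        print(decision)
```

Whether these decisions can actually be enforced depends on the identity platform exposing an interface for each action, which is the architecture question the paragraph raises.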