KuppingerCole Leadership Compass: The ITDR Market Takes Shape

Analyst · KuppingerCole Leadership Compass (LC81209) · Nov 2025

Key Finding

When an analyst firm publishes a vendor comparison for a category, the category has crossed from concept to procurement. ITDR is now a thing organisations buy, which means it is a thing they have to architect around.

On 6 November 2025, KuppingerCole published a Leadership Compass on Identity Threat Detection and Response (LC81209, by Alejandro Leal), a structured vendor comparison of the ITDR market. We read this as market observation rather than a buying recommendation, and the observation we draw from it is about the category, not the rankings.

A Leadership Compass is a maturity signal. Analyst firms do not produce vendor comparisons for ideas; they produce them for markets with enough vendors, enough buyers, and enough deployment history to compare. ITDR did not exist as a named category a few years ago. Identity telemetry was something the IAM team held and the SOC occasionally asked for. The fact that there is now a comparable field of ITDR vendors tells you the market has decided identity needs its own detection-and-response discipline, distinct from endpoint and network.

That maturation maps to the threat data the rest of this section documents. When the majority of attacks are credential-based and malware-free, the detection signal that matters is an identity signal: an anomalous sign-in, an unexpected MFA approval, a privilege escalation, a session doing something the user never does. Endpoint and network tools were not built to see those, and the SOC operating model was not built to consume them.

The identity-architecture implication is the one we keep returning to. ITDR is only a product purchase if your identity platform already exports the signals a detection engine needs, in a form a SOC can act on, and can accept response actions back: force re-authentication, revoke a session, disable an account. Where that telemetry path and that response path already exist in the architecture, ITDR is a tool you plug in. Where they do not, the Leadership Compass is showing you a market for products that will sit on top of an integration project you have not started yet. The category being real does not make the architecture optional.
