Why are identity threats surging in the cloud era?
Identity-based attacks are now the leading initial access vector for cybercriminals, which makes strengthening your identity threat detection and response (ITDR) tools and processes a core part of modern security.
Several factors drive this identity threat surge:
Stolen credentials drive 22% of breaches: Attackers increasingly use compromised credentials for initial access. Verizon's 2025 Data Breach Investigations Report found credential abuse to be the leading initial access vector in the breaches it analyzed for 2024, ahead of vulnerability exploitation and phishing.
Machine identities multiply out of control: Cloud-native architectures rely heavily on service accounts, APIs, containers, and serverless functions. These non-human identities often outnumber human ones and hold elevated permissions without the oversight applied to human users, creating blind spots in traditional identity and access management (IAM) systems.
Multi-cloud fragmentation hides threats: Organizations running workloads across AWS, Azure, and Google Cloud face inconsistent IAM models. AWS IAM, Microsoft Entra ID (formerly Azure Active Directory), and GCP IAM each use different permission structures and policy languages, making it difficult to maintain unified identity security policies and to detect suspicious activity that spans providers.
Misconfigurations create entry points: Rapidly changing cloud environments outpace manual oversight, so overly permissive roles, exposed secrets, and unused credentials accumulate. The 2024 Snowflake customer breaches show the result: credentials harvested by infostealer malware, for accounts with no MFA enforced, let attackers log in directly to many organizations' Snowflake tenants and exfiltrate their data.
Why do you need identity threat detection and response in modern cybersecurity?
Traditional IAM solutions focus on provisioning and authentication but lack the continuous monitoring and response capabilities teams need to catch active threats. Endpoint detection and response (EDR) and extended detection and response (XDR) tools, for their part, watch endpoints and networks and often miss threats that play out entirely in the identity layer, such as an attacker calling cloud APIs with valid stolen credentials from their own infrastructure.
ITDR fills this critical gap by providing real-time visibility into identity behaviors, detecting anomalies that indicate compromise, and enabling rapid response to contain threats before they escalate. Cloud-native environments demand this visibility where identities are dynamic, permissions are complex, and threats move quickly.
Combining IAM for access control, privileged access management (PAM) for high-value accounts, and ITDR for threat detection creates a comprehensive identity security strategy.
4 core components of an ITDR strategy
An effective ITDR strategy uses these four foundational components that work together to protect identities across your cloud environment:
1. Identity inventory and contextual visibility
Any effective ITDR strategy starts with comprehensive visibility into all identities—both human and non-human—across your multi-cloud environment. This includes cataloging user accounts, service accounts, API keys, access tokens, and machine identities. Beyond simple enumeration, you need context for which identities have access to sensitive data, carry elevated privileges, or stay active versus dormant.
Cloud infrastructure entitlement management (CIEM) platforms deliver this visibility by computing each identity's effective permissions (the net result of identity policies, resource policies, group membership, permission boundaries, and role-assumption chains) and comparing them with what the identity actually uses. That comparison lets you identify over-permissioned identities before they become attack paths.
2. Baseline behavior monitoring
Once you have visibility, the next step is establishing normal behavior patterns for each identity. Baseline behavior monitoring tracks typical access patterns, API usage, resource interactions, and authentication methods for both human users and service accounts.
These baselines form the foundation for detecting deviations. For example, if a service account that typically accesses a specific S3 bucket during business hours suddenly starts downloading data from multiple regions at 3 AM, that deviation signals potential threats.
Behavioral baselines must also account for role-based patterns. For instance, a developer's normal behavior differs from a database administrator's, and both differ from an automated CI/CD pipeline's activity.
3. Anomalous activity detection
Once you've established baselines, your ITDR solution continuously monitors for anomalies that indicate potential identity-based threats. These red flags often signal compromise:
Unusual authentication patterns: Failed login attempts, logins from new locations or devices, or access outside normal business hours
Privilege escalation attempts: Sudden changes in permissions or role assignments
Lateral movement indicators: Service accounts accessing resources outside their normal scope
Data exfiltration signals: Large data transfers, downloads to unusual destinations, or access to sensitive repositories
Modern ITDR solutions use machine learning to identify subtle anomalies that manual monitoring would miss. The key is correlation: a single anomaly might be benign, but multiple anomalies from the same identity within a short time frame often indicate active compromise.
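The baseline and correlation logic described above, as an added, self-contained example (this is not Wiz's code or any product's detection engine). It learns per-identity baselines from constructed sample activity in a normalized shape, scores new events against them, and raises a finding only when several distinct anomaly types from one identity land inside a short window. Identity names, IPs, timestamps and field names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample activity in a normalized shape (hypothetical; not real CloudTrail output).
# Each event: identity, UTC time, API action, region, source IP.
HISTORY = [
    {"identity": "backup-svc", "time": "2025-03-03T09:15:00Z", "action": "s3:GetObject", "region": "us-east-1", "source_ip": "10.0.0.5"},
    {"identity": "backup-svc", "time": "2025-03-03T13:40:00Z", "action": "s3:GetObject", "region": "us-east-1", "source_ip": "10.0.0.5"},
    {"identity": "backup-svc", "time": "2025-03-04T09:05:00Z", "action": "s3:GetObject", "region": "us-east-1", "source_ip": "10.0.0.5"},
    {"identity": "backup-svc", "time": "2025-03-05T14:20:00Z", "action": "s3:GetObject", "region": "us-east-1", "source_ip": "10.0.0.5"},
    {"identity": "alice", "time": "2025-03-04T09:30:00Z", "action": "signin:ConsoleLogin", "region": "us-east-1", "source_ip": "198.51.100.20"},
    {"identity": "alice", "time": "2025-03-05T10:10:00Z", "action": "signin:ConsoleLogin", "region": "us-east-1", "source_ip": "198.51.100.20"},
]

LIVE_EVENTS = [
    # backup-svc: its usual action and region, but at 3 AM from an unknown IP ...
    {"identity": "backup-svc", "time": "2025-03-06T03:02:10Z", "action": "s3:GetObject", "region": "us-east-1", "source_ip": "203.0.113.7"},
    # ... then an action it has never called ...
    {"identity": "backup-svc", "time": "2025-03-06T03:05:30Z", "action": "s3:ListBuckets", "region": "us-east-1", "source_ip": "203.0.113.7"},
    # ... then reads from a region it has never touched.
    {"identity": "backup-svc", "time": "2025-03-06T03:09:45Z", "action": "s3:GetObject", "region": "eu-west-1", "source_ip": "203.0.113.7"},
    # alice: one new IP at a normal hour (new network, VPN change). One anomaly, not a compromise signal by itself.
    {"identity": "alice", "time": "2025-03-06T09:32:00Z", "action": "signin:ConsoleLogin", "region": "us-east-1", "source_ip": "198.51.100.99"},
]


@dataclass
class Baseline:
    hours: set = field(default_factory=set)       # UTC hours in which the identity has been active
    regions: set = field(default_factory=set)
    actions: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baselines(history: list) -> dict:
    """Learn per-identity sets of observed hours, regions, actions and source IPs.
    A production system would use frequency distributions with decay, not raw sets."""
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e["identity"]]
        b.hours.add(parse_time(e["time"]).hour)
        b.regions.add(e["region"])
        b.actions.add(e["action"])
        b.source_ips.add(e["source_ip"])
    return dict(baselines)


def score_event(baseline: Baseline, event: dict) -> list:
    """Return the anomaly tags one event earns against its identity's baseline."""
    tags = []
    if parse_time(event["time"]).hour not in baseline.hours:
        tags.append("off_hours")
    if event["region"] not in baseline.regions:
        tags.append("new_region")
    if event["action"] not in baseline.actions:
        tags.append("new_action")
    if event["source_ip"] not in baseline.source_ips:
        tags.append("new_ip")
    return tags


def correlate(baselines: dict, live_events: list, window=timedelta(minutes=15), min_distinct=4) -> dict:
    """Flag an identity only when >= min_distinct *distinct* anomaly types occur within one window.
    Single anomalies are common and noisy; several different ones from one identity in minutes are not."""
    scored = defaultdict(list)
    for e in sorted(live_events, key=lambda e: parse_time(e["time"])):
        b = baselines.get(e["identity"])
        tags = score_event(b, e) if b else ["no_baseline"]  # a never-seen identity is itself a signal
        if tags:
            scored[e["identity"]].append((parse_time(e["time"]), tags))
    findings = {}
    for identity, items in scored.items():
        for i, (start, _) in enumerate(items):          # slide a window over this identity's anomalies
            seen = set()
            for t, tags in items[i:]:
                if t - start > window:
                    break
                seen.update(tags)
            if len(seen) >= min_distinct:
                findings[identity] = sorted(seen)
                break
    return findings


def detect() -> dict:
    return correlate(build_baselines(HISTORY), LIVE_EVENTS)


if __name__ == "__main__":
    for identity, tags in detect().items():
        print(f"ALERT {identity}: {', '.join(tags)}")
```

No single event from `backup-svc` reaches the threshold on its own; it is the union of anomaly types across the three calls in seven minutes that produces the finding, while `alice`'s lone new IP stays below it. The threshold and window are tuning knobs: lower them and you trade missed detections for analyst fatigue.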
4. Real-time alerting and response automation
Detection is only valuable if it leads to rapid response. The final component of ITDR combines real-time alerting with automated response capabilities.
When your system detects an identity-based threat, your ITDR solution immediately alerts your security operations center with rich context about the threat, the affected identity, and the potential blast radius. This context accelerates investigation and reduces the mean time to respond.
Beyond alerting, automation is also critical. ITDR solutions should support these automated responses:
Revoking or suspending compromised credentials
Blocking suspicious IP addresses
Quarantining affected identities
Triggering incident response workflows in your SIEM or SOAR platforms
Automation ensures you can contain threats in seconds or minutes, outpacing manual response times and dramatically reducing potential damage from identity compromise.
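One concrete containment primitive a practitioner wants at this step is revoking a compromised role's live sessions. The added example below (not Wiz's code; the step names and the `FINDING` shape are hypothetical) builds the AWS inline policy that denies every request from sessions issued before a cutoff via the `aws:TokenIssueTime` condition key, evaluates it the way IAM does so you can confirm that a responder's fresh session survives, and lays out an ordered containment plan as reviewable data. The evaluator also encodes the caveat that matters in practice: long-term access keys carry no token issue time, so the condition does not match them and they must be deactivated separately.

```python
import json
from datetime import datetime, timezone
from typing import Optional

ISO = "%Y-%m-%dT%H:%M:%SZ"


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Inline policy that denies every action to any session whose credentials were issued
    before `cutoff`. Attached to a compromised IAM role, it invalidates the sessions an attacker
    already holds, while sessions assumed after the cutoff (for example the responder's own)
    keep working. This is the same aws:TokenIssueTime pattern the AWS console uses for
    'Revoke active sessions'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(ISO)}},
            }
        ],
    }


def session_is_denied(policy: dict, token_issue_time: Optional[datetime]) -> bool:
    """Evaluate the DateLessThan/aws:TokenIssueTime condition as IAM does: a condition on a key
    that is absent from the request context evaluates to false, so the Deny does not apply.
    Long-term access keys have no TokenIssueTime, hence `None` means 'not denied by this policy'."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        cutoff = statement.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff is None or token_issue_time is None:
            continue
        if token_issue_time < datetime.strptime(cutoff, ISO).replace(tzinfo=timezone.utc):
            return True
    return False


def containment_plan(finding: dict, now: datetime) -> list:
    """Ordered, declarative containment steps for one identity finding. Each dict is a step that a
    SOAR runner or an analyst executes; keeping the plan as data lets it be reviewed, logged and
    dry-run first. The "action" labels are hypothetical, not AWS API names."""
    steps = []
    if finding["identity_type"] == "role":
        # Role sessions are temporary: a policy keyed on issue time revokes all of them at once.
        steps.append({"action": "put_role_policy", "role": finding["identity"],
                      "policy_name": "ITDR-RevokeOlderSessions",
                      "policy": revoke_sessions_policy(now)})
    else:
        # IAM user keys are long-lived: each one must be deactivated, then the user quarantined.
        for key_id in finding.get("access_key_ids", []):
            steps.append({"action": "deactivate_access_key", "user": finding["identity"],
                          "access_key_id": key_id})
        steps.append({"action": "attach_quarantine_policy", "user": finding["identity"]})
    if finding.get("source_ip"):
        steps.append({"action": "block_ip", "ip": finding["source_ip"], "ttl_hours": 24})
    steps.append({"action": "open_incident", "severity": finding["severity"],
                  "summary": f"{finding['identity']}: {', '.join(finding['anomalies'])}"})
    return steps


# Constructed finding in the shape a detection stage might hand over (hypothetical values).
FINDING = {
    "identity": "BackupRole", "identity_type": "role", "severity": "high",
    "source_ip": "203.0.113.7", "anomalies": ["off_hours", "new_ip", "new_action", "new_region"],
}

if __name__ == "__main__":
    plan = containment_plan(FINDING, datetime(2025, 3, 6, 3, 15, tzinfo=timezone.utc))
    print(json.dumps(plan, indent=2))
```

Applying the plan against AWS means `iam:PutRolePolicy` for the first step and `iam:UpdateAccessKey` with `Status=Inactive` for key deactivation; the plan stays provider-neutral so the same finding can drive the equivalent steps in Entra ID (revoke sign-in sessions, disable the account) or GCP (disable the service account, delete its keys). Deny-by-issue-time is a blunt instrument: it also cuts off legitimate automation using that role, so pair it with the incident ticket rather than running it silently.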
ITDR vs. IAM vs. PAM: What’s the difference?
Identity security is thick with acronyms, which makes the subject confusing. Here's a breakdown of ITDR, IAM, and PAM by their core functions:
| Capability | ITDR | IAM | PAM |
|---|---|---|---|
| Focus | Detecting and responding to identity-based threats | Managing user identities and access rights | Managing privileged or admin accounts |
| Scope | All users and systems | All users and systems | High-value accounts (like admins or services) |
| Functions | Threat detection, investigation, and incident response | Provisioning, de-provisioning, authentication, and authorization | Secure storage, rotation of privileged credentials, and least privilege |
| Key features | Threat detection, behavioral analysis, and automated response | User provisioning, password resets, multi-factor authentication (MFA), single sign-on (SSO), and role management | Vault passwords, session recording, and just-in-time access |
Here’s a detailed dive into each concept:
What is IAM?
IAM is the framework of policies, tools, and processes that manages user identities, permissions, and roles across IT resources.
IAM tools enforce permission policies and implement controls such as SSO and MFA. Role-based access control (RBAC) grants permissions according to a user's role and responsibilities, which keeps access aligned to job function and prevents unauthorized access.
Key functions of IAM security include:
Robust authentication methods such as SSO and MFA
Risk-based (adaptive) authentication that raises requirements when sign-in risk signals are elevated
Periodic access reviews and revocation for inactive or over-permissioned accounts
What is PAM?
PAM is a subset of IAM focused on privileged accounts. Because these accounts are prime targets for attackers, you must monitor them and enforce least privilege principles.
The operative term for PAM—and CPAM for cloud-based environments—is “just in time.” PAM offers just-in-time temporary access with the exact permissions needed for business purposes, preventing the abuse risks associated with permanently open accounts.
Key functions of PAM include:
Session monitoring, recording, and alerting for flagged trigger conditions
Just-in-time provisioning of temporary privileges
Enforcing least privilege access while streamlining business operations
How does ITDR fit into the bigger picture?
ITDR builds on IAM and PAM rather than replacing them. It consumes IAM's foundations, such as the identity inventory, role assignments, and authentication events, and PAM's controls, such as vaulted credentials and just-in-time elevation, as both the context for detection and the enforcement points for response.
On top of those, ITDR adds what neither provides: continuous monitoring that identifies identity-related threats like account compromise, insider abuse, and credential misuse, together with anomaly detection and response automation that contain them.
In short, IAM decides who may access what, PAM tightens that for the most sensitive accounts, and ITDR watches how identities actually behave and acts when they are abused in cloud environments.
How does ITDR work in multi-cloud and hybrid environments?
Multi-cloud and hybrid environments introduce unique challenges for identity security. Because each cloud provider uses a distinct IAM model, maintaining consistent identity policies is difficult.
Below are some of the challenges of multi-cloud identity security:
Inconsistent IAM models create gaps: AWS IAM roles, Microsoft Entra ID (formerly Azure Active Directory), and GCP IAM each use different permission structures and policy languages, making unified policy enforcement and visibility difficult.
Fragmented logs hide cross-cloud attacks: Logs and telemetry from different providers use different formats and reside in separate systems. An attacker might compromise an AWS service account, access Azure resources via federation, and exfiltrate data from GCP while making it appear as separate, unrelated events.
Cloud-native services multiply complexity: Each provider offers dozens of native services that create their own service accounts and permissions. Managing these programmatically is complex, and misconfigurations are common.
Agentless ITDR deployment removes the friction from traditional security tools. Traditional tools require agents on every workload, causing deployment complexity and performance overhead. Modern ITDR solutions use cloud-native APIs to collect identity and activity data without agents. A unified data layer aggregates signals from all cloud providers for cross-cloud correlation and detection.
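What cross-cloud correlation requires in practice is a normalization step. The added example below (not Wiz's code) maps constructed records shaped like an AWS CloudTrail event, Microsoft Entra sign-in logs, and a Google Cloud audit log into one event schema, then groups them by source IP and time, surfacing one actor touching all three clouds within minutes. Field names follow each provider's published log schema; the values, account ID and principals are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Provider-neutral identity event: the minimum needed to join activity across clouds."""
    provider: str
    time: datetime
    principal: str
    action: str
    source_ip: str


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_cloudtrail(rec: dict) -> Event:
    ident = rec.get("userIdentity", {})
    service = rec["eventSource"].split(".")[0]                 # "sts.amazonaws.com" -> "sts"
    return Event("aws", _ts(rec["eventTime"]), ident.get("arn") or ident.get("userName", "unknown"),
                 f'{service}:{rec["eventName"]}', rec.get("sourceIPAddress", ""))


def normalize_entra_signin(rec: dict) -> Event:
    return Event("azure", _ts(rec["createdDateTime"]), rec["userPrincipalName"],
                 f'signin:{rec.get("appDisplayName", "unknown")}', rec.get("ipAddress", ""))


def normalize_gcp_audit(rec: dict) -> Event:
    p = rec["protoPayload"]
    return Event("gcp", _ts(rec["timestamp"]), p["authenticationInfo"]["principalEmail"],
                 p["methodName"], p.get("requestMetadata", {}).get("callerIp", ""))


NORMALIZERS = {"aws": normalize_cloudtrail, "azure": normalize_entra_signin, "gcp": normalize_gcp_audit}


def normalize(provider: str, rec: dict) -> Event:
    return NORMALIZERS[provider](rec)


def correlate_by_source_ip(events: list, window=timedelta(minutes=30), min_providers=2) -> list:
    """Report source IPs that touched >= min_providers clouds within one window.
    Principal names differ per cloud (ARN vs UPN vs email), so without a federation mapping
    the source IP and timing are the joins that survive across providers."""
    by_ip = defaultdict(list)
    for e in events:
        if e.source_ip:
            by_ip[e.source_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if e.time - start.time <= window]
            providers = sorted({e.provider for e in chain})
            if len(providers) >= min_providers:
                findings.append({"source_ip": ip, "providers": providers,
                                 "principals": sorted({e.principal for e in chain}),
                                 "actions": [f"{e.provider}:{e.action}" for e in chain]})
                break
    return findings


# Constructed records (hypothetical values) laid out like each provider's native log format.
SAMPLE_RECORDS = [
    ("aws", {"eventVersion": "1.08", "eventTime": "2025-03-06T03:02:10Z",
             "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
             "sourceIPAddress": "203.0.113.7",
             "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-svc",
                              "userName": "deploy-svc"}}),
    ("azure", {"createdDateTime": "2025-03-06T03:06:40Z", "userPrincipalName": "deploy-svc@corp.example",
               "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}),
    ("azure", {"createdDateTime": "2025-03-06T03:07:00Z", "userPrincipalName": "bob@corp.example",
               "ipAddress": "198.51.100.42", "appDisplayName": "Office 365 Exchange Online",
               "status": {"errorCode": 0}}),
    ("gcp", {"timestamp": "2025-03-06T03:09:20Z",
             "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
                              "authenticationInfo": {"principalEmail": "deploy-svc@corp.example"},
                              "requestMetadata": {"callerIp": "203.0.113.7"}}}),
]


def detect(records=SAMPLE_RECORDS) -> list:
    return correlate_by_source_ip([normalize(p, r) for p, r in records])


if __name__ == "__main__":
    for f in detect():
        print(f"{f['source_ip']} active in {f['providers']}: {f['actions']}")
```

Viewed per provider, each of the three records for 203.0.113.7 is unremarkable: one role assumption, one portal sign-in, one object read. Only after normalization do they line up as a single seven-minute sequence, which is the point of the unified data layer described above.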
What are machine identities?
Machine identities—also known as non-human identities, service accounts, or workload identities—are credentials that applications, services, containers, and automation use to authenticate to cloud resources.
These include the following:
Service accounts for CI/CD pipelines, backup systems, and monitoring tools
API keys and access tokens for application integrations
Container and Kubernetes service accounts
Serverless function execution roles
OAuth tokens for SaaS application integrations
Machine identities often carry elevated privileges because they require broad access to perform tasks. For instance, a backup service account might have read access to every production database, or a CI/CD pipeline might have permission to deploy code across your entire multi-cloud environment.
Machine identities represent high-risk blind spots for several reasons:
Over-permissioning is standard practice: Service accounts often hold more permissions than necessary. Manually implementing least privilege takes time, causing teams to rely on broad default settings. These excess permissions remain active and frequently serve as attack vectors.
Attackers exploit them for lateral movement: Gaining initial access prompts attackers to seek service accounts with elevated privileges. They use these identities as tools for lateral movement, privilege escalation, and data exfiltration.
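Both the effective-permissions check described under contextual visibility and the over-permissioning problem above come down to comparing what an identity may do with what it actually does. The added example below (not Wiz's code) parses an AWS IAM policy document, flags wildcard grants, lists granted action patterns that no observed activity has exercised, and drafts a least-privilege replacement from observed usage. The policy, usage data and ARNs are constructed. IAM action matching is implemented here as case-insensitive glob matching, which covers `*` and `?`; NotAction/NotResource, Deny statements, permission boundaries and SCPs are out of scope and would have to be evaluated before trusting the result.

```python
import fnmatch
from collections import defaultdict


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allow_patterns(policy: dict) -> list:
    """Flatten Allow statements into (action_pattern, resource) pairs.
    Action and Resource may each be a string or a list in a policy document."""
    pairs = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        pairs.extend((a, r) for a in actions for r in resources)
    return pairs


def is_allowed(policy: dict, action: str) -> bool:
    return any(_matches(a, action) for a, _ in allow_patterns(policy))


def wildcard_findings(policy: dict) -> list:
    """Grants of every action ('*'), every action in a service ('s3:*'), or on every resource."""
    return [(a, r) for a, r in allow_patterns(policy) if a == "*" or a.endswith(":*") or r == "*"]


def unexercised_patterns(policy: dict, used_actions) -> list:
    """Granted action patterns that no observed action (e.g. 90 days of API activity) matched.
    These are the first candidates for removal."""
    return sorted({a for a, _ in allow_patterns(policy)
                   if not any(_matches(a, u) for u in used_actions)})


def least_privilege_policy(used: dict) -> dict:
    """Rebuild a policy from observed usage (action -> resource ARNs), one statement per distinct
    resource set. Treat the output as a starting point for review, not a blind replacement:
    an observation window misses rare but legitimate actions such as disaster-recovery restores."""
    groups = defaultdict(list)
    for action, resources in used.items():
        groups[tuple(sorted(resources))].append(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": list(res)}
                  for res, actions in sorted(groups.items())]
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed example: a backup service account's current policy and what it actually called.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/backup-key"},
    ],
}
USED = {  # action -> resources seen in activity logs (hypothetical)
    "s3:GetObject": {"arn:aws:s3:::prod-backups/*"},
    "s3:ListBucket": {"arn:aws:s3:::prod-backups"},
    "kms:Decrypt": {"arn:aws:kms:us-east-1:123456789012:key/backup-key"},
}

if __name__ == "__main__":
    print("wildcards:", wildcard_findings(CURRENT_POLICY))
    print("never used:", unexercised_patterns(CURRENT_POLICY, USED))
    print("proposed:", least_privilege_policy(USED))
```

The current policy lets this account delete buckets and pass arbitrary roles, neither of which it has ever done; the proposed policy keeps the three actions it does use, scoped to the resources it used them on. That gap between granted and exercised permissions is exactly the blast radius an attacker inherits when the account's credentials leak.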
2 common ITDR use cases
Two scenarios demonstrate how ITDR delivers immediate value:
1. ITDR to mitigate CSP credential compromise
Threat groups increasingly target cloud service provider (CSP) accounts, stealing user credentials through phishing, infostealer malware, and leaked secrets. Compromised credentials allow attackers to exfiltrate data, disrupt services, and stage ransomware attacks.
Below is an overview of ITDR solutions responding in real time across various stages of an attack:
| Attacker | ITDR solution |
|---|---|
| Steals credentials through phishing attacks or by exploiting vulnerabilities in CSPs | Monitors login attempts for suspicious patterns |
| Gains access to cloud resources using stolen credentials | Identifies anomalous behavior like unusual API calls and data downloads |
| Exfiltrates data, disrupts services, or launches further attacks | Runs automated responses like blocking suspicious IP addresses and quarantining compromised accounts |
| Covers tracks by deleting logs | Retains detailed logs and forensic data for investigation |
| Continuously refines tactics to target newly discovered vulnerabilities | Updates current threat intelligence to enable continuous improvement of security posture and threat response |
This use case demonstrates how ITDR provides defense-in-depth against credential compromise. Monitoring authentication patterns, detecting anomalous behavior, and automating response allows ITDR to contain threats before they cause significant damage.
2. ITDR for insider threat detection
Malicious insiders already hold legitimate credentials, so they reach resources without breaking in. When those credentials carry more permission than the job requires, the insider can use them to steal data, sabotage systems, or cause significant harm.
Below is an overview of ITDR solutions responding in real time across the various stages of an insider attack:
| Attacker | ITDR solution |
|---|---|
| Insider, planning to leave the company, sets out to take sensitive data | Monitors user activity for deviations from normal behavior |
| Starts accessing files and folders outside their usual scope of work | Detects anomalous data access patterns, like accessing sensitive files or downloading large amounts of data |
| Attempts to exfiltrate data via email to a personal account or by uploading to external cloud storage | Identifies suspicious transfers and triggers alerts or automations, like blocking the transfer or quarantining the user account |
| Tries to cover tracks by deleting logs or modifying access timestamps | Retains detailed logs and forensic data for investigation |
| Attempts to escalate privileges or access other systems | Monitors for privilege escalation attempts and unauthorized access |
Insider threats are particularly challenging because attackers already have legitimate access, so traditional perimeter security can’t detect these threats. ITDR’s behavioral monitoring and anomaly detection are essential for identifying insider threats before they cause damage.
Operationalize ITDR with Wiz’s unified security approach
Wiz Defend includes ITDR as part of unified cloud detection and response within our AI Application Protection Platform (AI-APP). Identity threats are investigated in the same place as the workloads, data stores, and permissions they can impact, because an attacker who steals credentials typically uses them to access workloads, exfiltrate data, or pivot to other systems.
Detecting the identity compromise without understanding its impact leaves you with incomplete information. The Wiz Security Graph provides a granular view of all cloud identities (users, service accounts, groups, and roles) across AWS, Azure, GCP, and beyond. Wiz precisely calculates effective permissions for each identity, enabling least privilege enforcement and exposing lateral movement paths before attackers exploit them.
The Blue Agent is the AI engine behind these ITDR capabilities. When an identity-based detection fires, such as an impossible travel alert, unusual API usage, or a privilege escalation attempt, the Blue Agent investigates immediately. It correlates the login event with the identity's permission scope, recent API activity, related cloud events, and resource access patterns. The result is a complete investigation narrative with a transparent verdict: was this a compromised credential or legitimate activity?
Agentic Workflows automate the response. For example, when the Blue Agent detects a suspicious login, a Workflow can send a Slack message to the user for validation, and if the activity is not recognized, escalate to SecOps with the full investigation context attached. Teams define the automation boundaries; agents execute within them. Ready to unify identity context, cloud activity, and runtime behavior into a single investigation surface? Get a demo to see how Wiz Defend operationalizes ITDR across your entire cloud environment.