How long does ITDR deployment take?

ITDR is cloud-native and connects to identity sources via API — no agents to roll out for detection. Time to first signal is short; confirm exact timing with us.

Which identity providers does ITDR support?

ITDR is built to read events from major identity providers such as Microsoft Entra ID, Okta, and Google Workspace. Confirm the exact supported list with us.

How is ITDR different from EDR?

EDR watches endpoints; ITDR watches identities. Most modern attacks begin with a stolen credential or token rather than malware, so the two are complementary.

Does ITDR work multi-tenant for MSPs?

Yes. ITDR is multi-tenant from day one, with every client and identity source in one console and per-tenant policy and tuning.

Where does identity data live and how long is it kept?

Event data is encrypted in transit and at rest and retained for a configurable window. See the Security & Compliance page for specifics.

Stage 01 · The Detector

Catch the collision at the first particle.

ITDR watches every identity event in your environment and registers a compromise the instant it happens — at the smallest level where an attack first becomes visible. The earlier you see it, the smaller it stays.

Get a demo What it watches Log in ↗

The detector array

Every identity event, read in real time.

Identity is where most modern attacks actually begin. The Detector reads the full signal — not just logins — so a takeover can't hide inside normal-looking activity.

SIG 01

Authentication

Logins, MFA prompts, impossible-travel, and brute-force patterns across every identity provider.

SIG 02

Token & session use

Stolen tokens, replayed sessions, and anomalous OAuth grants that bypass passwords entirely.

SIG 03

Privilege changes

New admin rights, role escalations, and permission grants that quietly widen an attacker's reach.

SIG 04

Account lifecycle

Newly created, dormant, or revived accounts — classic footholds for persistence.

SIG 05

Behavioral drift

Activity that breaks an identity's normal pattern, scored continuously against its own baseline.

SIG 06

Cross-source correlation

The same identity seen across cloud, SaaS, and on-prem — stitched into one timeline.

Real‑timeDetection‑to‑signal · latency number coming soon

See it, then hand it off.

The moment the Detector registers a compromise, it doesn't just alert — it fires the signal straight into the reaction, so the Containment Field can act before the attacker takes a second step. Detection that leads directly to response, with nothing lost in between.

Where it sits in the reaction

Detector

ITDR spots the event, instantly

→

Containment

DomainGuard blocks & filters

→

Observatory

MDR reviews — optional

In the field

Three attacks, caught early.

What detection-to-containment actually looks like when the Detector fires. Timelines are illustrative.

Scenario 01 · Stolen session

02:14:03Impossible-travel login — Mumbai → Frankfurt in 11 minutes.
02:14:04Detector scores the session against the identity's baseline — far outside normal.
02:14:05Token revoked, session killed, client notified.

Outcome: account secured before a second request.

Scenario 02 · Privilege escalation

09:41A standard user is suddenly granted Global Admin in the tenant.
09:41Detector flags the role change as anomalous for that account and actor.
09:42Grant rolled back and the change escalated for review.

Outcome: a quiet foothold closed before it's used.

Scenario 03 · OAuth abuse

17:08A new OAuth app is consented with broad mailbox scopes.
17:08Detector correlates the grant with an earlier risky sign-in for the same identity.
17:09App access revoked; the identity's tokens rotated.

Outcome: token-based persistence cut off at the source.

Questions

ITDR, answered.

How long does deployment take? +

ITDR is cloud-native and connects to your identity sources via API — no agents to roll out for detection. Typical time to first signal is short. Exact timings coming soon

Which identity providers are supported? +

ITDR is built to read events from major identity providers — e.g. Microsoft Entra ID, Okta, and Google Workspace. Full supported list coming soon

What happens on a false positive? +

Detections are scored against each identity's own baseline to keep noise low. Responses can be tuned per tenant — from notify-only to automatic containment — so a low-confidence event doesn't lock a user out. Control details coming soon

How is this different from EDR? +

EDR watches endpoints; ITDR watches identities. Most modern attacks begin with a credential or token, not malware on a laptop — ITDR catches the takeover that never touches the endpoint. They're complementary.

Does it work multi-tenant for MSPs? +

Yes. ITDR is multi-tenant from day one — every client and identity source in one console, with per-tenant policy and detection tuning.

Where does my identity data live, and how long is it kept? +

Event data is encrypted in transit and at rest and retained for a configurable window. See Security & Compliance for specifics. Residency & retention details coming soon

The promise

The earlier you catch it, the smaller it stays.

See the Detector in action