Building Your Identity Threat Detection and Response (ITDR) Programme: First 100 Days Playbook

Identity is now the primary target for attackers. As organisations move to hybrid and cloud-first environments, identity systems
have become both the frontline and the critical weak point. Traditional perimeter defences no longer suffice. Detecting and
responding to identity-based attacks requires a dedicated capability: Identity Threat Detection and Response (ITDR).

Building an ITDR programme is not about buying another tool. It is about creating a coherent, operational capability across people,
processes, and technology. This briefing sets out a practical roadmap for IAM leaders to establish an initial ITDR capability within
the first 100 days.

‍

Why ITDR Cannot Wait

Identity-based attacks are no longer theoretical risks. Techniques such as Kerberoasting, Pass-the-Ticket, MFA fatigue, and OAuth
token abuse have become mainstream. Attackers exploit gaps between authentication events, privilege management, and monitoring
systems.

Without visibility into how identities are being used and misused organisations are exposed to silent lateral movement, privilege
escalation, and data breaches. ITDR provides the missing detection layer focused on abnormal identity behaviours across cloud
and on-premises systems.

‍

The First 100 Days: A Practical Playbook

The first 100 days are about laying foundations, proving value early, and avoiding common pitfalls. The focus should be on building a
functioning detection and response loop, not on perfection.

Days 1–30: Establish Scope and Visibility

Start by defining what you want to protect and what you need to see. Without the right telemetry, ITDR cannot function.

• Inventory critical identities: Map privileged accounts, service accounts, federated identities, and critical applications.
  
• Baseline authentication flows: Document typical logon paths across systems. Understand what 'normal' looks like for different
  user types.
  
• Collect the right logs: Ensure ingestion of authentication events, access grants, ticketing events (e.g., Kerberos), and cloud token
  activity into your SIEM or XDR platform.
  
• Identify blind spots: Highlight areas where identity activity is not currently logged or correlated.
  

At the end of this stage, you should have a clear picture of the identity attack surface and where your monitoring gaps lie.

Days 31–60: Build Initial Detection and Response Capability

Focus next on creating actionable detections and a basic response workflow.

• Deploy identity-specific detection rules: Start with high-impact detections such as impossible travel, Kerberos ticket anomalies,
  and suspicious OAuth app grants.
  
• Align with the SOC: Ensure that identity threat detections feed into existing triage processes. Identity alerts must not sit in a silo.
  
• Define incident categories: Classify identity-related incidents distinctly, recognising that response actions may differ from malware
  or network alerts.
  
• Prepare playbooks: Develop initial runbooks for common identity threats (e.g., service account compromise, token theft) covering
  investigation and containment steps.
  

By day 60, your team should be able to detect and respond to basic identity threats, even if coverage is not yet complete.

Days 61–100: Expand Coverage and Reduce Gaps

With initial operations in place, the next step is to harden and expand.

• Enhance detection depth: Introduce behavioural analytics for lateral movement patterns and privilege escalation indicators.
  
• Broaden telemetry: Integrate logs from federated identity providers, third-party SSO applications, and cloud admin APIs.
  
• Test incident response: Conduct tabletop exercises focused on identity attacks. Validate that detections trigger the right actions and
  that the team can respond effectively.
  
• Prioritise automation: Identify opportunities to automate response actions, such as token revocation, conditional access enforcement,
  or forced password resets.
  

At the end of the first 100 days, you should have a working ITDR capability: able to detect, investigate, and contain identity-based threats in a structured and repeatable way.

‍

Common Pitfalls to Avoid

While speed matters, rushing ITDR implementation without strategic clarity creates long-term risks. Avoid these common mistakes:

• Over-reliance on vendor claims: No tool provides full ITDR out of the box. Success depends on integration and tuning, not just buying.
  
• Ignoring service and non-human accounts: Attackers increasingly target automation and integration accounts, not just users.
  
• Treating identity alerts as low priority: Identity anomalies often indicate the earliest stages of an attack, not harmless noise.

‍

Final Thoughts

Building an ITDR capability is not a project with a finish line. It is an operational discipline that must evolve alongside identity systems
and attacker techniques. The first 100 days are your opportunity to shift from passive identity management to active identity defence.

By focusing on visibility, detection, and response from the outset, IAM leaders can create an ITDR capability that strengthens overall
security posture and provides early warning against the attacks that other controls miss.

‍