Add‑on for XDR & MDR
Sophos Identity Threat Detection & Response (ITDR) strengthens identity security by detecting compromised accounts, abnormal authentication behavior, privilege escalation, and identity‑based attack techniques across hybrid environments. Integrated with Sophos Central, ITDR adds critical identity-layer visibility and automated response actions, helping organizations stop adversaries earlier in the attack chain.
As identity exploitation becomes one of the primary methods attackers use to breach networks, ITDR provides real-time detection and containment of identity-based threats across endpoints, networks, cloud applications, and identity providers.
Sophos ITDR is available in two deployment models:
- ITDR Add‑on for XDR
- ITDR Add‑on for MDR
Each model enhances your existing Sophos security posture with identity‑centric detection, analytics, and response.
ITDR Add‑on for XDR
The ITDR Add‑on for XDR extends your Sophos XDR platform with identity-layer telemetry and threat detection capabilities.
Key Benefits
- Enhanced XDR telemetry with identity analytics across AD, Azure AD/Entra ID, and cloud apps
- Detection of compromised credentials, suspicious authentication attempts, impossible travel anomalies, MFA bypass attempts, and lateral movement
- Identity threat correlation with endpoint, firewall, network, and email signals already in XDR
- Automated response actions, such as disabling accounts, forcing password resets, alerting SOC teams, or isolating devices
- Identity-based threat hunting with natural language queries and AI-driven detection insights
Ideal For
Organizations with an internal SOC or security team that uses Sophos XDR for detection, investigation, and response, and that wants to add stronger identity threat visibility.
ITDR Add‑on for MDR
Key Benefits
- 24/7 MDR analyst monitoring of identity systems, authentication patterns, and privilege escalations
- Human-led threat hunting to detect stealthy identity-based attacks, including credential theft, domain reconnaissance, and attempted domain takeover
- MDR-initiated response actions, including user lockdown, MFA resets, device isolation, or full incident response
- Integrated case handling where MDR analysts correlate identity events with endpoint, firewall, and cloud telemetry
- Faster containment of identity breaches through machine-accelerated and human-led analysis
- Mitigation guidance and post-incident recommendations driven by the MDR operations team
Ideal For
Core ITDR Capabilities (Both XDR & MDR Add‑Ons)
- Real-Time Identity Threat Detection
  - Compromised account use
  - Suspicious login locations and impossible travel
  - Privilege escalation attempts
  - MFA bypass or manipulation
  - Password-spray and brute-force attempts
  - Lateral movement patterns
- Behavioral & Contextual Analytics
  - Baseline user behaviors and detect anomalies
  - Monitor access patterns across cloud and on-prem systems
  - Detect deviations from normal login routines or privileges
- Automated Response Actions
  - Disable user accounts
  - Force password resets
  - Revoke sessions
  - Isolate compromised endpoints
  - Enforce conditional access actions (where integrated)
- Threat Surface Coverage
  - Microsoft Active Directory
  - Azure AD / Entra ID
  - Cloud SaaS applications connected with identity
  - Endpoints, servers, networks (via XDR/MDR)
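The capability list above names what gets flagged but not what such signals look like in authentication telemetry. The following is an added illustration, not Sophos code and not a description of how Sophos ITDR implements these detections: it runs two of the listed detections, impossible travel and password spraying, over a constructed set of authentication events. The event schema, the geolocation fields (assumed to be resolved upstream from the source IP), the speed and window thresholds, and all sample data are assumptions made for the example.

```python
"""Toy identity-threat detectors over constructed authentication events.

Added illustration of two detection categories (impossible travel, password
spray). Not Sophos code; the event schema, thresholds and sample data are
constructed for this example only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime        # authentication timestamp (UTC)
    src_ip: str
    lat: float          # geolocated source coordinates (assumed resolved upstream)
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag consecutive successful logins by the same user that imply travel
    faster than max_kmh (roughly airliner speed). Hops shorter than min_km are
    ignored to absorb geo-IP jitter. Returns (user, earlier, later, kmh)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                findings.append((user, prev, cur, speed))
    return findings


def password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failed logins inside `window` touch at least
    min_users distinct accounts with at most max_per_user failures each: the
    low-and-slow pattern that per-account lockout thresholds do not catch.
    Returns (src_ip, sorted list of targeted users), one finding per source."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.src_ip].append(e)
    findings = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append((ip, sorted(per_user)))
                break
    return findings


T0 = datetime(2024, 1, 15, 9, 0, 0)

# Constructed sample: alice logs in from London, then 40 minutes later from
# Singapore; bob logs in twice from nearby points in New York (benign); one
# source fails once against each of six accounts within five minutes.
SAMPLE_EVENTS = [
    AuthEvent("alice", T0, "203.0.113.10", 51.5074, -0.1278, True),
    AuthEvent("alice", T0 + timedelta(minutes=40), "198.51.100.7", 1.3521, 103.8198, True),
    AuthEvent("bob", T0, "192.0.2.5", 40.7128, -74.0060, True),
    AuthEvent("bob", T0 + timedelta(hours=3), "192.0.2.6", 40.7300, -73.9900, True),
] + [
    AuthEvent(u, T0 + timedelta(minutes=i), "198.51.100.99", 52.52, 13.405, False)
    for i, u in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])
]


def run_detections(events=SAMPLE_EVENTS):
    """Run both detectors and return a compact summary suitable for alerting."""
    return {
        "impossible_travel": [(u, round(kmh)) for u, _, _, kmh in impossible_travel(events)],
        "password_spray": password_spray(events),
    }


if __name__ == "__main__":
    for category, hits in run_detections().items():
        print(category, hits)
```

Both detectors are deliberately stateless batch functions over an event list; a production pipeline would keep per-user and per-source state across streaming events and tune the thresholds to the organisation's own travel and failure baselines, which is the "baseline user behaviors" point made in the list above.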
Business Impact
- Stop identity-based breaches early—before attackers move laterally or escalate privileges
- Reduce risk of account takeover, insider threats, and compromised credentials
- Extend your Zero Trust strategy with identity-driven detection and access controls
- Simplify security operations with centralized identity threat visibility
- Enhance compliance with detailed identity audit logs and threat reporting
- Accelerate investigation and response with integrated XDR/MDR workflows