IDENTITY THREAT DETECTION · ACTIVE DIRECTORY · ENTRA ID · OKTA · ITDR

Detect identity compromise before domain-level damage. Real-time credential threat detection.

Detect credential abuse, privilege escalation, and lateral movement in real time across Active Directory, Entra ID, Okta, and cloud identity providers. Behavioural analytics surfaces compromised identities before attackers achieve their objectives.

Executive Overview

The majority of breaches involve identity compromise

Attackers no longer break in — they log in. Compromised credentials, privilege escalation, and lateral movement via legitimate identity infrastructure account for the majority of enterprise breaches, completing in hours while traditional defences detect in weeks.

Live Identity Threat Feed
SIEM · AD · ENTRA · OKTA
TIME      SEV       TECHNIQUE          USER         SRC IP         TARGET        STATUS
03:17:42  CRITICAL  Kerberoasting      jsmith       10.1.42.18     dc01.corp     BLOCKED
03:16:35  HIGH      Pass-the-Hash      adm_backup   10.4.12.88     fs02.corp     ALERT
03:15:28  CRITICAL  Golden Ticket      svc_sql      172.16.0.44    dc01.corp     BLOCKED
03:14:21  HIGH      Impossible Travel  cporter      185.4.12.203   entra.azure   ALERT
03:13:14  MEDIUM    MFA Fatigue        hsinha       10.0.8.131     okta.corp     WATCH
03:12:07  CRITICAL  DCSync             svc_repl     10.1.20.5      dc01.corp     BLOCKED
Events / 24h: 847,291
Critical: 23
Blocked: 21
MTTR: < 30 s
False positive rate: < 0.8%
Detection Accuracy: 99.2%
Validated across 40+ enterprise environments
Supervised + unsupervised ML ensemble · TensorRT 8.6

Mean Time to Detect (MTTD)
Industry median: 45 days
Spakto ITDR: < 30 s (SLA p99 = 27 s)
Stated speed-up: 478× faster than the industry median. Note that the arithmetic shown here (45 d × 86,400 s/d ÷ 27 s) gives roughly 144,000×, not 478×; the 478× figure is consistent with the 207-minute industry average quoted under Automated Response (207 min × 60 s ÷ 26 s ≈ 478).

False Positive Rate: < 0.8%
analyst-grade signal quality

IDP Coverage: 4+
AD · Entra · Okta · CyberArk
Attack Category Distribution: detected identity threats, trailing 30 days across all monitored environments
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting / TGS abuse: 31%
T1110 Brute Force: credential stuffing / password spraying: 24%
T1078.003 Valid Accounts: Local Accounts (used for privilege escalation): 18%
T1550.002 / T1550.003 Use Alternate Authentication Material: lateral movement via Pass the Hash / Pass the Ticket: 14%
T1528 Steal Application Access Token: OAuth / token theft: 9%
T1078 Valid Accounts: insider privilege abuse (the sub-technique T1078.001 is Default Accounts, which does not fit, so the parent technique is used): 4%
All techniques mapped to MITRE ATT&CK Enterprise v15
Source: Spakto threat telemetry + Verizon DBIR 2024
Environments: 40+ enterprise customers globally
Live Credential Telemetry

Every authentication event, parsed in real time.

Spakto ingests 4.2 billion identity events daily across Active Directory, Entra ID, Okta, and LDAP — normalising, enriching, and risk-scoring each one before any human could act on it.

48,611 events / sec
14 identity sources (IDPs)
< 1 ms parse latency
0 active alerts

INGEST (4.2B/day): Event Ingestion from AD · Entra · Okta · CyberArk · LDAP
PARSE (99.97%): Normalise & Enrich, structured + geo + asset context
CORRELATE (< 4 ms): Identity Graph Link, user → device → role → resource
SCORE (real-time): Risk Model Inference, UEBA + supervised ML ensemble
CONNECTED SOURCES
Active Directory
Entra ID
Okta
CyberArk
BeyondTrust
Azure AD B2C
Ping Identity
Duo Security
Threat Landscape

Identity attack vectors Spakto detects

Every technique below has a corresponding detection rule in Spakto's ITDR engine — mapped to MITRE ATT&CK, with severity ratings drawn from real-world incident response engagements.

T1110.004 · HIGH
Credential Stuffing
Automated replay of breached credential pairs across multiple identity providers
T1558.003 · CRITICAL
Kerberoasting
Requesting service tickets (TGS) for SPNs registered to user accounts, then cracking the ticket's encrypted portion offline to recover the service account password; a common path to Domain Admin
T1550.002 · CRITICAL
Pass-the-Hash
NTLM hash reuse to authenticate laterally without the plaintext password
T1558.001 · CRITICAL
Golden Ticket
Kerberos TGT forged with the stolen KRBTGT key, carrying arbitrary group membership and lifetime; long-term domain persistence
T1003.006 · CRITICAL
DCSync Attack
Abuse of the directory replication protocol (MS-DRSR) to pull password hashes, including KRBTGT, from a domain controller
T1528 · HIGH
OAuth Token Theft
Consent phishing and token replay to access M365 / GCP / AWS resources
T1621 / T1111 · HIGH
MFA Fatigue / AiTM
Push-notification bombing until the user approves (T1621), and adversary-in-the-middle proxies that intercept OTPs and session cookies (T1111, T1557)
T1078 · HIGH
Insider Privilege Abuse
Legitimate elevated users exfiltrating data outside their normal access scope (mapped to Valid Accounts; T1078.001 is Default Accounts and does not fit)
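The Kerberoasting and DCSync entries above, written out as detection rules over Windows Security event records. This is an added example and not Spakto's engine: the events, the burst threshold (5 distinct service accounts within 2 minutes) and the replication allowlist are assumptions, while the replication-right GUIDs and the 4769/4662 field names are the real AD schema and Security log values. One caveat for the Signal Collection list further down the page: DCSync detection from the log side relies on event 4662 with the Directory Service Access audit subcategory enabled on domain controllers, and 4662 is not among the AD event IDs listed there.

```python
"""Rule-based identity threat detections over Windows Security events.

Added example, not Spakto's detection engine. SAMPLE_EVENTS is constructed:
field names follow the Windows Security log (4769 Kerberos service ticket
request, 4662 directory object access) but every value is made up.
In 4769, ServiceName is the account that owns the SPN (machine accounts end in $).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access rights a DCSync caller must hold; the GUIDs come from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_HMAC = "0x17"                   # TicketEncryptionType for RC4; AES tickets log 0x11 / 0x12
ROAST_MIN_SPNS = 5                  # assumed tuning: distinct service accounts per user per window
ROAST_WINDOW = timedelta(minutes=2)


def _ts(event):
    return datetime.fromisoformat(event["t"])


def detect_kerberoasting(events, min_spns=ROAST_MIN_SPNS, window=ROAST_WINDOW):
    """T1558.003: one principal pulling RC4 service tickets for many services in a burst.

    krbtgt and machine accounts (trailing '$') are skipped: their keys are long random
    secrets, so those tickets are not crackable offline and bulk requests are normal.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e.get("Status", "0x0") != "0x0":
            continue                                    # only successful TGS requests
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower().startswith("krbtgt") or svc.endswith("$"):
            continue
        per_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):                 # sliding window anchored on each request
            burst = [x for x in evs[i:] if _ts(x) - _ts(first) <= window]
            services = sorted({x["ServiceName"] for x in burst})
            if len(services) >= min_spns:
                alerts.append({"technique": "T1558.003", "name": "Kerberoasting",
                               "severity": "CRITICAL", "user": user,
                               "src_ip": first["IpAddress"], "evidence": services})
                break                                   # one alert per user per batch
    return alerts


def detect_dcsync(events, allowlist):
    """T1003.006: 4662 carrying replication rights from a principal that should never replicate.

    Needs the 'Directory Service Access' audit subcategory on DCs. allowlist holds DC
    computer accounts and sanctioned sync identities (e.g. Entra Connect's MSOL_* account).
    """
    alerts = []
    for e in events:
        if e["id"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights or e["SubjectUserName"] in allowlist:
            continue
        alerts.append({"technique": "T1003.006", "name": "DCSync", "severity": "CRITICAL",
                       "user": e["SubjectUserName"], "target": e["Computer"],
                       "evidence": rights})
    return alerts


def run_detections(events, allowlist=frozenset({"DC01$", "DC02$"})):
    return detect_kerberoasting(events) + detect_dcsync(events, allowlist)


def _tgs(t, user, service, etype="0x17", ip="10.1.42.18"):
    return {"t": t, "id": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": "0x0"}


def _repl(t, subject, *guids):
    return {"t": t, "id": 4662, "Computer": "DC01.corp.io", "SubjectUserName": subject,
            "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",   # domainDNS class
            "Properties": "".join(f"{{{g}}}" for g in guids), "AccessMask": "0x100"}


# Constructed sample: six RC4 service-ticket requests by jsmith in 40 s, one normal AES
# request, a benign krbtgt request, one DCSync by svc_repl, and routine DC-to-DC replication.
SAMPLE_EVENTS = [
    *[_tgs(f"2024-05-01T03:17:{s:02d}", "jsmith@CORP.IO", svc)
      for s, svc in zip(range(2, 44, 8), ["svc_sql01", "svc_web", "svc_sql02",
                                          "svc_ldapapp", "svc_backup", "svc_wiki"])],
    _tgs("2024-05-01T03:17:05", "cporter@CORP.IO", "svc_files", etype="0x12", ip="10.0.8.22"),
    _tgs("2024-05-01T03:17:30", "jsmith@CORP.IO", "krbtgt"),
    _repl("2024-05-01T03:12:07", "svc_repl", *list(REPLICATION_RIGHTS)[:2]),
    _repl("2024-05-01T03:12:09", "DC02$", *REPLICATION_RIGHTS),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a["severity"], a["technique"], a["name"], a["user"], a["evidence"])
```

The Kerberoasting rule keys on RC4 because the cracked value is the service account's password; in an environment that has disabled RC4 through msDS-SupportedEncryptionTypes, any 0x17 request is itself the anomaly and the burst threshold can drop to one. Keep the DCSync allowlist tied to the real replicating principals, since Entra Connect and similar sync accounts hold these rights legitimately and would otherwise fire on every sync cycle.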
User Entity Behavioural Analytics

Risk-scored in milliseconds. Contained before the damage.

Every identity session is scored against five behavioural dimensions. Anomalies compound: a suspicious login plus unusual privilege use plus a DCSync request equals one outcome, automatic containment.

Jane Cooper (Analyst II · Finance): LOW, risk score 12
Marcus Webb (Sr. DevOps Engineer · Platform): MEDIUM, risk score 67
CORP\svc-backup (Service Account · Infrastructure): CRITICAL, risk score 94

SCORING MODEL
Algorithm: UEBA ensemble
Baseline window: 30 days
Update cycle: every 15 min
False positive rate: < 0.8%

IDENTITY PROFILE
CORP\svc-backup (Service Account · Infrastructure), risk score 94
Last session: 14:32:00 from 10.0.0.1 · Kerberos (KRB5)
Golden Ticket indicators; automated containment active

BEHAVIOURAL RISK FACTORS
Location Deviation 100 / 100: authentication from a domain controller IP, not expected for svc-backup
Temporal Anomaly 88 / 100: TGT with a 10-year lifetime (domain policy: 10 h)
Peer Comparison 96 / 100: Domain Admins group access, never seen in this account's history
Privilege Delta 100 / 100: ticket forged with the KRBTGT key (Golden Ticket indicator)
Access Velocity 90 / 100: DCSync replication request detected (MS-DRSR)
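One way to turn the five dimension scores above into a containment decision, written as an added example rather than Spakto's scoring model. Each dimension is scored against a 30-day baseline, the scores are combined with assumed weights, and every high-scoring dimension beyond the first adds a compounding bonus, so that several independent anomalies escalate where one alone stays at watch level. The weights, thresholds, tier-0 group list and both identity profiles are constructed assumptions; the 10-hour ticket lifetime is the Windows default Kerberos policy.

```python
"""Compound behavioural risk scoring for identity sessions (UEBA).

Added example, not Spakto's scoring model. Weights, thresholds, the tier-0 group
list and the baseline/session values are assumptions chosen to show how several
independent anomalies compound into an automatic containment decision.
"""
from dataclasses import dataclass
from datetime import timedelta
from ipaddress import ip_address, ip_network
from math import log10

WEIGHTS = {"location": 0.15, "temporal": 0.25, "peer": 0.20, "privilege": 0.25, "velocity": 0.15}
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
CONTAIN_AT, ALERT_AT = 90, 60       # assumed action thresholds on the 0-100 risk score
HIGH = 80                           # a dimension at or above this counts as a compounding anomaly


@dataclass
class Baseline:
    """What the identity normally does over the 30-day window (constructed)."""
    usual_networks: tuple           # CIDRs the account has authenticated from
    groups_seen: frozenset          # memberships ever observed in its tickets
    peer_groups: frozenset          # union of groups held by accounts in the same role
    max_ticket_life: timedelta      # domain policy; the Windows default MaxTicketAge is 10 h
    peak_auths_per_min: int
    replicates: bool                # has it ever issued directory replication requests?


@dataclass
class Session:
    src_ip: str
    ticket_life: timedelta          # TGT end time minus start time
    groups: frozenset               # groups carried in this session's ticket
    auths_per_min: int
    repl_request: bool              # DRSR GetNCChanges observed from this session


def location_deviation(b, s):
    ip = ip_address(s.src_ip)
    return 0 if any(ip in ip_network(n) for n in b.usual_networks) else 100


def temporal_anomaly(b, s):
    ratio = s.ticket_life / b.max_ticket_life
    if ratio <= 1:
        return 0
    # 50 points for exceeding policy at all, 12.5 more per order of magnitude beyond it
    return int(min(100, 50 + 12.5 * log10(ratio)))


def peer_comparison(b, s):
    beyond_peers = s.groups - b.peer_groups
    if not beyond_peers:
        return 0
    return 100 if beyond_peers & TIER0 else 50


def privilege_delta(b, s):
    new = s.groups - b.groups_seen
    if not new:
        return 0
    return 100 if new & TIER0 else min(100, 30 * len(new))


def access_velocity(b, s):
    ratio = s.auths_per_min / max(1, b.peak_auths_per_min)
    score = 0 if ratio <= 1 else min(80, int(20 * (ratio - 1)))
    if s.repl_request and not b.replicates:
        score = min(100, score + 20)    # replication from an identity that never replicates
    return score


def risk_score(b, s):
    """Weighted mean plus a compounding bonus: each high dimension beyond the first adds 5."""
    dims = {"location": location_deviation(b, s), "temporal": temporal_anomaly(b, s),
            "peer": peer_comparison(b, s), "privilege": privilege_delta(b, s),
            "velocity": access_velocity(b, s)}
    weighted = sum(WEIGHTS[k] * v for k, v in dims.items())
    high = sum(1 for v in dims.values() if v >= HIGH)
    score = min(100, int(round(weighted + 5 * max(0, high - 1))))
    action = "CONTAIN" if score >= CONTAIN_AT else "ALERT" if score >= ALERT_AT else "WATCH"
    return score, action, dims


# Constructed profiles (assumed values modelled on the svc-backup card above).
SVC_BACKUP_BASE = Baseline(("10.0.8.0/24",), frozenset({"Backup Operators"}),
                           frozenset({"Backup Operators"}), timedelta(hours=10), 6, False)
SVC_BACKUP_NOW = Session("10.0.0.1", timedelta(days=3650),
                         frozenset({"Backup Operators", "Domain Admins"}), 40, True)

ANALYST_BASE = Baseline(("10.2.0.0/16",), frozenset({"Finance-Users"}),
                        frozenset({"Finance-Users"}), timedelta(hours=10), 3, False)
ANALYST_NOW = Session("203.0.113.7", timedelta(hours=10), frozenset({"Finance-Users"}), 2, False)

if __name__ == "__main__":
    for name, b, s in [("svc-backup", SVC_BACKUP_BASE, SVC_BACKUP_NOW),
                       ("analyst", ANALYST_BASE, ANALYST_NOW)]:
        print(name, *risk_score(b, s))
```

The weighted mean alone would let several moderate anomalies sit just under the containment line; the bonus for each additional high dimension is what makes the svc-backup profile (new location, 10-year ticket, tier-0 group never held, replication request) resolve to containment regardless of how the weights are tuned, while the analyst profile with a single new-location anomaly stays at WATCH.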
Lifecycle Methodology
SIG-COL · BEH-BAS · ANO-DET · COR-ANA · ALT-GEN · INC-RSP

Detection and response lifecycle

Six engineered stages from raw telemetry ingestion to automated containment — each with real-time analytics, ML scoring, and sub-second decision latency.

LC-01 Signal Collection (SIG-COL)
LC-02 Behavioural Baseline (BEH-BAS)
LC-03 Anomaly Detection (ANO-DET)
LC-04 Correlation & Analysis (COR-ANA)
LC-05 Alert Generation (ALT-GEN)
LC-06 Incident Response (INC-RSP)
LC-01 · STAGE 1 OF 6

Signal Collection

Multi-source identity telemetry ingestion: 47 active feeds normalised to ASIM v1.4

Event Sources: 47 active feeds
Volume: 1.2M events / min
Latency P99: < 15 ms ingest lag
Schema: ASIM 1.4, normalised

Technical Specification
AD Event IDs: 4624 · 4625 · 4768 · 4769 · 4770 · 4776 · 4781
Entra ID: SignInLogs · AuditLogs · RiskDetections · ConditionalAccess
Okta / CyberArk: system.access · user.auth · policy.evaluate · vault.checkout
Network Protocols: LDAP 389 · LDAPS 636 · KRB5 88 · NTLM · OIDC · SAML2
Normalisation: ASIM v1.4 → Log Analytics sharding, workspace-per-region
Retention Policy: hot tier 90 d (query) · cold tier 7 yr (compliance archive)
MITRE tactics: TA0001 Initial Access · TA0003 Persistence · TA0006 Credential Access
ML Inference Engine
v4.2.1

Machine learning at the core of identity security

Five-stage inference pipeline — from raw AD/Entra/Okta telemetry to analyst-ready STIX 2.1 alert in under 30 seconds. Each layer runs as an independent microservice with gRPC streaming and GPU-accelerated scoring.

Model Architecture: PyTorch 2.3 · TensorRT 8.6 · CUDA 12.1 · ONNX 1.16
L-01 · TEL-NORM · TELEMETRY NORMALISATION
Input ingestion + OCSF 1.1 schema canonicalisation

Events/min: 4.2M throughput
p99 latency: 8 ms normalisation
IDP Sources: 4+ covered
Features: 48 per event

Architecture Specs
Schema: OCSF 1.1, Open Cybersecurity Schema Framework (strict validation mode)
Sources: AD 4624/4625/4769/4776/7045, Entra ID SigninLogs v1, Okta SystemLog
Throughput: 4.2M events/min @ p99 < 8 ms, zero-copy ring buffer (LMAX Disruptor)
Output: float32 tensor [batch=256, seq=512, features=48], GPU-pinned memory
Dedup: 60 s sliding window, SHA-256 event fingerprint per source endpoint
Enrichment: asset criticality tier, MaxMind geo-IP, BGP ASN, crown-jewel proximity
Pipeline SLA: < 30 s
GPU Inference: TensorRT 8.6
Model Accuracy: 99.2%
MITRE ATT&CK Coverage

67% (14 of 21) of mapped identity ATT&CK techniques fully detected; 5 partially covered, 2 under threat hunting.

21 detection rules mapped to MITRE ATT&CK for Enterprise, covering identity-targeted techniques and sub-techniques across Initial Access, Credential Access, Privilege Escalation, Lateral Movement, and Persistence.

14 Detected
5 Partial Coverage
2 Threat Hunting
MITRE ATT&CK Framework v16
Initial Access (4 techniques)
T1078 Valid Accounts: DETECTED
T1133 External Remote Services: DETECTED
T1566 Phishing (OTP intercept): PARTIAL
T1078.004 Valid Accounts: Cloud Accounts: DETECTED
Credential Access (5 techniques)
T1003 OS Credential Dumping: DETECTED
T1110 Brute Force: DETECTED
T1558 Steal or Forge Kerberos Tickets: DETECTED
T1539 Steal Web Session Cookie: PARTIAL
T1556 Modify Authentication Process: HUNTING
Privilege Escalation (4 techniques)
T1134 Access Token Manipulation: DETECTED
T1068 Exploitation for Privilege Escalation: PARTIAL
T1548 Abuse Elevation Control Mechanism: DETECTED
T1078.003 Valid Accounts: Local Accounts: DETECTED
Lateral Movement (4 techniques)
T1021 Remote Services: DETECTED
T1550 Use Alternate Authentication Material: DETECTED
T1563 Remote Service Session Hijacking: PARTIAL
T1534 Internal Spearphishing: HUNTING
Persistence (4 techniques)
T1098 Account Manipulation: DETECTED
T1136 Create Account: DETECTED
T1098.002 Account Manipulation: Additional Email Delegate Permissions: DETECTED
T1547 Boot or Logon Autostart Execution: PARTIAL
Automated Response Engine

From detection to containment in under 8 seconds.

When Golden Ticket indicators fire, Spakto's response engine does not wait for an analyst. It isolates, revokes, rotates, notifies, and documents autonomously while the attacker is still using the forged credential. One caveat on the rotation step: forged TGTs only stop working once the KRBTGT password has been reset twice, and the second reset must wait until the first has replicated to every domain controller. Two back-to-back resets before replication converges leave lagging DCs unable to decrypt legitimate tickets and cause authentication failures across the domain.

PLAYBOOK · PB-ITDR-003 · AUTO
Golden Ticket Detection & Containment
01 DETECT: Kerberos ticket anomaly flagged (00.000 s)
02 ENRICH: identity graph linkage (+0.210 s)
03 CORRELATE: lateral movement scope (+0.440 s)
04 ISOLATE: network segment quarantine (+1.800 s)
05 REVOKE: all Kerberos tickets invalidated (+2.600 s)
06 RESET: KRBTGT account double-rotated (+4.100 s)
07 NOTIFY: SOC L2 + CISO alerted (+5.200 s)
08 DOCUMENT: IR ticket created, INC-2024-0847 (+8.300 s)
ACTIVE INCIDENT
Golden Ticket · CORP\svc-backup
CRITICAL · P1 · AUTO-CONTAIN · INC-2024-0847
Mean Time to Detect: vs. industry avg 207 min
Mean Time to Respond: full autonomous response
Auto-Contained: zero analyst required
AFFECTED SYSTEMS
DC01.corp.io (Domain Controller): ISOLATED
FILESVR03.corp.io (File Server): CLEAN
SQL-PROD01.corp.io (Database Server): MONITORING
Why Spakto ITDR

Identity threat detection excellence

Multi-Provider: 4+ IDPs
AD, Entra ID, Okta, CyberArk: a single normalised identity event stream
Detection Speed: < 30 s
From credential use to high-fidelity alert, 478× faster than industry median
ML Accuracy: 99.2%
Validated detection accuracy across supervised and unsupervised ML models
Low FP Noise: < 0.8%
False positive rate validated against 40+ customer environments worldwide
ITDR deployments active across financial services, healthcare, and critical infrastructure
ISO 27001 Aligned
NIST Identity Framework
CIS Control 5 & 6
NIS2 Compliant
DORA Ready
