The identity layer is where the breach actually starts.
Most account compromises in 2026 do not begin with a stolen password. They begin with a phished session token replayed from another country, while MFA is still happily green. Managed ITDR is the layer of detection that watches Microsoft 365, Entra ID, and Google Workspace for those signals — and the practitioner who picks up the phone when one fires at 3 a.m. Bundled in Protected at $32 per user per month.
Identity Threat Detection and Response (ITDR) is the set of detections and response actions focused on the identity layer of your business — sign-ins, session tokens, MFA events, OAuth consents, mailbox rules, and privileged-role changes — rather than the endpoint layer.
It exists because most modern attacks against small businesses never touch an endpoint at all. The attacker phishes a session token, replays it from a foreign IP, sets a mail rule to hide their tracks, and sends a fraudulent wire-instructions email from inside the victim's real mailbox. EDR cannot see any of that. ITDR can.
Managed ITDR adds the part that decides whether the service produces outcomes or just notifications: a 24/7 Security Operations Center reviewing the alerts, plus a CISSP-led practitioner who coordinates the actual response.
What you get, what it costs, and why it pays for itself
We operate Huntress Managed ITDR for you — the same identity threat detection platform Huntress runs for 200,000+ organizations, deployed and tuned to your Microsoft 365 or Google Workspace tenant.
The Huntress 24/7 SOC reviews identity alerts within minutes, automatically isolates confirmed compromised accounts, and Obsidian Ridge picks up the practitioner side: response coordination, evidence capture, insurance notification, and the post-incident debrief.
Managed ITDR is included in Protected at $32 per user per month and Complete from $55 per user per month. The Foundation tier ($15 per agent per month) is endpoint-only and does not include ITDR.
Stopping a single business-email-compromise attempt typically covers years of service.
What's included
Everything that goes into Managed ITDR
Anomalous sign-in detection
Impossible travel, anonymous proxy and Tor sign-ins, foreign-IP logins to accounts that have no business outside one country. Detections come from the Huntress Managed ITDR platform and are reviewed by an analyst before anything reaches you.
Token replay and AiTM detection
Modern phishing kits steal session tokens, not passwords, then replay them from a different country. MFA is already satisfied. Detection has to happen on session behaviour. That is what this watches for.
Anomalous mail-rule monitoring
Auto-forwarding rules, rules that delete on receipt, rules that hide messages matching 'wire', 'ACH' or 'invoice' — these are the canonical staging step for business email compromise. We see them within minutes of creation.
OAuth consent and app-registration review
Consent phishing is the quieter cousin of credential theft. A user grants a malicious app mailbox access, no password ever changes hands, and the attacker has a stable foothold. The SOC reviews new consents and risky app registrations.
MFA fatigue and bypass patterns
Repeated push prompts, MFA method changes, fallback to weaker factors, and registration of attacker-controlled authenticators are all surfaced. We tell you when an account looks like it is being worn down.
Incident response coordination
If an identity is compromised, you are not left translating tool alerts into next steps. We coordinate session revocation, password and MFA reset, audit-log review, insurance notification, and the post-incident debrief.
The detection platform is Huntress Managed ITDR — Huntress builds and runs the detection engine and the 24/7 SOC. Obsidian Ridge does not claim to have built the detection platform. We deploy it, tune the policies for your environment, handle the escalations Huntress raises, and own the practitioner-side response — coordination, evidence capture, insurance notification, and the post-incident write-up.
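The mail-rule card above describes the signals in words; the script below is an added example (not Obsidian Ridge or Huntress code) that shows the same staging indicators as detection logic run over audit records. The records are constructed and only imitate the shape of Exchange Online New-InboxRule / Set-InboxRule audit entries (an Operation plus a list of Name/Value parameters); the tenant domain, folder list, and keyword list are assumptions you would tune per client.

```python
"""Flag newly created inbox rules that look like business-email-compromise staging.

Added example; this is not Obsidian Ridge or Huntress code. The audit records
below are constructed and simplified: they imitate the shape of Exchange Online
New-InboxRule / Set-InboxRule audit entries (an Operation plus a list of
Name/Value parameters) but are not real tenant data.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}        # constructed: the tenant's own mail domains
PAYMENT_WORDS = re.compile(r"\b(wire|ach|invoice|payment|remit\w*)\b", re.IGNORECASE)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "conversation history", "deleted items"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: list = field(default_factory=list)


def _params(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(record):
    """Score one inbox-rule audit record; an empty reasons list means nothing stood out."""
    p = _params(record)
    name = p.get("Name", "")
    finding = Finding(user=record["UserId"], rule_name=name)
    # Rule names that are only punctuation ('.', ',') are a frequently reported BEC habit
    if re.fullmatch(r"[\W_]{1,3}", name):
        finding.reasons.append(f"rule name {name!r} is bare punctuation")
    for key in FORWARD_PARAMS:
        for addr in p.get(key, "").split(";"):
            addr = addr.strip()
            if addr and _is_external(addr):
                finding.reasons.append(f"{key} sends mail to external address {addr}")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        finding.reasons.append("DeleteMessage: matching mail is deleted on receipt")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        finding.reasons.append("MarkAsRead: matching mail never shows as unread")
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        finding.reasons.append(f"MoveToFolder: matching mail is buried in {folder!r}")
    for key in FILTER_PARAMS:
        words = p.get(key, "")
        if words and PAYMENT_WORDS.search(words):
            finding.reasons.append(f"{key} filters on payment language: {words!r}")
    return finding


def suspicious_rules(records):
    """Return a Finding for every inbox-rule record carrying at least one indicator."""
    findings = []
    for record in records:
        if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        finding = assess_rule(record)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample records: two staging rules and one benign newsletter rule.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "wire;ACH;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "backup"},
                    {"Name": "ForwardTo", "Value": "finance.archive@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RECORDS):
        print(f"{f.user} rule {f.rule_name!r}:")
        for reason in f.reasons:
            print("  -", reason)
```

Each indicator on its own is weak (people do forward mail to a personal address); the value is in the combination, which is why the function collects every reason rather than stopping at the first one, and why the newsletter rule produces no finding at all.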
The question is rarely “which acronym is best.” It is “which one of these would have caught the attack that actually hit a business like yours last quarter?” This table is honest about where each one is blind.
| Attack pattern | EDR alone | MDR alone (endpoint-only) | MDR + Managed ITDR |
|---|---|---|---|
| Phishing email lands, user clicks | Not seen — no endpoint malware | Not seen — endpoint-only scope | Sign-in anomaly + session events caught |
| Attacker replays stolen session token from abroad | Invisible — happens in the cloud | Invisible — happens in the cloud | Impossible-travel + risky sign-in flagged |
| Attacker creates auto-forward rule for 'wire OR ACH' | Not seen | Not seen | Inbox-rule alert within minutes |
| Malicious OAuth app granted mailbox access | Not seen | Not seen | Consent review + revoke action |
| Ransomware on a laptop | Caught — endpoint detection works | Caught + analyst response | Caught + analyst response |
| Best fit | Tech-mature teams that staff their own triage | Endpoint-heavy orgs without cloud identity risk | Any business running Microsoft 365 or Google Workspace |
If your business runs on Microsoft 365 or Google Workspace, identity is where the attacker is going. Buying endpoint-only detection in 2026 is buying a fence around the building while leaving the front door open.
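The "impossible-travel" flag in the table's second row is the simplest of the cloud-side checks to reason about, so here it is as an added example (not Obsidian Ridge or Huntress code). The sign-in records are constructed: a real identity platform's sign-in log carries the source IP and a geo-lookup, and here the resolved latitude/longitude is embedded in each record so the check runs offline. The 900 km/h ceiling and the 50 km floor are assumed thresholds.

```python
"""Impossible-travel check over successful sign-ins.

Added example; not Obsidian Ridge or Huntress code. The sign-in records are
constructed: a real identity platform's sign-in log gives the source IP and a
geo-lookup, and here the resolved latitude/longitude is embedded directly so
the check runs offline. The 900 km/h ceiling is an assumed threshold (roughly
airliner speed) and the 50 km floor ignores geo-IP jitter inside one city.
"""
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold
MIN_DISTANCE_KM = 50.0      # assumed floor
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive successful sign-ins by the same user
    whose implied speed exceeds max_kmh. Failed attempts are skipped: they say
    something about guessing, not about where the account is actually in use."""
    ordered = sorted((s for s in signins if s["result"] == "success"),
                     key=lambda s: (s["user"], _ts(s["time"])))
    alerts = []
    for user, group in groupby(ordered, key=lambda s: s["user"]):
        prev = None
        for cur in group:
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
                hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600
                # hours == 0 with a real distance is the extreme case: two places at once
                kmh = float("inf") if hours == 0 else km / hours
                if km >= min_km and kmh > max_kmh:
                    alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                                   "km": round(km), "hours": round(hours, 2),
                                   "kmh": round(kmh) if hours else kmh})
            prev = cur
    return alerts


# Constructed sample: RFC 5737 documentation addresses, coordinates are city centres.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2026-03-10T14:00:00Z", "ip": "198.51.100.23",
     "lat": 39.74, "lon": -104.99, "result": "success"},   # Denver
    {"user": "alice@example.com", "time": "2026-03-10T15:30:00Z", "ip": "203.0.113.77",
     "lat": 6.45, "lon": 3.39, "result": "success"},       # Lagos, 90 minutes later
    {"user": "bob@example.com", "time": "2026-03-10T09:00:00Z", "ip": "198.51.100.40",
     "lat": 41.88, "lon": -87.63, "result": "success"},    # Chicago
    {"user": "bob@example.com", "time": "2026-03-10T11:00:00Z", "ip": "198.51.100.41",
     "lat": 43.04, "lon": -87.91, "result": "success"},    # Milwaukee, 2 hours later
    {"user": "bob@example.com", "time": "2026-03-10T11:05:00Z", "ip": "203.0.113.9",
     "lat": 55.75, "lon": 37.62, "result": "failure"},     # Moscow, failed attempt
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['km']} km in {a['hours']} h "
              f"({a['kmh']} km/h) from {a['from_ip']} to {a['to_ip']}")
```

The point of the session-token scenario is that both of Alice's sign-ins are fully MFA-satisfied; nothing about either one is wrong on its own. Only the pair, and the time between them, gives the replay away, which is why the check has to run across the sign-in history rather than on each event in isolation.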
See the save
What an ITDR save actually looks like at 3 a.m.
A short walkthrough of the kind of identity incident this service is built to catch. Anonymized, but the shape of the attack and response are real.
Compliance mapping
What auditors and underwriters actually see
Managed ITDR supports and produces evidence for the identity-side controls most frameworks now ask about. It does not make your organization compliant on its own — nothing does — but the detection logs, response records, and incident reports are the artifacts the auditors and underwriters keep asking for.
SOC 2 CC6 (Logical and Physical Access) — supports monitoring of authentication events, session controls, and access anomalies, with evidence preserved in the case file.
HIPAA Security Rule 164.312(b) Audit Controls — produces the audit-log review and anomaly-detection records required for technical safeguards. The ePHI scoping itself remains the covered entity's responsibility.
ISO/IEC 27001 A.5.16 and A.5.17 (Identity management, Authentication information) — supports the operational evidence for identity lifecycle and authentication monitoring controls.
Where carriers and auditors used to accept an attestation checkbox, more of them now ask for the actual log review evidence. That is what ITDR produces continuously rather than as a one-time exercise.
Pricing
Three tiers. ITDR is in two of them.
We are explicit: Foundation is endpoint-only and does not include identity monitoring. If your real risk is in Microsoft 365 or Google Workspace, you want Protected or Complete. We will tell you that on the triage call too.
Prices in USD · per agent or per user
Tier 01 · Foundation
Foundation
$15 / agent / mo
EDR only · ITDR not included
Endpoint protection watched 24/7. Useful, but it does not see what happens inside Microsoft 365 or Entra ID. If identity is your real risk, you want Protected.
What's included
Always-on endpoint protection. EDR: the agent watches endpoint activity; the SOC reviews the alerts. Identity-side events are not part of this tier.
Human alert review. SOC triage: endpoint alerts are read by an analyst before they reach you, but Microsoft 365 sign-ins, inbox rules, and OAuth consents are not monitored here.
Quarterly posture check-in. Posture review: a senior practitioner reviews what changed and what still needs attention.
Direct email support. Security advisory: a person to ask when something feels off, not a generic ticket queue.
No ITDR coverage at this tier. Identity monitoring: if you want token-theft and inbox-rule detection, step up to Protected.
Replaces or complements
Antivirus subscriptions that flag everything and stop nothing
Generic IT-installed protection with no one reviewing alerts
Tier 02 · Protected
Protected
$32 / user / mo
EDR + Managed ITDR
Adds Managed ITDR for Microsoft 365, Entra ID, and Google Workspace. This is the tier where most identity incidents are stopped.
Everything in Foundation, plus
24/7 identity threat detection. ITDR: Microsoft 365, Entra ID, and Google Workspace are watched for impossible-travel sign-ins, token replay, anomalous inbox rules, OAuth consent attacks, and MFA fatigue patterns.
Session-level response, not just alerts. Token revocation: when a token theft is confirmed, active sessions are revoked and the account is force-signed-out before the attacker can move laterally.
Security awareness training. Phishing simulation: short lessons and realistic phishing tests, because most identity attacks begin with a phish that captures the session.
Audit-ready records. Compliance evidence: documentation that supports SOC 2 CC6 logical access, HIPAA 164.312(b) audit controls, and ISO 27001 A.5.16/A.5.17 identity and authentication controls.
Senior practitioner included. Security advisory: a real person who explains what a token-theft alert means and helps the business actually respond.
Replaces or complements
Standalone identity tools that don't have anyone watching the alerts
Cyber-insurance carrier MFA attestations that nobody verifies after binding
Manual login-anomaly review your team never actually does
Tier 03 · Complete
Complete
from $55 / user / mo
EDR + Managed ITDR + SIEM
Managed ITDR plus 90-day evidence retention, quarterly tabletop drills, and reserved practitioner hours. For teams that already feel the weight of compliance.
Everything in Protected, plus
Audit-ready security records. SIEM: logs from endpoints, identity, network, and cloud tools are collected so investigations and evidence requests are easier to answer.
Searchable evidence for 90 days. Log retention: when someone asks what happened, we investigate from stored security records instead of rebuilding the story after the fact.
Quarterly tabletop drill. Tabletop exercise: we walk through what your team would do if a token-theft incident hit, before the pressure is real.
Framework alignment support. Compliance readiness: we help turn identity detection and response work into clearer evidence for audits, renewals, and client reviews.
Replaces or complements
Separate logging tools no one reads
Advisory retainers with no monitoring behind them
A patchwork of identity tools that don't talk to each other
Cyber insurance baseline · SOC 2 Type II · HIPAA · PCI-DSS
Huntress Managed ISPM — the prevention layer that sits in front of ITDR
Managed ITDR catches identity attacks that are happening right now. Managed Identity Security Posture Management (ISPM) reduces the conditions that make those attacks possible in the first place. It runs continuous checks against the Microsoft 365 and Entra ID configurations attackers actually abuse — legacy authentication still enabled, MFA gaps on privileged accounts, risky OAuth consent settings, dormant admin roles, shared mailboxes used as user accounts — and turns the findings into a prioritized remediation plan a real human reviews with you.
We offer Managed ISPM as an add-on to the Protected and Complete tiers through our Huntress partnership. Like ITDR, it is operated end-to-end: findings are triaged, deduplicated, and scheduled for closure rather than landing as another dashboard you have to learn.
Huntress Managed ISPM vs Microsoft Entra ID Governance
Both products improve identity security in Microsoft environments, but they answer different questions — and the right choice depends on team size and licensing.
| Capability | Huntress Managed ISPM | Microsoft Entra ID Governance |
|---|---|---|
| Primary purpose | Detect and prioritize identity misconfigurations that make account compromise easier. | Govern the identity lifecycle — access reviews, entitlement management, lifecycle workflows. |
| Who operates it | Huntress + Obsidian Ridge. Findings come with remediation guidance and a coordinated closure plan. | Customer IT team. Powerful tooling, but the configuration and review workflows are yours to run. |
| Licensing | Included with the Huntress identity stack. No additional Microsoft license required. | Requires Entra ID Governance — a separate paid SKU on top of Entra ID P1/P2. |
| Deployment friction | Low. Connects to the tenant via standard Microsoft Graph permissions; first findings within hours. | Higher. Access reviews, entitlement packages, and lifecycle workflows are designed for organizations with mature identity governance practices. |
| Best for | Teams that need posture improvement and prioritized fixes without standing up a governance program. | Larger organizations running formal access certifications and joiner-mover-leaver automation. |
| Relationship to ITDR | Reduces the configuration gaps that ITDR alerts on — fewer preventable incidents to chase. | Tightens who has access, but does not surface configuration risks ITDR cares about (legacy auth, OAuth consent, mailbox rules). |
For most small and mid-market organizations on Microsoft 365, the honest answer is to start with ISPM. It pays for itself the first time it catches legacy authentication still enabled on a shared mailbox, or an admin without MFA, before an attacker does. Entra ID Governance is excellent, but it is priced and scoped for enterprises with a dedicated identity team to operate it.
Managed ITDR is the right fit for most small and mid-market businesses running Microsoft 365 or Google Workspace and worried about account compromise, business email compromise, or wire-fraud staging. It is not the right fit if:
You do not actually use a cloud productivity suite. If everything is on-premises file shares and a local Exchange server, the identity attack surface is different and ITDR is the wrong starting point.
You already run an in-house identity SOC — whether that is Huntress Managed ITDR you operate yourself, Microsoft Defender for Cloud Apps + Entra ID Protection, or a SIEM with custom identity detections — with a 24/7 team reading the alerts. Then you do not need us — you need a peer review, not a managed service.
You want a one-time identity assessment PDF and nothing afterward. Buy a consultant for that. We are a continuous service, not a deliverable.
You want a vendor who will tell you every alert is critical so the dashboard looks impressive. We tell you when you don't need us.
If any of those describe you, we will say so on the triage call. No hard feelings.
What happens after you reach out
From first call to first identity alert handled
01
Free 20-minute triage
A direct call with the practitioner. We confirm fit, scope, and whether you actually need ITDR or whether the right next step is something simpler — turning on Conditional Access, blocking external auto-forwarding at the tenant level, fixing MFA hygiene. If you don't need us, we say so.
02
30-minute briefing & written proposal
Within one business day after the briefing, you get a fixed-fee proposal with scope, term, onboarding fee, and timeline. The tenants we will connect to and the signals we will pull from each one are listed by name.
03
Identity onboarding (5–10 business days)
Huntress Managed ITDR deployment: tenant connection (Microsoft 365 / Entra ID / Google Workspace), detection policy baseline, sign-in risk thresholds, mail-rule and OAuth-consent policies, escalation paths, and tabletop walkthrough of the first incident-response runbook.
04
24/7 operation, ongoing
The SOC is watching from day one. You get a 30-day check-in, monthly identity reports, and a practitioner you can call when a sign-in looks wrong — or when you simply want a second opinion on whether to grant an OAuth consent.
FAQ
Questions that come up before signing
What is the difference between MDR and ITDR?
MDR (Managed Detection and Response) watches your endpoints — laptops, servers, workstations — and responds when they show signs of compromise. ITDR (Identity Threat Detection and Response) watches the identity layer: Microsoft 365 sign-ins, Entra ID risk events, Google Workspace logins, OAuth consents, and mailbox rules. They are complementary, not competing. Most modern attacks start in identity (a phished session token) and never touch an endpoint, so MDR alone leaves a real gap. ITDR closes that gap. The Protected tier of Obsidian Ridge bundles both.
Do I need ITDR if I already have MFA?
Yes. MFA blocks password-only attacks, but it does not stop adversary-in-the-middle (AiTM) phishing kits that capture the authenticated session itself. Once an attacker holds a valid session token, they can replay it from anywhere and your tenant sees them as fully MFA-authenticated. Huntress and other major industry threat-reporting teams have repeatedly identified AiTM and token theft as a primary identity-compromise pattern against small and mid-market businesses.
What identity attacks does ITDR catch that EDR doesn't?
Anything that happens entirely in the cloud. A phished session token replayed from a foreign IP, an auto-forwarding rule created to hide invoice emails, a malicious OAuth app granted mailbox.read permissions, MFA-method changes that re-register the account to an attacker's authenticator, anonymous-proxy sign-ins — none of those touch the endpoint, so endpoint detection cannot see them. ITDR is the layer that does.
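Two of the patterns this answer lists, the MFA-method change that re-registers an account to a new authenticator and the "wearing down" of a user with repeated push prompts, are really one sequence: a burst of prompts, an approval, then a new method. The script below is an added example (not Obsidian Ridge or Huntress code) of detecting that sequence over authentication events. The events are constructed and simplified to user, timestamp and event kind; the thresholds (five prompts in ten minutes, a one-hour follow-up window) are assumed starting points.

```python
"""MFA-fatigue pattern detection over authentication events.

Added example; not Obsidian Ridge or Huntress code. Event records are
constructed and simplified: a real identity platform emits richer events, but
the shape (user, timestamp, event kind) is all the logic needs. Thresholds are
assumed starting points, not tuned values.
"""
from collections import deque
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 5             # assumed: prompts inside WINDOW before it counts as a burst
WINDOW = timedelta(minutes=10)   # assumed
FOLLOW_UP = timedelta(hours=1)   # assumed: how long after a burst a method change stays suspicious
PROMPT_KINDS = {"push_denied", "push_timeout", "push_approved"}


def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def detect_mfa_fatigue(events, threshold=PROMPT_THRESHOLD, window=WINDOW, follow_up=FOLLOW_UP):
    """Return one finding per user whose push prompts reach `threshold` inside `window`.

    Severity is raised to 'high' when a prompt is approved once the burst is under
    way, or when a new MFA method is registered within `follow_up` of the burst:
    that is the point where a worn-down user becomes a persistent foothold."""
    by_user = {}
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        recent = deque()          # prompt timestamps inside the sliding window
        burst_started = None      # time of the first prompt of the first burst
        peak = 0
        approved_after = False
        registered = []
        for e in evs:
            t = _ts(e["time"])
            if e["kind"] in PROMPT_KINDS:
                recent.append(t)
                while t - recent[0] > window:
                    recent.popleft()
                if len(recent) >= threshold:
                    burst_started = burst_started or recent[0]
                    peak = max(peak, len(recent))
                if burst_started and e["kind"] == "push_approved":
                    approved_after = True
            elif (e["kind"] == "method_registered" and burst_started
                  and t - burst_started <= follow_up):
                registered.append(e.get("method", "unknown"))
        if burst_started:
            findings.append({
                "user": user,
                "prompts": peak,
                "approved_after_burst": approved_after,
                "methods_registered": registered,
                "severity": "high" if (approved_after or registered) else "medium",
            })
    return findings


# Constructed sample: alice is worn down and re-registered, bob is normal, carol
# is prompted repeatedly but never approves.
SAMPLE_EVENTS = [
    *[{"user": "alice@example.com", "time": f"2026-02-14T02:{m:02d}:00Z", "kind": "push_denied"}
      for m in range(51, 57)],
    {"user": "alice@example.com", "time": "2026-02-14T03:02:00Z", "kind": "push_approved"},
    {"user": "alice@example.com", "time": "2026-02-14T03:09:00Z", "kind": "method_registered",
     "method": "Authenticator app (new device)"},
    {"user": "bob@example.com", "time": "2026-02-14T08:00:00Z", "kind": "push_denied"},
    {"user": "bob@example.com", "time": "2026-02-14T08:01:00Z", "kind": "push_approved"},
    *[{"user": "carol@example.com", "time": f"2026-02-14T11:{m:02d}:00Z", "kind": "push_denied"}
      for m in range(0, 5)],
]

if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['prompts']} prompts, approved={f['approved_after_burst']}, "
              f"new methods={f['methods_registered']} -> {f['severity']}")
```

Bob's one denied prompt followed by an approval is what a legitimate mistyped-then-retried login looks like and produces nothing; Carol's burst with no approval is worth a call but not a revocation, which is the distinction the severity field carries.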
Can ITDR see across Microsoft 365 and Google Workspace?
Yes. Huntress Managed ITDR connects to both Microsoft 365 (Entra ID, Exchange Online, OneDrive, SharePoint) and Google Workspace (audit log, Gmail, Drive) and correlates identity events across both. We deploy the connectors, tune the policies for your tenants, and the Huntress 24/7 SOC reviews the alerts. Obsidian Ridge adds the practitioner layer on top — escalation handling, response coordination, evidence capture, and the post-incident write-up.
How fast does Obsidian Ridge respond to a token-theft alert?
Sign-in risk and inbox-rule alerts are reviewed by the SOC within minutes, around the clock. A confirmed token theft triggers automated session revocation immediately, and an on-call practitioner picks up the case to coordinate password reset, MFA re-enrollment, and the audit-log review needed for cyber-insurance notification. Our published field note on a 3 a.m. ITDR save walks through one engagement in detail.
What does Managed ITDR cost?
Managed ITDR is included in the Protected tier at $32 per user per month and in the Complete tier from $55 per user per month. It is not sold as a standalone line item, because operating it without the surrounding MDR, training, and reporting program leaves obvious gaps. The Foundation tier at $15 per agent per month is EDR only and does not include ITDR — we are explicit about that in the pricing section.
Is Huntress Managed ITDR the same as Entra ID Protection or Defender for Cloud Apps?
No. Entra ID Protection and Defender for Cloud Apps are Microsoft-native tools — useful, but you have to license, configure, tune, and staff them yourself, and they only see the Microsoft side of the world. Huntress Managed ITDR is a purpose-built identity-threat platform that watches both Microsoft 365 and Google Workspace, comes with a 24/7 SOC reviewing every alert, and is operated end-to-end by Obsidian Ridge. The Microsoft tools produce signals. Huntress + Obsidian Ridge produce decisions.
Does ITDR help with cyber-insurance renewals?
Yes, in two practical ways. First, it produces the kind of evidence underwriters now ask for — MFA coverage, identity monitoring, session controls, and incident-response capability — instead of a self-attested checklist. Second, when an incident does happen, the audit-log record and the practitioner-written incident report meet most carriers' 72-hour notification requirements with room to spare. We have seen renewals decline coverage when the carrier discovered the attested MFA controls were never actually verified post-binding.