ITDR Playbook: Detecting Token Theft, Rogue Apps, and Session Hijacking in Okta and Entra
The perimeter is gone — and everyone knows it. What many organizations are still catching up to is what replaced it.
Identity is now the primary attack surface, and attackers are exploiting it with increasing precision. Instead of smashing through firewalls, they steal refresh tokens, abuse OAuth consent, hijack sessions, and quietly persist as legitimate users. Recent industry reporting shows that 67% of organizations have seen an increase in identity-based incidents, with third-party access and stolen credentials dominating breach investigations.
For blue teams and IAM operators, this changes the job. Preventive controls alone are no longer enough. You need Identity Threat Detection and Response (ITDR) that can spot subtle abuse inside trusted identity systems like Okta and Microsoft Entra, and respond fast enough to contain blast radius.
This playbook focuses on the threats defenders are actually seeing — and how to detect, respond, and measure success in the real world.
Why Identity Attacks Are Harder to Catch
Identity attacks don’t look like traditional intrusions. There’s no malware beaconing, no port scans, no obvious lateral movement. Everything happens through legitimate APIs, tokens, and sessions.
Once an attacker holds a refresh token or controls a consented OAuth app, they do not need to authenticate again. They redeem the refresh token at the token endpoint for new access tokens, move between services, and blend into normal user behavior for days or weeks. Session hijacking compounds the problem: a stolen session cookie inherits device trust, the satisfied MFA claim, and the conditional access decision made at the original login.
This is why identity incidents are often detected late — and why blast radius matters as much as detection.
Detecting Refresh Token Theft in Okta and Entra
Refresh tokens are high-value targets because they outlive access tokens (hours versus days or months) and carry the MFA result of the original sign-in forward, so whoever holds one is not re-prompted. Detection hinges on spotting behavior that breaks normal patterns, not just failed logins.
In Entra, refresh-token redemptions show up as non-interactive sign-ins, so the strongest signal is comparing the IP, ASN, device and client of each redemption against the interactive sign-in that originally issued the token. Entra ID Protection's Anomalous Token and Token Issuer Anomaly detections cover part of this, but a per-tenant baseline catches more. When refresh tokens are replayed from hosting infrastructure or geographies never associated with the user, treat it as probable compromise, not a false positive.
Okta environments show similar patterns. The System Log records every OAuth 2.0 token grant (the app.oauth2.* event family) with the client, user and source IP, so watch for sudden spikes in refresh-token grants, particularly outside business hours or immediately following OAuth app consent. A single refresh token being redeemed for access tokens to several resources in rapid succession is another common indicator; in Entra, a refresh token issued to one Microsoft first-party client can be redeemed by other clients in the same family, which makes this pattern especially cheap for an attacker.
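The signals above (a refresh from an ASN or country never seen in the user's interactive logins, refreshes outside business hours, and bursts of refresh grants) can be expressed as one rule over normalized events. The following is an added example written for this playbook, not code from the article, Okta or Microsoft: the events are constructed to look like Okta System Log entries and Entra non-interactive sign-ins after a collector has mapped them to a common shape (Okta's client.ipAddress and client.geographicalContext, Entra's ipAddress and location fields), and the field names, the "entra.noninteractive.refresh" label, the thresholds and the business-hours window are assumptions for the example.

```python
"""Refresh-token anomaly detection over identity log events.

Added example, not code from the article. The events are constructed to
resemble Okta System Log entries and Entra non-interactive sign-in records
after a collector has normalized them to one shape; the field names and
thresholds below are assumptions for this example, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Okta emits an OAuth 2.0 grant event per refresh; for Entra, a
# non-interactive sign-in whose incoming token is a refresh token is the
# equivalent record (the label "entra.noninteractive.refresh" is assumed).
REFRESH_EVENTS = {"app.oauth2.as.token.grant.refresh_token", "entra.noninteractive.refresh"}
INTERACTIVE_EVENTS = {"user.session.start", "entra.interactive.signin"}

BURST_THRESHOLD = 4                 # refresh grants per user per window
BURST_WINDOW_SEC = 120
BUSINESS_HOURS_UTC = range(7, 19)   # assumed working day, adjust per tenant


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_refresh_anomalies(events):
    """Return one finding per suspicious refresh-token grant.

    Baseline = (ASN, country) pairs seen in the user's interactive logins.
    A refresh from a pair outside that baseline, outside business hours, or
    as part of a burst is reported; reasons accumulate on a single event.
    """
    events = sorted(events, key=_ts)
    baseline = defaultdict(set)   # user -> {(asn, country)}
    recent = defaultdict(deque)   # user -> timestamps of recent refreshes
    findings = []
    for e in events:
        user, ctx, t = e["user"], (e["asn"], e["country"]), _ts(e)
        if e["event"] in INTERACTIVE_EVENTS:
            baseline[user].add(ctx)
            continue
        if e["event"] not in REFRESH_EVENTS:
            continue
        reasons = []
        if ctx not in baseline[user]:
            reasons.append("refresh from ASN/country never seen in an interactive login")
        if t.hour not in BUSINESS_HOURS_UTC:
            reasons.append("refresh outside business hours")
        window = recent[user]
        window.append(t)
        while (t - window[0]).total_seconds() > BURST_WINDOW_SEC:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            reasons.append(f"{len(window)} refresh grants within {BURST_WINDOW_SEC}s")
        if reasons:
            findings.append({"user": user, "ts": e["ts"], "src": e["src"],
                             "ip": e["ip"], "reasons": reasons})
    return findings


def _ev(ts, src, user, event, ip, asn, country):
    return {"ts": ts, "src": src, "user": user, "event": event,
            "ip": ip, "asn": asn, "country": country}


# Constructed sample: alice's refresh token is replayed overnight from a
# hosting ASN; bob's Entra refresh token is redeemed once from a new country.
SAMPLE_EVENTS = [
    _ev("2024-05-06T09:02:11Z", "okta", "alice@example.com", "user.session.start",
        "203.0.113.10", "AS64500", "DE"),
    _ev("2024-05-06T09:30:00Z", "okta", "alice@example.com",
        "app.oauth2.as.token.grant.refresh_token", "203.0.113.10", "AS64500", "DE"),
    *[_ev(f"2024-05-07T03:14:{s:02d}Z", "okta", "alice@example.com",
          "app.oauth2.as.token.grant.refresh_token", "198.51.100.7", "AS64496", "NL")
      for s in range(0, 50, 10)],
    _ev("2024-05-06T10:00:00Z", "entra", "bob@example.com", "entra.interactive.signin",
        "203.0.113.20", "AS64500", "DE"),
    _ev("2024-05-06T14:00:00Z", "entra", "bob@example.com", "entra.noninteractive.refresh",
        "203.0.113.20", "AS64500", "DE"),
    _ev("2024-05-06T14:05:00Z", "entra", "bob@example.com", "entra.noninteractive.refresh",
        "192.0.2.44", "AS64499", "US"),
]

if __name__ == "__main__":
    for f in detect_refresh_anomalies(SAMPLE_EVENTS):
        print(f["src"], f["user"], f["ts"], f["ip"], "; ".join(f["reasons"]))
```

The baseline is built only from interactive logins, never from refreshes, so a compromised token cannot teach the rule its own location. ASN and country have to come from enrichment of the source IP; a raw IP comparison produces noise for mobile and VPN users.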
The key mistake teams make is treating these as “interesting logs” instead of actionable alerts. Token misuse is rarely benign.
Rogue OAuth Apps and Consent Abuse
OAuth consent is one of the quietest persistence mechanisms attackers have.
By tricking a user into approving a malicious or over-privileged app, attackers gain durable API access without maintaining a live session. The consent grant survives logout, and although a password change invalidates the user's existing refresh tokens in Entra, the grant itself remains and the app is re-authorized the next time the user signs in; an app granted application (app-only) permissions never depended on the user's session at all.
Detection starts with visibility. Teams need to baseline which apps normally request consent, what permissions they ask for, and who approves them. In both Okta and Entra, high-risk signals include newly registered apps requesting broad scopes: offline_access, Mail.Read or Mail.ReadWrite, Directory.Read.All and Files.ReadWrite.All in Entra, or Okta API scopes such as okta.users.manage, especially when consent comes from non-admin users, from an unverified publisher, or outside expected workflows. Restricting user consent in Entra to verified publishers and low-impact permissions, with everything else routed through admin consent requests, shrinks this surface before detection has to catch it.
Another overlooked signal is unused but still-authorized apps. OAuth grants that remain active without corresponding token issuance or user activity are often persistence artifacts.
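The signals from the two paragraphs above (broad scopes, user rather than admin consent, a freshly registered app, an unverified publisher, and a grant with no recent token issuance) combine naturally into a score. The block below is an added example for this playbook, not code from the article or either vendor: the grant records are constructed to resemble Entra oauth2PermissionGrant objects (space-separated scope string, consentType of "Principal" for user consent or "AllPrincipals" for admin consent) joined with app metadata, with an Okta API-scope grant normalized to the same shape; the scope list, weights, dormancy window and alert threshold are assumptions to tune per tenant.

```python
"""Risk-scoring OAuth consent grants in Okta and Entra.

Added example, not from the article. Grant records are constructed to
resemble Entra oauth2PermissionGrant objects joined with app metadata, with
Okta API-scope grants normalized to the same shape. Weights, the high-risk
scope list, the dormancy window and the threshold are assumptions.
"""
from datetime import datetime, timezone

# Permissions that hand an app durable, broad access: Microsoft Graph scope
# names and Okta API scopes. Illustrative, extend per tenant.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.Read.All",
    "Directory.ReadWrite.All", "User.Read.All",
    "okta.users.manage", "okta.groups.manage", "okta.apps.manage",
}
NEW_APP_DAYS = 7      # app registered this close to the grant counts as new
DORMANT_DAYS = 30     # no token issued for this long = likely persistence artifact
ALERT_AT = 5
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)   # fixed so the example is deterministic


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def score_grant(g, now=NOW):
    """Return (score, reasons) for one normalized grant record."""
    score, reasons = 0, []
    risky = sorted(set(g["scopes"].split()) & HIGH_RISK_SCOPES)
    if risky:
        score += min(2 * len(risky), 6)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if g["consent_type"] == "Principal":          # user consent, not admin
        score += 2
        reasons.append("granted by user consent, not admin")
    if (_d(g["granted"]) - _d(g["app_created"])).days <= NEW_APP_DAYS:
        score += 2
        reasons.append(f"app registered within {NEW_APP_DAYS} days of consent")
    if not g["verified_publisher"]:
        score += 1
        reasons.append("unverified publisher")
    last = g["last_token"]
    if last is None or (now - _d(last)).days > DORMANT_DAYS:
        score += 2
        reasons.append(f"no token issued in {DORMANT_DAYS} days")
    return score, reasons


def triage(grants, alert_at=ALERT_AT):
    """Grants at or above the alert threshold, highest score first."""
    out = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= alert_at:
            out.append({"app": g["app"], "score": score, "reasons": reasons})
    return sorted(out, key=lambda r: -r["score"])


# Constructed sample grants.
SAMPLE_GRANTS = [
    {"app": "Mail Sync Helper", "scopes": "offline_access Mail.ReadWrite User.Read",
     "consent_type": "Principal", "app_created": "2024-05-03", "granted": "2024-05-04",
     "verified_publisher": False, "last_token": "2024-05-09"},
    {"app": "Contoso HR Portal", "scopes": "openid profile User.Read",
     "consent_type": "AllPrincipals", "app_created": "2023-01-10", "granted": "2023-02-01",
     "verified_publisher": True, "last_token": "2024-05-10"},
    {"app": "Old Report Exporter", "scopes": "Files.ReadWrite.All offline_access",
     "consent_type": "AllPrincipals", "app_created": "2022-06-01", "granted": "2022-06-15",
     "verified_publisher": True, "last_token": "2024-01-15"},
    {"app": "Directory Sync Bot", "scopes": "okta.users.manage",
     "consent_type": "AllPrincipals", "app_created": "2024-05-08", "granted": "2024-05-09",
     "verified_publisher": False, "last_token": None},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_GRANTS):
        print(r["score"], r["app"], "; ".join(r["reasons"]))
```

The admin-consented but long-dormant "Old Report Exporter" still crosses the threshold, which is the point of scoring dormancy separately: a grant nobody uses is exactly what an attacker leaves behind.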
Effective ITDR treats OAuth apps as identities in their own right, subject to the same scrutiny as users and service accounts.
Session Hijacking: When MFA Is Already Bypassed
Session hijacking is particularly dangerous because it often defeats MFA and conditional access entirely. If an attacker steals a session cookie, typically through an adversary-in-the-middle phishing proxy or an infostealer, they inherit the trust state of the original login: MFA has already been satisfied and the device checks have already passed.
In Entra, defenders should watch for the same session being used from IP addresses or devices that would normally trigger reauthentication. Sudden changes in user agent strings, browser fingerprints, or access patterns mid-session are strong indicators. Conditional Access token protection (binding the sign-in session to the device) and continuous access evaluation narrow the window, but only for the clients and resources that support them.
Okta System Log events carry the session identifier (authenticationContext.externalSessionId), so the same checks apply there: a session that continues long after its expected expiration, or survives events that should invalidate it such as password resets or device posture changes, is an anomaly that deserves an alert.
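The three indicators above (context drift within one session, a session that outlives a password reset, and a session that runs past the maximum lifetime policy) can be checked by comparing every event against the first event seen for its session id. This is an added example written for this playbook, not code from the article or from Okta: the events are constructed to resemble Okta System Log entries after normalization (session key from authenticationContext.externalSessionId, IP from client.ipAddress, user agent from client.userAgent.rawUserAgent), Entra sign-ins normalized the same way fit without change, and the 12-hour lifetime policy and severity rules are assumptions.

```python
"""Session-hijack indicators over identity session events.

Added example, not from the article. Events are constructed to resemble
Okta System Log entries after normalization; the session lifetime policy
and the severity rules are assumptions for this example.
"""
from datetime import datetime, timezone

# Okta event types after which existing sessions should not keep working.
INVALIDATING_EVENTS = {"user.account.reset_password", "user.account.update_password"}
MAX_SESSION_HOURS = 12   # assumed tenant policy


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_session_anomalies(events):
    """Compare each event against the first event seen for its session id.

    Flags mid-session IP or user-agent drift, continued use after a password
    reset, and sessions living past the configured maximum lifetime.
    """
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    first = {}          # session id -> (ts, ip, ua, user)
    reset_at = {}       # user -> ts of the last password reset
    findings = []
    for e in events:
        t = _ts(e["ts"])
        if e["event"] in INVALIDATING_EVENTS:
            reset_at[e["user"]] = t
            continue
        sid = e.get("session")
        if not sid:
            continue
        if sid not in first:
            first[sid] = (t, e["ip"], e["ua"], e["user"])
            continue
        t0, ip0, ua0, user = first[sid]
        reasons = []
        ip_drift, ua_drift = e["ip"] != ip0, e["ua"] != ua0
        if ip_drift:
            reasons.append(f"ip changed {ip0} -> {e['ip']}")
        if ua_drift:
            reasons.append("user agent changed mid-session")
        survived_reset = user in reset_at and t0 < reset_at[user] < t
        if survived_reset:
            reasons.append("session used after password reset")
        if (t - t0).total_seconds() > MAX_SESSION_HOURS * 3600:
            reasons.append(f"session older than {MAX_SESSION_HOURS}h")
        if reasons:
            # IP plus UA changing together, or a session outliving a reset, is
            # strong; a lone change can be a roaming client or a browser update.
            severity = "high" if (ip_drift and ua_drift) or survived_reset else "medium"
            findings.append({"session": sid, "user": user, "ts": e["ts"],
                             "severity": severity, "reasons": reasons})
    return findings


def _ev(ts, user, event, session=None, ip=None, ua=None):
    return {"ts": ts, "user": user, "event": event, "session": session, "ip": ip, "ua": ua}


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
# Constructed sample: s1 is replayed from a script on another host, s2
# survives a password reset, s3 simply lives far past the assumed 12h limit.
SAMPLE_EVENTS = [
    _ev("2024-05-06T10:00:00Z", "alice@example.com", "user.session.start", "s1", "203.0.113.10", CHROME),
    _ev("2024-05-06T10:05:00Z", "alice@example.com", "user.authentication.sso", "s1", "203.0.113.10", CHROME),
    _ev("2024-05-06T10:20:00Z", "alice@example.com", "user.authentication.sso", "s1", "198.51.100.7", "python-requests/2.31.0"),
    _ev("2024-05-06T09:00:00Z", "bob@example.com", "user.session.start", "s2", "203.0.113.20", CHROME),
    _ev("2024-05-06T09:30:00Z", "bob@example.com", "user.account.reset_password"),
    _ev("2024-05-06T09:45:00Z", "bob@example.com", "user.authentication.sso", "s2", "203.0.113.20", CHROME),
    _ev("2024-05-05T08:00:00Z", "carol@example.com", "user.session.start", "s3", "203.0.113.30", CHROME),
    _ev("2024-05-06T09:00:00Z", "carol@example.com", "user.authentication.sso", "s3", "203.0.113.30", CHROME),
]

if __name__ == "__main__":
    for f in detect_session_anomalies(SAMPLE_EVENTS):
        print(f["severity"], f["session"], f["user"], f["ts"], "; ".join(f["reasons"]))
```

The reset check compares against the session's start time, not the current event, so a session legitimately created after the reset is not flagged. In production the high-severity path should feed straight into the containment automation described in the response section rather than a queue.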
The defensive challenge here isn’t detection alone — it’s speed. Session hijacking demands fast containment before the attacker pivots deeper into SaaS or cloud resources.
Response Automations That Actually Work
Detection without response is just telemetry.
For token theft, immediate revocation is non-negotiable: invalidate refresh tokens, terminate active sessions, and force reauthentication with MFA. In Entra that is the revokeSignInSessions action on the user (Revoke-MgUserSignInSession in Graph PowerShell); in Okta, clearing the user's sessions with the oauthTokens option revokes their OAuth refresh tokens in the same call. One caveat: access tokens already issued stay valid until they expire, typically up to an hour in Entra, unless the resource supports continuous access evaluation, so for high-confidence detections disable or suspend the account as well. In both platforms this should be automated rather than left to manual workflows.
OAuth abuse requires a slightly different approach. The response should disable or delete the offending app (the service principal, in Entra), revoke its grants tenant-wide, and notify affected users. Crucially, security teams should also audit what data the app accessed while active, using the unified audit log for mailbox and file activity and the sign-in logs for the app's own token usage, something many incident responses skip entirely.
For session hijacking, the response window is narrow. Automated session termination combined with conditional access tightening is often the only way to cut off attacker momentum.
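The three response paths above (token theft and session hijacking on the user side, rogue apps on the application side) share one shape: an ordered list of API calls that must all succeed. The block below is an added example for this playbook, not code from the article, Okta or Microsoft. Each step is a (method, url, body) tuple handed to a caller-supplied sender, so the sequence can be dry-run and tested offline and wired to real HTTP in production. The routes are current Okta Management API and Microsoft Graph v1.0 endpoints; the org hostname, the object ids and the sender itself are assumptions.

```python
"""Containment actions for token theft, rogue OAuth apps and hijacked sessions.

Added example, not code from the article or from Okta/Microsoft. Each step
is a (method, url, body) tuple handed to a caller-supplied `send` callable,
so the sequence can be dry-run in a test and wired to real HTTP in
production. Org hostname, object ids and the sender are assumptions.
"""
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def _run(actions, send):
    """Execute actions in order; stop at the first failure so a half-done
    containment is visible rather than silently partial."""
    done = []
    for method, url, body in actions:
        status = send(method, url, body)
        done.append((method, url, status))
        if status >= 400:
            raise RuntimeError(f"{method} {url} failed with {status}")
    return done


def contain_okta_user(org, user_id, send, suspend=False):
    """Token theft / session hijack in Okta: end all sessions and revoke the
    user's OAuth refresh tokens in one call; optionally suspend the account
    for high-confidence cases so no new login can complete."""
    actions = [("DELETE", f"{org}/api/v1/users/{user_id}/sessions?oauthTokens=true", None)]
    if suspend:
        actions.append(("POST", f"{org}/api/v1/users/{user_id}/lifecycle/suspend", None))
    return _run(actions, send)


def contain_entra_user(user_id, send, disable=False):
    """Same for Entra: revokeSignInSessions invalidates refresh tokens and
    browser session cookies. Already-issued access tokens stay valid until
    expiry unless the resource honours continuous access evaluation, so
    disable the account when the detection is firm."""
    actions = [("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)]
    if disable:
        actions.append(("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}))
    return _run(actions, send)


def contain_entra_app(sp_id, grant_ids, send):
    """Rogue app in Entra: disable the service principal first so no new
    tokens are issued, then remove each delegated permission grant."""
    actions = [("PATCH", f"{GRAPH}/servicePrincipals/{sp_id}", {"accountEnabled": False})]
    actions += [("DELETE", f"{GRAPH}/oauth2PermissionGrants/{g}", None) for g in grant_ids]
    return _run(actions, send)


def contain_okta_app(org, app_id, send):
    """Rogue app in Okta: revoke every refresh token issued to the app, then
    deactivate it."""
    actions = [("DELETE", f"{org}/api/v1/apps/{app_id}/tokens", None),
               ("POST", f"{org}/api/v1/apps/{app_id}/lifecycle/deactivate", None)]
    return _run(actions, send)


def make_sender(auth_header, dry_run=True):
    """Build a sender. With dry_run the request is only recorded; otherwise it
    goes out with urllib. auth_header is "SSWS <api token>" for Okta or
    "Bearer <Graph access token>" for Entra."""
    log = []

    def send(method, url, body):
        log.append((method, url, body))
        if dry_run:
            return 204
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": auth_header, "Content-Type": "application/json",
            "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    send.log = log
    return send


if __name__ == "__main__":
    okta = make_sender("SSWS <token>")          # dry run: nothing is sent
    for step in contain_okta_user("https://example.okta.com", "00u1abc", okta, suspend=True):
        print(*step)
```

Order matters in the app path: disabling the service principal before deleting grants closes the window in which the app could still mint a token while grants are being removed one by one. Application (app-only) permissions are appRoleAssignments on the service principal and need their own removal step, which this example does not include.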
The most mature teams pre-wire these actions into SOAR or native automation, reducing response time from hours to minutes.
Measuring ITDR Effectiveness: KPIs That Matter
ITDR success isn’t measured by alert volume. It’s measured by outcomes.
Mean time to detect identity misuse is a critical metric, but mean time to contain is even more important. Teams should also track how often identity incidents are detected before data access occurs, and how frequently compromised identities lead to secondary incidents.
Another overlooked KPI is blast radius per incident. How many apps, datasets, or sessions were reachable from a single compromised identity? Reducing that number is as important as improving detection fidelity.
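The four outcome metrics (mean time to detect, mean time to contain, detections before data access, secondary incidents) and the blast-radius figure can be computed from incident records plus an entitlement graph. The block below is an added example for this playbook, not code from the article or from any vendor: the incident records and the identity-to-resource graph are constructed, and the node naming convention (app-* for applications, ds-* for datasets, grp-* for groups) is an assumption used to classify what an identity can reach.

```python
"""ITDR outcome KPIs and blast radius per compromised identity.

Added example, not from the article. Incident records and the
identity-to-resource graph are constructed; the app-*/ds-*/grp-* naming
convention is an assumption used to classify reachable nodes.
"""
from collections import deque
from datetime import datetime


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def kpis(incidents):
    """Mean time to detect (compromise -> detection), mean time to contain
    (detection -> containment), share of incidents caught before any data
    access, and share that spawned a secondary incident. Times in minutes."""
    n = len(incidents)
    mttd = sum((_t(i["detected"]) - _t(i["compromised"])).total_seconds() for i in incidents) / n / 60
    mttc = sum((_t(i["contained"]) - _t(i["detected"])).total_seconds() for i in incidents) / n / 60
    before_access = sum(
        1 for i in incidents
        if i["first_data_access"] is None or _t(i["detected"]) < _t(i["first_data_access"])
    )
    secondary = sum(1 for i in incidents if i["secondary_incident"])
    return {"mttd_min": round(mttd, 1), "mttc_min": round(mttc, 1),
            "detected_before_access": before_access / n, "secondary_rate": secondary / n}


def blast_radius(identity, graph):
    """Breadth-first walk from an identity over entitlement edges; counts the
    applications and datasets reachable with its standing access."""
    seen, queue = {identity}, deque([identity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    reachable = sorted(seen - {identity})
    return {"apps": sum(n.startswith("app-") for n in reachable),
            "datasets": sum(n.startswith("ds-") for n in reachable),
            "reachable": reachable}


# Constructed incidents (UTC).
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-05-06T10:00:00Z", "detected": "2024-05-06T10:45:00Z",
     "contained": "2024-05-06T11:00:00Z", "first_data_access": "2024-05-06T10:30:00Z",
     "secondary_incident": False},
    {"id": "INC-2", "compromised": "2024-05-07T09:00:00Z", "detected": "2024-05-07T09:10:00Z",
     "contained": "2024-05-07T09:40:00Z", "first_data_access": None,
     "secondary_incident": False},
    {"id": "INC-3", "compromised": "2024-05-08T08:00:00Z", "detected": "2024-05-08T12:00:00Z",
     "contained": "2024-05-08T14:00:00Z", "first_data_access": "2024-05-08T08:20:00Z",
     "secondary_incident": True},
]

# Constructed entitlement graph: identity -> groups/apps -> apps/datasets.
ENTITLEMENTS = {
    "alice@example.com": ["grp-finance", "app-mail"],
    "grp-finance": ["app-erp", "ds-ledger"],
    "app-erp": ["ds-ledger", "ds-vendors"],
    "app-mail": ["ds-mailboxes"],
    "bob@example.com": ["app-mail"],
}

if __name__ == "__main__":
    print(kpis(INCIDENTS))
    for who in ("alice@example.com", "bob@example.com"):
        print(who, blast_radius(who, ENTITLEMENTS))
```

Tracking blast radius per identity over time, rather than only per incident, turns it into a leading indicator: the number should fall as standing access is removed, before the next incident tests it.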
This is where ITDR intersects with identity architecture.
Reducing Blast Radius While ITDR Fights the Fire
ITDR focuses on detecting and responding to active threats. But even the fastest response can’t undo overexposed data.
This is where Ensto, as a control plane in the Keywix ecosystem, fits into the story. By minimizing standing access, reducing unnecessary data exposure, and enforcing tighter identity-to-data boundaries, Ensto limits how far an attacker can move even after identity compromise.
In practice, this means that when ITDR detects token theft or session hijacking, the attacker’s effective reach is already constrained. Fewer permissions, fewer datasets, and fewer third-party integrations translate directly into less damage.
Detection stops the attack. Blast-radius reduction limits the impact. You need both.
Final Takeaway
Identity attacks aren’t theoretical anymore. They’re operational, repeatable, and increasingly automated.
Blue teams and IAM practitioners need ITDR playbooks that go beyond login alerts and failed MFA counts. Token theft, OAuth abuse, and session hijacking demand deeper visibility, faster response, and better architectural guardrails.
When ITDR is paired with a control plane like Ensto, organizations gain more than detection — they gain resilience. Attacks are found sooner, contained faster, and allowed to touch far less data.
In an identity-first threat landscape, that combination is quickly becoming the difference between a security incident and a business crisis.
