Note: This post is the fourth in a series examining the identity security market. In it, we examine vendor approaches to the problem and how they’re evolving. Our next post will discuss the future of identity security.
As we said in the first post in this series, Identity Threat Detection and Response (ITDR) products were a reaction to the first wave of attacks on identity systems. The earliest ITDR vendors include Authomize (since acquired by Delinea), Crowdstrike, Quest, Semperis, and Silverfort. While the identity security market first coalesced around ITDR, vendors have continued to evolve toward broader, general-purpose solutions for protecting IAM systems. As a result, ITDR vendors provide features aimed directly at defending IAM infrastructure, while vendors from adjacent segments are adapting their existing products to serve the broader goals of identity security.
Some of the leading vendors have acquired technology from early startups in the space. Notable acquisitions include:
Microsoft: Acquired RiskIQ in 2021
SentinelOne: Acquired ITDR vendor Attivo Networks in 2022
Crowdstrike: Acquired Adaptive Shield in 2024, after acquiring Flow Security (2024) and Bionic (2023); all three bolstered posture management across the Falcon platform
Okta: Acquired Spera Security, an ISPM vendor, in 2023
Cisco: Acquired ITDR vendor Oort in 2023, Splunk in 2024 (announced in 2023), and Duo in 2018
Delinea: Acquired ISPM vendor Authomize in 2024
BeyondTrust: Acquired access management vendor Entitle in 2024
Silverfort: Acquired ITDR startup Rezonate in 2024
Netwrix: Acquired AD and Entra ID security vendor PingCastle in 2024
Acquisitions across the identity security market will continue through 2025 and 2026, but with few independent ITDR startups left, most deals will occur in adjacent segments.
Architectural Approaches: Platform or Purpose-Specific
Although nearly every identity security vendor calls its product a “platform,” few qualify under the term's traditional meaning, which implies a holistic approach. Most startups, and several purpose-specific vendors, offer a single product that they label a platform.
On the other hand, established vendors such as Microsoft, Crowdstrike, BeyondTrust, and Cisco have taken a platform-level approach, applying their existing security suites to identity security, which is logical in principle. For example, Microsoft provides ITDR not as a standalone product but by combining Entra ID, Entra ID Protection, Microsoft Defender for Identity, and Microsoft Defender XDR. However, these platforms treat identity security as one use case among many and therefore lack some of the tuning that enterprise organizations require to secure their identity systems. Other vendors, such as Silverfort, have built out broader identity security features, including ITDR, ISPM, MFA, PAM, and non-human identity (NHI) protection. The following graphic shows the leading pure-play products and security platforms.
Purpose-specific and Platform Vendors in Identity Security
Despite vendors' strong preference for promoting their products as platforms, enterprises often look for pure-play products that integrate with the security solutions they already run. Most enterprises have well-established, diversified tech stacks for identity administration and cybersecurity, so adopting a platform approach is often challenging.
Organizations already run a mix of products owned by different stakeholder teams, and because tight coordination across those teams is a relatively new requirement, the products rarely come from one vendor. Many customers have also deployed the components that make up an identity security “platform” for other purposes, and those deployments don't easily lend themselves to identity security. Finally, rolling a platform out across several teams and business units is a lengthy and difficult proposition. As a result, most organizations struggle to deploy a complete platform from a single vendor for identity security, and integrating multiple “platforms” is harder still: it requires applying best practices consistently across systems and teams, which is painstaking work.
Point Solutions
Point solutions sit at the other end of the deployment spectrum, and they bring their own difficulties and limitations. Deploying multi-factor authentication, for example, reduces an organization's exposure to credential-based identity attacks. But enabling MFA throughout an organization has proven difficult, and threat actors already bypass it through techniques such as push-notification fatigue and adversary-in-the-middle phishing that relays one-time codes (phishing-resistant methods such as FIDO2 security keys and passkeys resist the latter).
Most ITDR products are point solutions in at least one respect, because each covers only part of identity security. Some are “cloud-native,” meaning they protect only cloud-based applications and identity providers; others concentrate on on-premises Active Directory. Some rely on analysing aggregated log files, while others deploy agents that inspect authentication traffic on the network at the packet level. All of these methods are valid, but no single one is broad enough to protect against the full spectrum of identity attacks.
General Purpose ITDR
Some vendors took a different tack, building general-purpose platforms for identity security in anticipation of emerging identity threats. Gurucul, Securonix, and Sharelock are examples of this approach. Their solutions ingest signals from a variety of platforms and use machine learning and AI to look for anomalous behavior. While these platforms can detect novel identity attacks, they can also flood the SOC with false-positive signals, and most lack playbooks that analysts can follow once an anomaly fires. Consequently, they require SOC analysts to have more IAM training than tools that protect against known attacks (as the AD-first vendors do).
Logs vs. Agents
Nearly all vendors integrate with IAM systems by ingesting their logs, but some, such as Crowdstrike and Zscaler, also provide agent-based monitoring of IAM traffic. Log aggregation lets the ITDR platform correlate related signals from the IAM system and from other platforms, which can reduce the number of false-positive alerts reaching the SOC. The trade-off is latency: an event becomes visible to the detector only after the identity provider writes it, the collector ships it, and the pipeline indexes it, a delay typically measured in minutes.
The speed at which threat actors move through IAM systems keeps increasing. A Crowdstrike study found that “the average breakout time for cyber criminals is 48 minutes - with the fastest time recorded being 51 seconds.” IBM and Zscaler found that enterprises take an average of nearly 300 days to identify and contain a breach, due in part to the emergence of brokers that sell lists of compromised identities to ransomware groups on the dark web (see our bibliography page for links to the reports). The need for real-time monitoring is therefore only growing.
Ultimately, a fusion of the two approaches is the proper solution. Real-time, protocol-aware handling is critical, especially for known attacks against AD, but it must be combined with other signals and with long-arc monitoring tools so that SOC resources are allocated where they matter.
Infusing AI
All identity security vendors are in the midst of adopting AI and ML technologies in their products. As we said earlier, most vendors focused on ML first. Gurucul and Securonix built user and entity behavior analytics (UEBA) into their products early on, and most ITDR products now include some form of UEBA.
The effort to integrate and leverage LLMs is underway, but it is still early. Anomaly detection, the most mature use, is keyed to the data types each vendor collects, whether authentication attempts, MFA bypass indicators, impossible geo-velocity, or XDR signals. Uses of LLMs to date include generating automation scripts (Saviynt) and natural language interfaces (Iamones).
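As an added example, not code from the original post or from any vendor it names, the following Python sketch runs the impossible geo-velocity check mentioned above over a handful of constructed sign-in records. Each record also carries the time it reached the detector, so the detection lag that log aggregation introduces (discussed under Logs vs. Agents) can be reported alongside the alert. The pipe-delimited log format, field names, coordinates, IP addresses and the 1,000 km/h ceiling are all assumptions made for illustration.

```python
"""Impossible-travel (geo-velocity) detection over sign-in events.

Added example for this post; not code from any vendor mentioned here.
The log format, field names and sample records are constructed for
illustration. Each record carries both the time the identity provider
recorded the sign-in and the time the record reached the detector, so the
lag introduced by log aggregation can be measured next to the alert.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than a commercial flight means two actors (or a
# VPN egress change) rather than one traveller. Tune per environment.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Pairs closer together than this are not scored: clock skew between log
# sources and retried authentications would otherwise give zero or near-zero
# intervals and absurd speeds over tiny distances.
MIN_INTERVAL = timedelta(minutes=1)

# Constructed sample log: user|event_time|ingested_time|lat|lon|source_ip
# Note the records arrive interleaved across users and carol's two sign-ins
# share the same second (a retried authentication).
SAMPLE_LOG = """\
alice|2025-03-01T09:00:00Z|2025-03-01T09:12:00Z|40.7128|-74.0060|198.51.100.7
bob|2025-03-01T08:00:00Z|2025-03-01T08:09:00Z|51.5074|-0.1278|203.0.113.20
alice|2025-03-01T10:30:00Z|2025-03-01T10:48:00Z|1.3521|103.8198|192.0.2.99
bob|2025-03-01T11:00:00Z|2025-03-01T11:10:00Z|48.8566|2.3522|203.0.113.44
carol|2025-03-01T12:00:00Z|2025-03-01T12:05:00Z|37.7749|-122.4194|198.51.100.50
carol|2025-03-01T12:00:00Z|2025-03-01T12:05:00Z|37.7790|-122.4180|198.51.100.51
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime        # time the identity provider recorded the sign-in
    ingested: datetime  # time the record reached the detection pipeline
    lat: float
    lon: float
    ip: str


def _parse_ts(value: str) -> datetime:
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11;
    # normalise it so the example runs on older interpreters too.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed pipe-delimited format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, ingested, lat, lon, ip = line.split("|")
        events.append(SignIn(user, _parse_ts(ts), _parse_ts(ingested),
                             float(lat), float(lon), ip))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events: Iterable[SignIn],
                             max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list[dict]:
    """Return one alert per consecutive sign-in pair whose implied speed is implausible."""
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)  # order by IdP time, not by arrival order
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.ts - prev.ts
            if gap < MIN_INTERVAL:
                continue
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            kmh = km / (gap.total_seconds() / 3600)
            if kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "km": round(km),
                    "hours": round(gap.total_seconds() / 3600, 2),
                    "kmh": round(kmh),
                    # seconds between the second sign-in and the moment the
                    # detector could first have seen it: the aggregation lag
                    "detection_lag_s": (cur.ingested - cur.ts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only alice trips the rule: New York to Singapore in ninety minutes implies roughly 10,000 km/h, and the alert records that the second sign-in was 18 minutes old by the time it was ingested, which is the window an agent-based sensor would have closed. bob's London-to-Paris pair is well under the ceiling, and carol's same-second retry is skipped rather than divided by zero.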
The different approaches vendors are taking to identity security only underscore the market fragmentation we discussed in our first post. And as we said in that post, we expect both consolidation and innovation from new entrants to reshape the vendor landscape. In our next post, we'll examine the future of identity security and how it can address the problem holistically.