Identity has quietly become the most valuable thing on your network. Not the laptop in your reception area, not the traffic leaving the firewall — the credential that says "this device belongs here." And attackers have noticed. IBM's 2025 Cost of a Data Breach report continues to flag stolen or compromised credentials as a top initial attack vector, year after year.
The security industry has had detection for endpoints (EDR) and networks (NDR) for a decade. But when an attacker walks in with a valid username, a cloned MAC address, or a legitimate-looking certificate, those tools see nothing. That's the gap ITDR was invented to fill — and on wireless networks, the gap is wider than most teams realize.
This article explains what ITDR is, why WiFi needs its own flavor of it, and how modern identity threat detection actually works on RADIUS and captive portal authentication. If you're evaluating a WiFi ITDR platform or just trying to understand the category, start here.
What Is ITDR?
Identity Threat Detection and Response (ITDR) is a security category formalized by Gartner in 2022 to describe tools that detect and respond to attacks targeting identity systems — directories, authentication services, and the credentials and tokens they issue.
The premise is simple: as organizations adopted cloud services, remote work, and SaaS, the network perimeter dissolved. Identity became the new perimeter. And the attacks followed. Credential stuffing, password spraying, token theft, privilege escalation, and insider abuse are no longer edge cases — they're the primary way modern breaches start.
The Core ITDR Principles
- Monitor identity telemetry directly: authentication logs, directory changes, session tokens, certificate issuance — not just endpoints or packets
- Detect abuse of valid credentials: the attacker with a working password looks normal to EDR and NDR
- Map to MITRE ATT&CK: especially the initial access, credential access, and defense evasion tactics
- Respond at the identity layer: disable accounts, force re-auth, revoke tokens — not just quarantine the device
- Cover the identities EDR can't see: service accounts, IoT devices, AI agents, unmanaged BYOD
Why WiFi Needs Its Own ITDR
Most ITDR products focus on cloud identity — Microsoft Entra ID, Okta, Active Directory. That's necessary but not sufficient. Your wireless network runs its own parallel identity system that those tools don't see at all.
RADIUS is an identity system. Every 802.1X authentication is an identity decision: a user or device presents a credential, and the RADIUS server grants or denies network access. That's the same decision your IdP makes for SaaS — but happening thousands of times a day at the network edge, and usually invisible to the security team.
Captive portals are an identity system. Guest logins, sponsor-approved access, sponsor-approved BYOD, social login, voucher redemption — every one of these is an identity event. They're also the most common target for bots, fraud, and credential-scraping scripts in retail, hospitality, and public venues.
EDR and NDR can't cover this. EDR doesn't run on printers, IoT sensors, guest phones, or the AI agent your finance team just deployed. NDR sees encrypted WiFi traffic and shrugs. The authentication event itself — the one thing that says "this identity just tried to get on the network" — lives in RADIUS and portal logs, and nothing else in your stack is watching it.
The Blind Spot
An attacker who phishes a valid WiFi certificate, clones an IoT MAC, or compromises a captive portal service account can operate on your network for weeks without triggering a single EDR or NDR alert. The authentication looked legitimate. Everything after it looked like normal traffic. ITDR is designed specifically to catch the one moment where the identity behavior is anomalous.
How WiFi ITDR Works: The Detection Engines
A modern WiFi ITDR platform runs multiple detection engines in parallel, each tuned to a different class of identity threat. IronWiFi's ITDR uses seven, and they map neatly to the attack surface of a wireless network.
1. Credential Attack Detection
Watches RADIUS for the patterns that brute-force, credential-stuffing, and password-spray attacks leave behind: failed authentications clustered against one account, successful auths following many failures, shared credentials appearing on new devices. Maps to MITRE T1110 (Brute Force) and T1078 (Valid Accounts).
2. Identity Anomaly Detection
Baselines normal behavior per identity — usual locations, usual devices, usual times — and flags deviations. Impossible travel (the same user authenticating in New York and Singapore within 10 minutes) is the canonical example. Works equally well for users, service accounts, and machine identities.
3. MAC Spoofing and Device Integrity
Correlates MAC addresses with expected device fingerprints (DHCP signature, OS indicators, certificate binding). When a MAC that belongs to a managed laptop suddenly appears with the fingerprint of a Linux server, the engine fires. This catches the classic "cloned MAC to bypass MAC auth bypass" attack.
4. Insider Threat Detection
Detects abuse that looks like legitimate use because it is legitimate use — just not by the right person. Service accounts logging in from user laptops, admin credentials used outside business hours, shared accounts authenticating on multiple devices simultaneously.
5. AI Agent Compromise
AI agents now get on your network with their own identities — usually a certificate or service credential. When those credentials start behaving unlike the agent (unusual destinations, off-schedule activity, unexpected volume), that's a compromise signal. See why AI agents need network identity for the foundational problem.
6. Captive Portal Fraud
Bot detection, click-fraud patterns, rapid-fire guest registrations with disposable emails, abuse of sponsor-approval workflows, and SMS OTP pumping. Hospitality, retail, and venue operators see this constantly — and it's invisible to everything except the portal itself.
7. Session Integrity
Monitors accounting records for session hijacking indicators: MAC changes mid-session, unexpected roaming patterns, accounting updates that don't match the original auth. Maps to MITRE T1550 (Use Alternate Authentication Material).
40+ Threats, Mapped to MITRE ATT&CK
The seven engines together cover more than 40 distinct threat types. The MITRE ATT&CK framework is the industry standard for describing these, and WiFi ITDR should speak that language out of the box.
| Threat | MITRE Technique | What ITDR Sees |
|---|---|---|
| Password spray against RADIUS | T1110.003 | Many accounts, one password, distributed timing |
| Credential stuffing (portal) | T1110.004 | Stolen-credential list replayed from bot infrastructure |
| Valid account abuse | T1078 | Working credential used from wrong geography/device |
| Impossible travel | T1078 + behavioral | Same identity, two locations, physics violation |
| MAC address spoofing | T1036.005 | MAC–fingerprint mismatch on auth |
| Certificate misuse | T1552.004 | Valid cert from unexpected device or location |
| Session hijacking | T1550 | Mid-session identity or MAC change in accounting |
| Shadow AI agent on network | T1078 + discovery | Unregistered machine identity behaving like an agent |
A full WiFi ITDR deployment with properly wired conditional access policies doesn't just detect these — it responds: disable the account, force re-authentication, move the session to a quarantine VLAN, or notify the SOC, depending on severity.
Deployment: Why It's Agentless
The best thing about WiFi ITDR is that you already have the data. Every RADIUS server produces detailed authentication and accounting logs. Every captive portal logs every registration and session. That's the telemetry ITDR needs — nothing more.
A properly designed WiFi ITDR platform ingests those logs and produces detections. There's nothing to install on endpoints, nothing to push to APs, no network tap, no mirror port. That matters because:
- BYOD works. You can't put agents on personal phones, but you can see their authentications.
- IoT works. Sensors, cameras, printers, and medical devices get covered without firmware changes.
- Guests work. You monitor every portal login without touching the guest device at all.
- AI agents work. The agent presents a credential; you watch the credential. Done.
- Deployment is fast. If RADIUS and portal are in place, ITDR turns on in hours, not months.
This is why cloud RADIUS paired with ITDR is such a natural fit — the cloud service already has the data centralized, so detection is a policy toggle rather than an integration project.
See WiFi ITDR in Action
IronWiFi's ITDR runs 7 detection engines across your RADIUS and captive portal authentication — no agents, no taps, no hardware. Detections are mapped to MITRE ATT&CK and integrate with your SIEM and SOAR.
Explore WiFi ITDR Talk to an ExpertTrusted by 1,000+ organizations in 108 countries
How to Evaluate a WiFi ITDR
Not every tool marketed as "WiFi security analytics" is ITDR. Use these criteria when evaluating.
Does it watch authentication events directly?
Packet analytics and flow tools look at traffic. ITDR looks at who asked for access and whether that request was normal. If the product can't describe its detections in terms of identity behavior, it's not ITDR.
Does it cover both RADIUS and captive portal?
Enterprise WiFi threats target 802.1X. Guest WiFi, retail, and hospitality threats target the portal. A real WiFi ITDR covers both paths — and correlates them when the same identity appears in each.
Is it mapped to MITRE ATT&CK?
Your SOC already works in MITRE. A detection that fires as "anomalous WiFi behavior" is noise. A detection that fires as "T1110.003 password spray against RADIUS" is actionable.
Can it respond, not just detect?
Detection without response is a dashboard. ITDR should push policy changes back to RADIUS, identity providers, and ideally the SOAR — disabling the account, forcing re-auth, or quarantining the session.
Is it agentless?
If the vendor wants agents on endpoints or physical appliances at every site, that's not WiFi ITDR — that's endpoint or network security with a new label. Real WiFi ITDR runs on logs the authentication system already produces.
Where ITDR Fits Alongside EDR, NDR, and Zero Trust
ITDR isn't a replacement for anything. It's the missing layer.
- EDR protects managed endpoints. Still needed. Blind to unmanaged devices and identity abuse.
- NDR analyzes network traffic. Still needed. Blind to identity intent and encrypted flows.
- Cloud ITDR (Entra, Okta, AD) protects cloud identity. Still needed. Blind to RADIUS and captive portal.
- WiFi ITDR protects wireless authentication identity. The piece that was missing.
- Zero Trust is the architectural principle that ties them together — see our zero trust wireless implementation guide for how they stack.
Organizations pursuing Zero Trust discover quickly that "never trust, always verify" only works if something is actually verifying the identity at every access point. On wireless, that something is ITDR.
The Bottom Line
WiFi is no longer just a connectivity problem — it's an identity problem. Every authentication against your RADIUS server or captive portal is a decision about who gets in, and attackers are now specifically targeting that decision.
ITDR is the discipline built to detect abuse of that decision. WiFi ITDR applies it where your existing tools can't reach: the 802.1X handshake, the portal login, the AI agent's certificate, the service account that moved from the data center to the guest VLAN. Agentless deployment makes it practical; MITRE ATT&CK mapping makes it operational; automated response makes it useful.
If you're building a Zero Trust wireless network, ITDR is no longer optional — it's the telemetry layer that makes every other investment actually work.
Daniel Konecny
Blog Writer, IronWiFi
Daniel writes about enterprise WiFi authentication, identity threat detection, and how security teams close the gap between RADIUS, captive portals, and the rest of their identity stack.
About the author