Identity threat detection and investigation

The identity layer your stack is missing.

Your EDR covers the endpoint. Your NDR covers the network. Your CDR covers the cloud. But an identity attack isn't on a surface. It's a person, moving across systems, over time.


01 — The gap

Three tools. Three blind spots. One structural reason.

EDR — Endpoint Detection & Response

Sees the endpoint. Not who’s behind it.

EDR watches processes, files, and memory on a device. It can tell you malware ran. It cannot tell you the user who ran it was terminated in Workday yesterday.

NDR — Network Detection & Response

Sees the traffic. Not the access surface.

NDR watches packets and flows between systems. It can flag anomalous lateral movement. It cannot tell you the account moving laterally just inherited admin rights through a nested group change.

CDR — Cloud Detection & Response

Sees the cloud event. Not the identity context.

CDR monitors cloud control-plane activity. It can tell you someone exported a database. It cannot tell you the person doing it is a contractor whose access should have been revoked last quarter.

Your SIEM

Aggregates the event stream. Still can't see who has access.

Your SIEM ties EDR, NDR, and CDR together, but it queries flat event streams. It can tell you an admin login happened at 3am. It cannot tell you the user became an admin yesterday, that their termination was filed in Workday, or that they own the Customer Master List shared drive. SIEMs lack the identity graph and configuration history to connect these threads. That's the gap Icite fills, and why the SIEM gets better when Icite feeds into it.

39% of all breaches involve credential abuse, the single most pervasive technique in 2026 (2026 Verizon DBIR).

Days to weeks is the average MTTD, not because the data wasn't there, but because it was scattered across too many places to find in time (Vectra 2026 research).

02 — What Icite does

Two kinds of value. Day one.

We're not replacing your SIEM, EDR, NDR, or CDR. We're the surface they all miss. Identity. Icite feeds into your SIEM and makes every tool in your stack more useful the moment we connect.

Day-one enrichment

Every alert you already have gets full identity context.

Connect your existing tools. Every alert gets enriched with who the person is, what they can access, how that changed, and what they've been doing across every connected system. No new workflow. No rip-and-replace. Day one.

A new class of detection

Findings your current tools can't write.

Three detection layers running across one query surface that joins time-series events, configuration state, identity graph, and investigation history. Your EDR, NDR, and CDR can't write these detections because none of them model identity.

Three detection layers

Deterministic: assertions about identity graph state, such as shadow admins, offboarding gaps, privilege accumulation, and toxic permission combinations. Approaching zero false positives by construction, because each one is a statement about configuration that is either true or false.

Contextual: UEBA-style baselines pre-enriched with the identity graph, SCD diffs, and peer-group context. A signal becomes a finding only when it coincides with a privileged access path, a recent configuration change, or device drift.

Inquiry-driven: every investigation the AI analyst runs becomes a candidate running detection. The detection library grows from usage, not from a vendor roadmap.

03 — The architecture

Four data classes. Joined on one person.

Sarah Chen. Senior Solutions Engineer. Termination filed in Workday. Effective in four days. Here's what each data class says about her final week:

Identity says

Terminated in Workday. Effective in four days. Still holds active sessions across five SaaS systems.

Permission says

Still holds Salesforce "Export Reports," GitHub write to billing-service, ownership of the Customer Master List shared drive.

Configuration says

Her OU allows external sharing with no warning. No DLP rule on the Customer drive. The guardrails aren't there.

Events say

247 external shares in 7 days (3x her 90-day baseline), customer_export.py pulled from GitHub, a 4 GB Salesforce report export.

Any single signal is catchable somewhere. What no single tool catches is all four, joined, on one person, inside her final four days.

The join is the product.
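The join described above, and the deterministic offboarding-gap assertion from the detection layers, as an added example that is not Icite's code. It uses an in-memory SQLite database with constructed sample data modelled on the Sarah Chen scenario; the table names, columns, the second user, and the numbers for the baseline are assumptions for illustration only.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data modelled on the Sarah Chen scenario above.
# Schema, column names, the second user and the baseline figure are
# assumptions for illustration, not Icite's data model.
TODAY = date(2026, 3, 10)


def build_db(today=TODAY):
    """Four data classes as four tables, all keyed on the same user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE identity(user TEXT PRIMARY KEY, hr_status TEXT,
                          term_effective TEXT, active_sessions INTEGER);
    CREATE TABLE permission(user TEXT, system TEXT, grant_name TEXT, sensitive INTEGER);
    CREATE TABLE configuration(user TEXT, external_sharing_allowed INTEGER,
                               dlp_on_owned_drives INTEGER);
    CREATE TABLE event(user TEXT, kind TEXT, ts TEXT, detail TEXT, size_gb REAL);
    CREATE TABLE baseline(user TEXT, kind TEXT, weekly_avg REAL);
    """)

    def day(offset):  # ISO date relative to "today"
        return (today + timedelta(days=offset)).isoformat()

    conn.executemany("INSERT INTO identity VALUES(?,?,?,?)", [
        ("sarah.chen", "terminated", day(4), 5),   # leaving in four days, 5 live sessions
        ("dev.patel", "active", None, 3),          # control user, nothing unusual
    ])
    conn.executemany("INSERT INTO permission VALUES(?,?,?,?)", [
        ("sarah.chen", "salesforce", "Export Reports", 1),
        ("sarah.chen", "github", "write:billing-service", 1),
        ("sarah.chen", "gdrive", "owner:Customer Master List", 1),
        ("dev.patel", "github", "write:billing-service", 1),
    ])
    conn.executemany("INSERT INTO configuration VALUES(?,?,?)", [
        ("sarah.chen", 1, 0),   # OU allows external sharing, no DLP on her drives
        ("dev.patel", 0, 1),
    ])
    # 247 external shares in the last 7 days for Sarah (3x an assumed 82/week
    # baseline) and 30 for Dev, close to his assumed baseline.
    events = [("sarah.chen", "external_share", day(-(i % 7)), "file", None) for i in range(247)]
    events += [("dev.patel", "external_share", day(-(i % 7)), "file", None) for i in range(30)]
    events += [("sarah.chen", "git_clone", day(-2), "customer_export.py", None),
               ("sarah.chen", "salesforce_export", day(-1), "All Accounts", 4.0)]
    conn.executemany("INSERT INTO event VALUES(?,?,?,?,?)", events)
    conn.executemany("INSERT INTO baseline VALUES(?,?,?)", [
        ("sarah.chen", "external_share", 82.0), ("dev.patel", "external_share", 28.0),
    ])
    return conn


def offboarding_gaps(conn):
    """Deterministic layer: HR says terminated, yet live sessions or sensitive
    grants remain. A pure graph-state assertion; no baselines involved."""
    return conn.execute("""
        SELECT i.user, i.active_sessions, COUNT(p.grant_name) AS sensitive_grants
        FROM identity i
        LEFT JOIN permission p ON p.user = i.user AND p.sensitive = 1
        WHERE i.hr_status = 'terminated'
        GROUP BY i.user
        HAVING i.active_sessions > 0 OR sensitive_grants > 0
    """).fetchall()


def final_week_findings(conn, today=TODAY, window_days=7, factor=3.0):
    """Contextual layer: an activity spike becomes a finding only when it lands
    on a person who is leaving, still holds sensitive grants, and whose
    configuration has no guardrail. One row per such person."""
    since = (today - timedelta(days=window_days - 1)).isoformat()
    return conn.execute("""
        WITH recent AS (
            SELECT user, COUNT(*) AS shares FROM event
            WHERE kind = 'external_share' AND ts >= ? GROUP BY user),
        exports AS (
            SELECT user, GROUP_CONCAT(kind || ':' || detail) AS pulls FROM event
            WHERE kind IN ('git_clone', 'salesforce_export') GROUP BY user)
        SELECT i.user, i.term_effective, r.shares, b.weekly_avg,
               GROUP_CONCAT(DISTINCT p.system || '/' || p.grant_name) AS grants, x.pulls
        FROM identity i
        JOIN permission p    ON p.user = i.user AND p.sensitive = 1
        JOIN configuration c ON c.user = i.user
        JOIN recent r        ON r.user = i.user
        JOIN baseline b      ON b.user = i.user AND b.kind = 'external_share'
        LEFT JOIN exports x  ON x.user = i.user
        WHERE i.hr_status = 'terminated'
          AND (c.external_sharing_allowed = 1 OR c.dlp_on_owned_drives = 0)
          AND r.shares >= ? * b.weekly_avg
        GROUP BY i.user
    """, (since, factor)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in offboarding_gaps(db):
        print("offboarding gap:", row)
    for row in final_week_findings(db):
        print("finding:", row)
```

Dev Patel has the same GitHub write grant and also shares files externally, but he is not terminated, his OU has guardrails, and his share count sits at his baseline, so the join never produces a row for him. That is the noise-reduction argument in concrete form: the event-only query (`recent`) would surface both users; the four-way join surfaces one.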

04 — Under the hood

One query surface. Three data shapes.

No other vendor ships all three in a single platform purpose-built for identity.

Timeseries

Authentication events, access logs, API calls.

OCSF-normalized from every connected provider. Sub-second queries across billions of rows. Every login, every consent, every API call, chronological and queryable.

Configuration

Group memberships, role assignments, policy definitions.

SCD Type 2 (slowly changing dimension) tables for every identity, group, app, and device: a change never overwrites a row, it closes the old row and opens a new one. Every change is tracked with valid_from/valid_to timestamps, so "what was true on Tuesday?" and "what changed since Tuesday?" are each one query.

Relational

User-to-app, group-to-permission, identity graph.

Multi-hop traversals across humans, agents, groups, apps, devices, and permissions. Cross-provider canonical identity resolution. Blast radius is one traversal away.
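An added example, not Icite's code, of the SCD Type 2 and relational points above together: group membership and group nesting kept as valid_from/valid_to rows in an in-memory SQLite database, an as-of recursive traversal that resolves effective membership through nested groups, and the "what changed since Tuesday?" diff. Everything here is constructed for illustration; the table layout, group names, users and dates are assumptions.

```python
import sqlite3

# Constructed sample timeline (assumption, not real data):
#   Tue 2026-03-03  point of comparison
#   Wed 2026-03-04  carol removed from Contractors; Eng-Leads nested under Admins
#   Thu 2026-03-05  dave added to Eng-Leads
TUESDAY = "2026-03-03"
TODAY = "2026-03-06"

# SCD Type 2 predicate: the row was open at :ts (valid_to NULL = still current).
AS_OF = "valid_from <= :ts AND (valid_to IS NULL OR valid_to > :ts)"


def build_scd_db():
    """Two SCD Type 2 tables: user-in-group and group-nested-in-group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE user_group(user TEXT, grp TEXT, valid_from TEXT, valid_to TEXT);
    CREATE TABLE group_group(child TEXT, parent TEXT, valid_from TEXT, valid_to TEXT);
    """)
    conn.executemany("INSERT INTO user_group VALUES(?,?,?,?)", [
        ("alice", "Admins",      "2026-03-01", None),
        ("bob",   "Eng-Leads",   "2026-02-01", None),
        ("carol", "Contractors", "2026-01-01", "2026-03-04"),  # row closed Wednesday
        ("dave",  "Eng-Leads",   "2026-03-05", None),          # row opened Thursday
    ])
    conn.executemany("INSERT INTO group_group VALUES(?,?,?,?)", [
        ("Contractors", "All-Staff", "2026-01-01", None),
        ("Eng-Leads",   "Admins",    "2026-03-04", None),      # nested Wednesday
    ])
    return conn


def effective_members(conn, grp, ts):
    """Users who reach `grp` directly or through nested groups, as of `ts`.
    The recursive CTE walks parent -> child edges that were open at `ts`."""
    rows = conn.execute(f"""
        WITH RECURSIVE reach(grp) AS (
            SELECT :grp
            UNION
            SELECT gg.child FROM group_group gg JOIN reach ON gg.parent = reach.grp
            WHERE {AS_OF}
        )
        SELECT DISTINCT ug.user FROM user_group ug JOIN reach ON ug.grp = reach.grp
        WHERE {AS_OF}
        ORDER BY ug.user
    """, {"grp": grp, "ts": ts}).fetchall()
    return [r[0] for r in rows]


def changed_since(conn, grp, since, now):
    """Effective-membership diff of `grp` between two points in time.
    Catches users who became members without any change to their own rows."""
    before = set(effective_members(conn, grp, since))
    after = set(effective_members(conn, grp, now))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def direct_changes_since(conn, since):
    """Every SCD row opened or closed after `since`: the raw change list."""
    return conn.execute("""
        SELECT 'member' AS kind, user AS subject, grp AS object, valid_from AS at, 'added' AS change
        FROM user_group WHERE valid_from > :since
        UNION ALL
        SELECT 'member', user, grp, valid_to, 'removed' FROM user_group WHERE valid_to > :since
        UNION ALL
        SELECT 'nested', child, parent, valid_from, 'added' FROM group_group WHERE valid_from > :since
        UNION ALL
        SELECT 'nested', child, parent, valid_to, 'removed' FROM group_group WHERE valid_to > :since
        ORDER BY at
    """, {"since": since}).fetchall()


if __name__ == "__main__":
    db = build_scd_db()
    print("Admins on Tuesday:", effective_members(db, "Admins", TUESDAY))
    print("Admins today:     ", effective_members(db, "Admins", TODAY))
    print("diff:", changed_since(db, "Admins", TUESDAY, TODAY))
    for row in direct_changes_since(db, TUESDAY):
        print("changed:", row)
```

The point the NDR paragraph makes above shows up in the output: bob's own membership row never changed, yet he is an effective admin today because Eng-Leads was nested under Admins on Wednesday. A flat event stream records one group edit; only the as-of traversal over the history tables tells you whose access that edit widened.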

05 — Common questions

What security leaders ask.

"We'd just revoke her access at offboarding."
"Google DLP / Salesforce Shield already catches that."
"We already have EDR, NDR, CDR, and a SIEM."
"Couldn't our SIEM do this if it ingested everything?"
"How noisy is this? We're already drowning in alerts."

See it in action

30 minutes. Real findings.

We'll walk you through an environment running your stack and show you what your current tools are missing. No slide deck. No hypotheticals.

Inside 30 days we'll show you findings in your own environment you didn't know about. If we can't, we haven't earned it.
