Why your EDR won’t catch the breach: the case for identity-aware detection

Endpoint detection and response was designed to catch malware on a workstation. It still does that job well. The problem is that most attackers are no longer dropping malware on workstations as the first move.

According to CrowdStrike‘s 2025 Global Threat Report, “79% of attacks to gain initial access” in 2024 were malware-free, relying on valid credentials, social engineering, and abuse of legitimate tooling. The Verizon 2025 Data Breach Investigations Report puts credential abuse at the top of the initial-access list at 22%. Red Canary‘s 2026 Threat Detection Report records an 850% year-over-year jump in identity threats, which now make up 53% of all confirmed detections in its dataset.

The pattern across these reports is consistent. The breach starts at the identity layer, the attacker logs in rather than breaks in, and the workstation is touched late, if at all. CTDefense sees the same shape in the engagements its MDR team works through every week.

This article walks through what that shift means for a security team that already has EDR in place, which attack techniques sit in the blind spot, and what to ask an MDR provider so the coverage gap actually closes.

What EDR was built to see

EDR sensors live on the endpoint. They watch process trees, file writes, registry edits, command-line arguments, and outbound network connections. When an attacker drops a binary, runs a suspicious PowerShell command, or injects into a trusted process, an EDR with reasonable rules and a competent SOC behind it will flag it.

The detections it produces are good when there is something to detect on the host.

The gap appears when the attacker never touches a corporate laptop. A session token stolen through a reverse proxy, an OAuth grant phished out of a user, or a help-desk impersonation that resets a password — all of these produce signals in identity systems and cloud audit logs, not on endpoints. EDR was not designed to ingest those logs and is not the right place to correlate them.

Three techniques the endpoint never sees

The techniques below now show up across published threat reports from CrowdStrike, Sophos, Expel, Red Canary, and Rapid7. They share one property: they all complete without a malicious file or process landing on a managed endpoint.

Adversary-in-the-middle phishing

In an AiTM phishing attack, the victim clicks a link to what looks like the corporate Microsoft 365 login page. The page is a reverse proxy controlled by the attacker. The user enters their password and approves the MFA prompt as normal. The proxy relays both to the real Microsoft endpoint and quietly captures the resulting session cookie.

From the user’s point of view, the login worked. From Microsoft’s point of view, an authenticated session was issued. From the endpoint’s point of view, nothing happened. The attacker now has a valid session token and can replay it from their own infrastructure, bypassing MFA on every subsequent request.

The signal lives in the identity log. A successful sign-in followed minutes later by activity from a new IP address, a new user agent, or a new geography — that is the detection window. The endpoint plays no part in it.

Session token theft from cloud applications

Once an attacker holds a session cookie or a refresh token, they can act as the user against the cloud tenant directly. Sophos‘s Active Adversary Report 2026 found that 67% of incidents in its dataset were rooted in identity-related attacks and that 59% of cases lacked MFA on the compromised account, which makes token reuse trivial when it does happen.

The attacker reads mail, downloads files from SharePoint, exports contact lists, or creates a forwarding rule. None of this generates endpoint telemetry on a managed laptop, because the activity runs against the cloud API, not the user’s device. Detection requires sign-in logs, audit logs, and behavioural baselines on the cloud tenant — not process trees.

The third pattern is the abuse of legitimate OAuth flows. The attacker initiates a device-code grant or a consent flow against the corporate tenant and tricks a user into completing it, often by sending a link that looks like an internal IT request. Once granted, the malicious application holds long-lived tokens and can read mail, calendar, and files for as long as the consent stands.

This attack leaves no footprint on any endpoint. The only place to catch it is in the tenant’s application consent log and in anomaly rules that watch for new third-party applications gaining broad scopes. CrowdStrike reports that 35% of cloud incidents in the first half of 2024 involved valid account abuse, with average eCrime breakout time of 48 minutes — fast enough that a once-a-week consent review will not catch it.

What identity-aware detection actually requires

Adding identity coverage is not a bolt-on. It changes what a SOC needs to ingest, what it correlates, and what an analyst looks at first when an alert fires.

The core ingredients are straightforward to list and harder to operate:

Identity provider logs. Sign-ins, sign-in risk scores, MFA prompts, conditional access decisions, password resets, and admin role changes — all streamed in near-real-time, not pulled once a day for compliance.
Cloud audit logs at tenant scope. Microsoft 365 unified audit log, Google Workspace audit logs, Okta system log, and the equivalent for any SaaS that holds sensitive data. Without these, token reuse and consent abuse are invisible.
Behavioural baselines per user, not per device. Impossible-travel rules, new-country sign-ins, anomalous mailbox rule creations, unusual download volumes, and out-of-hours admin actions are detected against a model of how the user normally behaves.
Cross-source correlation. A single risky sign-in is noise. A risky sign-in followed by a mail-forwarding rule and a SharePoint export is an incident. The platform that fires the alert needs to see all three sources.
A response playbook tied to identity actions. Containment for an identity attack is revoking sessions, disabling the account, rotating tokens, and pulling consent grants — not isolating a laptop. The SOC has to be able to do that, fast.

Rapid7‘s 2026 Global Threat Landscape Report found that valid accounts with weak or missing MFA represented 43.9% of its incident response investigations. Expel‘s 2026 Annual Threat Report reports that 47.7% of identity incidents in its dataset resulted in attackers successfully gaining account access using stolen credentials. Those numbers describe the volume of work an identity-aware SOC is actually picking up.

Five questions to ask any MDR provider

Most buyers in the David Müller profile have already invested in EDR and a SIEM. The question is whether the managed service sitting on top covers identity in a way that matches the threat reports above. The CTDefense team uses these five questions in its own scoping conversations:

Which identity and cloud sources do you ingest by default, and which are paid add-ons? Anything that is not in scope is not covered.
Do you alert on session token replay and impossible-travel patterns, and what is the median time-to-alert for those rules? Real numbers, not “near-real-time”.
Can you respond to identity events directly — revoke sessions, disable accounts, pull OAuth consents — or do you hand the ticket back to the customer? Detection without response leaves the breakout window open.
What is your baseline for “normal” per user, and how is it built? A static rule set will not catch a slow, low-volume token replay; a behavioural baseline will.
Show a real identity-incident report from the last 90 days, redacted. What the report contains says more about the service than any data sheet.

A provider that answers cleanly will name specific log sources, give time-to-alert in minutes, describe their containment actions in writing, and produce the redacted incident sample without hesitation.

A note on the CTDefense position

CTDefense did not design its MDR service around endpoints. It was built around the assumption that the breach starts in identity, the cloud tenant, and the SaaS layer, and that the endpoint is one signal among several rather than the centre of gravity. That mirrors what the 2025 and 2026 threat reports now describe as the dominant attack pattern.

Organisations in finance, healthcare, and technology that have already deployed EDR are the right audience for that conversation. The endpoint coverage they have today still matters. The question is whether the rest of the attack surface — the identities, the tokens, the consents, the cloud admin actions — is covered with the same seriousness, and by a team that can act on what it sees in the first 30 minutes rather than the next business day.