WiFi ITDR (Identity Threat Detection and Response) applies identity security principles to wireless network authentication. It analyzes RADIUS telemetry to detect credential attacks like brute force and password spray, behavioral anomalies like impossible travel, and device threats like MAC spoofing — all mapped to the MITRE ATT&CK framework.

How does IronWiFi detect identity threats on WiFi?

IronWiFi builds behavioral baselines per identity from authentication patterns including time-of-day, access points used, device fingerprints, and authentication methods. Nine detection engines (credential attack, identity anomaly, certificate threat, device threat, session anomaly, portal security, agent anomaly, insider threat, and OpenRoaming compliance) continuously analyze RADIUS authentication + accounting, captive portal, AI agent, and OpenRoaming federation events against baselines and known attack patterns, generating risk-scored detections in under 30 seconds.

What threats can WiFi ITDR detect?

IronWiFi ITDR detects 50+ threat types across nine engines: credential attacks (brute force, password spray, credential stuffing, replay attacks), identity anomalies (impossible travel, frequency anomaly, auth method change, sudden-denial / account de-provisioning), certificate threats (revoked, unknown CA, mass issuance, expiry clustering), device threats (MAC spoofing, device cloning, OS change), session anomalies (mid-session hijack via Framed-IP change, data exfiltration via octets z-score, session duration anomaly), portal security (bot traffic, social login abuse, session hijacking, credential reuse), agent anomalies (rate spikes, shadow AI, supply chain attacks), insider threats (warwalking, privilege escalation, terminated user access, concurrent sessions), and OpenRoaming compliance (federated credential stuffing, cross-realm MAC reuse, Operator-Name spoofing, RCOI settlement-class mismatch, missing Acct-Session-Id, settlement drift).

How is WiFi ITDR different from NAC or NDR?

Traditional NAC (Network Access Control) makes binary allow/deny decisions at connection time. NDR (Network Detection and Response) monitors network traffic patterns. WiFi ITDR operates at the identity layer — analyzing who is authenticating, how their behavior compares to their baseline, and whether their credentials or devices show signs of compromise. It catches threats that NAC and NDR miss because it understands identity context.

Do I need to install agents or sensors?

No. WiFi ITDR works entirely from RADIUS authentication telemetry that your access points already generate. There are no agents to install on endpoints, no sensors to deploy, and no network taps required. If your WiFi uses RADIUS authentication, ITDR works immediately.

What access point vendors are supported?

WiFi ITDR works with any RADIUS-capable access point. This includes Cisco, Aruba, Meraki, Ruckus, Ubiquiti, Fortinet, MikroTik, TP-Link, Cambium, Juniper Mist, and 35+ other brands. If your AP speaks RADIUS, ITDR can analyze its authentication events.

How does MITRE ATT&CK mapping work?

Every detection is automatically mapped to the relevant MITRE ATT&CK technique (e.g., T1110 for brute force, T1078 for valid accounts abuse, T1556 for credential modification, T1036 for masquerading). This gives security teams a common language for threat classification and helps with SOC workflows, incident reporting, and compliance documentation.

Can ITDR integrate with my SIEM?

Yes. Detections and incidents can be exported via syslog/CEF format or webhooks to Splunk, Microsoft Sentinel, Elastic, QRadar, Datadog, or any SIEM that accepts structured security events. Each event includes MITRE technique IDs, severity scores, and full identity context.

How does WiFi ITDR detect insider threats?

The Insider Threat Engine detects five threat patterns: warwalking (10+ access points in 1 hour indicating physical reconnaissance), privilege escalation (unauthorized role changes), terminated user access (credentials used after offboarding), after-hours authentication, and concurrent sessions from multiple locations. Detections are mapped to MITRE ATT&CK techniques including T1078 (Valid Accounts), T1078.003 (Local Accounts), T1078.004 (Cloud Accounts), T1036 (Masquerading), and T1040 (Network Sniffing).

Can WiFi ITDR detect compromised AI agents?

Yes. The Agent Anomaly Engine builds per-agent behavioral baselines and detects rate spikes (3x above baseline), new IP ranges, certificate changes, off-hours activity, and lateral movement to unauthorized network segments. A dedicated Shadow AI Discovery module identifies unregistered agents exhibiting machine-like authentication patterns. Compromised agents are automatically quarantined via RADIUS Change of Authorization.

What compliance frameworks does WiFi ITDR support?

WiFi ITDR maps to SOC 2 Type II (CC6.1, CC6.6, CC7.2), HIPAA (§164.312 access and audit controls), NIS2 (Article 21 risk analysis and incident handling), and PCI DSS 4.0 (Requirements 6, 10, 11). Full audit trails are stored in BigQuery with 365-day retention for compliance evidence.

First WiFi ITDR Platform

Detect Identity Threats
in Your WiFi Network

Nine engines detect credential attacks, mid-session hijack, data exfiltration, insider threats, AI agent compromise, captive portal fraud, and OpenRoaming federation abuse across your WiFi network in real time. 50+ threat types. 30+ MITRE ATT&CK techniques. Zero agents to deploy.

Request Design Partner Access Talk to Sales

No agents required · Works with any RADIUS-capable AP · Enterprise plan · SOC 2 Type II report issued (Johanson Group, unqualified opinion)

1,000+ Organizations

108 Countries

50M+ Authentications/Month

WiFi ITDR (Identity Threat Detection and Response) is a security category defined by Gartner that IronWiFi applies specifically to wireless network authentication. Nine detection engines analyze every RADIUS authentication event, RADIUS accounting packet (Start/Interim/Stop), captive portal session, AI agent authentication, and OpenRoaming federation transaction to identify 50+ threat types — credential attacks, behavioral anomalies, certificate threats, device spoofing, mid-session hijack, data exfiltration, portal fraud, compromised AI agents, insider threats, and federated roaming abuse — mapped to 30+ MITRE ATT&CK techniques with per-identity risk scoring from 0 to 100. Detections trigger automated response via RADIUS Change of Authorization, session blocking, or certificate revocation, and export to Splunk, Sentinel, Elastic, QRadar, or Datadog via syslog/CEF and webhooks.

50+

Threat Types Detected

<30s

Mean Time to Detect

Detection Engines

Agents to Deploy

Auth Event RADIUS, portal, or agent

Baseline Check Compare to learned behavior

7 Detection Engines Parallel threat analysis

Risk Score Identity risk 0–100

Alert & Respond Incident created

Overview

What Is WiFi ITDR?

Identity security for the wireless authentication layer

ITDR (Identity Threat Detection and Response) is a security category defined by Gartner that focuses on detecting threats targeting identity infrastructure. Most ITDR platforms monitor Active Directory, cloud IAM, or SSO providers. IronWiFi is the first to apply ITDR to WiFi network authentication, captive portal logins, and AI agent credentials.

Every time a user, guest, device, or AI agent authenticates on your wireless network, RADIUS and captive portal authentication produces rich telemetry — who, when, where, how, and what device. Most organizations discard this data. WiFi ITDR transforms it into continuous threat detection.

Seven specialized engines build behavioral baselines per identity and analyze every authentication event for credential attacks, behavioral anomalies, certificate misuse, device spoofing, portal-layer threats, insider threats, and compromised AI agents. Each detection is mapped to one of 15 MITRE ATT&CK techniques, risk-scored from 0 to 100, and correlated into incidents with automated response via RADIUS Change of Authorization.

Identity-Layer Detection

Operates at the authentication layer — sees threats that network-level tools miss entirely.

Per-Identity Baselines

Learns normal behavior for every identity: hours, APs, devices, EAP methods, locations.

Risk Scoring (0–100)

Composite risk score per identity based on detection severity, frequency, and recency.

MITRE ATT&CK Mapped

Every detection linked to the relevant technique for SOC workflows and compliance.

Engines

Nine Detection Engines, 50+ Threat Types

Every authentication event — RADIUS auth + accounting, captive portal, AI agent, and OpenRoaming federation — passes through nine specialized engines running in parallel

Credential Attack Engine

Sliding-window counters detect volumetric attacks targeting authentication credentials across RADIUS and captive portal logins in real time.

Brute Force Password Spray Credential Stuffing Replay Attack EAP Downgrade Voucher Stuffing

T1110 · Credential Access

Identity Anomaly Engine

Behavioral baselines built per identity detect deviations from normal authentication patterns across enterprise users, guest visitors, and devices — including sudden-denial bursts that signal out-of-band credential revocation or account de-provisioning.

Impossible Travel Sudden Denial Time Anomaly Frequency Anomaly AP Anomaly Auth Method Change Payment Fraud

T1078 · T1531 · Defense Evasion · Impact

Certificate Threat Engine

Validates certificate chains and detects misuse of PKI infrastructure for network access.

Revoked Cert Unknown CA Mass Issuance Expired Cert Cert Mismatch Expiry Clustering

T1556 · Credential Access

Device Threat Engine

Cross-references MAC addresses, device fingerprints, and session data to detect device-level threats.

MAC Spoofing Device Cloning Rogue Device MAC Rotation OS Change

T1036 · Defense Evasion

Session Anomaly Engine

Consumes RADIUS accounting (Start / Interim-Update / Stop) to detect threats that the auth packet alone cannot see — mid-session credential hijack, data exfiltration via outbound volume, and session-duration anomalies. Trust-tag-weighted thresholds calibrate per-NAS accounting accuracy against the WBA RADIUS Accounting Assurance standard.

Mid-Session IP Hijack Data Exfiltration Session Duration Anomaly

T1550 · T1048 · Defense Evasion · Exfiltration

Portal Security Engine

Detects web-layer threats unique to captive portal authentication — social login abuse, automated attacks, and session manipulation that RADIUS telemetry cannot see.

Social Login Abuse Bot Traffic Session Hijacking Payment Fraud Credential Reuse Cookie Replay

T1595.002 · T1078.004 · T1563 · T1565 · T1110.004

Agent Anomaly Engine

Purpose-built for non-human identities. Detects compromised AI agents, shadow AI, supply chain attacks, and lateral movement using per-agent behavioral baselines.

Rate Spike New IP Range Certificate Change Shadow AI Supply Chain Attack Peer Communication

T1078 · T1556 · T1021

Insider Threat Engine

Detects compromised or malicious insiders through authentication pattern analysis — after-hours access, excessive roaming, privilege escalation, and terminated user activity.

Warwalking Privilege Escalation Terminated User After-Hours Access Concurrent Sessions

T1078 · T1078.003 · T1078.004 · T1036 · T1040

OpenRoaming Compliance Engine

Detects WBA OpenRoaming v5.0.0 specification violations (October 2025) across the roaming federation — missing WBA-Identity-Provider, missing Acct-Session-Id, missing CUI on permanent-ID RCOIs, oversized Session-Timeout on short-lived On-Board RCOIs, malformed Operator-Name, unknown RCOI classes, settlement-provider mismatches, IDP reject reasons, and eduroam inbound classification gaps invisible to single-realm tools.

Missing WBA-Identity-Provider Operator-Name Format Invalid RCOI Class Unknown Settlement Provider Mismatch Missing Acct-Session-Id Session-Timeout Too Long (short-lived RCOI) Missing CUI (permanent-ID RCOI) IDP Reject Reason Eduroam Inbound Classified Missing Class Attribute

T1562 · T1565.001 · T1583 · T1078

Platform

One Dashboard, Every Authentication Layer

RADIUS, captive portal, and AI agent detections feed into the same incident timeline, risk scores, and MITRE mapping

Three of the nine engines — Credential Attack, Identity Anomaly, and Device Threat — analyze events across all authentication layers. The Session Anomaly Engine consumes RADIUS accounting to catch mid-session hijack and data exfiltration after auth succeeded. The Portal Security Engine adds web-layer detection for captive portal threats. The Agent Anomaly Engine monitors non-human identities for compromise, shadow AI, and supply chain attacks. The Insider Threat Engine catches warwalking, privilege escalation, and terminated user access. The OpenRoaming Compliance Engine catches WBA v5.0.0 federation-layer violations — federated credential stuffing, cross-realm MAC reuse, Operator-Name spoofing, RCOI settlement-class mismatch, oversized Session-Timeout on short-lived On-Board RCOIs, and missing CUI on permanent-ID RCOIs — invisible to single-realm tools. Every detection, regardless of source, appears in a single unified view.

How It Works

How Does WiFi ITDR Work?

From silent authentication telemetry to actionable threat intelligence in four steps

The Detection Pipeline

Every authentication event flows through a purpose-built pipeline that turns raw RADIUS data into security intelligence — automatically and in real time.

Connect RADIUS

Point your access points to IronWiFi RADIUS. Authentication telemetry flows automatically — no agents, no sensors, no network taps.

Baselines Learn

Behavioral baselines build per identity within 7–14 days: typical hours, access points, devices, authentication methods, and locations.

Engines Analyze

Every authentication event passes through nine detection engines in parallel. Each engine scores threats and maps them to MITRE ATT&CK techniques.

Threats Surfaced

Detections are risk-scored, correlated into incidents, and surfaced in your console with full identity context and response playbooks.

Why This Architecture Matters

Zero Infrastructure

No agents, sensors, or network taps. Works from RADIUS telemetry your APs already produce.

Real-Time Detection

Sub-30-second mean time to detect. Threats caught during the authentication event, not hours later.

Defense in Depth

Nine engines with different detection strategies ensure threats can't slip through a single blind spot.

Full Audit Trail

Every detection and incident logged with timestamps, identity context, and MITRE technique IDs.

MITRE Coverage

MITRE ATT&CK Technique Coverage

Every detection mapped to the framework your SOC already speaks

Technique	Name	Tactic	ITDR Detection
`T1110`	Brute Force	Credential Access	Brute force, password spray, credential stuffing, voucher stuffing
`T1110.001`	Password Guessing	Credential Access	Failed auth threshold per identity per window
`T1110.003`	Password Spraying	Credential Access	Single credential against multiple identities
`T1078`	Valid Accounts	Defense Evasion	Impossible travel, time anomaly, AP anomaly, payment fraud, off-hours activity
`T1078.004`	Cloud Accounts	Persistence	Agent rate spike, compromised automation loops
`T1556`	Modify Auth Process	Credential Access	EAP downgrade, certificate misuse, unknown CA, agent certificate change
`T1036`	Masquerading	Defense Evasion	MAC spoofing, device cloning, rapid MAC rotation
`T1562`	Impair Defenses	Defense Evasion	Rogue device, unauthorized AP association
`T1110.004`	Credential Stuffing	Credential Access	Captive portal credential reuse, federated credential stuffing across roaming partners
`T1595.002`	Active Scanning: Vulnerability Scanning	Reconnaissance	Bot submissions, headless-browser portal probing, automated CAPTCHA bypass
`T1563`	Remote Service Session Hijacking	Lateral Movement	Portal session hijacking, multi-Acct-Session-Id replay across roaming federation
`T1021`	Remote Services	Lateral Movement	Agent accessing unauthorized network segments or SSIDs
`T1078.003`	Valid Accounts: Local Accounts	Privilege Escalation	Privilege escalation via auth to unfamiliar SSID outside baseline
`T1040`	Network Sniffing	Discovery	Warwalking (10+ access points in 1 hour) indicating physical reconnaissance
`T1557`	Adversary-in-the-Middle	Credential Access	Replay attacks, credential interception via rogue AP
`T1550`	Use Alternate Authentication Material	Defense Evasion	Mid-session hijack via Framed-IP change on active RADIUS session
`T1048`	Exfiltration Over Alternative Protocol	Exfiltration	Anomalous outbound octet volume vs per-identity baseline (octets z-score from RADIUS accounting)
`T1531`	Account Access Removal	Impact	Sudden-denial burst from known AP for historically-healthy user (out-of-band credential revocation, account de-provisioning, MFA fatigue tail)

Compliance

Built for Compliance Audits

WiFi ITDR maps directly to the controls auditors ask about

SOC 2 Type II

Report issued 2026-05-07 by Johanson Group LLP — unqualified opinion, no exceptions noted (Security + Availability TSCs, period 2025-12-01 to 2026-03-09). Continuous monitoring of authentication events satisfies CC6.1 (logical access controls), CC6.6 (system boundaries), and CC7.2 (anomaly detection). Full audit trail in BigQuery with 365-day retention.

HIPAA

Detects unauthorized access to ePHI network segments. Maps to §164.312(a) (access control), §164.312(b) (audit controls), and §164.312(d) (person authentication).

NIS2

Satisfies Article 21 requirements for risk analysis, incident handling, and supply chain security. Insider Threat and Agent Anomaly engines address access control and asset management obligations.

PCI DSS 4.0

Addresses Requirement 10 (log and monitor) and Requirement 11 (test security). Payment fraud detection on captive portals maps to Requirement 6 (secure systems). 90-day detection retention meets audit requirements.

Comparison

WiFi ITDR vs. Traditional Security Approaches

How identity-layer detection compares to what you may be using today

Capability

WiFi ITDR

NAC / NDR

Detection Layer

Identity & authentication

Network traffic / port control

Credential Attack Detection

Brute force, spray, stuffing, EAP downgrade

Not detected

Behavioral Baselines

Per-identity, continuously updated

Network-level only

Impossible Travel Detection

AP location + timing analysis

No identity context

MITRE ATT&CK Mapping

Automatic, per detection

Varies / manual

Deployment

Zero agents, zero sensors

Agents, sensors, or taps required

Time to Value

Detections within minutes

Weeks of configuration

Identity Risk Scoring

Composite 0–100 per identity

Binary allow/deny

Talk to Sales

Response

Detect, Then Respond — Automatically

Configurable playbooks with shadow, detect, and enforce modes close the loop between detection and remediation in seconds

RADIUS Change of Authorization

Quarantine, disconnect, or reassign VLAN for compromised identities in real time via RADIUS CoA — no manual intervention, no waiting for the next auth cycle.

Quarantine VLAN Reassign Disconnect

Captive Portal Enforcement

Block portal sessions, require re-authentication, or trigger MFA step-up for guest users flagged by detection engines. Stops payment fraud and bot attacks mid-session.

Session Block MFA Step-Up Re-Auth Required

Agent Lifecycle Actions

Revoke certificates, restrict network segments, or suspend AI agent identities when anomalies indicate compromise or unauthorized lateral movement.

Cert Revoke Segment Restrict Agent Suspend

SIEM & SOAR Integration

Forward risk-scored detections to Splunk, Sentinel, Elastic, QRadar, or Datadog via syslog/CEF, webhooks, or REST API. Trigger SOAR playbooks from any detection event.

Syslog Webhooks REST API

Talk to a WiFi Identity Specialist

See IronWiFi working with your hardware
Get a deployment plan for your network
30-minute call — no pitch deck

Request Design Partner Access Pick a Time →

Limited design-partner cohort for Q3 2026 — dedicated engineering support, zero cost

Detect Identity Threats in Your WiFi Network