2026 WINNER · CYBERSECURITY STARS AWARDS
Permiso Security · Identity Threat Detection and Response (ITDR) Platform
Best Identity Threat Detection and Response (ITDR) Platform
Overview
Permiso Security is a unified identity security platform that secures human, non-human, and AI identities across cloud, SaaS, on-premises, and infrastructure environments. Founded by Jason Martin and Paul Nguyen, Permiso was built on a simple premise: the majority of modern breaches are identity-based, and most security tools lose visibility the moment an identity authenticates.
Permiso closes that gap with Identity Threat Detection and Response built on its Universal Identity Graph, which correlates identity behavior across IdPs, cloud accounts, on-premises environments, and infrastructure to track what every identity actually does after authentication. In 2026, Permiso extended its ITDR capabilities to AI agents with Identity Runtime Attribution, bringing the same detect-and-respond model to autonomous agents that authenticate, call tools, and access data at machine speed. The platform is backed by P0 Labs, Permiso's threat research team, whose discoveries (including the LLMjacking attack technique and ongoing tracking of threat groups like Scattered Spider and LUCR-3) feed directly into the product's detection logic.
Permiso protects enterprises including Autodesk and serves organizations managing tens of millions of identities. The company is recognized as a Challenger and Outperformer in the GigaOm ITDR Radar and won the 2026 SC Award for Best Threat Detection Technology.
Key Capabilities
- Runtime identity threat detection: Continuously monitors identity behavior after authentication, surfacing compromised credentials, anomalous access, and insider threats that IAM and posture tools miss. Powered by 1,500+ detection signals derived from real-world breach response.
- Universal Identity Graph: Correlates activity across human, non-human, and AI identities in a single view, tying every action back to a specific identity and mapping the full blast radius of any session.
- Coverage across all identity types and environments: Detection spans IdPs, IaaS, PaaS, and SaaS, including service accounts, API keys, OAuth connectors, and AI agents, not just human users.
- AI agent threat detection: Extends runtime detection to AI agents, discovering agents across the environment, attributing every action to an initiating identity, and detecting anomalous agent behavior, with Autodesk as a launch customer.
- P0 Labs threat intelligence: Detection logic is informed by original research into active attack techniques (LLMjacking, cross-prompt injection, malicious AI agent skills) and live threat-group tracking. Sample research: https://permiso.io/blog/exploiting-hosted-models
- High-fidelity alerting and investigation: Surfaces threats SIEMs miss, with a unified alert workflow and the audit trail needed to reconstruct an incident in minutes rather than days.
- Identity-first response: Least privilege recommendations, approval gates, and the ability to revoke or contain compromised identities at the identity layer.
- Agentless, API-based deployment: Connects with no infrastructure changes, delivering value in days.
How we are different
Most ITDR vendors anchor to a single layer (the IdP or the endpoint) and a single identity type (human users). Permiso is different in three ways.
- First, coverage. Permiso secures human, non-human, and AI identities in one platform, across IdP, cloud, SaaS, and infrastructure. As non-human and AI identities now outnumber human ones, and AI agents become the fastest-growing identity class, ITDR that only watches human logins covers a shrinking fraction of the real attack surface. Permiso already extends detection and response to AI agents, attributing every agent action to an identity in real time.
- Second, research. Permiso's detection is built on original threat research from P0 Labs, which published early research on LLMjacking (documenting real-world hijacking of cloud-hosted LLMs in customer environments as early as February 2024) and continues to track active threat groups and emerging AI attack patterns. This means Permiso detects attacks based on how adversaries actually behave, not just static rules, and customers inherit detection logic proven against real-world incidents. Research: https://permiso.io/blog/exploiting-hosted-models
- Third, runtime focus. Posture management tells you what an identity is configured to do. Permiso tells you what it is actually doing, continuously, and ties every action to a specific identity through the Universal Identity Graph. That runtime visibility is what lets security teams catch a compromised but legitimate credential, the exact scenario that defeats traditional IAM.
The result: an admin doing their job and an attacker using stolen credentials look identical to most tools. Permiso is built to tell them apart, whether that identity is a human, a service account, or an AI agent.
Gallery
