User and Entity Behaviour Analytics (UEBA) is the dominant insider threat detection approach in enterprise security. It works by establishing baseline digital behaviour patterns per user and entity, then alerting when anomalies are detected — unusual file access, off-hours logins, lateral movement. UEBA is well-evidenced, widely deployed, and genuinely effective at what it does. What it does not do is monitor the human emotional and psychological state that produces those digital behaviours. That is the layer EchoDepth covers.
The Core Problem: UEBA Detects After, EchoDepth Detects Before
Carnegie Mellon CERT's analysis of 150 insider cases found a 14-month average gap between the first observable emotional or behavioural precursor and the first malicious digital act. UEBA fires when the digital act occurs. EchoDepth surfaces signals during those 14 months.
This is not a failure of UEBA — it is a limitation inherent to monitoring digital exhaust. UEBA cannot detect what is not yet in the logs. EchoDepth monitors the human, not the logs. The two are complementary, not competing.
Side-by-Side Comparison

| Capability | UEBA / SIEM | EchoDepth |
|---|---|---|
| What it monitors | Digital behaviour (files, logins, network) | Human emotional and cognitive state |
| Detection timing | After a digital act occurs | Before digital acts — pre-digital signal |
| Signal source | Logs, access records, network traffic | Facial Action Units — 44 channels per frame |
| Baseline type | Digital behaviour baseline per user | Emotional baseline per individual |
| Detects suppression/masking | No | Yes — temporal AU sequencing |
| Continuous human monitoring | No — digital only | Yes — ~700ms latency |
| SCIF / air-gap deployable | Partially (depends on architecture) | Yes — fully on-premise, zero outbound |
| UK data residency | Varies by vendor | Yes — default, all processing in UK |
| SIEM integration | Native (it is the SIEM) | Yes — Splunk, Sentinel, QRadar via API |
| UK-developed | Varies | Yes — Cavefish Ltd, Cardiff |

How EchoDepth and UEBA Work Together
EchoDepth feeds structured emotional anomaly scores into SIEM platforms via REST API and WebSocket. In Splunk, Sentinel, or QRadar, EchoDepth data appears as a new field alongside digital behaviour events — enabling correlation queries that neither system could generate alone.
Example: an individual whose UEBA digital behaviour profile is entirely within normal parameters, but whose EchoDepth emotional baseline deviation has been elevated for three weeks, can be flagged for enhanced digital monitoring — before any anomalous digital act occurs. This is exactly the 14-month detection window that UEBA cannot cover.
EchoDepth can also trigger SOAR playbooks via SIEM integration — automatically initiating additional monitoring, review queuing, or alerting workflows when emotional anomaly thresholds are breached.
UEBA + EchoDepth = full insider threat coverage
UEBA covers the digital layer from the point of first digital act onward. EchoDepth covers the human emotional layer in the months before. Together they address the complete insider threat timeline — from first observable precursor to detection and response.