Insider threat detection software has evolved significantly since the first UEBA platforms emerged in the 2010s. Today's procurement teams must evaluate solutions across multiple dimensions: detection methodology, deployment architecture, compliance posture, and total cost of ownership. This guide provides the evaluation framework and procurement checklist defence organisations need to make informed decisions.
What Are the Key Evaluation Criteria for Insider Threat Software?
Insider threat detection software identifies personnel who may misuse authorised access to cause harm. Key evaluation criteria include: detection lead time, false positive rate, deployment architecture (cloud/on-premise/air-gapped), data residency, SIEM integration, evidence auditability, and total cost of ownership. For defence, SCIF compatibility and UK data sovereignty are critical.
When evaluating insider threat solutions, procurement teams should assess capabilities across seven core dimensions:
1. Detection Lead Time
How early does the system identify potential threats? Traditional UEBA systems detect anomalies after a digital act has occurred. Research from Carnegie Mellon CERT shows that observable behavioural indicators precede malicious digital acts by an average of 14 months. Systems that monitor pre-digital signals — emotional baseline deviation, stress markers, disengagement patterns — provide earlier warning.
2. False Positive Rate
High false positive rates create alert fatigue and erode trust in the system. Ask vendors for documented false positive rates from comparable deployments. Expect rates below 5% for mature systems. Consider how the system handles baseline establishment and individual calibration.
3. Deployment Architecture
For defence organisations, deployment options are critical. Key questions:
- Can the system run fully on-premise with no cloud dependency?
- Is air-gapped deployment supported for SCIF environments?
- What are the minimum hardware requirements?
- Does the system require GPU acceleration?
4. Data Residency and Compliance
For UK defence procurement, data sovereignty is non-negotiable. Verify:
- UK GDPR compliance for biometric/behavioural data processing
- Data residency guarantees (no data leaving UK jurisdiction)
- NCSC guidance alignment
- DSAT-compatible audit logging
5. Integration Capabilities
Insider threat detection should integrate with existing security infrastructure:
- SIEM integration (Splunk, Microsoft Sentinel, QRadar)
- SOAR platform compatibility
- IAM/PAM system integration
- API availability for custom integrations
6. Evidence Auditability
Can system outputs be reviewed, challenged, and used as evidence? Look for:
- Timestamped, structured output formats
- Reproducible detection methodology
- Clear audit trails
- Support for incident investigation workflows
7. Total Cost of Ownership
Beyond licence fees, consider implementation costs, training requirements, ongoing maintenance, and the cost of false positives (investigation time per alert).
What Is the Difference Between UEBA and Emotion AI?
The insider threat detection market offers three primary technology approaches. Understanding their differences is essential for informed procurement.
| Capability | UEBA | Emotion AI | Combined Approach |
|---|---|---|---|
| What it monitors | Digital behaviour (access patterns, data transfers, login anomalies) | Pre-digital signals (facial expressions, emotional baseline, stress) | Both digital and pre-digital layers |
| Detection timing | After digital act occurs | Before digital act (avg. 14 months earlier) | Earliest possible detection |
| Data sources | Log files, network traffic, access records | Camera feeds, existing CCTV | All available sources |
| Hardware needs | Log aggregation infrastructure | Standard RGB cameras (720p+) | Both |
| Privacy model | Monitors work activities | Baseline deviation only, pseudonymised | Layered privacy controls |
"In the majority of insider threat cases examined, there were observable behavioural indicators prior to the damaging act. In almost all cases, no systematic monitoring was in place to detect these indicators."
— Carnegie Mellon CERT Insider Threat CenterWhat Should Be Included in an Insider Threat Software RFP?
The following checklist covers essential RFP requirements for insider threat detection software procurement:
Technical Requirements
- On-premise deployment capability with no cloud dependency
- Air-gapped/SCIF-compatible deployment option
- Documented hardware requirements (CPU, RAM, storage, GPU if any)
- Camera/sensor requirements and compatibility
- API documentation and integration capabilities
- SIEM integration (specify platforms: Splunk, Sentinel, etc.)
- Output format specifications (JSON, STIX, etc.)
Compliance Requirements
- UK GDPR compliance documentation
- Biometric data processing lawful basis
- Data Protection Impact Assessment template
- UK data residency guarantee
- NCSC guidance alignment statement
- DSAT-compatible audit logging
- ICO registration confirmation
Performance Requirements
- Documented false positive rate from comparable deployments
- Documented false negative rate
- Processing latency specifications
- Baseline establishment period
- Scalability (cameras/users supported per deployment)
Commercial Requirements
- Pilot programme availability and terms
- Pricing model (per camera, per user, per deployment)
- Implementation and training costs
- Support SLA and escalation procedures
- Contract exit terms and data portability
How Should You Structure the Evaluation Process?
A structured evaluation process typically follows four phases:
Phase 1: Paper evaluation — Review vendor responses against RFP requirements. Score each vendor across evaluation criteria. Shortlist 2-3 vendors for demonstration.
Phase 2: Technical demonstration — Request live demonstrations of detection capabilities. For defence procurement, request air-gapped demo environment access. Involve technical stakeholders (security architects, SOC leads).
Phase 3: Pilot deployment — Conduct a time-bound pilot (typically 4-12 weeks) with defined success metrics. Establish baseline, run live detection, evaluate outputs against known scenarios if possible.
Phase 4: Business case and contract — Develop business case from pilot results. Negotiate commercial terms. Execute contract with clear SLAs and exit conditions.
Camera-based insider threat detection for defence
EchoDepth monitors emotional baseline deviation using existing camera infrastructure. SCIF-compatible, UK data residency, structured JSON output. Detects pre-digital threat signals months before UEBA alerts fire.