What is Behavioural Drift?
Behavioural drift is the gradual change in an individual's behavioural patterns from their established baseline. Carnegie Mellon CERT research shows that insider threat incidents are typically preceded by months of observable behavioural changes — stress elevation, disengagement, attitude changes — before any malicious action occurs.
Digital monitoring systems detect actions: data access, file transfers, login patterns. They cannot detect the behavioural precursors that research consistently identifies as preceding incidents. EchoDepth adds this human layer to insider threat programmes.
How Behavioural Drift Detection Works
EchoDepth establishes individual behavioural baselines from facial Action Unit patterns. Unlike population-average approaches, each individual's baseline is unique to them. The system then monitors for statistically significant deviations:
- Stress level changes — Sustained elevation in stress indicators
- Engagement pattern shifts — Changes in attention, focus and responsiveness
- Suppression frequency changes — Increased attempts to mask or control expressions
- Cognitive load variations — Changes in cognitive processing indicators
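The difference between an individual baseline and a population-average one, and the role of a "sustained" requirement, shown as an added illustration that is not EchoDepth's algorithm or code. The daily stress-indicator scores are constructed, and the z-score test, the 3-standard-deviation threshold and the 3-day run length are assumptions chosen for the example.

```python
from statistics import mean, stdev

def zscores(baseline, recent):
    """Standard deviations each recent value sits above the baseline mean."""
    mu, sigma = mean(baseline), stdev(baseline)
    if sigma == 0:
        raise ValueError("baseline has no variance; cannot score deviations")
    return [(x - mu) / sigma for x in recent]

def sustained_drift(baseline, recent, z_threshold=3.0, min_run=3):
    """True only if min_run consecutive values exceed z_threshold.

    A single outlier resets the run, so one bad day does not raise an alert.
    """
    run = 0
    for z in zscores(baseline, recent):
        run = run + 1 if z > z_threshold else 0
        if run >= min_run:
            return True
    return False

# Constructed daily stress-indicator scores on a 0..1 scale.
# Person A is habitually low, person B habitually high.
A_BASE = [0.20, 0.22, 0.18, 0.21, 0.19, 0.20, 0.23, 0.17, 0.21, 0.19]
B_BASE = [0.60, 0.62, 0.58, 0.61, 0.59, 0.60, 0.63, 0.57, 0.61, 0.59]
POPULATION = A_BASE + B_BASE          # pooled, population-average baseline

A_RECENT = [0.21, 0.44, 0.46, 0.45, 0.47]   # sustained rise for A
A_SPIKE = [0.20, 0.45, 0.21, 0.19, 0.22]    # one-day spike for A
B_RECENT = [0.61, 0.59, 0.62, 0.60, 0.61]   # B's normal, though above A's rise

if __name__ == "__main__":
    cases = [
        ("A sustained rise vs own baseline", A_BASE, A_RECENT),
        ("A sustained rise vs population", POPULATION, A_RECENT),
        ("A one-day spike vs own baseline", A_BASE, A_SPIKE),
        ("B normal days vs own baseline", B_BASE, B_RECENT),
    ]
    for label, base, recent in cases:
        print(f"{label}: drift={sustained_drift(base, recent)}")
```

A's rise to about 0.45 is far outside A's own history but sits near the pooled mean, so only the per-individual baseline flags it, while B's higher absolute scores are normal for B and raise nothing.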
Integration with Insider Threat Programmes
Behavioural drift detection is designed to complement, not replace, existing insider threat monitoring. EchoDepth integrates with SIEM platforms via REST API, feeding structured behavioural anomaly alerts into existing security workflows.
Drift alerts are not accusations. They are indicators that may warrant analyst review, additional support for the individual, or adjustment to monitoring posture. The goal is earlier intervention — supporting individuals before incidents occur, not just detecting malicious actions.
Legal and Ethical Considerations
Continuous behavioural monitoring requires explicit consent from monitored individuals, a deployment-specific DPIA, and appropriate governance structures. Cavefish does not deploy without all three. The platform is designed for transparent, consented use in high-security environments where such monitoring is lawful and appropriate.
Behavioural drift detection briefing
Technical briefings for insider threat programme managers, personnel security teams and security leadership. NDA available.