Module 02 · Insider Threat & Vetting

Insider Threat Detection: Continuous Anomaly Monitoring.

Security clearances tell you who someone was at the point of vetting. EchoDepth tells you who they are right now — establishing a continuous emotional baseline per individual and alerting when patterns deviate significantly. Earlier signal. Earlier intervention.

EchoDepth by Cavefish AI Ltd · Cardiff, Wales · Camera-based emotion recognition AI

The Problem

How does EchoDepth detect insider threats before they occur?

Security clearances and annual reviews catch nothing in real time. Stress indicators, behavioural anomalies, and emotional changes that precede insider incidents go entirely undetected by existing TSCM and access control infrastructure. Traditional vetting misses approximately 83% of insider threats until the post-incident investigation — when the damage is already done.

EchoDepth provides a continuous passive signal layer — establishing what normal looks like for each individual, then surfacing deviations to your security operations team before they become incidents.

  • Behavioural baseline profiling per individual established across working periods
  • Anomaly scoring when emotional state deviates significantly from personal norm
  • Direct integration with SIEM platforms — Splunk, Microsoft Sentinel, and others
  • Alert escalation workflows for security operations teams with configurable thresholds
  • Pre-interview emotional state capture for HR and security investigations
  • UK GDPR-compliant architecture with role-based data access controls
  • UK data residency and air-gap deployment for the most sensitive environments

Also see: Insider threat in cyber security context and deception detection capability.

  • Average time to detect: Real-time. Versus 6–18 months post-incident for traditional vetting and review methods.
  • Incidents preceded by detectable signals: ~82%. Of insider incidents show elevated emotional markers in the 30 days prior — CISA research.
  • Deployment footprint: Camera-only. Existing CCTV infrastructure reuse is possible in most environments. Zero additional hardware required.
  • Average cost per insider incident: £3.2M. Ponemon Institute 2024. EchoDepth surfaces the precursor signals.

How It Works

Three-Phase Detection Architecture

PHASE 01

Baseline Establishment

EchoDepth learns what emotionally normal looks like for each individual — across typical working conditions, stress events, and interpersonal interactions. Baseline is individual-specific, not population-average.

PHASE 02

Continuous Monitoring

Passive AU analysis runs continuously against established baselines. No disruption to personnel workflow. No awareness by the monitored individual of the system's presence or active state.

PHASE 03

Anomaly Alerting

When emotional patterns deviate beyond configurable thresholds, the system generates a structured alert for your security operations team — with supporting AU evidence and deviation score.

Common Questions

Frequently Asked

How does EchoDepth detect insider threats?

EchoDepth establishes an individual emotional baseline for each person in a monitored environment over time, then detects significant deviations from that baseline — elevated stress, behavioural anomalies, and emotional patterns that precede security incidents. It operates passively using existing cameras, feeds structured anomaly alerts directly into SIEM platforms, and requires no change to personnel workflow or equipment.

How quickly does EchoDepth establish a behavioural baseline?

EchoDepth builds a statistically significant emotional baseline within the first 5–10 working days of continuous monitoring for a given individual. Baseline profiling is individual-specific — not population-average — which means anomaly detection is calibrated to each person's actual emotional norms rather than a generic threshold.

Does EchoDepth integrate with SIEM platforms?

Yes. EchoDepth integrates directly with Splunk, Microsoft Sentinel, IBM QRadar, and other major SIEM platforms via REST API and WebSocket. Anomaly alerts are structured as JSON output mapping to standard SIEM alert taxonomies. SOAR playbook webhook triggers and configurable alerting thresholds are also available.

Is continuous emotional monitoring compliant with UK law?

EchoDepth's continuous monitoring capability is designed for deployment within UK GDPR, the Human Rights Act, and the Investigatory Powers Act framework for authorised monitoring in high-security environments. The system requires a legitimate interest or explicit consent basis, documented in a Data Protection Impact Assessment. Cavefish AI provides DPIA support documentation for deployment within HMG and defence environments.

Comparison

How does EchoDepth compare to UEBA and periodic vetting?

Security clearances tell you who someone was at a point in time. EchoDepth tells you who they are right now.

Capability | Periodic Security Vetting | UEBA / Behavioural Analytics | Access Logging / SIEM | EchoDepth
Continuous monitoring | ✗ Point-in-time only | Partial — digital actions | ✗ Reactive only | Real-time emotional baseline
Individual emotional baseline | Per-person calibration
Pre-incident signal | Partial | Anomaly scoring
No additional hardware | Existing cameras
SIEM alert integration | ✓ Native | REST API / WebSocket
Air-gap compatible | Partial | Partial | Full on-premise
Briefings Available

See What Your Security Stack Is Missing.

Structured technical briefings for defence procurement, security leadership, and intelligence teams. NDA available. Air-gapped demo environment on request.

DEFENCE@CAVEFISH.CO.UK  ·  CARDIFF, WALES  ·  UK DATA RESIDENCY STANDARD