Home / User stories / Insider risk
TSTheo · Security Ops, 4,000 employees
Insider risk

Catch the 3 a.m. mass export — without crying wolf on your power users.

Theo’s tooling drowns him in false positives because it scores everyone against one threshold. He needs anomalies measured against each person’s own normal.

The reality today

One threshold for everyone is useless

Alert fatigue

Static thresholds flag busy analysts constantly and miss the quiet outlier.

No baseline

Without per-person normal, ‘80 downloads’ means nothing.

Separate tooling

Risk signals live apart from the document audit trail, so context is lost.

How the system works

Score each actor against their own learned baseline

Audit trailevery read · exportPer-actor baselinelearned normalAnomaly scorevolume · hours · breadthRisk alertHIGH · MEDIUM
See it in the product

HIGH and MEDIUM, scored against personal baselines

Insider risk

Anomalies scored against each person's own baseline

The same audit trail that proves your governance also powers insider-risk detection. Each person is scored against their own learned baseline — a 3 a.m. mass export lands as HIGH, while a genuine power user stays within baseline instead of being constantly false-flagged.

Fileport product — Anomalies scored against each person's own baseline
What happens, step by step

From problem to proof

1

Learn each person’s normal

Baselines are built per actor from the same audit trail that proves governance.

2

Score the deviation

Volume spikes, off-hours activity, sensitivity escalation, and breadth combine into a score.

3

Surface only true outliers

A 3 a.m. mass export lands HIGH; a genuine power user stays within baseline.

4

Investigate with context

Each alert links to the exact documents and actions on the ledger.

Why it lands

What Theo stops chasing

Per-actor
baselines, not one threshold
Same trail
that proves governance
Fewer
false positives by design
FAQ

Common questions

Won’t power users get flagged?

No — baselines are learned per actor, so legitimate heavy users stay within their own normal.

Where do the signals come from?

From the same hash-chained audit trail that records every ingest, read, export, and disposition.

What triggers a HIGH score?

Combinations like a volume spike plus off-hours plus sensitivity escalation across many distinct documents.

Related reading

Keep exploring

See this on your own data.

Book a demo — we’ll connect a system, ingest a sample, and show this working on your estate.

Book a demo