Kryphos – Cyber Security Elementor Template Kit

Red Team vs Penetration Test: Choosing the Right Assessment for Your Threat Model

Most insider threat programs focus on off-boarding. Here’s why the greatest risk occurs 60 to 90 days before resignation — and how to catch it early.

The term “insider threat” conjures images of disgruntled employees walking out the door with USB drives. But the real risk is far more nuanced — and far harder to detect. In the majority of cases Kryphos has investigated, the data exfiltration began weeks or months before any official notice was given. By the time HR received a resignation letter, the damage was already done.

This article presents a behavioral analytics framework built from over 200 insider threat investigations. It focuses specifically on the pre-exfiltration window — the period where intervention is still possible.

Key figures from the Kryphos dataset:

63%: begin exfiltration before resignation
84 days: average lead time before formal notice
$4.1M: average cost per insider incident

Why Perimeter Security Fails Against Insiders

Traditional security architecture is built around a fundamental assumption: the threat is external. Firewalls, IDS/IPS systems, and email gateways all share this bias. An insider — by definition — has already cleared the perimeter. They have valid credentials, legitimate access rights, and behavioral patterns that closely mimic normal usage.

This is why perimeter-focused security teams often have near-zero visibility into insider activity until after an incident is reported. The tools they rely on were never designed for this threat model.

“The insider’s greatest advantage is that every one of their malicious actions looks, at first glance, exactly like legitimate work.”

The Pre-Resignation Window: 60 to 90 Days of Elevated Risk

In our analysis of 200+ cases, a consistent behavioral pattern emerges roughly 60 to 90 days before a malicious insider resigns or is terminated. This window is not arbitrary — it reflects the time employees typically spend planning their departure, negotiating with competitors, and quietly collecting the intellectual property they intend to take with them.

KEY INSIGHT

No single signal above is conclusive. The power of behavioral analytics lies in correlating multiple weak signals across time — what we call the “convergence threshold.” When five or more signals appear within a 30-day window, the probability of malicious intent rises above 80% in our dataset.

Building a Behavioral Analytics Framework

A behavioral analytics framework for insider threat detection has four functional layers. Each layer is necessary; none is sufficient on its own.

Layer 1 — Baseline Establishment

Before you can detect anomalous behavior, you must know what normal looks like for each employee, team, and role. This requires at minimum 90 days of passive observation to build individual behavioral baselines. Machine learning models that compare against departmental averages alone will miss role-specific patterns that are entirely legitimate.

Layer 2 — Multi-Source Signal Collection

Signals must be collected from endpoints, identity systems, email, collaboration tools, data loss prevention platforms, and if available, physical access systems. Point solutions that only monitor one vector will be blind to cross-channel evasion — a technique sophisticated insiders increasingly employ.

Layer 3 — Risk Scoring and Convergence Detection

Each signal event is assigned a weighted risk score based on its historical predictive value in your environment. Risk scores decay over time for events that are not reinforced, and surge when multiple high-weight signals converge within a defined window. Alerts are triggered at convergence thresholds, not individual event thresholds — this dramatically reduces false positives.
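As an added illustration of the Layer 3 scoring model and the convergence threshold from the Key Insight above (example code, not Kryphos's framework): the signal names and weights, the 14-day half-life and the two employees' telemetry are constructed assumptions; only the 30-day window and the five-signal threshold come from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Hypothetical weights (assumed); real ones come from each signal's predictive value in your environment.
SIGNAL_WEIGHTS = {
    "bulk_download": 3.0, "personal_cloud_upload": 3.0, "usb_mount": 2.0,
    "dormant_share_access": 2.0, "hr_flag": 1.5, "after_hours_access": 1.0,
}
HALF_LIFE_DAYS = 14    # assumed: an unreinforced event's score halves every two weeks
WINDOW_DAYS = 30       # convergence window stated in the article
CONVERGENCE_COUNT = 5  # five or more distinct signals in the window triggers an alert

@dataclass(frozen=True)
class SignalEvent:
    employee: str
    signal: str
    day: date

def decayed_score(events, as_of):
    """Weighted risk score with exponential decay; events dated after as_of are ignored."""
    total = 0.0
    for ev in events:
        age = (as_of - ev.day).days
        if age >= 0:
            total += SIGNAL_WEIGHTS[ev.signal] * 0.5 ** (age / HALF_LIFE_DAYS)
    return total

def converged_signals(events, as_of):
    """Distinct signal types seen in the trailing WINDOW_DAYS ending at as_of."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    return sorted({ev.signal for ev in events if start < ev.day <= as_of})

def evaluate(employee, events, as_of):
    """Alert on convergence of distinct signals, never on raw event volume."""
    mine = [ev for ev in events if ev.employee == employee]
    signals = converged_signals(mine, as_of)
    return {"score": round(decayed_score(mine, as_of), 2),
            "signals": signals, "alert": len(signals) >= CONVERGENCE_COUNT}

# Constructed sample telemetry for two employees (not real data).
AS_OF = date(2024, 3, 31)
EVENTS = [
    # emp_a: ten after-hours logins but a single signal type -> noisy, no alert
    *(SignalEvent("emp_a", "after_hours_access", date(2024, 3, d)) for d in range(1, 29, 3)),
    # emp_b: five distinct signals converge inside 30 days -> alert
    SignalEvent("emp_b", "hr_flag", date(2024, 3, 4)),
    SignalEvent("emp_b", "dormant_share_access", date(2024, 3, 12)),
    SignalEvent("emp_b", "bulk_download", date(2024, 3, 20)),
    SignalEvent("emp_b", "usb_mount", date(2024, 3, 21)),
    SignalEvent("emp_b", "personal_cloud_upload", date(2024, 3, 29)),
]
```

Running `evaluate("emp_a", EVENTS, AS_OF)` and `evaluate("emp_b", EVENTS, AS_OF)` shows why convergence rather than volume drives the alert: emp_a generates more events but only one signal type, while emp_b's five distinct signals cross the threshold.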

Layer 4 — Contextual Investigation Workflow

Automated alerts must feed into a structured investigation workflow. Every alert should surface contextual enrichment automatically: the employee’s recent HR events, their role tenure, any open IT tickets, recent performance reviews (where legally accessible), and peer group comparison data. This context separates false positives from genuine risk in under 10 minutes for a trained analyst.

Building a Behavioral Analytics Framework

You don’t need to replace your entire security stack to begin building an insider threat capability. Most enterprises already have the raw data — they simply haven’t connected it. Start with identity logs, email metadata, and endpoint telemetry. Build baselines. Train analysts on what the convergence threshold looks like in practice. Run tabletop exercises on historical incidents to calibrate your scoring model.

The goal is not zero insider incidents — it’s early detection. The difference between a minor data loss event and a catastrophic breach is almost always measured in days. Close the pre-resignation window, and you close the gap.
