Insider Threat for Modern Enterprises

Candor surfaces the handful of people who actually warrant your attention, ranked and investigation-ready.

Action Center Live

# Subject Relative Score Summary Status Attack Chain

57F950A

1739 ± 225 Contractor downloaded confidential infrastructure docs New

8B2D41F

1590 ± 253 Sr. accountant accessed security infrastructure New

29E4E09

1477 ± 267 Sr. DBA accessed HR records and termination data New

6F47EC2

1352 ± 314 Chief of Staff II accessed malware research sites New

F86CD19

1315 ± 297 Jr. solutions engineer accessed DOJ investigation New

1FABEC0

1228 ± 324 Sales representative searched remote access tools Investigating

9AC7D12

1184 ± 198 IT admin accessed production credentials outside hours New

Overview Risks Behaviors Threat Framework

✨ Summary

This Product contractor engaged in ERP Integration work exhibited concerning data access patterns across February and March 2026. The contractor accessed personal email (mail.qq.com) 25 times throughout March, searched for IT infrastructure files, credentials, and security documentation despite working outside IT, and sent two external emails with attachments to a personal address on March 26.

Subject

#1 100%

57F950A

Rating: 1739 ± 225

Department: Product

Title: Contractor — ERP Integration

Cohorts: All Employees Product

Timeline Risks Graph

New

Accessed personal email: mail.qq.com 21x

Personal Email Usage · Mar 2 – Mar 30

HIGH: DLP Policy Match — Bulk download of sensitivity-labeled files

DLP Violation · Mar 28, 2:47 PM

HIGH: DLP Policy Match — Confidential data sent to external recipient

Suspicious External Email · Mar 28, 9:22 AM

"I already have access, I just need to find the document where the staging credentials are documented…" 6 msgs

Suspicious Copilot Conversation · Mar 25, 9:00 PM

Suspicious web search: "anydesk silent install command line"

Suspicious Web Search · Mar 14, 4:45 PM

AWS Console access granted without documented justification

Privilege Escalation · Feb 10, 10:14 AM

Slack message sent

Context-Aware Risk Ranking.

Candor tells you who to watch. We surface the riskiest individuals in your company, including both contractors and full-time employees, by comparing profiles holistically across every data source. No brittle detection rules that miss new threats. Your team stays proactive and catches insiders early.

Risk Engine Active

# Individual Delta Type

1 J. Martinez · Engineering ↑ 3 FTE

2 S. Chen · Finance ↑ 1 FTE

3 A. Rivera · Sales ↑ 5 Contractor

4 P. Sharma · Product ↓ 2 FTE

5 D. Okafor · DevOps ↑ 7 Contractor

AI-Empowered Investigations.

Let our engine do the grunt work so your team can focus on assessing intent. A single pane of glass brings together every signal, from endpoints and identity to email and cloud, while AI summarizes activity, highlights anomalies, and provides the context analysts need to make fast, confident decisions.

Investigation · IR-0891 Active

09:14

Elevated privileges requested for prod-db-west

ServiceNow

09:48

USB mass storage device connected

CrowdStrike

10:02

Copilot query: “how to compress and encrypt folder” Copilot

Copilot

10:17

Outbound email with .7z attachment to personal domain Outlook

Outlook

AI Summary

Subject escalated privileges, performed a bulk file download, connected USB storage, queried encryption methods, and exfiltrated a compressed archive. All of this occurred within a 63-minute window following a resignation notice filed the prior day.

Automated Documentation.

Ingest your own templates to make reporting effortless. Candor auto-generates investigation reports, stakeholder briefings, and compliance documentation so your team spends more time investigating risk and less time writing it up. Align HR, Legal, and Security around a single source of truth.

Report · IR-2024-0891 Active

Investigation Summary

Subject 47E023E · Confidential

Executive Summary

Key Findings

Evidence Chain

6 events 4 sources 3 attachments

Instant Remediation.

Use Candor's action center to escalate a case, disable accounts, or restrict access without ever leaving the investigation. Pre-built integrations with your IAM, ITSM, and collaboration tools mean containment happens in clicks, not hours.

Action Center · IR-0891 Active

Disable Account Microsoft Entra ID

→

Escalate Case ServiceNow ITSM

→

Restrict Access Okta IAM

→

Nudge Manager Slack

→

Long-Term Training.

Candor highlights risk at the organizational level. We show your security training team exactly where negligence clusters across departments, roles, and behavior patterns so they can customize efforts and prevent employee mistakes from becoming insider threats.

Flagged File Downgrades · Q1 2026 Active

Engineering 85%

Finance 62%

Sales 48%