Meet Above at Black Hat USA | August 4-6, 2026 | Las Vegas, NV
Book a meeting
I’m Yonatan Machluf, Solutions Architect at Above. Before joining, I spent most of my career in offensive security — which basically means I broke into companies for a living.
When I met Aviv and Amir and learned what they were building, I knew I had to join. Insider risk and red teaming overlap more than people think. On a red team, the break-in was never the hardest part to detect. Once I was in, I looked like any other employee, and the real damage got done with legitimate access, doing things no rule would flag. That is exactly how an insider behaves. The only difference is that I had to break in to get there, and a real insider is already inside. It’s the part of security everyone agrees matters and almost nobody has actually built a process for.
I was talking to customers constantly, on engagements and off them, and the same thing stood out every time: how common this was. Different industry, different size, different stack — the same gap. And the part they could never trace was always the normal-looking behavior: a real person with real access doing ordinary things that nobody could follow. We’ve solved a lot in security over the years. This is the part the industry still hasn’t figured out how to solve.
The best way to show why insider risk has been impossible to handle accurately is to experience an incident the way your tools do: one disconnected event at a time.
Tuesday night: a senior account executive — let’s call them Alex — applies to a competitor. Nothing in your stack reacts. There’s nothing to react to.
Wednesday morning: Alex legitimately signs into Okta to access Salesforce, then exports more opportunity records than a normal week holds, several of them owned by other reps. Alex is an account executive with valid credentials, so the threat looks low. It’s flagged as an anomaly and lands in a queue with a hundred others.
Friday morning: Alex uploads the account list to a personal workspace, and a slice of it gets pasted into their personal AI chat to be rewritten as a target plan.
Reading this as a human, it’s almost painful how many signs there are that Alex intends to exfiltrate data. The system, however, sees this as mostly normal: each tool saw one isolated thing, if anything. None of them saw the person behind the actions, connecting them all together.
This is the reality of insider risk. It is one continuous human story, and every tool in your stack reads only a single page of it.
To complicate things further, most people are not Alex, deliberately taking steps toward malice. Most are heads-down, doing the work — traveling for a deal, staying up late before a launch — completely unaware they’re one careless paste away from a mistake they’d give anything to take back. On a single page, the good employee about to slip and the bad actor covering their tracks look identical. Only the rest of the story tells them apart.
Companies fight this today with a shelf of tools, not a program. A DLP you tune for files. A UEBA you tune for behavior. An ITDR for logins, a CASB for apps, a separate scanner for the shadow AI none of them can see. A SIEM to pile every alert in one place, and a team of analysts who turn out to be the only thing holding it together. Six consoles to check. Six queues to drain. Six renewals to defend at budget time. All this investment in tools, and yet when something goes wrong, still no one can tell you what happened.
Every one of those tools reads a page, and reads it well. That was the promise of fifteen years of trying to define risk in advance: set baselines and alert on the drift away from them.
The trouble is that human behavior deviates for any number of ordinary reasons, inside and outside the office. A promotion. A new project. Family events. A red-eye flight. Seasons changing. Quarter-end. This is where traditional tools really fall short, because every irregularity is treated as equal. Deviation isn’t inherently risky, and a broken policy isn’t proof of intent. The why is the most crucial aspect here, and it lives across many pages. No single console on that shelf can hold more than one.
So insider risk turns into an investigation question dressed up as a policy question. You don’t have a missing tool. You have one investigation scattered across six of them, and a person paid to staple it back together after the fact — assuming you can even identify that you have an incident at all.
This isn’t a new idea anyone is waiting to be sold on. NIST 800-53 asks you to correlate across security, HR, legal, and audit, because the signal is never in one place. CISA tells you to assess behaviors rather than profiles, and to do it continuously, not once a year. Carnegie Mellon’s CERT program, drawing on decades of real insider cases, describes an observable pathway of behavior that runs ahead of the harm — if someone is reading the whole path.
The standards called for one correlated program years ago. The tools were sold one page at a time, and the program never showed up.
Most organizations still approach insider risk reactively: an incident lands, HR and Legal get worried, and Security spends days reconstructing what happened from logs that were never meant to be read together. This is the “solution” the industry has provided. Meanwhile, the surface keeps growing — SaaS everywhere, identity everywhere, hybrid work, AI threaded into every workflow. The number of pages went up, the shelf got longer, but there’s still no way to read the whole book.
The shelf keeps growing, and in ways it was never designed for. AI agents now act on people’s behalf, with delegated and entirely legitimate access. They are a new kind of insider, and they land in exactly the same blind spot — one more page no single tool was built to read in context.
Rather than adding more shelfware to the industry, we built Above to be the reader. It sees across the systems and understands the world your people work in, so a signal on one surface changes how the next line is read. The export, the login, and the paste stop being three isolated alerts and instead become a holistic account of one person and their agentic counterparts, in chronological order. It reasons over both human and agent behavior as a single story. We can even coach the person in the moment, so a bad week never has to become an incident.
It’s not just that we need better shelves — we need to rethink the entire library. The products available today are built on reactivity and response, not proactive assumption of risk. Above is a single, native platform, not a bundle of point products wired together.
Bringing a proactive approach to risk lets you keep what’s on your shelf and get actual use out of it. Your identity provider, your EDR, and your CASB keep doing their jobs and feed one investigation now instead of six separate queues. You retire the tools that aren’t effective, and the analysts get to do the work only people can.
Beyond streamlining the investigation, Above weighs the behavior and reaches a judgment of intent backed by the whole story, not a number pulled from one signal. It doesn’t claim to know for certain what was in someone’s head, but it does provide evidence. Every look at a person’s content is opened by an authorized role and logged, so the case stays defensible for HR and legal. We know acting on an employee carries real weight. Machines collect the data, but humans decide how to use it.