Use case

The credentials your DLP didn't catch

The most expensive cases aren’t insiders going rogue — they’re credentials, recovery keys, and OAuth tokens leaving the boundary through channels your existing controls don’t watch. By the time the customer-side ticket lands three days later, the credential has already been used.

The Karpov play
Anatoly Karpov

Karpov never let the attack form. He saw the move two moves out and removed the squares that made it possible. The cleanest defence is the one you never had to launch.

Catch credentials, recovery keys, and OAuth tokens leaving the boundary — by channel and content.

One IT admin's afternoon: 13 mailboxes silently forwarded, a LAPS key copied to an unknown destination, two plaintext passwords pasted into the Windows Search Bar.

Make the systemic fix — not the punishment.

Who

You manage security for an organisation where a small number of high-privilege users — IT admins, engineers, exec assistants — handle credentials, recovery keys, and tokens all day, every day. Most days, nothing happens. On the wrong day, a credential leaves the boundary in seconds: pasted into the wrong field, hardcoded into the wrong file, granted to the wrong OAuth scope, or saved into the wrong forwarding rule.

What they were up against

The DLP rule didn’t fire because the destination wasn’t an external email. The secret-scanner didn’t fire because the file wasn’t a public repo yet. A credential pasted into the wrong search bar, a recovery key copied into a shared note, a JWT dropped into a third-party debugger — none of these trip the controls built for documents leaving the perimeter. The first signal in legacy tooling is the customer-side support ticket three days later, after the credential has already been used. The blast radius is already shaped by then.

Above's agents in action

01

Catch the credential at the moment it leaves

Above's investigative agents observe the high-risk text fields, code editors, and configuration screens, watching for credentials, recovery keys, JWT tokens, and OAuth grants at the moment they're typed, pasted, or committed. The rotation conversation therefore starts within minutes, not after the customer-side support ticket lands three days later.

02

See administrative actions for what they are

A single click that touches thirteen mailboxes is administratively trivial and operationally enormous. The investigation surfaces the one-to-many fanout as it happens — with the operator, the action, the scope, and the destination attached — so a five-minute admin task doesn't become a five-day incident.

03

Make the fix systemic, not personal

The admin who pasted a password into the wrong field wasn't the failure — the workflow that made it the easiest path was. The investigation makes the systemic case for a workflow change, with the timeline to back it up — so the same mistake doesn't happen to the next admin.

Key Move

Karpov never let the attack form. Above's investigative agents remove the squares that make it possible.

Common questions

If the employee isn't malicious, is this really insider risk?

Yes — and it's the kind that costs the most. The insider-risk umbrella covers negligent insiders explicitly. A high-privilege operator going fast on the wrong text field isn't malicious; they're an administrator doing administrative work at speed. The consequence is identical to a malicious leak: a credential that has reached an unmanaged surface, a destination the company cannot recall it from, and a clock starting on rotation, customer notification, or worse. Intent is one variable in the investigation. The exposure is the other.

Why don't secret-scanners or DLP catch the channels where credentials actually leak?

Secret-scanners watch code repositories — but the credential leaks we surface most often live in places repos don't see: search bars, AI chat boxes, third-party developer tools, internal forwarding-rule configurations. DLP fires on data movement against predefined policies; pasting into the wrong text field on the same authenticated corporate device is not the data-movement event the policy was written for. Both categories were designed for the leaks the previous generation worried about. Continuous behavioral investigation is designed for the channels nobody has written a rule for yet.

What does an investigation of a credential-leak pattern actually look like?

Above's investigative agents observe the high-risk surfaces — credential text fields, code editors, configuration screens, admin consoles — for credentials, recovery keys, JWT tokens, and OAuth grants the moment they appear there. When something leaves the boundary, the investigation names the operator, the credential type, the destination, the timestamp, and the systemic context (workflow gap? unfamiliar tool? missed training step?). The output is a structured investigation: timeline, contextual analysis, reasoning, recommended actions — including which credentials to rotate, which workflows to redesign, and which trainings to refresh.

See the full board — across every user, every week.
