Above Security is the inaugural sponsor of the Insider Threat Matrix
Use case
When someone is leaving, the playbook walks out before the badge does. Above sees the staging arc — job search, document selection, after-hours export bursts — long before the resignation email lands.
They called him Iron Tigran. He stopped attacks before they could form — anticipating the move two moves out and removing the squares that made it possible. The cleanest defence is the one the opponent never realised they were defending against.
Spot the offer-to-staging arc on day one, not after Friday's farewell email.
Tell the ‘good leaver’ from the one with the customer list — by evidence, before the badge is handed in.
Hand legal a defensible record — staged, dated, attributable — before the offboarding window closes.
You work at a company whose competitive moat is partly inside its people — playbooks, customer relationships, pricing wisdom, recruiting pipelines. The employees most likely to be recruited are also the ones with the most to take. You don't want every interview to trigger a fire drill. But you do want to know which of them is taking the asset out with them.
Today the trigger is the resignation email — by which point the staging has already happened. Legacy DLP fires on a single bulk export; it does not fire on three weeks of patient, plausible copy-paste into a folder named “Final Transfer.” The HR signal arrives after the data signal does. The investigation gives you the data signal first.
01. Above's investigative agents stitch together the multi-week behavioural sequence — job-board access, recruiter inMail, document selection, AI-tool seeding, after-hours export bursts — before the resignation. The signal is the sequence, not any single event.
02. About half of confirmed leaver investigations resolve as “no IP movement — this is an HR retention case, not a security one.” The other half are the ones where the playbook has already gone. The investigation tells them apart with evidence, before the badge is handed in.
03. Each finding is a timestamped, attributed event chain ready for IP counsel — what was copied, when, to where, by whom — so the legal-hold conversation moves at the speed of the evidence, not the speed of the offboarding ticket.
No. About half of confirmed leaver investigations resolve as “no IP movement — this is an HR retention case.” A job search by itself, recruiter contact, even an interview is not insider risk. What turns it into insider risk is the combination: concurrent staging activity, departure-shaped data access, peer or customer-list enumeration. The insider-risk umbrella covers negligent, compromised, malicious, and agentic insiders. Intent is one variable in the investigation — not the gate.
DLP fires on data movement against predefined policies — three weeks of patient copy-paste into a folder named “Final Transfer” doesn't trip a 50 MB-export rule. UEBA fires on deviation from a behavioral baseline — but the leaver's pre-departure activity often looks like better performance (more outreach, more deal-closing energy), not a deviation. Both categories assume the threat can be predefined as a rule or a baseline. The leaver pattern is a multi-week behavioral arc that only continuous behavioral investigation can surface.
Above's investigative agents reconstruct the multi-week sequence — job-board access, recruiter contact, role-aligned document selection, AI-tool seeding, after-hours export bursts — and the behavioral context around all of it. The output is a structured investigation: timeline, contextual analysis, reasoning, recommended actions, ready for security, HR, and legal to act on together. When the playbook has gone, IP counsel gets the evidence package before the offboarding window closes. When it hasn't, HR gets the retention conversation early.