Insider Threat Program Support
End-to-end insider threat programs aligned to the NITTF Maturity Framework, EO 13587, and ICD 750. We build, staff, and run programs that detect, deter, and resolve insider risk.
Insider threat programs that work, not compliance theater.
Insider risk is the threat agencies cannot outsource. ECG builds and sustains insider threat programs designed to satisfy the law and the mission, integrating user activity monitoring, hub data, behavioral analytics, and trained insider threat analysts into a defensible operating model.
We have stood up and matured programs across DoD and IC components. Our work spans hub design, data integration, analyst staffing, case management, and the privacy and civil liberties governance these programs require. Whether you are standing up a Minimum Standards-compliant hub or maturing toward proactive risk management, ECG delivers programs that survive both the IG audit and the actual incident.
From program design through operational hunt.
Six capability areas span the insider threat program lifecycle, executed by cleared personnel with hands-on hub, UAM, and analytic experience.
Program Design and Stand-Up
Charter development, governance structure, hub design, role definition, and policy alignment to NITTF Minimum Standards, EO 13587, ICD 750, and DoDD 5205.16. Includes privacy and civil liberties baseline.
Hub Data Integration
Federation of HR, security, IT, network, badge, and counterintelligence feeds into the insider threat hub. Schema design, data quality controls, and source-of-truth governance built for analytic use, not warehousing.
User Activity Monitoring
Deployment, tuning, and operations of UAM tooling on cleared networks. Use case engineering, rule logic, false-positive reduction, and integration with downstream case management. Coverage scoped to the threat, not the catalog.
Behavioral Analytics and Detection
Detection engineering across UAM, network, and behavioral signal. Anomaly identification, peer-group baselining, and exit-driven risk modeling. Analyst-in-the-loop workflows that prioritize signal over volume.
Insider Threat Operations
Cleared analysts running triage, inquiry support, case development, and CI/law enforcement referrals. Production aligned to the customer's case management standards and chain-of-custody requirements.
Program Sustainment and Maturity
Continuous improvement against the NITTF Maturity Framework, training and certification of insider threat personnel, after-action review, and roadmap planning toward proactive risk management.
Maturity, mindset, and measured restraint.
Four operating principles that distinguish how ECG runs insider threat work.
Maturity-Anchored
Every engagement is mapped to the NITTF Maturity Framework, with explicit current-state and target-state assessments. We tell customers exactly where they are, where the gaps are, and what it takes to close them. No theater, no surprises.
Analyst-Operator Mindset
Our insider threat staff are analysts and operators, not tool administrators. They have triaged real cases, written real referrals, and worked alongside CI and security professionals. The work is judgment-intensive and we hire for it.
Privacy and Civil Liberties by Design
We build programs that hold up to OGC, OIG, and PCLOB scrutiny. Data minimization, purpose limitation, role-based access, audit logging, and documented oversight are baked in from the charter forward, not retrofitted after the first complaint.
Continuous Improvement
Detection engineering is a living discipline. We measure precision and recall on real cases, retire rules that produce noise, and feed lessons learned back into program design. Stagnant programs are programs being beaten.
Where this work shows up.
Representative scenarios that reflect the kinds of problems ECG insider threat teams have worked.
Behavioral Drift on Cleared Personnel
Detection logic against cross-domain signal: privilege escalation, anomalous data access, peer-group divergence, financial stress indicators, and life-event triggers. Triage workflows escalate to analyst review, not to a queue.
Pre-Departure Data Movement
Targeted hunt on resigned, terminated, or about-to-transition personnel. Combines HR signal with print, email, removable media, and network exfiltration indicators in the days surrounding separation.
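The pre-departure hunt above, together with the peer-group baselining and exit-driven risk modeling named under Behavioral Analytics and Detection, can be illustrated with a small detection routine. The code below is an added example written for this page; it is not ECG's tooling or any product's logic. It assumes a constructed HR separation feed (user, role, separation date) and a constructed activity log of (user, day, channel, bytes) covering email, print, removable media and network uploads; the window length, baseline length, ratio threshold and byte floor are illustrative parameters, not values from the page. For each departing user it compares the average daily data volume inside the window before separation against the user's own prior baseline and the median of same-role peers over the same window, and flags the user only when both the ratio and the absolute volume exceed the thresholds.

```python
"""Pre-departure data-movement hunt (constructed example, not ECG code).

Correlates HR separation dates with per-user data-movement volume in the
days before separation and scores it against the user's own baseline and a
same-role peer group. Every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

WINDOW_DAYS = 14         # hunt window ending on the separation date (assumption)
BASELINE_DAYS = 90       # per-user baseline period immediately before the window
RATIO_THRESHOLD = 4.0    # in-window daily rate must exceed the reference by this factor
MIN_WINDOW_BYTES = 50_000_000  # byte floor so tiny totals never page an analyst

# Constructed HR feed: user -> (role, separation date)
HR_SEPARATIONS = {
    "alice": ("analyst", date(2024, 6, 28)),
    "bob":   ("analyst", date(2024, 6, 26)),
}
# Constructed role directory used to form peer groups
ROLES = {"alice": "analyst", "bob": "analyst", "carol": "analyst", "dave": "analyst"}


def build_events():
    """Constructed activity log: list of (user, day, channel, bytes)."""
    events = []
    start = date(2024, 3, 1)
    # Steady background for 120 days (Mar 1 - Jun 28): ~1.2 MB/day per analyst.
    for offset in range(120):
        day = start + timedelta(days=offset)
        for user in ROLES:
            events.append((user, day, "email", 1_000_000))
            events.append((user, day, "print", 200_000))
    # alice: 30 MB/day to removable media on each of the 10 days before separation.
    for offset in range(10):
        events.append(("alice", date(2024, 6, 28) - timedelta(days=offset),
                       "removable_media", 30_000_000))
    # bob: nothing beyond the background.
    return events


def daily_rate(events, user, start, end):
    """Average bytes/day for `user` over the inclusive span [start, end]."""
    total = sum(b for u, day, _, b in events if u == user and start <= day <= end)
    return total / max((end - start).days + 1, 1)


def channel_breakdown(events, user, start, end):
    """Bytes per channel for `user` inside [start, end]."""
    per_channel = defaultdict(int)
    for u, day, channel, b in events:
        if u == user and start <= day <= end:
            per_channel[channel] += b
    return dict(per_channel)


def hunt(events, separations, roles):
    """Return flagged departing users, highest ratio first."""
    findings = []
    for user, (role, sep_day) in separations.items():
        win_start = sep_day - timedelta(days=WINDOW_DAYS - 1)
        base_end = win_start - timedelta(days=1)
        base_start = base_end - timedelta(days=BASELINE_DAYS - 1)

        own_rate = daily_rate(events, user, base_start, base_end)
        peers = [u for u, r in roles.items() if r == role and u != user]
        # Median rather than mean so one anomalous peer cannot mask another.
        peer_rate = median(daily_rate(events, u, win_start, sep_day) for u in peers) if peers else 0.0
        window_rate = daily_rate(events, user, win_start, sep_day)
        reference = max(own_rate, peer_rate, 1.0)   # 1.0 avoids division by zero
        ratio = window_rate / reference

        breakdown = channel_breakdown(events, user, win_start, sep_day)
        window_bytes = sum(breakdown.values())
        if ratio >= RATIO_THRESHOLD and window_bytes >= MIN_WINDOW_BYTES:
            findings.append({
                "user": user,
                "separation": sep_day.isoformat(),
                "ratio": ratio,
                "window_bytes": window_bytes,
                "top_channel": max(breakdown, key=breakdown.get),
                "channels": breakdown,
            })
    return sorted(findings, key=lambda f: f["ratio"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(build_events(), HR_SEPARATIONS, ROLES):
        print(finding)
```

Each finding carries the ratio, the window total and the channel breakdown so the analyst reviewing it sees why it fired rather than just that it did; in a real hub the same record would be handed to case management with the contributing HR and UAM sources named for chain-of-custody purposes. The dual reference (own baseline and peer median) is what keeps a habitually heavy user from firing on ordinary behaviour, and the byte floor is what keeps a low-volume user whose baseline was near zero from firing on a handful of emails.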
Sensitive Material Mishandling
Detection and inquiry support for unauthorized disclosure indicators across cleared environments, integrated with security and CI workflows for downstream investigative handoff.
Trusted Insider in the Supply Chain
Risk assessment and monitoring on subcontractor and vendor personnel with access to controlled environments, integrated with program protection and supply chain risk management.
Aligned to the authorities that govern this work.
Insider threat programs answer to multiple statutory and policy authorities. ECG operates fluently across all of them.
Ready to mature your insider threat program?
Tell us where your program stands today. We will route to leadership and acknowledge within one business day.