Insider threat is the security gap most stacks quietly pretend doesn't exist. ATT&CK doesn't cover it well, NIST CSF only gestures at it, and every Q1 risk register carries a row for it that nobody knows how to test. As of today, ESProfiler customers can map their security stack against the open community framework that does cover it — the Insider Threat Matrix — in minutes.
What is the Insider Threat Matrix?
Maintained by Forscie and an open contributor community, the Insider Threat Matrix (ITM) is an open framework for computer-enabled insider threat investigations. Think of it as ATT&CK for insiders — built around how real investigations unfold, with explicit detection and prevention guidance attached to every technique.
The Matrix organises insider activity into five categories:
Motive — why a subject acts: Coercion, Espionage, Personal Gain, Revenge, Recklessness, the Joiner / Mover / Leaver lifecycle
Means — what they need: Privileged Access, Removable Media, BYOD, Web Access, Enterprise-Integrated AI Platforms
Preparation — how they set up: Data Staging, Email Collection, Privilege Escalation, AI-Assisted Capability Development
Infringement — the harmful act: Data Loss, Exfiltration via email / web / physical media, Misappropriation of Funds, Sharing on AI Chatbot Platforms
Anti-Forensics — covering tracks: Log Deletion, Disk Wiping, Timestomping, Steganography
What sets ITM apart from threat frameworks you may already know: every technique is paired with concrete Detections and Preventions — control-level guidance you can map directly to your stack. The framework is open-source on GitHub and currently catalogues 666 knowledge objects, with new ones added regularly to keep up with AI-era insider behaviour.
Why it matters for your defenders
Insider risk has always been the awkward corner of the security programme — half people, half technology, hard to demo, frequently owned by nobody. ITM gives you a way to make it concrete:
A shared vocabulary across security, HR, legal, and insider risk teams
Explicit detection and prevention paths for every technique — not just "be aware"
First-class coverage of AI-era insider behaviour: chatbot leakage, AI agent abuse, AI-assisted preparation
Map your stack in minutes — and see exactly where you stand
Mapping a security stack to a new framework by hand is usually a multi-week spreadsheet exercise. In ESProfiler, it isn't.
The Insider Threat Matrix is now live alongside MITRE ATT&CK, MITRE F3, NIST CSF, the NIST AI RMF, ISO/IEC 27001, and every other framework in the platform. Point ESProfiler at your existing tools and you'll see:
Coverage in minutes, not weeks — your stack mapped automatically across all five ITM categories
Gaps at a glance — the insider techniques no tool in your environment detects or prevents, surfaced and prioritised
Overlaps you're paying for twice — controls duplicated across DLP, UEBA, IAM, and email security vendors, ranked by spend
Insider risk is the one programme where coverage gaps tend to live for years before anyone tests them. Now you don't have to wait.
Get started
If you're an existing customer, the Insider Threat Matrix is already live in your tenant — open the Frameworks view to start mapping.
If you're not, book a demo and we'll show you your insider risk coverage gaps in the time it usually takes to schedule the kickoff meeting.