Detecting insider threats requires distinguishing between acceptable activities and those that either put the organization at risk or are outright malicious. Doing so is easier said than done. Many organizations simply don’t have the systems and solutions in place to identify such threats in a timely manner. The layered security stack present in most organizations is important for maintaining a strong posture against external threats, but the tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) that traditional solutions are built to recognize generally don’t apply to insider threats.