Personam.AI | Our Blog
The Hidden Cost of “Low and Slow” Insider Threats
Joseph Somori, Threat Analyst
Personam.AI
October 20, 2025
In cybersecurity, the loud threats always steal the spotlight. Ransomware, phishing, malware outbreaks — they all grab attention because they are noisy and fast. But the most dangerous attacks are often the quiet ones. They move slowly, patiently, and deliberately. They hide inside what looks like normal behavior.
I work as a threat analyst with Personam, a company focused on detecting insider threats through behavior-based analytics. My job has taught me how deceptive “normal” can be. Every day, I watch patterns of user behavior that seem ordinary on the surface: logins, downloads, file transfers. But within those patterns, I’ve seen the beginnings of insider attacks. In this role, I have learned how even the most routine actions can hide serious risks. These are what professionals call “low and slow” insider threats. I think about them often, because they remind me that trust is both powerful and fragile. You can have the best firewall, the strongest passwords, and the most advanced monitoring, but if someone already inside decides to act with bad intent, technology alone is not enough.
When “normal” turns into risk
Most security tools are built to react to obvious problems. They raise alerts when someone transfers too much data or tries to access something off-limits. They rely on rules, thresholds, and patterns we already understand. But what happens when an insider takes just enough to stay unnoticed?
That is when “normal” becomes dangerous. A few extra downloads here. A late-night login that looks like dedication. […]
Black Hat USA 2025: Field Report
August 26, 2025
This year’s Black Hat made one thing crystal clear: cybersecurity vendors are no longer just talking about AI, they’re wiring it straight into enterprise data pipelines. Across the expo floor, whether it was the big names like Microsoft, Cisco, and Palo Alto, or NDR specialists like Darktrace, Vectra AI, and ExtraHop, every conversation centered around AI that doesn’t just analyze alerts in isolation but sits natively on network flows, endpoints, and cloud workloads.

The messaging convergence was striking. Competitors all pitched unsupervised machine learning that learns from raw organizational data, whether packets, telemetry, or identity graphs, and then turns that into “autonomous” detection. The ambition is the same: eliminate signatures, baseline normal activity, and catch anomalies in real time. The problem? Real-world performance still lags. Despite bold claims of “zero false positives,” users report persistent noise, with Vectra AI and Darktrace often called out for flagging benign behavior up to 50% of the time in hybrid and cloud environments.
Still, the direction of travel is unmistakable: AI is being hardwired into enterprise nervous systems. Instead of siloed threat feeds or rule-based detectors, companies are chasing systems that continuously learn from the customer’s own environment (endpoints, networks, IoT, and cloud) and self-adapt without retraining. This is less about AI as a bolt-on tool and more about AI as the operating principle of the data layer itself.
Beyond the Logs: Why Network Traffic Analysis is the Future of Security
Chuck Faughnan
CEO, Strategic Advisor, & Investor @ Personam.ai | Cybersecurity
November 8, 2024
The pendulum has swung — again. Way back in the ‘90s, the promise of threat detection was in network traffic analysis. The modern computing method of the time was anomaly detection, and it purported to catch all breaches. And… it kind of did that!
The problem, however, is that, by the strictest of definitions, everything is an anomaly. Did you check www.askjeeves.com every day at 12:05pm? Well, that one day you checked it at 12:10pm is an anomaly! That one day you opted for altavista.com? Anomaly! Analysts got bogged down with intense alerting volumes. So, yes, while evidence of an attacker’s tracks was likely caught, you were still looking for a needle in a haystack.
Enter: log file analytics. This approach became the industry standard. It worked well when networks were simpler and attacks were less sophisticated. Looking at logs provided a relatively effective way to detect and respond to security incidents. However, as networks have grown more complex and cyber threats have evolved, the limitations of log-based security are increasingly apparent. Legacy log-based systems often struggle with scalability, cost, and the ability to detect advanced threats.
It’s time to embrace a more powerful, efficient, cost-effective approach: network traffic analysis!
Limitations of Log-Based Security
Log-based solutions, such as Splunk or QRadar, often have high, variable licensing costs that are pegged to data storage. As logging utilization increases, so does cost. So there’s that consideration. But what do you do if […]
