Joseph Somori, Threat Analyst
Personam.AI
October 20, 2025
In cybersecurity, the loud threats always steal the spotlight. Ransomware, phishing, malware outbreaks — they all grab attention because they are noisy and fast. But the most dangerous attacks are often the quiet ones. They move slowly, patiently, and deliberately. They hide inside what looks like normal behavior.
I work as a threat analyst with Personam, a company focused on detecting insider threats through behavior-based analytics. My job has taught me how deceptive “normal” can be. Every day, I watch patterns of user behavior that seem ordinary on the surface (logins, downloads, file transfers), but within those patterns, I’ve seen the beginnings of insider attacks. In this role, I have learned how even the most routine actions can hide serious risks. These are what professionals call “low and slow” insider threats. I think about them often, because they remind me that trust is both powerful and fragile. You can have the best firewall, the strongest passwords, and the most advanced monitoring, but if someone already inside decides to act with bad intent, technology alone is not enough.
When “normal” turns into risk
Most security tools are built to react to obvious problems. They raise alerts when someone transfers too much data or tries to access something off-limits. They rely on rules, thresholds, and patterns we already understand. But what happens when an insider takes just enough to stay unnoticed?
That is when “normal” becomes dangerous. A few extra downloads here. A late-night login that looks like dedication. A bit of Dropbox activity that seems routine. Each action alone looks fine. Together, they tell a very different story.
A large professional services firm handling sensitive client data learned this lesson the hard way. One of their senior partners began collecting sensitive client materials over several weeks. These were designs, patents, and legal drafts worth millions. Every move he made fit within his permissions. Every transfer looked routine. To traditional tools, it was invisible.
But once Personam’s behavior-based analytics were deployed, the system started noticing small irregularities. The partner’s activity did not match his past work patterns, and it did not resemble how others at his level used the same systems. The downloads were spread out carefully, but the intent was clear once the data was viewed in context.
At first, no one wanted to believe it. This was a respected professional with years of trust behind him. Yet the behavioral evidence kept building. When investigators looked deeper, they discovered multiple people were quietly staging client files for exfiltration. Without behavior-based analytics, the firm might have never known until their clients did.
The cost that no one talks about
When people hear about data theft, they think about lost files and financial damage. But the real cost is much deeper. It is the erosion of trust within an organization. It is the fear that someone you sit next to every day could be quietly working against you.
For that law firm, Personam did more than stop the theft. It provided the forensic evidence needed to take legal action and rebuild credibility with clients. It proved when, where, and how the breach happened. It turned uncertainty into understanding.
The same is true for large institutions that deal with insider risk every day. A major institution’s internal threat-monitoring program faced the challenge of monitoring thousands of employees and contractors without overwhelming their analysts. Traditional systems buried them in noise. Personam’s behavior analytics filtered out what mattered, allowing the team to focus on just two percent of users who presented real risk.
Even in complex simulations involving espionage and staged data leaks, the system identified hidden insiders with remarkable accuracy. In tests, it detected threats months earlier than other tools, achieving recall rates far beyond competing methods.
The result was not just faster detection, but a significant reduction in wasted effort.
Why behavior matters more than rules
What makes behavior-based analytics different is that it does not look for known bad actions. It learns how each user and device normally behaves and keeps adjusting that profile in real time. It also compares people to their peers to see who stands out in subtle ways.
This dual view changes everything. A late-night transfer might be normal for a network engineer but highly unusual for a legal assistant. A large Dropbox upload could be fine for marketing but a red flag for finance. Context is what makes the difference.
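The dual view described above, as an added sketch that is not Personam's algorithm or code: it uses plain z-scores as a stand-in for the self baseline and the peer comparison. The user names, roles, daily download counts and the fixed limit of 100 are all constructed for illustration.

```python
from statistics import mean, stdev

STATIC_LIMIT = 100   # assumed fixed per-day rule of a threshold-based tool
BASELINE_DAYS = 10   # first 10 values = history, the rest = review window

# Constructed sample data: role and files downloaded per day, per user.
ACTIVITY = {
    "partner_a": ("legal", [18, 22, 20, 19, 21, 20, 23, 18, 20, 19, 34, 36, 33, 37, 35]),
    "partner_b": ("legal", [20, 21, 22, 20, 21, 19, 22, 21, 20, 21, 21, 20, 22, 21, 21]),
    "partner_c": ("legal", [19, 18, 20, 19, 21, 18, 19, 20, 19, 18, 19, 18, 20, 19, 19]),
    "partner_d": ("legal", [22, 21, 23, 22, 20, 22, 23, 21, 22, 22, 22, 23, 21, 22, 22]),
    "neteng_a": ("network", [120, 118, 125, 122, 119, 121, 124, 120, 123, 118, 121, 123, 119, 122, 120]),
    "neteng_b": ("network", [110, 112, 108, 111, 109, 113, 110, 112, 109, 111, 111, 110, 112, 109, 113]),
    "neteng_c": ("network", [130, 128, 132, 129, 131, 130, 127, 133, 129, 131, 130, 131, 129, 132, 128]),
}

def _z(value, population):
    """Standard score of value against a list of reference values."""
    spread = stdev(population) or 1e-9  # avoid division by zero on flat data
    return (value - mean(population)) / spread

def static_rule_hits():
    """Users with any review-window day above the fixed limit."""
    return sorted(u for u, (_, days) in ACTIVITY.items()
                  if max(days[BASELINE_DAYS:]) > STATIC_LIMIT)

def behavior_flags(threshold=3.0):
    """Users whose recent mean departs from both their own history and their role peers."""
    recent = {u: mean(d[BASELINE_DAYS:]) for u, (_, d) in ACTIVITY.items()}
    flagged = {}
    for user, (role, days) in ACTIVITY.items():
        peers = [recent[p] for p, (r, _) in ACTIVITY.items() if r == role and p != user]
        self_z = _z(recent[user], days[:BASELINE_DAYS])   # versus own history
        peer_z = _z(recent[user], peers)                  # versus same-role peers
        if self_z > threshold and peer_z > threshold:
            flagged[user] = (round(self_z, 1), round(peer_z, 1))
    return flagged

if __name__ == "__main__":
    print("static rule:", static_rule_hits())
    print("behavior   :", behavior_flags())
```

On this data the fixed limit fires only on the three network engineers, whose volume is routine for their role, while the dual baseline flags only partner_a, whose daily counts never come near the limit.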
The technology behind it is complex, but the goal is simple: to understand what is typical so that we can recognize what is not. It is like developing an instinct for your own network. You start to feel when something is off long before it becomes obvious.
Seeing beyond the noise
I have noticed that one of the biggest challenges in security is not the lack of alerts but the overload of them. Analysts can only chase so many leads before exhaustion sets in. Behavior analytics help reverse that problem. Instead of drowning in hundreds of daily alerts, teams can focus on the few that truly matter.
In both the law firm and the Insider Threat Lab, analysts no longer had to guess whether an action seemed strange. They could see exactly how far it drifted from normal patterns. That precision turned guesswork into confidence. It made it possible to act quickly and decisively without second-guessing.
What these stories teach us
There is something deeply human about insider threats. They are not just technical problems; they are stories of trust, temptation, and sometimes desperation. The “low and slow” ones are especially painful because they happen quietly, right under our noses.
The lesson from these cases is not just about better software. It is about vigilance, empathy, and understanding how people actually behave inside our systems. Technology like Personam gives us a way to see those small shifts before they become disasters. It reminds us that every pattern tells a story, and those stories matter.
In the end, the real defense against insider threats is awareness. Not paranoia, but attentiveness. The willingness to notice when something feels slightly off. The courage to ask why.
The cost of missing those signs is never just data. It is trust, reputation, and the sense of safety that every organization depends on. The sooner we accept that “low and slow” threats are part of the landscape, the better we can prepare for them.
And the better we understand behavior, the safer we all become.
