You are the insider-threat program lead at a 7,500-person defense contractor. The behavioral analytics platform fuses identity, file-access, and DLP signals into a per-user anomaly score from 0 to 1. This month the model flagged four users above 0.85: a senior engineer, a DBA, a finance manager, and a junior salesperson.
For each user the model exposes the feature trail behind the score: late-night access count, distinct hosts touched, DLP egress events, peer-deviation score, and HR flag (PIP, departure, poor review).
This scenario tests insider-threat tradecraft, the discipline of feature-trail review, and the HR coordination that distinguishes a security investigation from a witch hunt. Sources: NIST SP 800-53 control PM-12 (Insider Threat Program); CERT Insider Threat Center research.
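A feature-trail review, as an added worked example (not the platform's code and not part of the exercise): the feature names follow the scenario, but the four trails, the peer group, the logit weights, the logistic combination and the triage rule are all constructed assumptions standing in for the unspecified model. It decomposes each user's score into per-feature contributions so the reviewer can see whether the flag rides on an HR event or on actual data movement.

```python
"""Feature-trail review for a fused insider-threat anomaly score.

Added example, not the platform's code. Feature names follow the scenario;
the weights, bias, peer group, user trails and triage rule are assumptions.
"""
from math import exp
from statistics import mean, pstdev

RAW = ("late_night_access", "distinct_hosts", "dlp_egress_events")

# Assumed logit weights. An HR flag alone moves the score a lot, which is
# exactly why the trail must be read before anyone is contacted.
WEIGHTS = {
    "late_night_access": 0.15,
    "distinct_hosts": 0.25,
    "dlp_egress_events": 0.45,
    "peer_deviation": 1.0,
    "hr_flag": 2.0,
}
BIAS = -4.5

# Constructed peer group (one group for brevity; a real review uses per-role peers).
PEERS = [
    {"late_night_access": l, "distinct_hosts": h, "dlp_egress_events": d, "hr_flag": False}
    for l, h, d in [(1, 2, 0), (5, 4, 2), (1, 2, 0), (5, 4, 2), (1, 2, 0), (5, 4, 2)]
]

# Constructed trails for the four flagged users (values are illustrative only).
USERS = {
    "senior engineer": {"late_night_access": 11, "distinct_hosts": 9,
                        "dlp_egress_events": 1, "hr_flag": False},
    "DBA": {"late_night_access": 4, "distinct_hosts": 5,
            "dlp_egress_events": 6, "hr_flag": False},
    "finance manager": {"late_night_access": 12, "distinct_hosts": 3,
                        "dlp_egress_events": 0, "hr_flag": True},   # on a PIP
    "junior salesperson": {"late_night_access": 2, "distinct_hosts": 2,
                           "dlp_egress_events": 5, "hr_flag": True},  # gave notice
}


def zscore(user, feature, peers):
    """Signed z-score of one raw count against the peer group."""
    vals = [p[feature] for p in peers]
    sd = pstdev(vals)
    return 0.0 if sd == 0 else (user[feature] - mean(vals)) / sd


def peer_deviation(user, peers):
    """Mean |z| over the raw features: how unlike their peers the user is."""
    return sum(abs(zscore(user, f, peers)) for f in RAW) / len(RAW)


def contributions(user, peers):
    """Per-feature logit contributions; BIAS plus their sum is the logit."""
    values = {f: float(user[f]) for f in RAW}
    values["peer_deviation"] = peer_deviation(user, peers)
    values["hr_flag"] = 1.0 if user["hr_flag"] else 0.0
    return {f: WEIGHTS[f] * v for f, v in values.items()}


def score(user, peers):
    """Logistic squash of the logit into the 0..1 anomaly score."""
    logit = BIAS + sum(contributions(user, peers).values())
    return 1.0 / (1.0 + exp(-logit))


def review(user, peers, threshold=0.85):
    """Explain a flag: score, the two biggest drivers, and an assumed triage outcome."""
    s = score(user, peers)
    contrib = contributions(user, peers)
    drivers = sorted(contrib, key=contrib.get, reverse=True)[:2]
    # Data-movement signal counts only above-peer behaviour: sitting below the
    # peer mean on DLP egress or host count is not evidence of anything.
    data_signal = sum(max(0.0, zscore(user, f, peers))
                      for f in ("distinct_hosts", "dlp_egress_events"))
    if s < threshold:
        triage = "below_threshold"
    elif user["hr_flag"] and data_signal < 1.0:
        # The flag rides on the HR event: coordinate with HR, no investigation on the flag alone.
        triage = "hr_driven_review"
    else:
        # Coordinate with HR and legal before any contact with the user.
        triage = "investigate"
    return {"score": round(s, 3), "drivers": drivers,
            "data_signal": round(data_signal, 2), "triage": triage}


if __name__ == "__main__":
    for role, trail in USERS.items():
        print(f"{role:20s} {review(trail, PEERS)}")
```

With these constructed trails all four users clear 0.85, but the finance manager's score is carried by the PIP plus late-night activity with no above-peer data movement, while the DBA and the departing salesperson are driven by DLP egress. That split, visible only in the trail and not in the headline score, is what decides whether HR is looped in for a welfare-and-access review or whether a formal investigation is opened with HR and legal.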
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.