May 20, 2025

ITDR Part #2: Identity Based Threats & How You Can Detect Them from Within

In the first part of our mini series on Identity Threat Detection and Response (ITDR), we explored how identity has become the new security perimeter in SaaS environments – and why traditional tools fall short when threats originate from the inside. Now, we’re building on that foundation by diving deeper into the real exposure points that come from identity-based threats within your organization.

Insider threats are uniquely dangerous because they don’t always look like threats. They often come from trusted users (employees, contractors, or service accounts) who already have access. 

Whether driven by malice, negligence, or compromise, insider threats can lead to significant data loss, compliance violations, and reputational damage, especially in SaaS ecosystems where data flows freely between users and platforms. 

In this article, we’ll break down how insider threats actually manifest in SaaS environments, what behaviors to watch for, and how identity profiling and risk scoring (core components of ITDR) can help security teams detect and respond before real damage is done.

The Three Faces of Insider Threats

Not all insider threats are created equal. In fact, one of the biggest challenges in detecting them is that they don’t follow a single pattern. The motivations and behaviors behind insider risk can vary, but most fall into three key categories:

  • Malicious insiders – These are users with intent to harm. They might steal data, sabotage systems, or leak sensitive information for financial or competitive gain. Think of a disgruntled employee who was terminated and wants to sell proprietary code or roadmaps to a competitor.

  • Negligent insiders – Often well-intentioned, these users accidentally expose data through carelessness. Think of a regular, hard-working employee who is just trying to do their job and doesn't know the security risk behind small, seemingly harmless actions. For example, instead of sharing an asset directly with a user, they set it to 'Public,' meaning anyone with the link can access it. We see this time and time again with extremely sensitive information such as salaries and budget files.

  • Compromised insiders – These are company accounts that have been hijacked by an external actor, typically via phishing, credential stuffing, or stolen OAuth tokens. Because the activity comes from a legitimate account on your own domain, it looks trusted to every control that relies on the identity itself, but the person behind it is not who you think it is.

Each of these types represents a serious risk – but it’s the blending of categories that makes detection especially tricky. A careless employee might fall victim to a phishing email, turning a negligent insider into a compromised one overnight. In SaaS environments, where access is fluid and often over-provisioned, that shift can go undetected for weeks.

What Insider Threats Look Like in SaaS Apps

SaaS applications are designed for collaboration and speed – which makes them a goldmine for identity-based abuse if not properly monitored. Insider threats in these environments don’t always wave red flags. They often appear as routine activity, unless you know what patterns to look for and how to interpret them in context.

Here are a few common identity-driven behaviors that signal insider risk:

  • Mass file downloads or sharing outside the organization – A potential sign of data exfiltration, especially if done in a short time frame or by a user not typically accessing large volumes of data.

  • Use of OAuth tokens to grant third-party access – While OAuth is essential for productivity tools, excessive or unusual app authorizations to third-party shadow apps can be a sign of misuse or compromise.

  • Sharing files with personal or non-corporate email addresses – This may indicate accidental exposure or an intentional attempt to move sensitive data outside company control and oversight.

  • Access to data outside normal role or department boundaries – Someone reaching for resources their job gives them no reason to touch. For example, a marketing contractor downloading financial reports, or a product engineer accessing HR documents.

  • Former employees or contractors with lingering access – Without automated offboarding or app-level access reviews, stale accounts often remain active and exploitable. This scenario is especially prevalent in organizations that use Google Workspace in their SaaS stack: files shared with a contractor are rarely unshared once the engagement ends, so the permission effectively becomes permanent.

The key challenge? None of these actions is inherently malicious. Context is what lets you make the distinction: who the user is, what they typically do, and whether this activity aligns with their normal behavior. That is what determines whether something is risky or routine.

Key Signals of Risky Identity Behavior

The challenge with insider threats isn't just identifying what could be risky – it's understanding when normal activity crosses the line into dangerous territory.

In SaaS environments, where usage is decentralized and access is constant, traditional perimeter alerts simply don’t go deep enough. That’s where ITDR comes in. 

Insider threats often hide in plain sight, making it critical to track behavior in context. Major incidents, such as the Disney Slack data exfiltration, have occurred because a malicious actor was operating as a trusted insider. Here are some of the most common signals that identity activity may indicate risk in a SaaS environment:

  • Unusual login times or locations – A user consistently logging in during off-hours or from unfamiliar geographies can signal account misuse or compromise.
    • Example: A GTM engineer based in New York logs in at 3 p.m. from NYC, then their account authenticates from Warsaw, Poland at 3:30 p.m. No flight covers that distance in half an hour, so this is a strong indicator of a hijacked session or stolen credentials.

  • Deviations from department or role norms – When users access data or apps outside their normal scope, it may indicate compromised credentials or malicious intent.
    • Example: A sales rep suddenly downloads engineering documentation or accesses legal contracts – resources far outside their job function that they don’t need for their role.

  • Spikes in OAuth activity or third-party app grants – A sudden increase in connected apps may indicate a user authorizing risky tools or an attacker leveraging OAuth to maintain persistence.
    • Example: A marketing intern installs multiple unapproved data-sync apps within an hour – none of which were previously used in their role.

  • Uncharacteristic mass sharing or downloading – Users who rarely share or download files suddenly transferring large volumes of data may be preparing to leave or actively exfiltrating sensitive information.
    • Example: An employee who’s never downloaded company files before suddenly downloads 200 documents and shares 50 to a personal Gmail account just days before offboarding.

  • Access attempts outside job function or behavioral history – Users interacting with systems or data they’ve never accessed before can point to insider misuse or account compromise.
    • Example: A freelance graphic designer accesses the customer success team’s shared drive – despite never needing that data for their role.
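The signals above, and the identity-driven behaviors listed earlier (mass sharing outside the organization, unusual OAuth grants), only become detections when something computes them against each user's history. As an added example that is not part of the original post and is not DoControl's code, the Python below runs three of those checks over a constructed SaaS audit log: impossible travel between consecutive logins, a burst of shares to non-corporate recipients, and an OAuth grant count well above a per-user baseline. The events, the corporate domain example.com, the baseline figures and every threshold are assumptions chosen for illustration.

```python
"""Identity-signal detections over a constructed SaaS audit log.

Added example, not DoControl's code. All events, the corporate domain,
the OAuth baseline and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

CORP_DOMAIN = "example.com"      # assumed corporate mail domain
MAX_PLAUSIBLE_KMH = 900          # roughly airliner speed; faster than this is not travel
MIN_TRAVEL_KM = 50               # ignore jitter between IPs inside one metro area
SHARE_WINDOW = timedelta(hours=1)
SHARE_THRESHOLD = 20             # external shares within SHARE_WINDOW that trigger a finding
OAUTH_MIN_GRANTS = 3
OAUTH_SPIKE_FACTOR = 3           # grants in the log vs. the user's daily baseline

T0 = datetime(2025, 5, 20, 15, 0)  # 3 p.m., constructed

# Constructed audit events (not real logs): logins carry a geolocation,
# shares carry a recipient, OAuth grants carry the authorized app.
EVENTS = [
    {"ts": T0, "user": "gtm@example.com", "type": "login", "lat": 40.71, "lon": -74.01},                         # New York
    {"ts": T0 + timedelta(minutes=30), "user": "gtm@example.com", "type": "login", "lat": 52.23, "lon": 21.01},  # Warsaw
    {"ts": T0, "user": "eng@example.com", "type": "login", "lat": 37.77, "lon": -122.42},                        # San Francisco
    {"ts": T0 + timedelta(hours=6), "user": "eng@example.com", "type": "login", "lat": 34.05, "lon": -118.24},   # Los Angeles
    {"ts": T0, "user": "eng@example.com", "type": "share", "recipient": "peer@example.com", "file": "design.pdf"},
]
# A departing sales rep shares 50 files to a personal mailbox within 50 minutes.
EVENTS += [{"ts": T0 + timedelta(minutes=i), "user": "sales@example.com", "type": "share",
            "recipient": "sales.personal@gmail.com", "file": f"deal-{i}.xlsx"} for i in range(50)]
# An intern authorizes four unapproved sync apps within 20 minutes.
EVENTS += [{"ts": T0 + timedelta(minutes=5 * i), "user": "intern@example.com", "type": "oauth_grant",
            "app": f"sync-app-{i}"} for i in range(4)]

# Constructed 30-day baseline: average OAuth grants per day for each user.
OAUTH_BASELINE = {"intern@example.com": 0.1, "eng@example.com": 0.5}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins whose implied ground speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "login":
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda ev: ev["ts"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= MIN_TRAVEL_KM and speed > max_kmh:
                findings.append({"user": user, "signal": "impossible_travel", "km": round(km),
                                 "kmh": round(speed) if hours > 0 else None})
    return findings


def is_external(recipient, corp_domain=CORP_DOMAIN):
    """Match the full '@domain' suffix; a substring test would accept
    'x@example.com.attacker.net' as internal."""
    return not recipient.lower().endswith("@" + corp_domain.lower())


def external_share_burst(events, window=SHARE_WINDOW, threshold=SHARE_THRESHOLD):
    """Flag users who share >= threshold files to external recipients within window."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "share" and is_external(e["recipient"]):
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):           # sliding window starting at each share
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= threshold:
                findings.append({"user": user, "signal": "external_share_burst", "count": n})
                break
    return findings


def oauth_spike(events, baseline=OAUTH_BASELINE, factor=OAUTH_SPIKE_FACTOR, min_grants=OAUTH_MIN_GRANTS):
    """Flag users whose grants exceed factor x their daily baseline. The floor of
    1/day keeps a user who has never granted anything from being flagged for
    a single, possibly legitimate, authorization."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "oauth_grant":
            counts[e["user"]] += 1
    return [{"user": u, "signal": "oauth_spike", "grants": n, "baseline_per_day": baseline.get(u, 0.0)}
            for u, n in counts.items()
            if n >= min_grants and n > factor * max(baseline.get(u, 0.0), 1.0)]


def run_detections(events=EVENTS):
    return impossible_travel(events) + external_share_burst(events) + oauth_spike(events)


if __name__ == "__main__":
    for finding in run_detections():
        print(finding)
```

Two details matter in practice. The recipient check matches the full `@example.com` suffix rather than testing whether the corporate domain appears anywhere in the address, because `user@example.com.attacker.net` would otherwise count as internal. The impossible-travel check also ignores short hops, since two logins from different IPs inside one metro area are routine and would otherwise flood the queue whenever geolocation jitters.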

These signals only become meaningful when they’re evaluated in context – something most legacy tools miss. Without baselines, historical behavior, and role-specific insights, even the best alerts can lead to dead ends or false positives.

Why Identity Profiling and Risk Scoring Matters

Identity is not static; it evolves. Job roles change, projects shift, and access patterns follow suit. That's why ITDR isn't just about flagging anomalies – it's about continuously profiling each identity over time to understand, and periodically revisit, what 'normal' looks like and what constitutes risk for that specific user.

Risk scoring is at the heart of that strategy.

A well-built risk model doesn’t just assign value based on a single event – it aggregates context from multiple sources, such as:

  • HRIS data – Job title, department, employment status

  • Identity providers (IdPs) – Login frequency, MFA usage, authentication methods, access locations

  • SaaS activity patterns – Historical behavior across applications, shared files, OAuth activity

Without identity-aware context, teams are left reacting to alerts without knowing where to look first — or worse, chasing noise or false positives instead of real exposure.
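To make the aggregation concrete, here is an added example, not DoControl's scoring model, of a risk score that combines HRIS, IdP and SaaS signals in Python. Each detection finding carries a base weight that decays with a one-week half-life, and the decayed total is multiplied by context from HRIS (employment status), the IdP (MFA enrollment) and SaaS permission level. The weights, half-life, multipliers and the three sample identities are constructed assumptions.

```python
"""Dynamic identity risk scoring from HRIS, IdP and SaaS signals.

Added example, not DoControl's scoring model. Weights, half-life,
multipliers and the sample identities are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HALF_LIFE = timedelta(days=7)   # assumed: a finding loses half its weight per week

# Assumed base weight per finding type (from the detection layer), 0-100 scale.
SIGNAL_WEIGHTS = {
    "impossible_travel": 60,
    "external_share_burst": 40,
    "oauth_spike": 30,
    "off_role_access": 25,
}
DEFAULT_WEIGHT = 10             # unknown finding types still count for something


@dataclass
class Identity:
    email: str
    department: str               # HRIS
    employment_status: str        # HRIS: "active", "notice_period" or "terminated"
    mfa_enrolled: bool            # IdP
    is_admin: bool                # SaaS permission level
    findings: list = field(default_factory=list)  # (finding_type, timestamp)


def decayed_weight(weight, age, half_life=HALF_LIFE):
    """Exponential decay so a stale finding stops dominating the score."""
    age = max(age, timedelta(0))  # a clock-skewed future timestamp must not inflate the weight
    return weight * 0.5 ** (age / half_life)


def context_multiplier(identity):
    """Static context from HRIS, IdP and SaaS that raises the impact of any finding."""
    m = 1.0
    if identity.employment_status == "terminated":
        m *= 2.0     # any activity from an offboarded account is exposure
    elif identity.employment_status == "notice_period":
        m *= 1.5     # departing users are the classic exfiltration window
    if not identity.mfa_enrolled:
        m *= 1.3     # a stolen password alone is enough to take the account
    if identity.is_admin:
        m *= 1.3     # blast radius
    return m


def risk_score(identity, now):
    """Decayed sum of findings times context, capped at 100."""
    raw = sum(decayed_weight(SIGNAL_WEIGHTS.get(kind, DEFAULT_WEIGHT), now - ts)
              for kind, ts in identity.findings)
    return min(100.0, round(raw * context_multiplier(identity), 1))


def prioritize(identities, now):
    """Highest-risk identities first: the SecOps work queue."""
    return sorted(((risk_score(i, now), i.email) for i in identities), reverse=True)


NOW = datetime(2025, 5, 20, 16, 0)  # constructed evaluation time
IDENTITIES = [
    Identity("gtm@example.com", "sales", "active", mfa_enrolled=True, is_admin=False,
             findings=[("impossible_travel", NOW - timedelta(minutes=30))]),
    Identity("contractor@example.com", "design", "terminated", mfa_enrolled=False, is_admin=False,
             findings=[("off_role_access", NOW - timedelta(hours=2))]),
    Identity("eng@example.com", "engineering", "active", mfa_enrolled=True, is_admin=True,
             findings=[("oauth_spike", NOW - timedelta(days=21))]),
]

if __name__ == "__main__":
    for score, email in prioritize(IDENTITIES, NOW):
        print(f"{score:5.1f}  {email}")
```

The ordering is the point: the offboarded contractor's single off-role access outranks an active employee's impossible-travel alert, because activity from an account that HRIS says should no longer exist is exposure regardless of what it touched. Re-running `risk_score` on the same identity two weeks later returns a much lower number, which is the "not static" property the text describes; in a real deployment the decay would be tuned per signal, and a finding that an analyst has cleared would be removed rather than left to decay.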

How DoControl Approaches Insider Threat Monitoring

DoControl’s Identity Threat Detection and Response (ITDR) module is purpose-built to protect SaaS environments from identity-based threats – especially those originating from within. 

We integrate with your HRIS and IdP systems to collect data on all your identities, connecting the dots to who they are at the user level and what actions they’re taking in SaaS. 

Our approach centers on visibility, context, and real-time, user-level control.

Identity Threat Detection & Response

We build a risk profile for every identity in your SaaS ecosystem by aggregating signals from user behavior, file access patterns, SaaS permissions, and business context like department and role data from HRIS systems. 

This enables teams to move beyond surface-level alerts and prioritize actual exposure based on user intent and impact.

Within the DoControl dashboard, you gain a comprehensive view of each identity’s risk profile – including recent alerts they’ve triggered, the assets and applications they’ve accessed, where and how they accessed them, and the devices used.

You can also see all activity from the past 30 days, including connections to unsanctioned or shadow applications. No stone is left unturned, giving you more visibility into user behavior and identity risk across your SaaS environment than you thought was possible!

User Behavior Anomaly Detection

DoControl continuously monitors user activity and benchmarks it against department- and role-specific norms. 

When behavior deviates – such as a sudden spike in file sharing, an inactive user initiating a high volume of OAuth connections, or an admin performing actions outside their typical scope – our platform detects and flags it in real time, enabling swift investigation and response.

This is especially powerful in how we capture and track unusual access and login patterns. For example, if an employee logs in from California one minute, then Europe 20 minutes later, we know that there is some sort of suspicious activity happening under their identity. From there, we immediately notify security teams, enabling them to jump on the threat and remediate the risk immediately.

Dynamic Risk Scoring

Each identity is scored based on a blend of behavior, access level, context, and deviation from norms. The score is not static; it evolves alongside the user's actions, adjusting as new signals are ingested.

The dynamic risk score is a key part of our product: it reflects not only the likelihood of future risky behavior but also flags current activity that falls outside expected norms.

This score isn't just a number; it's a prioritization tool for SecOps teams to focus on who needs attention, why, and when. We also enable our customers to flag risky users and add them to a watchlist, making it even easier to lock down these threats and determine who's a liability.

Turning Identity Risk Into Response

Detection without action is incomplete. That’s why DoControl’s ITDR module is built to facilitate true response – both automatically and on demand.

  • On-Demand Bulk Remediation: Security teams can instantly revoke user permissions, remove OAuth tokens, or suspend users across connected SaaS applications with just a few clicks.

  • Automated Workflows: You can define policies that trigger pre-set responses when identity behavior crosses a risk threshold – like auto-restricting sharing access for users who attempt to exfiltrate sensitive files.

  • User-Level Control: Remediation can be applied per identity, with precision. That means exposure is contained without disrupting broader workflows or affecting uninvolved users.

DoControl gives security teams not just the signals – but the context and control they need to protect the organization from the inside out. Stay tuned for more on our detection and response capabilities.

Summary

Insider threats don’t always look like threats – until it’s too late. In SaaS environments where users, data, and access are constantly in motion, relying on traditional tools or surface-level alerts just isn’t enough.

By continuously profiling identities, tracking behavior in context, and scoring risk in real time, DoControl empowers security teams to detect, prioritize, and respond to identity-driven threats before they escalate. 

Whether it’s a negligent employee, a compromised contractor, or a malicious insider, DoControl gives you the visibility and control to act early, and with confidence.

In the final part of our ITDR blog series, we’ll shift focus from exposure to execution – diving into how detection and response workflows can be automated to dramatically reduce dwell time and stop identity threats in their tracks.

Don't miss the final part: ITDR Part #3: From Reactive to Resilient: Responding to Identity Threats in Real Time


Melissa leads DoControl’s content strategy, crafting compelling and impactful content that bridges DoControl’s value proposition with market challenges. As an expert in both short- and long-form content across various channels, she specializes in creating educational material that resonates with security practitioners. Melissa excels at simplifying complex issues into clear, engaging content that effectively communicates a brand’s value proposition.
