14 Documented Cases
Manning, Snowden, Duronio, Levandowski, Ramesh, Zheng, Skelton, Ruiz, Sharp, Kvashuk, Desjardins, Tesla, Twitter, Barile — signals present in retrospect, what was missed, what triggered detection.
Detection Logic by Tier
Deterministic rules, behavioural heuristics, identity anomalies, exfiltration path coverage, sabotage signals, UEBA models — each with log sources, detection logic, and false-positive guidance.
Four-Phase Implementation
Phased programme from telemetry foundations through behavioural analytics to mature graph-based detection — structured to deliver maximum ROI first.
Legal & Privacy Constraints
Operational monitoring boundaries under US law (ECPA, CFAA), GDPR, and the Australian Privacy Act — jurisdiction-specific guidance for each monitoring activity.
By Andrey Pautov · Threat Intelligence Research Engineer · April 2026
Epistemic labels: [Documented] = cited primary source. [Inferred] = analytic conclusion from documented facts. Unlabelled = consensus support in cited literature. Not legal advice.