Insider Threat

Sancorp’s in-depth knowledge of the threat from insider betrayal provides our team with invaluable insight into mitigation measures. Our team gains knowledge and methodologies from our strategic partner, Carnegie Mellon University’s Software Engineering Institute (SEI) CERT Partner Network. As SEI CERT Insider Threat partners, Sancorp draws on over twenty years of research and development to provide a systematic approach to support an organization’s Insider Threat requirements. Our core competencies in Insider Threat defense include:

  • NISPOM 2 Insider Threat Program Development

    • We tailor our successful Insider Threat program template to assist organizations with the NISPOM 2 requirements. We also support a more mature Insider Threat program to implement repeatable and robust countermeasures to potential insider threats.

  • Certified SEI CERT Insider Threat Vulnerability Assessments 

    • Sancorp Consulting, LLC partners with Carnegie Mellon University Software Engineering Institute (SEI) CERT Insider Threat program professionals to provide certified Insider Threat Vulnerability Assessments (ITVA) to support an organization’s security efforts. We tailor these assessments to evaluate an established Insider Threat program, identify critical assets, and provide recommendations for remediation to increase the maturity and success of an organization’s Insider Threat program.

  • Advanced Analytics Technical Controls

    • Our team provides customers with detailed recommendations on tested system analytics and visualization tools to support system event and information management requirements. These analytical technical controls provide an added layer of vigilance to support anomaly detection within an organization.

  • Continuous Evaluation and Monitoring

    • In conjunction with technical system analytics controls, Sancorp works with organizations to establish the required framework for policy, procedures, and employment of a cohesive continuous evaluation and monitoring program. Our team provides expert recommendations on separation of duties, legal, behavior, triage, and responses.

  • System Integrity and Penetration Testing

    • Working with our cyber activities strategic partners, Sancorp supports system integrity and testing of an organization’s internal technical controls to ensure monitoring mechanisms detect and identify anomalies within data systems and physical access to critical areas.

  • Incident Response Plans

    • Sancorp brings extensive experience in providing support to develop an Insider Threat response plan integrating a decision response matrix, identifying key personnel, and supporting training and evaluation of the program.

    • We focus on evaluating an organization’s daily operations and business practices to identify vulnerabilities or gaps that will affect operational readiness and liability to an organization from internal and external factors. Implementing a systemic approach when an incident occurs minimizes subjective decisions and instead establishes a baseline Decision Matrix to help an organization link senior management, supervisors, and essential controls/personnel to react, providing an effective response to the incident. Sancorp specializes in:

      • Tailored organization Incident Response Plan

      • Evaluation and rehearsal of existing plans

      • Decision Matrix development and scenario training

      • Team/Red Cell testing/integration

  • Training and Awareness

    • Our team assists organizations in training everyone from C-level staff, on their roles and responsibilities, to the critical employees supporting daily operations and critical functions.

  • Behavioral Observations  

    • Sancorp coordinates and partners with identified behavioral specialists to assess and support a tailored behavior and operational risk management program for an organization. These tailored solutions include identifying high impact stress situations and remediation plans, critical decision making, coaching, positive environment measures, and support to employee transition plans.

  • Physical Security Measures and Assessments

    • Sancorp provides robust technical and procedural physical security consultation to support an organization’s Insider Threat Plan and security posture.  

Sancorp’s unique and innovative approach resulted in the HQ USMC selection of Sancorp to head their Insider Threat Program and Analysis Center in 2018.

Identity and Data Activity

Sancorp provides subject matter expertise and technical experts to support biometrics access control, media device forensics/exploitation, identity and data intelligence, and identity management requirements. 


Organizations require the positive physiological identification of personnel for verification in a global environment where identity theft, counterfeit activities, and corporate espionage continue to rise. Our subject matter experts support biometrics requirements ranging from biometrics analytical support to strategic level consultation on biometrics system design and interoperability. The use of biometrics encompasses two primary activities:

  • Biometrics authentication for identification and access control. This process includes a one-to-one (1:1) comparison, e.g. one known/unknown biometric compared with one candidate biometric, and provides a match/no match response.

  • Biometrics searching. This process includes a one-to-many (1:N) comparison, in which one or more biometric modalities (e.g. face, fingerprint, voice) are searched against a database of biometrics (known as an automated biometric identity system or ABIS) in search of a match within the database.

Examples of Sancorp identity activity support include:

Biometrics and Access Control

  • Physical Access Verification

    • Commercial application of biometrics for one-to-one verification

    • Logical control and verification

    • Accountability

    • Transaction Certifications

  • Enterprise level architecture design

Exploitation and Forensics

  • Staff proficient in forensic tools such as EnCase, Internet Evidence Finder, XRY, etc.

    • Cell Phone

    • Computer media (hard drives, removable media, etc.) in search of identity data

  • Identification, extraction and reporting of digital communications

Identity and Data Intelligence

  • Biometric Matching

    • Searching a biometric against ABIS systems (1:N) to discover matches to known/unknown individuals

      • 1:1 match reports (these reports compare physiological features between the searched biometric and the possible match)

  • Identification of Digital Signatures and Patterns

  • Identity Resolution

    • Utilizing a structured methodology to associate biometrics with biographic and behavioral activities to link together identity characteristics

    • Relational/Link Analysis expertise to visualize big data and networks

    • Social Media identity resolution

    • All Source integration with identity and biometric signatures to create robust personas

Sancorp’s enhanced understanding of identity activities and biometrics resulted in multiple awards (Prime and Sub) supporting Identity Activities for the USMC and the National Ground Intelligence Center.


Sancorp staff bring significant military and federal experience in CI investigations, analysis, collections, operations, and awareness regarding foreign intelligence threats, the risks they pose, and the defensive measures necessary to safeguard classified and sensitive information. In addition, our staff bring decades of military and federal expertise in critical technology protection, developing CI Support Plans to mitigate the threat to personnel, technology, and resources through structured protection processes created in collaboration with various stakeholders. These CI Plans address threats to the supply chain along with research, development and acquisition to identify, resolve and/or mitigate threats.

Specific areas of Sancorp professional expertise include:

  • CI Policy

  • CI Investigations

  • Defensive CI Briefings and Debriefings

    • Foreign Travel

    • Foreign Visits and Assignments

  • CI Analysis

  • CI Collections

  • CI Cyber Defensive Measures

  • CI Training and Awareness

  • CI Support to Critical Programs

    • Supply Chain Risk Management

    • Research, Development and Acquisition Analysis

  • Liaison with federal counterparts such as the FBI, CIA, DHS, etc., to ensure full coverage of CI threats

Sancorp’s expertise in CI and Security resulted in an award from the USD(I) to provide impact, objective, data-driven evaluations and studies regarding the DoD CI enterprise and the Defense Security Enterprise (DSE).

Cyber Activities

Our experts provide the most up-to-date cyber support to our customers in the ever-evolving world of digital communications. Support includes forensically sound digital media investigations to support our clients’ requirements to identify, preserve, and conduct data analysis of computers, media, and mobile device platforms. Our teams support system integrity and testing of an organization’s internal technical controls to ensure the integrity of monitoring mechanisms to detect and identify anomalies within data systems and physical access to critical areas.

  • Computer Forensics

    • Hard Drives, SD Cards, Flash Drives, Cell Phones, GPS, etc.

  • Cyber Policy Development

  • Concept of Operations Integration

  • Tactical/Training Scenario Development

  • Cyber Anomaly Identification

  • System Integrity/Penetration Testing  

  • Data Management

  • Cyber & Network Security

  • Technology (hardware/software) recommendations and training

Sancorp supports Headquarters USMC, Plans, Policies and Operations, with our Exploitation SME providing expertise on requirements, from strategy to policy development, in support of the Expeditionary Forensics Exploitation Capability.