Insider Threat Services on Darktrace

Insider threat services directly address the fact that most security breaches are at least assisted by insiders. The most significant security breaches involve insider threats, for example through password compromise.

Insider Threat services guard against motivated malicious insiders and accidental negligence by employees, greatly reducing corporate data loss.


  • Insider threat protection against data leakage (e.g. Dropbox)
  • Governance, analytics and protection in one integrated solution
  • Built-in integration with enterprise directories, SIEM and MDM
  • Blended service with DLP to detect probability levels of compromise
  • Full artificial intelligence analysis to detect anomalous behaviour


  • Discover shadow IT and risk, eliminating the IT blind spot
  • Prevent leaks of sensitive data to cloud applications
  • Block cyber attacks by the rapid detection of anomalies
  • Reduce risk of downloading or distributing malware
  • Spot data leakage from inside staff or malware
  • Use of machine learning and artificial intelligence


£5000 to £15000 per unit per month

  • Free trial available

G-Cloud 10



Simon Moore


Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No
System requirements: Needs to be monitored to drive responses

User support

Email or online ticketing support: Yes, at extra cost
Support response times: Within 1 working day; response levels can be raised to cover weekends if required.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: Yes, at an extra cost
Web chat support availability: 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard: WCAG 2.0 AA or EN 301 549
Web chat accessibility testing: Vendor-defined capability
Onsite support: Yes, at extra cost
Support levels: NBD, 8x5, 24x7.

On-site support is never needed, as the service is in the cloud. Configuring endpoints to talk to the cloud involves limited complexity.

A client-engaged technical account manager can be provided, but is required when multiple services are engaged, to ensure interoperability and cost benefits. Once configured, the service is stable and only needs client-based support knowledge for major changes; this is addressed through documentation.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Initial consultation on configuration of the software is included. Additionally:
  1. If the customer chooses to install with their own resources, we can provide HiveLOGIC support through HiveLOGIC consultancy services
  2. Support for:
     - SOC services, including monitoring and reporting
     - Rapid response service to events and observations
  3. Training workshops
  4. Direct, side-by-side support
  5. Issue and problem resolution
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: The only data held in the service are security logs and configuration details; both can be exported if necessary
End-of-contract process: No additional services required; the service simply stops

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Nil
Accessibility standards: WCAG 2.0 AA or EN 301 549
Accessibility testing: N/A
Customisation available: Yes
Description of customisation:
  • Look and feel of GUI
  • Seeding with known insider threat profiles


Independence of resources: As the level of inspected traffic increases, more probes are required.


Service usage metrics: Yes
Metrics types: Details are provided on traffic flows and hits on security rules
Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Darktrace

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Via the web-based management console and download of data
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: IPsec or TLS VPN gateway
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: 99.999% uptime
Approach to resilience: Multiple instances, hardware and datacentres
Outage reporting: API, dashboard and email alerts

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels: Management interfaces may only be accessed from known addresses and via privileged-account-management-based authentication.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: You control when users can access audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users receive audit information on a regular basis
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 22/05/2015
CSA STAR certification level: Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover: None
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: We work as a network of SMEs supported by larger businesses where scale and costs make this sensible. Design and service ownership always resides with the Head of Operations within HiveLOGIC (HL). We then outsource the day-to-day manning of our service desk to Westcon/Comstor owing to the economies of scale they can achieve.

HL assesses the service levels, SLAs, policies and procedures provided by Westcon on a regular basis (every 6 months or more frequently) and on demand.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: The majority of changes are limited to configuration of the software controls. All such changes are assessed for security impact, as this is a security-based service.

We reserve the right to augment or replace technologies and use hardware appliances for speed and performance as requirements demand.

All configuration details are recorded and changes are documented to enable auditing. All equipment abides by local security accreditation requirements and is suitably protected and isolated.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Threats to the system are constantly assessed by the vendor (Darktrace) and by system assessment, and changes are made to the software base.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: The appliances and software used to detect threats are offline and do not accept incoming traffic. They scan copied SPAN data to deliver their insight.

The boundaries within which they are positioned then host intruder protection services.
Incident management type: Supplier-defined controls
Incident management approach: The threat detection platform is offline and behind a protective boundary device. Where appropriate we use threat removal devices to protect the platform.

Incidents detected are reported and acted upon as per policy. Any known attacks are instantly stopped. Non-malicious, unauthorised accesses are blocked and then investigated as potential false positives.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No


Price: £5000 to £15000 per unit per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: We will run a proof of value on a live network for a period of 1 month.

