When the Threat Comes From Inside, Trust Is the First Casualty
Most security programs are built to keep attackers out. Breach of Faith exposes a harder reality: insiders—malicious, negligent, or compromised—can bypass your strongest external controls. This CyberEd.io interactive plunges leaders, SOC teams, HR, and legal into the gray zone where privacy, forensics, and employment law collide with real-time risk.
Breach of Faith: The scenario
The exercise opens with an ambiguous set of signals—nothing “on fire,” but everything uneasy.
Participants must distinguish coincidence from conspiracy while navigating the guardrails around insider investigations.
Early injects (Stage 1 – Suspicion):
- DLP Alerts: Multiple transfers of “Restricted” CAD files to a personal cloud-storage domain outside the whitelist.
- UEBA Anomaly: A senior engineer downloads 10x their normal volume from a Git repo at 02:13 local time.
- Badge/VPN Mismatch: Physical access badge shows “home,” but VPN logs place the user inside a production subnet.
- O365/Google Audit: Mass mailbox search queries for “offer,” “confidential,” and competitor names.
- Endpoint Artifacts: Recently mounted USB mass-storage device with autorun disabled; attempts to scrub logs.
Escalation injects (Stage 2 – Attribution vs. Action):
- HR Flag: Employee is in exit process (accepted a competitor’s offer); two weeks remain.
- Phishing/Account Compromise Clue: MFA fatigue prompts on the same account the night before anomalies started.
- ServiceNow/Jira: Tickets requesting temporary admin rights approved by a peer during off hours.
- Finance/Procurement Trail: Unapproved SaaS trial for a “sync” tool used to mirror folders to a personal tenant.
Crisis injects (Stage 3 – Decision Point):
- External Counsel Guidance: “Preserve evidence; avoid actions that constitute constructive dismissal.”
- Privacy Officer Note: Jurisdiction requires proportional monitoring; intrusive surveillance risks regulatory exposure.
- Product Team Alert: A competitor demoed a feature unusually similar to an unreleased design.
- Insider Communication: The employee emails HR alleging retaliation—whistleblower protection may apply.
Participants must choose, in real time: do they ghost-monitor to build an airtight case, or intervene now to stop potential exfiltration? Who informs whom, when—and how?
Breach of Faith turns the messiest kind of incident—the insider case—into a repeatable, measurable exercise.
Teams leave with clearer authority lines, stronger controls, and a shared understanding of how to protect both the enterprise and its people when trust is at risk.
Learning outcomes
Breach of Faith develops skills organizations rarely practice under pressure:
Evidence-driven triage
Correlate DLP/UEBA, endpoint, identity, badge, and SaaS logs into a defensible narrative.
Proportional response & due process
Balance monitoring and containment with privacy, labor, and whistleblower protections.
Chain of custody discipline
Forensically sound acquisition (disk, memory, cloud artifacts) aligned with counsel’s guidance.
Segregation of duties
Keep HR/legal decisions separate from SOC actions; no “fishing expeditions.”
Risk-framed communication
Brief executives with fact patterns, impact scenarios, and options—no speculation.
Remediation without retaliation
Remove access (JIT/JEA rollback, key rotation) without creating legal exposure.
Enterprise value
Insider incidents are multidisciplinary; this simulation shows whether your organization can act as one team:
- Program Validation: Tests your insider threat playbook (not just your IR plan) across HR, Legal, Security, and IT Ops.
- Control Assurance: Exercises least privilege, JIT access, DLP policies, CASB, and data classification in a live scenario.
- Governance Clarity: Establishes who authorizes enhanced monitoring, account suspension, or device seizure, and under what threshold of evidence.
- Regulatory Readiness: Practices documentation standards that withstand regulator review or litigation.
- Culture & Trust: Demonstrates how to address internal risk without chilling normal work—a key leadership signal.
Industry-tailored variants include:
Financial Services
Pre-earnings financials and trading algorithms marked “Restricted.”
Healthcare
PHI access anomalies under HIPAA with clinical workflow constraints.
Manufacturing/OT
CAD/BOM leakage tied to export controls; “break-glass” account use.
SaaS/Cloud
Source code exfiltration via dev tools; tenant sync bypassing controls.
Technical inject library
Use these artifacts during the exercise to drive analysis and decisions:
Identity/IAM:
- Azure AD sign-in logs: atypical geo + impossible travel.
- Privilege escalation events; creation of “shadow” admin groups.
SaaS/email/storage:
- O365 Purview DLP hits; anomalous SharePoint link sharing to external domains.
- Gmail/Exchange audit: rule creation (“auto-forward to personal”), keyword search bursts.
- CASB: unsanctioned app uploads; file hash mismatch alerts.
Endpoint/EDR:
- 7-Zip with high compression on source trees; archive passwords detected via memory strings.
- Browser history to personal drives; anti-forensics tools (wiping utilities).
Network/proxy:
- Exfil over TLS to newly registered domains; DoH evasion hints.
- DNS tunneling patterns with low-and-slow cadence.
Facilities:
- Badge access to lab after hours; CCTV availability note (retention limits).
HR/workflow:
- Exit interview scheduled; PIP history; non-compete status; conflict-of-interest disclosure.
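An added example, not part of the CyberEd.io material: a small Python correlation that stitches the Stage 1 signals (badge/VPN mismatch, off-hours download spike, Restricted files to a non-whitelisted domain) into one timeline, the evidence-driven triage the learning outcomes describe. The events, user id, production subnet, storage allowlist and UEBA baseline are all constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events (not real telemetry) for one user, id "u1234" (placeholder).
EVENTS = [
    {"ts": "2024-03-11T18:02:00", "src": "badge", "user": "u1234", "action": "exit", "site": "HQ"},
    {"ts": "2024-03-12T02:10:00", "src": "vpn",   "user": "u1234", "action": "connect",
     "assigned_ip": "10.20.14.7"},
    {"ts": "2024-03-12T02:13:00", "src": "git",   "user": "u1234", "action": "clone",
     "bytes": 4_200_000_000},
    {"ts": "2024-03-12T02:41:00", "src": "dlp",   "user": "u1234", "action": "upload",
     "label": "Restricted", "dest_domain": "personal-sync.example"},
]
PROD_SUBNETS = [ip_network("10.20.0.0/16")]        # assumed production VPN address pool
SANCTIONED_DOMAINS = {"sharepoint.corp.example"}   # assumed cloud-storage allowlist
GIT_BASELINE_BYTES = {"u1234": 350_000_000}        # assumed per-user daily baseline (UEBA)
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59 local


def _when(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, prod_subnets=PROD_SUBNETS, allowlist=SANCTIONED_DOMAINS,
              baseline=GIT_BASELINE_BYTES, spike_factor=10):
    """Return findings as (timestamp, code, detail) tuples in timeline order."""
    findings = []
    last_badge = {}                                # user -> most recent badge action
    for e in sorted(events, key=_when):
        user = e["user"]
        if e["src"] == "badge":
            last_badge[user] = e["action"]
        elif e["src"] == "vpn" and e["action"] == "connect":
            # Badge says the user left the site, yet the VPN placed them in production.
            in_prod = any(ip_address(e["assigned_ip"]) in net for net in prod_subnets)
            if in_prod and last_badge.get(user) == "exit":
                findings.append((e["ts"], "BADGE_VPN_MISMATCH",
                                 f"badge off-site, VPN address {e['assigned_ip']} in production"))
        elif e["src"] == "git":
            base = baseline.get(user)
            if base and e["bytes"] >= spike_factor * base:
                off_hours = _when(e).hour not in BUSINESS_HOURS
                code = "VOLUME_SPIKE_OFF_HOURS" if off_hours else "VOLUME_SPIKE"
                findings.append((e["ts"], code, f"{e['bytes'] / base:.0f}x baseline"))
        elif e["src"] == "dlp":
            if e["label"] == "Restricted" and e["dest_domain"] not in allowlist:
                findings.append((e["ts"], "RESTRICTED_TO_UNSANCTIONED_DOMAIN", e["dest_domain"]))
    return findings


if __name__ == "__main__":
    for ts, code, detail in correlate(EVENTS):
        print(ts, code, detail)
```

Each finding carries its source timestamp so the output doubles as the first draft of the chain-of-custody timeline rather than a bare alert count.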
Decision dilemmas (designed trade-offs)
Monitor vs. intervene:
Continue surveillance to strengthen evidence—or revoke access now to stop potential loss?
Device seizure scope:
Seize corporate laptop only, or also personal devices used for work? Legal boundaries apply.
Notification timing:
Inform the business unit lead now (risk of rumor/leak), or wait until facts are verified?
Public/client disclosure:
Is this a reportable event today, or an internal HR matter pending evidence?
Sanctions matrix:
Termination vs. suspension vs. coaching—consistency with HR policy prevents precedent problems.
Counsel involvement:
Engage external counsel immediately to guide the investigation—or keep it internal until stronger evidence emerges to avoid escalating legal exposure?
Delivery models
CyberEd.io offers Breach of Faith in flexible formats:
On-site workshop:
Live facilitation with inject packets, mock interviews, and counsel participation.
Remote simulation:
Secure platform delivering artifacts (logs, emails, tickets) with decision dashboards.
Hybrid:
Executive/HR/legal in room; SOC/DFIR remote, reflecting real operational dynamics.
Custom tailoring:
Aligns to your jurisdiction, policies, tooling, and data classifications.
Post-exercise enablement
- After-Action Report: Evidence reviewed, decisions taken, missed opportunities, and legal risk notes.
- Policy & Playbook Updates: Insider threat SOPs; monitoring thresholds; investigative checklists; counsel notification triggers.
- Control Improvements: Data egress guardrails, JIT/JEA, PAM reviews, code repo protections, SaaS governance.
- Training Pathways: Follow-on labs for DLP tuning, UEBA baselining, forensic imaging, and interview techniques.
At-a-glance
Audience:
CISOs, SOC/DFIR, HR, Legal/Privacy, IT Ops, Business Unit Leaders.
Duration:
3–4 hours (configurable; includes facilitated debrief).
Difficulty level:
Advanced—heavy on judgment, process, and evidentiary rigor.
Industry:
Financial services, healthcare, manufacturing/OT, SaaS/cloud.
Format:
On-site, remote, or hybrid with custom tailoring.
Deliverables:
Inject library, after-action report, governance recommendations, updated insider threat playbooks.