Demo  Arrow | GitHub | Docs | API reference | Contact | Resources
tirreno - Open-source security framework Home Use cases How it works Pricing About
Arrow Download

tirreno » .com/bat » Application-level security for insider threats






Resources

tirreno
.com/bat



Application-level security for insider threats

November 25, 2025 · 7 min read

Most insider threat guidance is written for security operations teams with enterprise SIEM platforms, endpoint detection agents, DLP tools, and physical access logs. The advice assumes your organization has a SOC, a dedicated insider threat program, and the budget to correlate events across dozens of infrastructure data sources.

Most organizations building internal applications don't have any of that. What they have is a web application used by employees, contractors, or partners, and no visibility into how those users actually behave inside it. They can tell you who has access. They cannot tell you who is using that access in ways that should raise questions.

The signals that indicate misuse, negligence, or compromise live in login patterns, session behavior, account changes, and data modifications inside the application itself. Detecting them does not require a SIEM. It requires instrumenting your application to observe what its users actually do.

Where insider threats play out in practice

Every internal application that handles sensitive data is a potential surface for insider abuse. The specific risks depend on what the application does, but the behavioral patterns are remarkably consistent.

ERP and financial systems are where insider threats translate directly into monetary loss. An accounts payable clerk who creates a fictitious vendor and routes payments to it. A procurement manager who approves purchase orders just below the threshold that triggers secondary review. An employee who modifies pricing or discount fields on invoices before they go out. The common thread is that the abuse happens through legitimate application functions: creating records, editing fields, approving workflows. The user has access to do exactly what they are doing. The only signal is that the pattern of behavior is abnormal.

CRM platforms hold client contact details, deal pipelines, contract terms, and communication histories. A departing sales rep who exports their entire book of business in the weeks before resigning. A support agent who opens customer records outside their assigned accounts or geography. A contractor who systematically browses high-value client profiles without any corresponding support ticket or task. In each case, the data access is technically permitted. The system lets the user view those records. What makes it a threat is the volume, the timing, or the pattern.

Healthcare and patient management systems carry both regulatory and ethical risk. An employee who accesses a high-profile patient's records out of curiosity rather than clinical need. A billing specialist who modifies procedure codes to inflate reimbursements. A staff member who accesses records of personal acquaintances. These violations trigger HIPAA exposure and are among the most commonly investigated insider incidents in healthcare organizations.

HR and payroll platforms contain compensation data, personal identifiers, performance reviews, and banking details. An HR administrator who views salary records outside their reporting line. A payroll processor who adjusts hours or overtime figures for specific employees. An IT admin who accesses personnel files without a corresponding help desk ticket. The sensitivity of the data means that even casual over-access creates compliance risk.

Internal knowledge bases and document management systems are where intellectual property lives. An engineer who downloads an unusual volume of design documents before leaving for a competitor. A contractor who accesses project files outside their assigned scope. An employee who systematically retrieves proprietary methodology or client deliverables. The exfiltration often looks like ordinary document access. Only the pattern reveals the intent.

What the behavioral signals look like

Across all of these applications, the detectable signals fall into consistent categories.

As an open-source security framework, tirreno captures these events, enriches them with user context and network intelligence, and processes them through configurable rules. Below are the key threat patterns and how tirreno surfaces them.

Compromised credentials are the most common entry point. Credential stuffing, phishing, and password reuse give external attackers access to internal applications using legitimate usernames and passwords. Traditional perimeter security sees nothing wrong. The authentication succeeded. The only signals that something has changed are behavioral: a login from an unfamiliar device, from an unexpected location, at an unusual time, followed by activity that deviates from the account's established patterns. tirreno tracks login failures that may indicate credential testing, logins from new devices or locations, and sessions where the device or IP changes mid-session. Single-event sessions (a login with no subsequent activity) are flagged as consistent with credential validation rather than genuine use.

Data access that exceeds the role is a signal whether the user is malicious or simply careless. The CRM rep browsing accounts outside their territory. The ERP user pulling reports across cost centers they have never touched. The HR coordinator viewing executive compensation. tirreno builds behavioral baselines for each user and flags deviations in access scope, volume, and pattern, whether the deviation looks like systematic extraction or casual over-curiosity.

Off-hours and off-pattern activity is easy to detect when there is a behavioral baseline to compare against. Most employees use internal applications during business hours, from consistent locations, on consistent devices. A finance user approving invoices at 2 AM. A support agent accessing the CRM from a new country on a weekend. tirreno's night time activity rule flags access between midnight and 5 AM relative to the user's established patterns. Activity from unfamiliar infrastructure or sessions that break the user's established rhythm is flagged as a signal that warrants attention in combination with others.

Account and data modifications are where the damage often happens. The ERP user who edits a vendor's bank account details. The payroll processor who adjusts overtime hours. The CRM admin who changes the owner field on a high-value deal. When your application sends field change events through tirreno's API (specifying what field was modified, the old value, the new value, and the parent record context), tirreno maintains a searchable history of every modification tied to the session that made it. Email or password changes from unfamiliar devices or locations are scored as potential compromise indicators. This audit trail is the record that compliance teams, auditors, and incident responders need when investigating what an insider actually did.

Dormant accounts that reactivate are a persistent risk in organizations where offboarding is inconsistent. A contractor whose ERP access was never revoked after their project ended. A former employee whose CRM credentials still work. A service account for a legacy integration that nobody monitors. tirreno scores accounts inactive for 30, 90, or 365 days differently when they reactivate. Combined with device or location signals inconsistent with the account's history, a reactivated dormant account accumulates risk quickly.

IP and connection intelligence adds context to all of the above. An employee accessing a financial system through a commercial VPN, a TOR exit node, or datacenter infrastructure is behaving differently from one connecting through their normal residential or corporate network. tirreno's enrichment API resolves these signals and evaluates them locally as part of the overall risk score.

Why application-level monitoring instead of enterprise SIEM

Enterprise SIEM platforms correlate events across endpoints, network traffic, identity providers, cloud infrastructure, and physical access systems. They are also expensive, complex to deploy, and designed for organizations with dedicated security operations teams.

For teams building internal applications, particularly those in smaller organizations or companies that need insider threat coverage for a specific application rather than across their entire infrastructure, the SIEM approach is disproportionate. The application is the surface where the insider threat plays out. Monitoring its behavioral signals directly is more practical than correlating infrastructure logs from a dozen systems.

There is also a data governance consideration. Enterprise SIEMs centralize logs from across the organization, including personal behavioral data about employees. Routing that data to a SaaS SIEM means employee activity data leaves your infrastructure. For organizations operating under data protection regulation, or those that prefer to keep employee behavioral data within their own systems, self-hosted application-level monitoring is a more contained approach. tirreno processes everything on your infrastructure. Behavioral profiles, risk scores, and detection logs stay in your database, under your retention policies, queryable from your own systems.

The field audit trail as a compliance tool

For organizations subject to regulatory requirements around data integrity, access logging, or change management (SOC 2, GDPR, sector-specific financial or healthcare regulation) the field audit trail serves double duty as a compliance deliverable.

Every modification to tracked fields is tied to the user identity, device, IP address, and timestamp of the session that made the change. When an auditor asks who modified a vendor's banking details and when, or when an incident investigation needs to reconstruct the sequence of patient records an employee accessed, the answer comes from infrastructure you control.

A practical integration plan

Getting started does not require instrumenting everything at once. A phased approach lets you build coverage where the risk is highest first.

1. Inventory your self-hosted internal applications. List every application your organization runs internally: ERP, CRM, HR portal, document management, admin panels, partner portals. If employees, contractors, or partners log in to it, it belongs on the list.

2. Map the actions that carry operational damage. For each application, identify the specific operations that could cause harm if misused: approving payments, exporting client data, modifying pricing, accessing patient records, changing vendor bank details, downloading proprietary documents. These are your high-value events.

3. Assign a sensitivity level to every action. Not all operations carry equal risk. Classify each action by its potential impact: critical, high, medium, low. Changing a vendor's bank account is critical. Viewing a dashboard summary is low. This prioritization determines what you instrument first and how aggressively you score deviations.

4. Start with the least sensitive operations. Begin integration with lower-sensitivity events: logins, page views, session activity. This lets you validate the data pipeline, build behavioral baselines, and tune rule weights without immediately handling your most sensitive audit data. It also gives your team time to establish review workflows before high-severity alerts start flowing.

5. Deploy tirreno and connect your applications. Install tirreno on your infrastructure and integrate your applications by sending events to the sensor API. Start with the applications and actions you prioritized above, then expand coverage as your baselines mature. The insider_threat preset gives you a working rule configuration from day one. Adjust weights as you learn what normal looks like for your user population.

Start collecting behavioral data today

tirreno is self-hosted and open source, which means you can deploy it on your own infrastructure and begin capturing user behavior data from your internal applications immediately. You do not need SaaS onboarding, vendor evaluation, or an external platform holding your employees' activity logs.

The insider_threat preset provides a starting rule configuration, but the value begins with collection itself. Most teams building internal applications have no behavioral baseline for their users. They cannot tell what normal access looks like or distinguish routine activity from something that warrants attention. Every day your application runs without instrumentation is a day of behavioral data you don't have when you eventually need it.

Every weight is adjustable, and custom rules can be written in PHP to match the specific workflows and access patterns of your application. The same deployment covers external-facing threat scenarios (account takeover, credential stuffing, registration abuse) if your application serves both internal and external users.

Open source, download at tirreno.com/download. The developer guide covers field audit trail integration.
tirreno

Security framework

Use cases

How it works

Pricing

About

Download

Live demo

GitHub

Dockerhub

Documentation

Resource center

Learn

Account takeovers

Insider threat detection

Login & activity monitoring

Field audit trails

API abuse

Bonus abuse

Chargeback management

Fake accounts

Threat hunting

Transaction abuse

HIPAA monitoring

tirreno is an open-source security
framework that embeds protection
against threats, fraud and abuse
right into your product.

General team@tirreno.com
Support ping@tirreno.com
Security atdt@tirreno.com

Terms & conditions
Privacy policy
Imprint | Contact

Rue Galilée 7
1400 Yverdon-les-Bains
Switzerland Switzerland

©2026, tirreno. tirreno© is a trademark of Tirreno Technologies Sàrl. All rights reserved.

Valid HTML 4.01 (1999 specification)



Open-source security framework