IncydrTM Detection Features

Mitigate Insider Risk using file, vector and user signal

Launch Interactive Demo

What is Incydr?

Incydr is a SaaS data risk detection and response product that allows security teams to effectively mitigate data exposure and exfiltration risks without disrupting legitimate collaboration.

An agent continuously monitors all file activity on corporate Mac, Windows and Linux computers. Direct integrations to corporate cloud services like Google Drive and OneDrive detect when employees use the service to share files from computers and phones. Integrations with corporate email services such as Microsoft Office365 and Gmail detect when file attachments are sent to untrusted recipients.

Incydr detects data risk across computers, cloud and email
  • Sync activity to cloud applications like Dropbox and iCloud
  • Uploads to personal email and other sites through web browsers
  • Files sent through Airdrop or accessed by web apps like Slack
  • Sharing from corporate cloud services like GoogleDrive, OneDrive and Box
  • Email attachments from corporate Office 365 or Gmail
  • File deletions from user computers
Risk Exposure Dashboard
  • A company-wide view of suspicious file movement, sharing and exfiltration activities by vector and file type.
  • Reveals the top employees whose file activity needs investigation as well as concerning remote employee activity.
  • Quickly investigate Insider Risk as well as identify security awareness gaps, Shadow IT and policy violations.
Risk Detection Lenses
  • A view of activity for a subset of users who are at a higher likelihood of putting data at risk.
  • Examples include users experiencing an employment milestone, such as departure, or who have risk factors that require closer monitoring, such as contractors.
  • Adding users to a lens kicks off system alerts and user management workflows so you can programmatically protect data when it is most vulnerable.
High-Fidelity Alerts
  • Provide comprehensive event, file, vector and user information to quickly assess priority.
  • Can be emailed or sent to your system of record and are triggered based on a number of file and event criteria.
  • Alerts rules determine when you are notified by Incydr and not what activity is monitored. This ensures there are no gaps in context during Insider Risk investigations.

Incydr risk prioritization & signal capabilities

Off hours
Incydr identifies when an employee is typically active on their computer and uses this behavioral pattern to determine when a given user's endpoint file activity takes place at unusual times.

Untrusted domains
Incydr surfaces when files are emailed or uploaded to domains and URLs that are not considered trusted. Security users establish the trusted domains for their company.

Suspicious file mismatch
Incydr identifies when the MIME/Media type of a high-value file, such as a spreadsheet, is disguised with the extension of a low-value file type, such as a JPEG. This is indicative of attempts to conceal exfiltration.

Remote activity
Incydr uses IP addresses to determine which activity is taking place off-network and may indicate increased risk. Security users establish their in-network IP addresses.

User attributes
Incydr ingests user attributes like name, title, department, manager, and employment type (full-time, part-time, contractor) from a company's identity management system.

File categories
Incydr analyzes file contents and extensions to determine a file's category (e.g. source code, document or spreadsheet). Categories help to determine a file's sensitivity and value.

Lifecycle milestones
Incydr uses employment milestones, like employee departure, to identify when employees are at a higher likelihood of putting data at risk.

Activity thresholds
Security users can set thresholds for acceptable activity based on file count or size. These can be customized for a given user or vector.

Risk factors
Employees can be labeled with risk factors including contract employee, high impact employee, flight risk, performance concerns and elevated access privileges.

File archive (ZIP) detection
Incydr highlights exposure events involving .zip files since they may indicate an employee is attempting to take many files or hide files using encrypted zip folders.

Application monitoring
By default, Incydr monitors applications such as web browsers, Slack, Airdrop, FileZilla, FTP, and cURL. Organizations can easily add monitoring for additional applications such as WeChat, WhatsApp, Zoom and Amazon Chime.


Incydr integrates with top technologies to help correlate data risks, deliver actionable insights and improve the efficiency and effectiveness of customer workflows.

See all integrations right arrow icon

Interested in a free trial?

For companies with 200+ employees, we’d like to give you our best product plan at no cost for 60 days, with no commitment whatsoever.