What is Incydr and
why do I need it?

Incydr is going to revolutionize your insider risk posture.

But don’t take our word for it, check out this explainer then trust yourself to make the right call.


If you’re reading this, you’re probably a Security Architect and (quite frankly) hats off to you.

You’re not only a strategic planner, you’re also the person who actually builds and executes the security strategy in the field.

That ain’t easy.

We’d love to preach the time-saving, cost-saving, personal benefits of Code42’s Incydr…but that’s not really what you need right now.

Maybe you’ve got a new security mandate, or you’ve identified a gap in your tech stack and need a solution to close it.

Either way, as you consider Incydr, you’re going to want to get into the nitty-gritty of how it actually works.

Because the only way you’ll know if it’s a fit is by looking under the hood.

So, let’s pop it.


Under the hood

An overview of Incydr fundamentals

Incydr is a SaaS, data risk detection and response product for managing Insider Risk.

Using a sophisticated endpoint agent and API integrations, it monitors file activity and intelligently detects data exposure events (like when data is moved, shared, or taken outside your perimeter).

With Incydr, security isn’t lumbered with defining what’s acceptable or unacceptable through policy—minimizing deployment time.

That’s because it monitors for any file moving activity then removes noise by filtering out data moved to trusted sources. This lets you prioritize users and file activity that need immediate attention.

This prioritization, combined with Insider Risk Indicators, ensure you only get the alerts you need.

Incydr sends file, vector, and user information on detected events to the Code42 cloud to power Incydr’s detection, investigation and response capabilities.

And because the analysis takes place in the cloud, the Incydr agent’s impact on user devices is miniscule

(we’re talking average specs like 0-5% CPU and 30-80MB memory).

It’s lightweight because we value productivity and because no one likes pushback during rollout.

We rolled out Incydr in two months. I don’t know anybody who’s able to do that with a company of 500 people.
— Dustin Fritz, 
Senior Security Architect at UserTesting

Before we get into exactly how it does this, feel free give your mouse a workout and click around for some more info on the different components.

This diagram shows the workflow and architecture of the product. It starts with the data collected by Incydr, moves into the key ways that data is analyzed and presented, and ends with Incydr’s response control mechanisms.

Prioritize & Alert
Investigate & Contain
Respond & Remediate

Endpoint + Media

The agent is configured to monitor files transferred via USB, browsers, Airdrop, applications, and more.


Incydr monitors files that are publicly shared or sent to external users.


Incydr monitors emails with attachments that are sent to untrusted email addresses.

Incydr Context Flows

Automatically ingest important context in order to to streamline Insider Risk Management workflows.

Identity IAM

Incydr integrates with Identity Access Management (IAM) to authenticate users and ingest contextual attributes.


Incydr integrates with HR platforms to streamline workflows around key milestones such as departure.

User PAM

Incydr integrates with Privileged Access Management (PAM) to get context that helps you better monitor privileged users.

Endpoint Agent

Incydr’s agent can be installed on Windows, Mac, and Linux desktops/laptops.

Cloud + Email Connectors

Incydr uses direct integrations to monitor corporate data systems like OneDrive, Google Drive, Box, Gmail, and Microsoft 365.

Open APIs & SDKs

Incydr’s open API, SDK, and CLI allow you to automate workflows and integrate into your existing tech stack.


Incydr sends file, vector, and user information on detected events to the Code42 cloud to power Incydr’s Insider Risk Management capabilities.

File Context

Incydr monitors all file activity and collects rich file metadata—allowing you to investigate any file exfiltration event.

Vector Context

Incydr covers vectors across laptops, email, cloud, and mobile to accurate pinpoint how files left and where they went.

User Context

Incydr ingests and correlates user attributes, milestones, and behavior to detect when data is at a higher likelihood of risk.


Incydr’s Trust and Prioritization Models ensure you know the difference between harmless file movement and actual data leak or theft.

Prioritize & Alert

Trust: Defined and Inferred Trust capabilities reduce noise by focusing only on data moving outside the perimeter of trusted devices and destinations.

IRIs: Incydr’s library of Insider Risk Indicators (IRI) are activities or characteristics that suggest data is at a higher likelihood of exposure.

Prioritization: Incydr uses IRIs to prioritize the users and activities that matter most, so you know what needs your immediate attention.


Incydr makes it easy to compile the evidence you need to take fast, informed action.

Forensic Search

Incydr’s powerful search interface allows you to quickly query all file, vector, and user metadata in seconds, even when devices are offline.

File Access

Incydr uses Risk Detection Lenses to provide a focused view of activity for a subset of users who are at higher likelihood of putting files at risk with authorized security team members viewing the file contents and activity so you can verify the accuracy of anything flagged as a risk.


Cases allow you to document notable details from your investigation, then disseminate them to stakeholders in legal or HR.


Incydr employes containment, resolution, and education strategies so you can take a right-sized response at speed.


Stop further data exposure while you investigate using user, network, or device controls.


Address and remediate a data exposure event detected by Incydr.


Make users more risk-aware to decrease future data exposure events.


Incydr integrates with systems such as Security Orchestration, Automation and Response (SOAR) to avoid blanket responses and controls.

Incydr Response Flows

Automate integrations with corporate systems to enable controls that are right-sized to an event’s severity.

Spec sheet:

  • Mac, Windows, and Linux compatible
  • 2-week average deployment time
  • 230% ROI in 3 years
  • Agent on endpoint can be deployed silently

Ready to see this thing in action?

Let’s talk about a Proof Of Value experience.

Alternatively, read on as we dive into the details…


The Nitty-Gritty

Here come the nuts and bolts

Let’s talk monitoring.

Incydr monitors all file activity—allowing you to investigate any file exfiltration event.

Goodbye, policy creation—hello, speedy deployment.

The way our agent and cloud integrations monitor events also means there are no proxies, SSL inspection or browser plugins to configure and maintain.

Incydr covers the most common data exfiltration vectors including laptops, cloud applications, browsers, and mobile devices (among others) and pulls events together in a Risk Exposure Dashboard, giving you a holistic view of all the data movement within your organization.

Protecting data is what it’s all about, so we’ve tied all monitoring to file activity, avoiding the way keystroke monitoring and “big brother” techniques erode mutual trust in the organization and damage workplace culture.

All this monitoring sounds pretty noisy, right?

Not if you’re a supremo at filtering out what’s harmless and prioritizing what matters.

Let’s talk trust and prioritization.

We don’t like noise and neither do you.

So Incydr begins by automatically filtering out Trusted Activity—the sanctioned stuff. From there it prioritizes your highest risk users and activity to provide you with a clear understanding of risk.

Which is why we broke free of the I-am-not-going-to-explain-why- something-is-flagged approach many solution providers take in an attempt to protect their “special sauce.”

We’ve decided it only works if we 
“show our work”, so here goes nothing…

The good stuff is automatically detected using Incydr’s Defined and Inferred Trust capabilities.

If a file is moved to a corporate-owned destination (e.g. your enterprise’s Google Drive), the event is marked as trusted.

Trusted activity is logged for reporting purposes, but since the file hasn’t left your managed environment, it doesn’t meet the risk detection criteria needed to trigger alerts.

The risky stuff is detected using Insider Risk Indicators (IRIs).

These are activities or characteristics which indicate your data is at a higher risk of exposure or exfiltration.

Some examples:

Off hours activity: File activity outside normal behavior patterns.

Suspicious file mismatch: When high-value files like spreadsheets are disguised with low value file type like .jpg.

Employee departure: A milestone indicating employees are at a higher likelihood of putting data at risk.

Incydr looks for these (and 60+ more) IRIs when monitoring file activity—and does so across all vectors of exfiltration.

Each IRI has a numerical risk score. Added together, this cumulative score defines the severity of the event and gives you prioritized activity alerts. Incydr also prioritizes your highest risk users based on the number and severity of events they trigger.

These IRI scores are based on rigorous qualitative research into security practitioner experiences as well as our product telemetry.

And if you want to adjust things to meet your personal risk tolerance—you can with ease.

Examples of Risk Scoring

Triaging crazy amounts of alerts isn’t practical, so our model tightens the focus on critical security events. Our customer averages show that between 1% and 4% of users trigger a critical severity event in a given week.

But once you’re alerted to real data risk, what controls are available to you?

Time for some informed responses…

Let’s talk right-sized responses.

So thanks to Incydr’s monitoring, you have:

  • Visibility to which files are being moved, where, when and by whom.
  • Prioritized alerts on file, vector and user IRIs.

This means you know what to act on and have the context you need to respond—fast.

But what is that response?

We believe there’s no one-size-fits-all response to Insider Risk, so we’ve broken them down into three categories:


Occurs at a user, network, or device level to stop further data exposure while security investigates.

  • Conditional access controls
  • Disable USB
  • Stop local sync apps
  • Network contain device
  • Lock device


Address and remediate a data exposure event detected by Incydr.

  • Require action from user
  • Escalate to manager
  • Escalate to HR
  • Escalate to legal


Reduces future data exposure by changing user behavior (over time this will also improve your organization’s risk posture).

  • Assign microtraining
  • Send policy for acknowledgement

These controls can be used together or exclusively, for example, you may have an event that involves a Contain and an Educate control.

You can find out more about our responses here.

Contain, resolve, and educate in response to a critical severity event

A departing employee sends a 2021_Documents.xip file using ProtonMail
Incydr alerts you to this critical severity activity
Use Incydr Flows with the following tool to a right sized response


Remove identity access in Okta


Reach out to the user via a pre-populated Slack message, and follow up with an attestation of deletion via DocuSign


Assign a microtraining on their rights to corporate data when leaving the company

Code42 Instructor lessons

These responses are primarily delivered through Incydr Flows, Code42 Instructor lessons, and direct integrations with products such as SOAR, IAM, and EDR.

What are Incydr Flows?

  • Monitor everything
  • Filter out trusted activity, leaving only untrusted activity
  • Prioritize your biggest risks
  • Respond to detected risk by containing, resolving, and educating
  • Protect data and see risk posture improve over time

And once you’ve identified malicious or high-impact incidents, Incydr’s Cases feature provides an efficient way to compile, document and disseminate the pertinent investigation details.

We all love a filing cabinet but let’s get real.

If you want to explore how we stack up to the competition, you can read our

Code42 – Build vs. Buy Guide


How needy is it?

Here come big results… and minimal requirements

No one likes a prima donna.

That’s why Incydr is big on results and small on requirements in the areas that matter most.


Our specialists achieve an average deployment time of 2 weeks with less than 10 hours of committed time.

This is possible because there’s no heavy duty policy creation—Incydr monitors everything (then intelligently filters and prioritizes).


Incydr is cloud-native and environment-agnostic.

Incydr integrates with technologies across the SIEM, SOAR, IAM, PAM, ITSM, and HCM categories to provide a complete Insider Risk Management solution. You also can integrate with any SIEM via command line interface integration.

You can leverage the Developer Portal to perform your own custom automations and scripting.

Development Portal:

Develop your own REST-based application leveraging the Code42 API for automation and scripting. And find resources on how to do it.


We can also provide consultation and tech resources to help you during integration (and beyond).

Our integrations include:


What’s in it for me?

Here comes the what it could look like moment

We believe that by using Incydr you can assess
(and improve) your Insider Risk Posture in 6 key areas:

Click to find out more

Corporate Date Leak

  • Source code exfiltration
  • Salesforce report exfiltration
  • Business document exfiltration

Security Policy Compliance

  • USB file exfiltration
  • AirDrop file exfiltration
  • Zip file exfiltration
  • Printer exfiltration
  • Suspicious file mismatch

Cultural Risk Awareness

  • Departing employees who exfiltrate data
  • Employees by department who exfiltrate or expose data
  • Employees by management level who exfiltrate or expose data

Insider Risk Cases

  • Open insider risk cases
  • % of cases by user risk factor (departing employee, flight risk, elevated access, etc.)
  • % of cases by right-sized response action (contained, resolved, educated)

Shadow IT Use

  • Corporate cloud files shared outside trusted domains
  • Files exposed to personal emails
  • Files exfiltrated via messaging systems (Slack, Teams, WhatsApp, Facebook, etc)

3rd Party Risk

  • Contractors who exfiltrate or expose data
  • Events of non-company users modifying files in corporate cloud apps
  • Publicly shared links

So this all sounds pretty great, right? But how good is Incydr at actually doing this? And how will it behave with your data?

There’s only one way to find out…

Sign up for our Proof of Value experience.


What’s next?

Here comes the test drive

Hopefully it’s clear why so many leading security architects choose Incydr to strengthen their insider threat strategies.

The only thing left is to show you how it behaves in the field.

Because with insider threat management, seeing is believing.

So the next step is setting up a Proof of Value –a free, mini-deployment.

The Proof of Value experience allows you to get a snapshot of your risk posture with a focus on the six areas outlined in Chapter 4.

You’ve already read about how simple and fast Incydr deployment is, and with the PoV, you’ll be up and running in as little as an hour with no disruption to end-users or rules to set up.

If seeing how Incydr integrates into your security stack is the most important next step for you, we also have a full product pilot option.

What’s included in the PoV?


20 users for 20 business days, in your own environment, with your own data

Cloud Connectors

Set up Box, Google Drive, or OneDrive and see how Incydr detects and responds in cloud applications

Deployment Software:

MDM solutions, Jamf, SCCM, and InTune

Operating Systems

PoV deployment is available for Windows 
or Mac

I joked that Code42 Incydr is like opening Pandora’s Box because you’re suddenly going to see all of the activity, along with a lot of great telemetry data points. Our eyes were opened to things we weren’t expecting to see… the Insider Risks we weren’t looking for.
-KT Boyle, Senior Manager of Cybersecurity.

If you’re ready to take your security strategy to the next-level,

Let’s talk options.