Veriato  Formerly  known  as  spectorsoft-logo       Learn More

Veriato Recon Detect Insider Threats

Veriato Recon

Formerly Known as Spector 360 Recon

User Behavior Analytics Software

Veriato Recon analyzes insider behavior, detects anomalies, and alerts when behavioral shifts suggest insider threat to your data security. Veriato user and entity behavior analytics software uses advanced machine learning algorithms to deliver actionable alerts.

Veriato Recon - Detect Insider Threats - Analyze Detect Repond

Intelligent Baselining

The behavioral analytics solution understands what normal looks like, and focuses on behavioral indicators related to the security of information.
Veriato Recon - User Behavior -Actionable Alerts

Actionable Alerts

When insiders deviate from their technical or psycholinguistic baselines in a way that suggests insider attack, Veriato Recon alerts are triggered.
Veriato Recon - User Behavior Monitoring - Prioritize Act

Prioritize and Act

A secure log of the leader actions triggering the alert is maintained, enabling rapid investigation informing incident response.

Anomaly Detection and Alerting

When insiders go “rogue” their behavior changes as they shift from simply performing their function to engaging in activities that harm your organization.

The behavior analytics software watches for signs of change that are directly related to insider threats, and alerts you as soon as meaningful anomalies are detected. Armed with this early warning, you can proactively respond and protect your organization from the damage caused by insider attacks.

Behavioral Baselining

Veriato Recon user behavior analytics software watches user activity, and using a combination of advanced data science and machine learning algorithms, establishes what normal user behavior looks like.

Veriato Recon profiles multiple entities, includes users, peer groups, and groups created based on observed behavioral characteristics, enabling greater accuracy in anomaly detection. Built to be usable, the software’s simple step-by-step configuration and intuitive tuning enable organizations to rapidly benefit from the power of user behavior analytics.

Comprehensive User Activity Logging

Veriato Recon user and entity behavior analytics software collects and logs the underlying user activity data for up to 30 days. The activity is collected where it occurs – at the point where the user interacts with the systems and data. This provides the most accurate picture of what insiders are doing … and supports best practices for preventing IP theft by departing employees.

See Veriato Recon In Action



How Veriato Recon works

Veriato Recon records all of the same activity information that Veriato 360 user activity monitoring software collects. It analyzes this information to learn the normal behaviors with an organization. It also stores the information, securely and obfuscated, on the endpoint where the activity occurred for up to 30 days. Should a need arise to review the detailed activity data, Veriato 360 employee monitoring software can unlock the data and move it from the endpoint to the 360 database for review. When used together, Veriato Recon & Veriato 360 provide critical insider threat detection as well as powerful forensic capabilities - from one console and using one agent.

Powerful Features to keep you protected against insider attack



Attacks are not normal behavior. Having an established baseline of what normal behaviors exist within your organization gives you the starting point you need to effectively detect, prioritize, and respond to insider threats. Veriato Recon builds those baselines, and enables comparison against the historical patterns of individuals and groups, including groups created by the software based on observed behaviors.
Tech Indicator

Technical Indicators

There are many different ways a true insider can get data out of company control. Veriato Recon watches and learns the patterns and characteristics of insider use of each of these means, from moving data to shadow IT cloud storage solutions to tried and true methods like email and even low tech means like printing.

Psycholinguistic Indicators

One of the things that sets Veriato Recon apart from other offerings is its ability to flag psycholinguistic anomalies - changes in the way an insider uses language that are proven warning signs of attack. These range from shifts in tone and intensity to changes in word choice that linguistic experts and studies have shown to be indicative of heightened risk.
Anomaly Detection

Anomaly Detection

Detecting shifts from established behavioral patterns is a powerful method of identifying potential insider attacks that would otherwise be missed by solutions not specifically looking for them. Veriato Recon “sees” changes to behaviors that suggest data exfiltration potential and insider threat. These changes are compared to established baselines, and if they are meaningful enough, alerted on.


Alerts are triggered when anomalies are detected. Veriato Recon alerts on changes to both technical and psycholinguistic indicators, providing a unique and powerful source of information about potential problems. Alert frequency and delivery methods are configurable based on user preferences.


Many User Behavior Analytics solutions require significant professional service and expertise to tune to a particular environment.  Veriato Recon was built with ease-of-use and time-to-value in mind.  Alert thresholds can be easily tightened or loosened based on your requirements and situational awareness.


Direct integration with leading SIEM solutions are available. Anomaly alerts can also be sent via syslog and numerous other formats to align with security workflow and tools in use at your organization.
User Activity Log

User Activity Log

The software creates a comprehensive recording of activity data, and stores it securely for up to 30 days. This data can be accessed using Veriato 360 should the need to investigate arise. Controls exist to prevent unauthorized access of the data. For a complete listing of the activity data types Veriato Recon records, click here.
Veriato Recon & Veriato 360 Work Together

Works with Veriato 360

When User Behavior Analytics and User Activity Monitoring are utilized together, the time spent moving from detection to investigation and response is greatly reduced, and the ability to see clearly, exactly what occurred leading up to, and after, an alert is greatly enhanced. Veriato Recon and Veriato 360 work together seamlessly, from one console, to deliver maximum utility.

Frequently Asked Questions

How Veriato 360 and Veriato Recon work together?

The two solutions are designed to work together seamlessly. Operating from one console, you can deploy both User Behavior Analytics via Veriato Recon and User Activity Monitoring via Veriato 360.

This tight integration enables a proper coverage model – insuring lower risk employees behavior is baselined and analyzed, while higher risk employees activity is more closely monitored.

In addition, when Veriato Recon detects a meaningful anomaly in behavior, it’s a simple process to engage the power of Veriato 360 to quickly review the underlying user activity data – so you get the intelligence you need to act quickly and appropriately.

I own Veriato 360. Do I get the user behavior analytics functionality?

No. User behavior analytics is a function of Veriato Recon, and requires a Recon license.

How do I view the underlying activity data in Veriato Recon?

Veriato Recon logs the data it collects so it is available if you need it. Accessing the underlying activity data requires a Veriato 360 license. For many organizations, Veriato Recon stand-alone meets their goals. Organizations that recognize the benefits of combining User Behavior Analytics with User Activity Monitoring frequently purchase “floating” Veriato 360 licenses along with Veriato Recon. These floating licenses can be moved throughout the organization, so when the need arises to view the underlying data it is a quick and easy process to do so.

What is the difference between using an endpoint license rather than a floating license to unlock the data recorded by Recon?

If an endpoint license is used to unlock the recon recorded data, then this license cannot be used again on a different computer; it can only be used on the same computer. If a floating license is used to unlock the recon recorded data, once that machine is set back to recon mode, then the floating license can be used again on a different computer.

How long does Veriato Recon store the user activity data it logs?

The data can be stored for up to 30 days. On the 31st day data is logged, the first day’s activity log rolls off. The 30-day temporary retention period supports the best practice of reviewing the online activity of departing employees for the 30 days prior to notice of resignation, or prior to termination.

Does Veriato Recon take a user's behavior across multiple computers into consideration?

Yes, when a user uses more than one computer, transactional / metadata is shipped to the central database so that their behavior across each computer they use can be combined to generate an appropriate baseline of their behavior.

How does Veriato Recon’s baselining account for vacations, days off, or other similar schedule changes?

The solution has intelligence built in that allows it to, with no manual configuration, accommodate for users who log in for a full workday, partial workday or don't log in at all.

System Requirements


  • Windows® 10, 8, Windows® 7, Windows Vista®, Windows Server 2012, Windows Server® 2008
  • Mac OS® X 10.9 or higher running on a 64-bit Intel processor
  • Network Access (Networked on a Windows Domain, Workgroup, or Novell® Network)
  • Administrator share level access to computer for remote installation

Control Center

  • Windows 10, 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008
  • Network access to servers, database, PCs, and Macs monitored


  • Windows 10, 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008
  • Network access to the SPECTOR 360 SQL instance
  • Windows login or login privileges to the Database

Server Components

  • Windows operating system, x32 or x64
  • Windows Server 2012
  • Windows Server 2008
  • Windows Server 2003
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Vista
  • Enterprise class server (Pentium® III / Intel® Xeon®, 8 GB RAM) is recommended for ongoing use, but any newer Windows system is appropriate for evaluation.
  • SQL Server Host Server—OS in native English
  • SQL Server Host Server—NTFS file system (not FAT32)
  • Static IP address is recommended
  • 40 GB free disk space

Ready to get started? Try it Now