Veriato Recon

Insider Threat Detection Software


Veriato Recon insider threat detection software identifies risks and threats that other solutions miss. People are the perimeter. Secure yours.


How it works

Powered by a mix of machine learning, advanced statistical analysis, and natural language processing, Veriato Recon creates an integrated user view by analyzing both structured and unstructured data.

The software then automatically establishes a baseline of normal user behavior, detecting and alerting on anomalous activities that are indicative of insider threats. This actionable intelligence is critical to early detection and prevention of insider attacks.

Anomaly Alert Threshold

Veriato has a long history of providing insight into user activity. We understand the ways a true insider can exfiltrate data, as well as how hackers can leverage compromised credentials to ‘become an insider’, and we watch for the changes in behavior that indicate your data security is at risk. This includes data access and movement, as well as credential usage activity and a range of additional attributes.


Our insider threat detection software employs an endpoint agent-based approach for superior continuous visibility.

We focus on user activity and behavior at the point of intersection with corporate data and systems. When insiders attack, they most often do so from the endpoint.

Veriato Recon is used to enhance data leak prevention. Specifically designed to augment traditional DLP and other preventative security measures, Veriato Recon identifies insider risk and threat to sensitive data security by watching for changes in data access and movement.
Malicious insiders and departing employees target valuable intellectual property. Veriato Recon not only alerts on the deviations in data movement that occur when IP is taken, it creates a system of record that supports best practices related to the threat that exists when employees leave. This helps protect intellectual property of all kinds, including source code and confidential business plans.
Insider Threat
Highly privileged users’ behavior needs to be more closely inspected and monitored to protect against a damaging attack, both while they are working on shared accounts or privileged accounts and when they are in ‘normal user’ mode. Veriato Recon evaluates behavior shifts in real time, so security teams can focus resources where they can be most effective.
Employees involved in negative workplace events, contractors with access to critical systems and sensitive data, and departing employees all present elevated risks to your information security. These high-risk insiders attack with greater frequency than others in their peer groups. Insider threat detection software uses anomaly detection to flag early warning signs of attack, and Veriato Recon also creates a log of user activity to facilitate rapid investigation and response.



52% of employees who leave an organization say they take sensitive data with them.
Veriato Recon also detects insider threats by analyzing the communications fabric of your organization, watching for changes to language usage that are known indicators of insider activity. The ways people think, act, and communicate are linked. Shifts in tone and intensity and changes in language usage are detected, providing additional richness that aids in identification and prioritization of threats.

A robust data security and insider threat program requires visibility at the device, data, and user levels. Adding Veriato Recon to your security stack provides you with powerful insight into the user behaviors and activities occurring within your organization.


Import groups from Active Directory, or let the software identify groups within your organization through automated pattern analysis of resource and application usage.


Self-learning of behavioral patterns for individuals and groups, driven by machine learning, enables no-touch understanding of what normal looks like in your environment.

Anomaly Detection

Detecting deviations from established patterns enables early warning of insider threats.  An attacker, no matter how sophisticated, will cause a deviation from normal behavior. 

User Activity Log

Unlike many other User & Entity Behavior Analytics solutions, Veriato Recon maintains a definitive record of user activity for use in forensic investigations and incident response.


When an anomaly is detected, alerts can be fired based on your configuration settings so they fit into your workflow. 

Veriato 360 Integration

Move from detection to investigation within one console, with just a few clicks, enabling eyes-on-glass inspection of activity to inform and speed response.

Frequently Asked Questions

How do Veriato 360 and Veriato Recon work together?

The two solutions are designed to work together seamlessly. Operating from one console, you can deploy both User Behavior Analytics via Veriato Recon and User Activity Monitoring via Veriato 360.

This tight integration enables a proper coverage model, ensuring lower-risk employees’ behavior is baselined and analyzed, while higher-risk employees’ activity is more closely monitored.

In addition, when Veriato Recon detects a meaningful anomaly in behavior, it’s a simple process to engage the power of Veriato 360 to quickly review the underlying user activity data – so you get the intelligence you need to act quickly and appropriately.

I own Veriato 360. Do I get the user behavior analytics functionality?

No. User behavior analytics is a function of Veriato Recon, and requires a Recon license.

How do I view the underlying activity data in Veriato Recon?

Veriato Recon logs the data it collects so it is available if you need it. Accessing the underlying activity data requires a Veriato 360 license. For many organizations, Veriato Recon stand-alone meets their goals. Organizations that recognize the benefits of combining User Behavior Analytics with User Activity Monitoring frequently purchase “floating” Veriato 360 licenses along with Veriato Recon. These floating licenses can be moved throughout the organization, so when the need arises to view the underlying data it is a quick and easy process to do so.

What is the difference between using an endpoint license rather than a floating license to unlock the data recorded by Recon?

If an endpoint license is used to unlock the Recon-recorded data, then this license cannot be used again on a different computer; it can only be used on the same computer. If a floating license is used to unlock the Recon-recorded data, then once that machine is set back to Recon mode, the floating license can be used again on a different computer.

How long does Veriato Recon store the user activity data it logs?

The data can be stored for up to 30 days. On the 31st day data is logged, the first day’s activity log rolls off. The 30-day temporary retention period supports the best practice of reviewing the online activity of departing employees for the 30 days prior to notice of resignation, or prior to termination.

Does Veriato Recon take a user's behavior across multiple computers into consideration?

Yes, when a user uses more than one computer, transactional / metadata is shipped to the central database so that their behavior across each computer they use can be combined to generate an appropriate baseline of their behavior.

How does Veriato Recon’s baselining account for vacations, days off, or other similar schedule changes?

The solution has intelligence built in that allows it, with no manual configuration, to accommodate users who log in for a full workday, a partial workday, or not at all.

To Get Started

Recorder (for computers & laptops being monitored)

  • Windows® 10, Windows® 8, Windows® 7, Windows Server 2012, Windows Server® 2008
  • Mac OS X 10.10 Yosemite, 10.11 El Capitan, 10.12 Sierra or 10.13 High Sierra running on a 64-bit Intel processor
  • Mobile devices running Android 5.0 Lollipop, 6.0 Marshmallow, 7.0 Nougat and 8.0 Oreo
  • Network Access (Networked on a Windows Domain or Workgroup)
  • Administrator share level access to computer for remote installation from the Management Console

Server (management console and data retention)

  • 64-bit Windows Operating System
  • Windows 10, Windows Server 2012 or Server 2016
  • Business-class Desktop (Quad Core I7 with 8 GB RAM)
  • 40 GB minimum free disk space (60 GB recommended)