Veriato Recon
Veriato Recon User and Entity Behavior Analytics

Insider Threat Detection Software

Veriato Recon

Get a Quote Watch Video Try It Free
Interop 2018 Best of Winner

Veriato Recon insider threat detection software combines machine learning and advanced statistical analysis to uncover indicators of compromise traditional preventative security measures miss, so you can better detect insider threats.

Behavioral Analytics Baseline

Behavioral Baselines

The insider threat detection software learns the behavior patterns in your company, and evaluates changes versus historical self and peer groups.
User Anomaly Detection

Anomaly Detection

Changes in behavior are identified in near real-time, and compared to sensitivity settings you control for prioritization.
Actionable Intelligence

Actionable Intelligence

Alerts are triggered on behavioral anomalies most indicative of insider threat in your organization, and rich activity data is stored for rapid review.

Your organization is, and will be, compromised by insiders.

Regardless of industry or company size, the fact is that people have become the perimeter. If you are not specifically looking for insider attacks, you are missing them. Veriato Recon combines behavioral analysis of technical indicators and psycholinguistic indicators to provide early warning of threats to your data security. An attacker, no matter how sophisticated, will cause a deviation from established behavioral patterns.

Elegantly Simple Tuning

Provides you with the ability to alert on meaningful behavioral changes that may indicate insider threat detection, without contributing to over-alert syndrome.

Anomaly Alert Threshold
Behavioral Baselines mini icon

Behavioral Baselines

Veriato Recon watches user activity, and using a combination of data science and machine learning, establishes what normal user behavior looks like.

Veriato Recon profiles multiple entities, includes users, peer groups, and groups created based on observed behavioral characteristics, enabling greater accuracy in anomaly detection.

Behavioral Groups mini icon

Behavioral Groups

After a short training period, Veriato Recon identifies groups of users based on observed behavior to enable more accurate baselines. Behaviors evaluated include resource and application access and usage.

Anomaly Detection mini icon

Anomaly Detection

Rules-based approaches to anomaly detection rely on human knowledge to be effective. Veriato Recon applies sophisticated algorithms to identify anomalies that would otherwise go undetected.

Alerting mini icon


Alerts are routed to your SIEM or other 3rd party data aggregation solution via direct connections or via syslog.  You can also choose to receive alerts directly, on a frequency you control. 

Veriato Recon looks at a wide range of user attributes to enhance insider threat detection

Indicators Compromise

Indicators of Compromise

Veriato has a long history of providing insight into user activity.  We understand the ways a true insider can exfiltrate data, as well as how hackers can lever compromised credentials to ‘become an insider’, and we watch for the changes in behavior that indicate your data security is at risk.  This includes data access and movement, as well as credential usage activity and a range of additional attributes.

Psycholinguistic Attributes

Psycholinguistic Attributes

Because Veriato Recon can see into the communications fabric of your organization, it is able to watch for changes to language usage that are known indicators of insider activity. The way people think, act, and communicate are linked. Shifts in to me and intensity and changes in language usage are detected, providing additional richness that aids in identification and prioritization of threats.

Common Uses

Data Leak Prevention

Specifically designed to augment traditional DLP and other preventative security measures, Veriato Recon identifies insider risk and threat to data security by watching for changes in data access and movement. A robust data security strategy requires focus on device, data, and user.

IP Theft

Malicious insiders and departing employees target valuable intellectual property. Veriato Recon not only alerts on the deviations in data movement that occur when IP is taken, it creates a system of record that supports best practices related to the threat that exists when employees leave.

High Risk Insiders

The behaviors of highly privileged users, employees involved in negative workplace events, and contractors need to be more closely inspected and monitored to protect against a damaging attack. Veriato Recon evaluates behavior shifts in near real-time, so security teams can focus resources where they can be most effective.


Designed to deliver the visibility and context you need to monitor and track employee activity.

Technical Indicators


Import groups from Active Directory, or let the software identify groups within your organization through automated pattern analysis of resource and application usage.


Self-learning of behavioral patterns for individuals and groups, driven by machine learning, enables no-touch understanding of what normal looks like in your environment.
Anomaly Detection 2

Anomaly Detection

Detecting deviations from established patterns enables early warning of insider threats.  An attacker, no matter how sophisticated, will cause a deviation from normal behavior. 

User Activity log

User Activity Log

Unlike many other User & Entity Behavior Analytics solutions, Veriato Recon maintains a definitive record of user activity for use in forensic investigations and incident response.



When an anomaly is detected, alerts can be fired based on your configuration settings so they fit into your workflow. 

Work with Veriato

Veriato 360 Integration

Move from detection to investigation within one console, with just a few clicks – enabling eyes on glass inspection of activity to inform and speed response.

Third Party Integration

Flow alerts into Splunk and Arcsight using direct connections, or via syslog to any application for aggregation, correlation, and reporting.

Get the information needed for decisions makers


See Veriato Recon Overview

Veriato Recon analyzes insider behavior, detects anomalies, and alerts when behavioral shifts suggest insider threats.

User Behavior Analytics and the Benefits to Companies

All companies should implement an effective insider threat detection program.

Frequently Asked Questions

How Veriato 360 and Veriato Recon work together?

The two solutions are designed to work together seamlessly. Operating from one console, you can deploy both User Behavior Analytics via Veriato Recon and User Activity Monitoring via Veriato 360.

This tight integration enables a proper coverage model – insuring lower risk employees behavior is baselined and analyzed, while higher risk employees activity is more closely monitored.

In addition, when Veriato Recon detects a meaningful anomaly in behavior, it’s a simple process to engage the power of Veriato 360 to quickly review the underlying user activity data – so you get the intelligence you need to act quickly and appropriately.

I own Veriato 360. Do I get the user behavior analytics functionality?

No. User behavior analytics is a function of Veriato Recon, and requires a Recon license.

How do I view the underlying activity data in Veriato Recon?

Veriato Recon logs the data it collects so it is available if you need it. Accessing the underlying activity data requires a Veriato 360 license. For many organizations, Veriato Recon stand-alone meets their goals. Organizations that recognize the benefits of combining User Behavior Analytics with User Activity Monitoring frequently purchase “floating” Veriato 360 licenses along with Veriato Recon. These floating licenses can be moved throughout the organization, so when the need arises to view the underlying data it is a quick and easy process to do so.

What is the difference between using an endpoint license rather than a floating license to unlock the data recorded by Recon?

If an endpoint license is used to unlock the recon recorded data, then this license cannot be used again on a different computer; it can only be used on the same computer. If a floating license is used to unlock the recon recorded data, once that machine is set back to recon mode, then the floating license can be used again on a different computer.

How long does Veriato Recon store the user activity data it logs?

The data can be stored for up to 30 days. On the 31st day data is logged, the first day’s activity log rolls off. The 30-day temporary retention period supports the best practice of reviewing the online activity of departing employees for the 30 days prior to notice of resignation, or prior to termination.

Does Veriato Recon take a user's behavior across multiple computers into consideration?

Yes, when a user uses more than one computer, transactional / metadata is shipped to the central database so that their behavior across each computer they use can be combined to generate an appropriate baseline of their behavior.

How does Veriato Recon’s baselining account for vacations, days off, or other similar schedule changes?

The solution has intelligence built in that allows it to, with no manual configuration, accommodate for users who log in for a full workday, partial workday or don't log in at all.

In the News


Blog Posts

Press Releases


To Get Started

Recorder (for computers & laptops being monitored)

  • Windows® 10, Windows® 8, Windows® 7, Windows Server 2012, Windows Server® 2008
  • Mac OS X 10.10 Yosemite, 10.11 El Capitan, 10.12 Sierra or 10.13 High Sierra running on a 64-bit Intel processor
  • Network Access (Networked on a Windows Domain or Workgroup)
  • Administrator share level access to computer for remote installation from the Management Console

Server (management console and data retention)

  • 64-bit Windows Operating System
  • Windows 10, Windows Server 2012 or Server 2016
  • Business-class Desktop (Quad Core I7 with 8 GB RAM)
  • 40 GB minimum free disk space (60 GB recommended)

Trusted by thousands of companies in more than 110 countries around the world.