Forensic Search & App Intelligence Add Up to Complete Insider Risk Visibility

Traditional data loss prevention stops at detection. You get an alert. You know something happened. But you don't see the full picture.

When a departing engineer downloads your entire codebase over the holiday break, you need more than a policy violation. You need to see what they were doing before that moment, where the data came from, and what happened after. You need context, timeline, and the ability to trace every action.

This is the gap we kept hearing about from security teams: DLP alerts are the starting point, not the finish line. Real insider risk investigations require forensic visibility across all user activity, paired with intelligence about which applications pose the greatest exposure.

We've been listening. Today, we're introducing two capabilities designed to close that gap: Forensic Search and App Intelligence.

The Problem: Alerts Without Context

Policy-based detection works. It catches violations. But insider risk scenarios rarely present themselves as single, isolated events. Consider these situations:

A sales associate gets flagged for moving customer lists to a USB drive on January 1st. Was this an isolated incident or part of a pattern? What else did they download that day? Which systems did they access in the days leading up to it?

Your CISO wants to understand Gen AI adoption across the company. How many employees are using Claude or ChatGPT? Are they using corporate accounts with proper governance, or personal accounts that bypass your controls?

An engineer starts syncing code repositories to a personal Google Drive. The activity happens outside business hours, just before they submit their resignation. How much data moved? How long has this been happening?

These aren't hypothetical. They're the scenarios security teams face daily. And without complete visibility into user behavior over time, you're left guessing.

Forensic Search: Complete User Activity Timelines

Forensic Search provides a comprehensive view of all endpoint activity, enabling security teams to reconstruct exactly what happened during an insider risk incident.

The system captures raw events from endpoints: every file download, upload, copy-paste, sync operation, and application interaction. These events are indexed and searchable across 180 days of history, with timeline visualizations that make patterns immediately visible.

How It Works

The interface presents three core elements: a risk-coded timeline showing event density and severity, advanced filtering across dozens of parameters, and detailed event metadata including user identity, asset information, source and destination accounts, and session context.

Every data point is clickable. Select a user and the view updates to show only their activity. Click a destination like "Google Drive personal" and you see all uploads to personal cloud storage. The system handles hundreds of millions of events while maintaining responsive query performance.

Three Investigation Scenarios

Departing employee investigation: HR notifies you that an engineer has given notice. You search their username, expand the timeline to 90 days, and immediately spot a spike in critical risk activity during the holiday break. Zooming in reveals code files downloaded from GitHub to their device, then immediately synced to a personal Google Drive account. The identity metadata confirms it's a personal account (visible through account naming conventions and the person icon indicator). The timing—holidays, just before resignation—combined with the volume of code movement, signals clear exfiltration risk.

Policy alert follow-up: A sales associate triggers an alert for downloading customer lists. Forensic Search shows the complete story: multiple downloads from corporate Google Drive, followed by USB transfers. The files include customer lists, prospect data, and financial projections. The timeline reveals this wasn't a one-time action but a deliberate sequence of data gathering and removal.

Threat hunting: Routine checks surface a CFO uploading board meeting notes and financial projections to ChatGPT. The session metadata reveals the issue: they're using a personal ChatGPT account instead of the corporate-approved instance. This exposes a gap in your LLM policies where you've sanctioned the tool but haven't enforced account-level controls to prevent personal account usage.

In each case, you can export the complete event set and file manifest for documentation, compliance, or legal proceedings.
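The download-then-personal-sync pattern from the departing-employee scenario, written out as detection logic over a timeline. This is an added illustration, not Nightfall's code: the event records, the field names, the 30-minute window and the 08:00-18:00 business-hours assumption are all constructed here.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint events (not real Nightfall telemetry). Fields
# follow the metadata the article lists: user, action, source, destination,
# account type and the asset involved. Timestamps are ISO 8601, local time.
EVENTS = [
    {"ts": "2024-12-26T22:05:00", "user": "jdoe", "action": "download", "asset": "payments-svc.zip",
     "source": "github.com/acme-corp", "dest": "laptop-17", "account": "corporate"},
    {"ts": "2024-12-26T22:09:00", "user": "jdoe", "action": "sync", "asset": "payments-svc.zip",
     "source": "laptop-17", "dest": "drive.google.com", "account": "personal"},
    {"ts": "2024-12-27T10:30:00", "user": "asmith", "action": "download", "asset": "q4-customers.xlsx",
     "source": "drive.google.com/acme-corp", "dest": "laptop-04", "account": "corporate"},
    {"ts": "2024-12-27T10:45:00", "user": "asmith", "action": "sync", "asset": "q4-customers.xlsx",
     "source": "laptop-04", "dest": "drive.google.com", "account": "corporate"},
]

def user_timeline(events, user):
    """The basic forensic view: one user's events in chronological order."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])

def is_after_hours(ts):
    """Assumed business hours: 08:00-18:00, Monday to Friday."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def find_exfil_sequences(events, window=timedelta(minutes=30)):
    """Flag a download followed, within `window`, by a sync of the same asset
    to a *personal* account by the same user (the departing-engineer pattern).
    After-hours timing raises severity to critical. Returns a list of findings."""
    findings = []
    for user in {e["user"] for e in events}:
        evs = user_timeline(events, user)
        for i, d in enumerate(evs):
            if d["action"] != "download":
                continue
            t0 = datetime.fromisoformat(d["ts"])
            for s in evs[i + 1:]:
                t1 = datetime.fromisoformat(s["ts"])
                if t1 - t0 > window:
                    break  # timeline is sorted, so later events are outside the window
                if s["action"] == "sync" and s["account"] == "personal" and s["asset"] == d["asset"]:
                    findings.append({"user": user, "asset": d["asset"],
                                     "minutes_between": int((t1 - t0).total_seconds() // 60),
                                     "severity": "critical" if is_after_hours(t1) else "high"})
    return findings
```

The corporate-to-corporate sync by the second user is deliberately left unflagged: the same sequence without a personal destination is the normal case the investigator should not be paged for.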

App Intelligence: Visibility Into Shadow IT and AI Adoption

While Forensic Search answers "what did this user do," App Intelligence answers "what applications are employees using, and how safely?"

The reality of modern workplaces is that employees adopt tools faster than IT can provision them. A developer discovers an AI coding assistant. A sales rep starts using an automation workflow tool. A team begins collaborating in a new project management app. All outside the sanctioned software catalog.

App Intelligence surfaces this activity automatically, classifying every application by function and risk, tracking adoption trends, and providing the context needed to make governance decisions.

Application Discovery and Classification

The system identifies applications by analyzing endpoint activity and splitting web interactions by distinct function. Google is more than one app. It's Gmail, Google Drive, Docs, Sheets, Slides, and each is classified separately. The same granularity applies to every service your employees use.

Each application receives a risk score based on data handling practices, identity controls, and compliance posture. Classification tags identify Gen AI tools, AI agents, cloud storage, messaging platforms, and other categories relevant to data security.

The dashboard shows total application count, category breakdowns (like 19 AI applications currently in use), top apps by user adoption, and seven-day trend analysis highlighting the fastest-growing tools.

Adoption Trends and Early Adopter Identification

The seven-day snapshot reveals which applications are gaining traction. Workday appearing makes sense if you just migrated HR systems. Blue Shield of California showing up aligns with your benefits enrollment period. But what about Claude and Granola?

Clicking into Granola reveals 47 users, first seen four months ago, with high risk classification due to its audio recording and transcription capabilities. The user list shows who's adopted it. Now you can reach out to understand their use case before making a policy decision.

This isn't about blocking everything. It's about understanding what employees need to do their jobs, evaluating the risk, and making informed decisions about sanctioning, governing, or restricting each tool.

Instance-Level Visibility for Context

For applications with multiple instances, workspaces, or repositories, App Intelligence shows the breakdown across apps like GitHub: corporate repository, the React.js library some engineers contribute to, and potentially your users’ personal repos where they push code from their work machines.

That last one deserves investigation. Clicking through to Forensic Search shows user activity: what they’re pushing, when, and from which device. Maybe they’re innocently working on a side project using their work computer (still a policy violation). Or maybe they’re exfiltrating intellectual property. The data lets you determine which.
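One way the per-function classification, the risk tag, the seven-day adoption view and the instance-level GitHub breakdown described in the preceding sections fit together, as an added example rather than Nightfall's own implementation. The host catalog, the set of corporate GitHub orgs and the interaction records are all constructed for the demo.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Hypothetical catalog: host -> (app, category, risk). Google's services are
# keyed by host so Gmail and Drive are separate apps, as the article describes.
CATALOG = {
    "mail.google.com": ("Gmail", "messaging", "low"),
    "drive.google.com": ("Google Drive", "cloud storage", "medium"),
    "github.com": ("GitHub", "source control", "medium"),
    "chatgpt.com": ("ChatGPT", "gen ai", "high"),
}
CORPORATE_ORGS = {"acme-corp"}  # assumed: GitHub orgs owned by the company

def classify(url):
    """Map one web interaction to (app, category, risk, instance). For GitHub
    the instance is the repo owner, labelled corporate or personal."""
    u = urlsplit(url)
    app, cat, risk = CATALOG.get(u.hostname, ("Unknown", "uncategorized", "unknown"))
    instance = None
    if app == "GitHub":
        owner = u.path.strip("/").split("/")[0]
        instance = ("corporate:" if owner in CORPORATE_ORGS else "personal:") + owner
    return app, cat, risk, instance

def adoption_report(interactions, today, days=7):
    """Per-app user counts, per-instance user counts, first-seen date and a
    new-in-the-last-`days` flag. `interactions` are (date, user, url) tuples."""
    report = {}
    for day, user, url in interactions:
        app, cat, risk, instance = classify(url)
        r = report.setdefault(app, {"category": cat, "risk": risk, "users": set(),
                                    "first_seen": day, "instances": {}})
        r["users"].add(user)
        r["first_seen"] = min(r["first_seen"], day)
        if instance:
            r["instances"].setdefault(instance, set()).add(user)
    for r in report.values():  # collapse sets to counts for the dashboard
        r["users"] = len(r["users"])
        r["instances"] = {k: len(v) for k, v in r["instances"].items()}
        r["new_this_week"] = today - r["first_seen"] < timedelta(days=days)
    return report

# Constructed interactions for the demo (not real data).
SAMPLE = [
    (date(2024, 10, 3), "jdoe", "https://github.com/acme-corp/payments"),
    (date(2025, 1, 6), "jdoe", "https://github.com/jdoe-personal/side-project"),
    (date(2025, 1, 6), "asmith", "https://drive.google.com/drive/my-drive"),
    (date(2025, 1, 8), "cfo", "https://chatgpt.com/c/abc"),
]
```

Running `adoption_report(SAMPLE, date(2025, 1, 9))` marks ChatGPT and Google Drive as new this week while GitHub, seen months earlier, is split into one corporate and one personal instance.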

Direct Policy Integration

App Intelligence enables action. If you identify an unsanctioned file-sharing service with no identity controls and no legitimate business use, you can add it to a domain collection directly from the interface. That collection feeds into your exfiltration policies, blocking uploads immediately.

The same applies to specific instances. Blocking Bob Smith's personal GitHub repo takes seconds, while leaving corporate repositories and sanctioned open-source contributions intact.

Why This Matters: The Shift from Detection to Investigation

Traditional DLP operates in a binary: policy match or no match. This works for preventing obvious violations, like blocking credit card numbers in Slack or flagging source code uploads to personal cloud storage.

But insider risk is rarely that clean. It's an engineer who gradually loses engagement and starts hoarding code over several weeks. It's a sales rep who doesn't realize customer lists are company IP. It's an executive who accidentally uses a personal AI account instead of the corporate instance.

These scenarios require investigation, not just detection. You need to understand intent, establish patterns, and differentiate between mistakes and malicious behavior.

Forensic Search provides the timeline. App Intelligence provides the application context. Together, they give security teams the visibility needed to move from reactive alerting to proactive risk management.

Built on the Same Endpoint Client

Both capabilities run on Nightfall's existing endpoint client, with no additional performance impact. The same agent that enforces your DLP policies now captures comprehensive event telemetry for forensic analysis and application discovery.

This architecture matters. It means no new agents to deploy, no additional endpoint overhead, and unified visibility across detection and investigation workflows.

The data remains fully under your control. All detection models run in Nightfall's secure AWS environment. Customer data is never used for training. Forensic Search and App Intelligence surface metadata, risk indicators, and event counts, never the sensitive payloads themselves.

What's Next

Forensic Search and App Intelligence will be available in February 2025 as part of the Nightfall Complete bundle. Both features are built to support iterative improvement based on customer feedback as deployment scales.

The goal isn't just to add features. It's to fundamentally change how security teams approach insider risk by moving from isolated alerts to complete investigative workflows, from reactive blocking to informed governance, and from guessing about application sprawl to making data-driven adoption decisions.

See our full session on forensic search and app intelligence from our product webinar here.

If you're dealing with insider risk scenarios that require more than policy alerts, or if you need visibility into which applications your employees are actually using, schedule a demo to see Forensic Search and App Intelligence in action.
