At conferences and in boardrooms, everyone points to UEBA as the silver bullet for insider risk, fraud, and information security.
But the deeper I dig, the more I realise this view is dangerously incorrect.
While UEBA is a powerful processing engine, organisations often mistake its technical sophistication for total visibility. If we want to know whether this technology actually meets your specific risk profile, we have to look past the vendor marketing.
To do that, we must understand the evolution of these systems, the specific use cases they were built to solve, and where they ultimately hit a ceiling.
Below, I have outlined the four key areas that define the reality of UEBA in 2026:
The Evolution: From Human To Machine
The industry focus on insider threats was catalysed by the 2013 Snowden leaks, shifting attention toward information compromise.
UEBA is the result of that shift. It is a high-dimensional data science engine designed to ingest massive volumes of telemetry and establish a baseline of “normal.” Gartner formally defined it in 2015 as an evolution of UBA, moving us from just tracking human logins to tracking “Entities” – servers, routers, and IoT devices.
The UEBA Maturity Timeline (figure not reproduced here).
The Detection Ceiling: 8 Core Use Cases
Historically, UEBA has been built for IT environments. To provide comprehensive insider risk coverage, it must address these 8 specific vectors:
- IP Theft & Exfiltration: Monitoring the movement of sensitive intellectual property.
- Fraud & Conflicts of Interest: Identifying anomalies or relationships in financial systems, transaction patterns, or data.
- Internal Control Compromise: Spotting unauthorised “super user” creation or configuration backdoors.
- Terrorism: Correlating HR “disgruntled” markers with internal communication sentiment analysis.
- Espionage: Targeting “low and slow” data accumulation and “Whole Person” indicators (e.g., undocumented travel).
- Workplace Violence: Using NLP on communication logs to detect hostility precursors.
- Workplace Sabotage: Detecting digital threats (e.g., malicious encryption), OT threats (unauthorised access), and physical threats against critical assets.
- Foreign Interference: Monitoring third-party accounts for lateral moves into sensitive domains.
The Critical Infrastructure Blind Spot
Here is where the UEBA illusion shatters.
There is a fundamental difference between a standard corporate office and a complex environment like infrastructure, high tech, or advanced manufacturing.
If turning off your building’s HVAC system only causes an inconvenience for your staff, UEBA alone is ideally suited for your business.
But if you run an airport, a medtech factory, or an electricity network? Traditional UEBA has a massive blind spot.
These environments require a “Multi-Domain” fusion of IT, OT, HR, Facilities, and Physical Security (PACS) data. An IT-only view cannot detect an operational sabotage event that originates with a wrench in the physical domain or the theft of samples from a laboratory freezer.
It lacks the context to see the “Whole Person” risk.
What Does “Good” Actually Look Like?
A mature insider threat detection capability is not bought in a box; it is built around your specific operating environment. “Good” requires a multi-domain solution capable of doing two things simultaneously:
- Detecting statistical anomalies in cyber / IT data.
- Executing scenario-based detection for Low-Probability, High-Impact (LPHI) kinetic events.
This multi-domain solution also needs to support the ‘8 Core Use Cases’ outlined above as they relate to your organisation.
Scenario-based detection takes time and expertise to develop. My operational deployment process follows a strict methodology:
- Identify: Start with the specific kinetic and digital risks and the critical assets.
- Model: Develop detailed typologies for each scenario using intelligence analysis and threat modelling techniques.
- Engineer: Build the detection logic using detection engineering methods.
- Train: For LPHI scenarios, data availability is often minimal. You must rely on a rules-based approach or develop synthetic training data based on real-life scenarios and workplace monitoring.
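The two capabilities described above (a statistical IT baseline and a scenario-based multi-domain rule) and the Identify/Model/Engineer/Train process are illustrated in the added example below. It is not the author's tooling; the user, HR status values, badge events and OT audit records are constructed sample data, and the sabotage scenario logic (HR risk marker, out-of-hours plant entry, OT configuration change within a window) is a hypothetical typology written for this illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry for one user (not real data).
IT_LOGINS = {"u.smith": [5, 6, 5, 7, 6, 5, 6, 5, 6, 7, 5, 6, 6, 6]}  # daily logins, 14 days
HR_STATUS = {"u.smith": "notice_period"}  # hypothetical HR risk marker
PACS_EVENTS = [  # badge reads from the physical access control system
    {"user": "u.smith", "door": "plant_hall_B", "ts": "2026-03-01T14:05"},
    {"user": "u.smith", "door": "plant_hall_B", "ts": "2026-03-02T02:15"},
]
OT_EVENTS = [  # engineering-workstation audit log (hypothetical format)
    {"user": "u.smith", "asset": "plc-line-3", "action": "config_write", "ts": "2026-03-02T02:40"},
]


def it_zscore(user, todays_logins):
    """IT-only baseline: how far today's login count sits from the user's norm."""
    hist = IT_LOGINS[user]
    return (todays_logins - mean(hist)) / (pstdev(hist) or 1.0)


def sabotage_precursor(user, window_minutes=60):
    """Scenario rule (hypothetical typology): HR marker + out-of-hours plant entry
    followed within the window by an OT configuration change.
    Returns the matched evidence, or None when the scenario does not apply."""
    if HR_STATUS.get(user) not in {"notice_period", "terminated"}:
        return None
    for badge in (b for b in PACS_EVENTS if b["user"] == user):
        t_badge = datetime.fromisoformat(badge["ts"])
        if 6 <= t_badge.hour < 20:  # normal shift hours: not suspicious on its own
            continue
        for ot in (o for o in OT_EVENTS if o["user"] == user and o["action"] == "config_write"):
            gap = datetime.fromisoformat(ot["ts"]) - t_badge
            if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                return {"user": user, "door": badge["door"], "asset": ot["asset"],
                        "minutes_after_entry": int(gap.total_seconds() // 60)}
    return None


if __name__ == "__main__":
    # The IT baseline sees nothing: six logins is entirely normal for this user.
    print("IT z-score:", round(it_zscore("u.smith", 6), 2))
    # The fused scenario fires on the same day using HR, PACS and OT data.
    print("Scenario:", sabotage_precursor("u.smith"))
```

The point of the contrast is that the user's IT telemetry is statistically unremarkable, so only the cross-domain scenario rule surfaces the LPHI precursor.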
The Bottom Line
Stop relying on generic IT baselines to protect critical infrastructure.
If your detection capability isn’t tailored to your specific physical and digital assets, you don’t have total visibility.
You just have a very expensive dashboard.
Further Reading
- Curwell, P. (2026). The Detection Gap: Why High-Stakes Assets Require High-Maturity Defense
- Curwell, P. (2026). The 90/10 Problem: Why We Are Blind To The Insider Risks That Matter Most
As published on LinkedIn.