Skip to content
CASE STUDY

Insider Threat Investigations with Liferaft

Organizations today face an increasingly complex insider threat landscape. From disgruntled employees posting threats on social media to high-risk terminations that could escalate into workplace violence, security teams need proactive tools to identify and monitor potential risks before they materialize into incidents.

This case study examines how multiple organizations successfully implemented Liferaft to transform their insider threat programs from reactive to proactive, enabling them to detect concerning employee behavior, monitor high-risk individuals, and prevent potential workplace violence incidents through comprehensive social media investigation capabilities.

Background.

The organizations featured in this case study represent diverse industries, including healthcare, financial services, technology, and corporate security, all facing similar challenges with insider threat detection and employee wellfare. These teams ranged from small security operations with 2-3 analysts to enterprise global security operations centers managing thousands of employees across multiple locations.

 

Common characteristics:

  • Responsibility for workplace violence prevention and employee safety

  • Need to liase on employee wellfare during high-risk periods such as layoffs, terminations, or organizational changes

  • Limited tools for proactive social media investigations

  • Manual processes for investigating concerning employee behavior

  • Gaps in coverage between HR incident reporting and security response

The Challenge.

Security teams face multiple interconnected challenges when managing insider threats:

  • Reactive threat detection: Incidents were often identified only after escalation, limiting teams’ ability to intervene early.
  • Manual, resource-heavy investigation:
Tracking threat actors required time-consuming manual effort and still left gaps in coverage.
  • Intellectual property exposure risks:
Insider access to sensitive data created vulnerabilities, especially during offboarding or employee transitions.
  • Difficulty tracing
insider leaks:
Identifying the source of information leaks was complex and often relied on informal or reactive investigation methods.
  • Limited visibility
post-termination: 
Organizations lacked tools to ensure workplace safety during high-risk periods after departure.
  • Missed behavioral
warning signs: Teams struggled to detect subtle changes in online activity or behavior that could signal emerging risk.

The Solution.

Liferaft for Insider Threat Investigations

 

Automated Employee Social Media

Investigations Teams set up queries to monitor for concerning language patterns: “We're looking at any sort of executive mentions combined with certain keywords that may indicate physical violence,” explained one implementation. The system automatically collected posts mentioning the company combined with threat terms like “kill,’ “murder,” or “gun.”

 

Deep & Dark Web Monitoring

Security teams also leverage Liferaft to surface potential insider activity or data exposure across deep and dark web sources. “We’re able to identify leaked credentials, internal documents, or employee discussions appearing in restricted forums and marketplaces,” noted one customer. This visibility helps organizations quickly assess potential compromises and mitigate risks before they escalate.

 

Standard Operating Procedures For High-Risk Terminations

“What we're seeing more and more often is teams will automatically as a standard operating procedure, mark that person's account as a following just for a set period of time, typically 60 to 90 days post termination, where you can then monitor and document all of the posts that are made public,” described one implementation.

 

Workplace Chatter Monitoring

Teams monitored sites like Glassdoor, The Layoff, and Team Blind for employee grievances. “We can track any website of interest through the custom buckets capability. A lot of teams will do is some of them are actively mentioned on forums where people can register for those sites using a company email domain and then post anonymously about pending layoffs, mergers, or acquisitions, changes in leadership.”

 

Rapid Identity Resolution

When threats emerged, teams used People Search to quickly identify other social media accounts and personal information. “This workflow makes sense to kind of go a little bit more in depth and actually validate that it actually is or is not the same person,” noted one investigator. “Having that whole workflow within this platform, I think I see a lot of value in that.” 

Customer Perspective

“I think it's a great tool,” summarized one healthcare security professional after implementing Liferaft for insider threat investigations.

An investigator highlights the workflow benefits: “This platform is incredibly thorough. I appreciate how the workflow goes in depth on areas that other platforms often overlook. Having the entire workflow built into one system delivers tremendous value.”

For organizations managing workplace violence prevention programs, the impact was clear: “What we're going to do is we need some type of alerting service that can prompt us to say, hey, this person is commenting on the company in a negative way... This person just showed up in a local newspaper or just got arrested... So we need something reliable that can give us that real time alerting so that we can be proactive.”

Real World Example.

Nuclear Facility Insider Threat 

One particularly compelling case involved an employee at a nuclear power facility who exhibited escalating concerning behavior on social media. “This is an individual that we found posting about their job at a nuclear power plant. They ended up posting some very questionable content over the next few days, ended up getting fired and then said they were going to come back and do some pretty nasty things to their former employer” the analyst explained. “Using this following tool and not worrying about the types of keywords that he was posting was really impactful. We could just start to pull in every single post he made. And because it’s from X, it was very much in real time.”

The Key Insight

The key insight: “A lot of this stuff would end up getting removed or shut down, or maybe the account even taken off of X or Facebook or Instagram. But now you have this, it’s memorialized in the system. If you need to share with authorities or just need to retain access to it.”

The Liferaft Following feature captured the complete timeline

Initial posts bragging about the job and posting photos from the facility 

Posts about being intoxicated and having to go to work in a company vehicle
Termination for showing up to work drunk
Post-termination threats including purchasing a shotgun and planning to "stream the event live"
Posts about fleeing to the Canadian border

CONCERNING POST DETECTED ON X USING LIFERAFT

“Ordered my mossberg 500 12 gauge shotgun... picking it up tomorrow at 8 AM, eastern time... will post the link tomorrow, so you can witness this live.”

Customer Outcomes.

Protected employees and secured operations during multiple crises

 

Advance warning enabled employee safety measures

The platform identified major protests near their Bangkok manufacturing facility three weeks in advance, giving the security team time to coordinate evacuation plans for expatriate employees, arrange secure transportation, brief local staff on safety protocols, and work with facility management to implement enhanced security measures. Two American managers and their families were relocated to safe accommodations before protests intensified.

Real-time visibility prevented asset damage

During active protest situations in Jakarta, the team received real-time social media posts showing exactly what was happening near their distribution center. "They were getting people posting pictures during the event. They could see the windows being smashed. They had all that information, kind of boots on the ground sort of coverage" (manufacturing client quote). This intelligence allowed them to implement facility lockdown procedures, secure valuable equipment, and coordinate with local security forces before the protests reached their location, preventing an estimated $2 million in potential property damage.

Coordinated response across multiple countries

When civil unrest spread across the region, the platform provided simultaneous monitoring of threats in Thailand, Indonesia, and the Philippines from a single interface, enabling the corporate security team to coordinate protective measures across all locations without requiring boots on the ground in each country.

Results & Outcomes

  • Proactive Threat Detection: Organizations moved from reactive incident response to proactive threat identification. “We were struggling to gain insight on our employees’ social media activity for potential insider threats, and Liferaft’s platform allowed us to set up automated alerts for concerning behavior patterns,” one security team reported. 
  • Time savings through automation: “Having an automated service that can do that would be great,” noted one investigator who previously spent hours manually checking social media accounts. The platform eliminated the need to manually check multiple social media accounts daily, with one team noting: “You don’t have to be in the platform to get an alert. We can set up that automated alert. Nice one lens that people will look at.”
  • Complete evidence retention: “Text is retained indefinitely. So it could be two years down the road. The person has been suspended from the platform. They deleted that post. None of that matters as long as you’ve already collected that content in Liferaft, you’ll always be able to come back in here and review it.” 
  • Improved collaboration: Teams could share intelligence across HR, legal, and security functions while maintaining appropriate access controls. “We can make that definitely siloed. So HR and legal, maybe they’re working on a particular investigation. Certain team members aren’t supposed to see that,” explained one implementation. 
  • Enhanced executive protection: Teams used the same capabilities to protect executives from insider threats, monitoring for doxing, personal information leaks, and targeted harassment from current or former employees.

Conclusion.

Liferaft has proven to be an essential tool for organizations seeking to transform their insider threat programs from reactive to proactive.

This is achieved through a unified platform that combines critical capabilities: comprehensive social media investigations, anonymous following, rapid identity resolution, and case management.

Security teams now have the power to systematically monitor high-risk individuals, identify concerning employee behavior at its earliest stages, and secure critical evidence, even when perpetrators attempt to delete their digital footprints.

The platform delivers significant value across diverse sectors, including healthcare, financial services, and technology. Its ability to automate manual processes, provide real-time alerts, and seamlessly integrate with existing security workflows is essential for organizations managing complex insider threat landscapes where employee-related risks present major operational and safety concerns.

dossiers-mobile-02

Eliminate blind spots across your global operations.

Liferaft gives security teams early warning of emerging threats, real-time visibility during active events, and the intelligence needed to protect people and assets worldwide. Book a meeting to see how Liferaft helps you stay ahead of global risk.