Part of the Maximizing Mimecast Customer Series
If you missed our recent Insider Risk Management and Data Protection webinar, or if you attended and want a quick recap to share with your team, this post is for you. Our Vice President of Product Management for Incydr, Dave Capuano, packed a ton of valuable insight into the session, and we want to make sure you can take advantage of everything that was covered.
You can watch the full on-demand recording here, and you can also sign up for the other sessions in our Maximizing Mimecast series while you're there.
Why Human Risk is the Conversation Everyone is Having
Dave opened by framing the broader market context. Analysts like Forrester and Gartner are zeroing in on what many of us already know: human behavior is at the root of 80–90% of security incidents. Despite major investments in network, endpoint, and identity security, organizations haven't made the same progress when it comes to the human element.
The Three Insider Risk Use Cases We See Over and Over
Based on conversations with customers and prospects, Dave's team consistently sees three use cases rising to the top:
Mimecast’s AI tools risk dashboard shows exactly who is sending what data to which untrusted GenAI tools
1. Shadow AI
Employees are using generative AI tools every day, and not always the ones your organization has approved. When staff upload files or paste sensitive data into public AI instances like ChatGPT, DeepSeek, or others, they can inadvertently expose customer data, business information, or intellectual property. Our own anonymized customer data tells a striking story: in just a 30-minute snapshot, we detected thousands of data uploads and pastes going to generative AI tools, most of which contained valuable source code. We’ve tracked over 600 distinct AI tools in use across a small sample of anonymized data.
Incydr allows you to automatically add departing employees from HCM systems, and add specific preventative controls to stop data exfiltration
2. Departing Employees
Most organizations have a solid offboarding checklist: cut off access, collect the badge, retrieve the laptop. But is a data review part of your process? It should be. Employees who are leaving sometimes take data they feel entitled to, and without visibility into data movement, you may not know what’s walked out the door until it's too late.
Mimecast’s Source Code dashboard provides in-depth insight into your Git repositories and source code exposure
3. Source Code Exposure
Developers handle some of the most valuable IP in any organization. Are they pushing source code to corporate repositories, or to personal ones? The financial and reputational consequences of source code leaving your environment can be significant, and visibility here is critical.
A Look at Mimecast Incydr: Visibility Meets Action
Dave walked through the product live, and the demo illustrated just how much visibility and control Incydr provides from day one of deployment.
With the MCP Server integration, customers can bring their own LLM and conduct investigations with plain language requests, speeding investigations and saving valuable analyst time
One of the highlights of the demo was a live look at the MCP Server integration, which lets customers bring their own LLM to streamline investigations. This connects your preferred LLM (like Claude) directly to your Incydr data, which helps analysts automate investigations using plain language requests, gather context, and recommend actions.
Dave demonstrated using natural language queries to pull a 7-day snapshot of data activity:
- Which users were sending data to AI tools
- Which tools were most popular
- Which high-value data sources were involved
Claude then assembled that information into an interactive dashboard, complete with severity breakdowns, destination categories, and top risk actors, and generated a shareable PDF report for CISO consumption.
This kind of capability means analysts and security leaders can get to answers faster, without needing to know every filter or query parameter in the product.
Visibility Across Endpoints and Cloud
Incydr dashboards make it easy to see all unsanctioned data movement from one place
Incydr combines a lightweight endpoint sensor (for Windows, Mac, and Linux), a browser extension, and dedicated connectors into leading cloud platforms, including OneDrive & SharePoint, Google Drive, Box, Microsoft 365, Gmail, and Salesforce, to give you a complete picture of where your data is going.
The endpoint sensor monitors activities like AirDrop, removable media, and desktop applications, while the browser extension looks at all web data movement. The cloud integrations more closely monitor the related systems and detect improper file sharing from within those platforms. Together, they eliminate the blind spots and provide a comprehensive overview of untrusted data movement.
Risk Attribution: Context Is Everything
Customizable risk indicators make it easy to prioritize high-risk events, filter details, and focus on risk that matters to your organization
What makes Incydr different is that visibility alone isn't the end goal; it's paired with risk attribution via risk indicators. Every data movement event is automatically enriched with context: Who moved the data? Where did it come from? Where did it go? What type of file was it? What does the content contain? How risky was this data movement given these inputs?
This context lets you prioritize and respond appropriately rather than chasing every alert.
Responding to Risk: Adaptive Controls From Nudge to Block
Not every risky action warrants the same response. Incydr gives you a full spectrum of adaptive controls to prevent exfiltration, reduce risk, and contain incidents:
- Preventative controls that block specific exfiltration channels, uploads of high-value data, browser-based pastes to AI tools, and more
- Temporary Allow prompts employees to explain a data movement before it completes, providing a full audit trail without slowing collaboration
- Real-time micro-learning videos via Instructor, which delivers in-the-moment nudges when an employee does something like upload a file to Google Drive instead of your corporate OneDrive
- Revoke public shares in OneDrive & SharePoint or Google Drive directly from the product
- Low-code integrations with tools like CrowdStrike, SentinelOne, Microsoft Entra, and Okta for endpoint isolation or conditional access enforcement
Watch Lists for Focused Monitoring
Incydr's Watchlist feature lets you group users, like contractors, departing employees, or those with elevated access, and apply enhanced monitoring and targeted controls to those groups. Watch lists can be populated manually or linked to Active Directory groups to ensure the right controls are applied automatically to the right people.
See It for Yourself
If you're working on an active data security project and want to understand what's happening in your environment, a 30-day Proof of Value is a great place to start. It's a structured engagement where our team works alongside yours to deploy Incydr, surface your data activity, and show you exactly what actions you can take.
You can also explore the product on your own terms with our product tour. And of course, watch the full on-demand webinar and check out the other sessions in the Maximizing Mimecast series. There's a lot more to explore, and we'd love to see you there.