Insider Threat Matrix™

Virtual Private Network (VPN) Logs

Depending on the type of VPN appliance or service used, VPN logs can provide detailed records of user activity. These logs typically include information such as user IDs, device types, IP addresses, and connection timestamps. By analyzing VPN logs, security teams can identify deviations from normal usage patterns, such as connections from unusual geographic locations, access during odd hours, or unusually large data transfers. Anomalies in VPN usage can serve as early indicators of suspicious behavior, potentially signaling attempts at data exfiltration or other unauthorized activities. Alerts triggered by these irregularities allow for further investigation to assess potential threats.

Sections

IF020 Unauthorized VPN Client

The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.

IF035 Unauthorized Work Location

A subject performs work-related activities from a location or jurisdiction that is not approved by the organization, in violation of policy, contractual restrictions, or regulatory requirements.

This behavior includes remote work conducted outside authorized geographic boundaries, the use of undisclosed travel locations, or deliberate concealment of true working location through technical means. Unauthorized work location infringements introduce material risk across legal, regulatory, data protection, and operational domains. These risks include unlawful data transfer across jurisdictions, breach of client or government restrictions, tax and employment violations, and exposure of corporate systems to untrusted environments.

Unauthorized work location activity is often initially perceived as low-severity or convenience-driven. However, in practice it represents a critical control failure, particularly in organizations with geo-restrictions, data residency obligations, or sensitive access environments. Left unchallenged, this behavior can contribute to Behavioral Drift, where location-based controls are progressively disregarded across the organization's population.

This section captures all forms of location-based policy infringement, whether deliberate (concealment, evasion) or negligent (failure to disclose travel).

IF002.010 Exfiltration via Bring Your Own Device (BYOD)

A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.

MT017.001 Nation-State Alignment

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.

Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:

  • A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
  • A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.

ME001.001 Access to Asset Past Termination

The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.

This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows.

ME001.002 Purchase and Use of Unmanaged Corporate Hardware

The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.

Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.

This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.

AF029.002 Unauthorized VPN Usage

The subject deliberately uses Virtual Private Network (VPN) technology in a manner that circumvents organizational oversight, masking the nature, destination, or content of network activity. This includes installing unapproved VPN clients, as well as reconfiguring sanctioned VPN software to route traffic through unauthorized exit nodes, personal infrastructure, or third-party services not governed by corporate policy.

By diverting traffic away from monitored pathways, the subject obstructs standard telemetry collection - evading logging of session destinations, data transfers, or identity-bound usage. This behavior frustrates forensic reconstruction, hinders real-time monitoring, and degrades the reliability of investigative artifacts. Unauthorized VPN usage is an intentional anti-forensics measure aimed at concealing potentially harmful activity behind layers of encrypted and unsanctioned transit.

AF029.004 Switching to Unmonitored Networks

The subject intentionally disconnects from monitored corporate networks (such as managed Ethernet, enterprise Wi-Fi, or secure VPN tunnels) and reconnects using alternative, unmonitored connectivity options. This may include switching to a guest Wi-Fi network, tethering through a personal mobile hotspot, or leveraging an unmanaged residential or public access point.

By exiting the boundaries of controlled infrastructure, the subject avoids endpoint-level inspection, network logging, and identity-based access enforcement. This maneuver is particularly effective in environments where endpoint telemetry is only collected while connected to corporate networks or VPN channels. In such cases, activity conducted over unmonitored networks leaves no observable trace in central logging systems, severely degrading investigative visibility.

This behavior is commonly paired with additional anti-forensics techniques (such as unauthorized VPN use, encrypted transfer protocols, or private browsing) to further frustrate detection. The deliberate choice to operate from unmonitored networks signals a clear intent to conceal operational activity and evade forensic scrutiny.

IF035.001 Undeclared International Remote Work

The subject performs work-related duties from a foreign jurisdiction without notifying or obtaining approval from the organization, in violation of defined location, legal, or contractual requirements.

This behavior commonly occurs when a subject travels internationally and continues to access corporate systems while physically located outside their approved working jurisdiction. In many cases, the subject does not disclose the travel, preventing the organization from applying appropriate legal, regulatory, and security controls.

A frequently observed variant involves annual leave extension abuse, where the subject initially travels abroad under approved leave but remains in that jurisdiction beyond the authorized leave period and resumes work remotely without declaration. In this scenario, the subject transitions from compliant absence to unauthorized international working, often assuming the original approval implicitly extends to remote work activity.

Undeclared international remote work introduces material risk, including:

  • Breach of data residency and cross-border data transfer restrictions
  • Violation of employment law and tax obligations
  • Exposure of corporate systems to untrusted or high-risk environments
  • Breach of contractual or client-imposed geographic controls

This behavior is often rationalized by the subject as low impact or temporary. However, it represents a failure of governance and visibility over where sensitive systems are being accessed. In regulated environments, even short periods of undeclared international access may constitute a compliance breach.

If repeated or unchallenged, this behavior may contribute to Behavioral Drift, where undeclared cross-border working becomes normalized within teams or functions.

IF035.002 Work from Prohibited or High-Risk Jurisdictions

The subject performs work-related activities from a jurisdiction explicitly prohibited or classified as high-risk by the organization, in violation of policy, regulatory obligations, or contractual restrictions.

These jurisdictions are typically defined based on legal, regulatory, geopolitical, or security considerations. This includes sanctioned countries, regions subject to export control restrictions, locations with elevated cyber threat activity, or jurisdictions where data access is restricted due to sovereignty or client requirements.

Unlike general undeclared international remote work, this behavior involves access from locations where work is explicitly disallowed, regardless of disclosure. Even where the subject has notified the organization of travel, performing work from these jurisdictions constitutes a direct infringement due to the inherent risk profile.

Operating from prohibited or high-risk jurisdictions introduces severe exposure, including:

  • Breach of international sanctions or export control laws
  • Unauthorized cross-border transfer or access to regulated data
  • Increased likelihood of interception, monitoring, or compromise by hostile entities
  • Violation of contractual obligations with clients, governments, or partners

In some cases, subjects may knowingly disregard restrictions due to convenience or personal circumstances. In more serious scenarios, this behavior may indicate exposure to coercion, or deliberate or inadvertent data exfiltration to a third party.

This sub-section represents a high-severity infringement category, as the risk is intrinsic to the location itself, not just the lack of approval.
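The following script is an added worked example for this page, not code from the Insider Threat Matrix project or from any VPN vendor. It applies the three checks named in the artifact overview above (connections from an unusual location, access at odd hours, unusually large outbound transfers) to constructed VPN session records, and adds the IF035.002 case of a prohibited jurisdiction, which is flagged whether or not the travel was declared. The CSV field names, the per-user approved-country baseline, the 06:00-22:00 working window, the 1 GB transfer threshold and the country code "ZZ" (an ISO 3166 user-assigned code standing in for a prohibited jurisdiction) are all assumptions chosen for the example.

```python
"""Anomaly checks over VPN session logs (added example; format and thresholds are assumptions)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export. Field names are assumptions; real appliances differ.
# "ZZ" is an ISO 3166 user-assigned code used as a placeholder for a prohibited jurisdiction.
SAMPLE_LOG = """\
user,device,src_ip,country,connect_time,disconnect_time,bytes_out
alice,laptop-0142,203.0.113.10,GB,2024-05-06T08:55:00Z,2024-05-06T17:40:00Z,120000000
alice,laptop-0142,203.0.113.10,GB,2024-05-07T09:02:00Z,2024-05-07T17:55:00Z,95000000
alice,laptop-0142,198.51.100.23,PT,2024-05-08T02:14:00Z,2024-05-08T05:30:00Z,4100000000
bob,laptop-0277,192.0.2.45,DE,2024-05-06T07:30:00Z,2024-05-06T16:00:00Z,80000000
bob,laptop-0277,192.0.2.45,ZZ,2024-05-07T08:10:00Z,2024-05-07T16:30:00Z,60000000
"""

# Assumed per-user approved working jurisdictions (in practice sourced from HR or
# travel declarations) and an organisation-wide prohibited list.
APPROVED_COUNTRIES = {"alice": {"GB"}, "bob": {"DE"}}
PROHIBITED_COUNTRIES = {"ZZ"}


@dataclass(frozen=True)
class Session:
    user: str
    device: str
    src_ip: str
    country: str
    connect_time: datetime
    disconnect_time: datetime
    bytes_out: int


def _parse_ts(value: str) -> datetime:
    # Accept a trailing "Z" on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_sessions(text: str) -> list[Session]:
    """Parse a CSV export into Session records."""
    return [
        Session(
            user=row["user"],
            device=row["device"],
            src_ip=row["src_ip"],
            country=row["country"],
            connect_time=_parse_ts(row["connect_time"]),
            disconnect_time=_parse_ts(row["disconnect_time"]),
            bytes_out=int(row["bytes_out"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def detect_anomalies(
    sessions: list[Session],
    approved: dict[str, set[str]],
    prohibited: set[str],
    work_hours: tuple[int, int] = (6, 22),
    large_transfer_bytes: int = 1_000_000_000,
) -> list[dict]:
    """Return one finding per session that trips at least one rule.

    A prohibited jurisdiction is reported on its own; it is the higher-severity
    case and is flagged regardless of whether the location was declared.
    Timestamps are UTC, so a real deployment would convert to the user's local
    time before applying the working-hours window.
    """
    findings = []
    start, end = work_hours
    for s in sessions:
        reasons = []
        if s.country in prohibited:
            reasons.append("prohibited_jurisdiction")
        elif s.country not in approved.get(s.user, set()):
            reasons.append("unusual_location")
        if not (start <= s.connect_time.hour < end):
            reasons.append("off_hours")
        if s.bytes_out >= large_transfer_bytes:
            reasons.append("large_transfer")
        if reasons:
            findings.append({
                "user": s.user,
                "src_ip": s.src_ip,
                "country": s.country,
                "connect_time": s.connect_time.isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_sessions(SAMPLE_LOG),
                              APPROVED_COUNTRIES, PROHIBITED_COUNTRIES):
        print(f"{f['connect_time']} {f['user']:<6} {f['country']} {', '.join(f['reasons'])}")
```

Run against the sample, the script reports two sessions: alice's night-time connection from an unapproved country with a multi-gigabyte outbound transfer, and bob's daytime connection from the placeholder prohibited jurisdiction. The approved-country baseline is deliberately an explicit input rather than something inferred from the log itself, because a subject who has been working from an undeclared location for weeks would otherwise teach the detector that the location is normal.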