Facade demonstrates that high‑precision insider threat detection can be achieved without large labeled attack datasets, reshaping security strategies for enterprises. Its open‑source availability lowers barriers for widespread adoption, potentially reducing costly data breaches.
The emergence of Facade marks a pivotal shift in insider threat mitigation, moving away from reliance on scarce incident data toward self‑supervised models that learn normal behavior from massive benign logs. By employing contrastive learning, the system creates nuanced representations of user actions across document accesses, SQL queries, and network requests, enabling it to flag subtle deviations that traditional rule‑based tools miss. This methodological breakthrough not only improves detection precision but also dramatically reduces the operational overhead associated with labeling and maintaining attack datasets.
Beyond the core algorithm, Facade integrates a sophisticated clustering layer that groups similar anomalous events, enhancing robustness against noise and isolated false alarms. The result is an exceptionally low false‑positive rate—under 0.01% overall and 0.0003% for single‑action anomalies—making the solution viable for high‑volume environments where alert fatigue is a major concern. Over seven years, the system has processed billions of daily events within Alphabet, proving its scalability and reliability at enterprise scale.
The decision to open‑source Facade expands its impact beyond Google, offering security teams a ready‑made framework for building context‑aware insider threat detectors. Organizations can adapt the model to their own log sources, benefiting from the same contrastive learning principles without the need for extensive labeled attack data. As cyber‑risk executives prioritize proactive defenses, Facade provides a cost‑effective, high‑accuracy tool that aligns with modern zero‑trust and data‑centric security architectures, potentially setting a new industry standard for insider threat detection.