Blindspotter™ is a monitoring tool that maps and profiles user behavior to reveal human risk. It integrates a variety of contextual information in addition to logs, processes them using various unique algorithms, and offers a wide range of outputs from warnings to automatic interventions. Blindspotter™ is an advanced component of the Contextual Security Intelligence Suite. It discovers previously unknown risks and guides the investigation of threats through CSI.Risk.

The new perimeter is our users
Many companies’ worst nightmare is already lurking inside what was previously thought to be its perimeter, a sophisticated external attacker or malicious insider. Nowadays, attackers are intelligent, well-funded and their attacks are increasingly complex and well targeted. The common theme of recent, high-profile breaches is that they were carefully planned and went undetected for some time with the attackers moving freely inside the victim’s IT environment. Malicious insiders hold an advantage over a company’s primary security tools in that they are designed to protect against external threats, not against trusted employees. Targeted attacks by humans use a combination of IT vulnerabilities, social engineering and ordinary crime to gain unauthorized access. It means that the new perimeter, where you have to focus, is your users. They are the new focus of your security measures instead of the infrastructure. Blindspotter is the incarnation of this approach, the user focused IT security: it concentrates on what internal and external users are doing in the system.

More monitoring less control
Balabit is an IT security innovator for more than 15 years, which specialized in log management and advanced monitoring technologies, developed Blindspotter™, a next generation IT security tool that analyzes all user activity and reveals suspicious events occurring throughout IT systems. By detecting deviations from normal behavior and assigning a risk value, it helps companies focus their security resources on important events and also allows them to replace some controls, yielding greater business efficiency. Adding more tools that restrict users won’t make your company safer, it will just make your employees less productive.


Blindspotter™ integrates a variety of contextual information in addition to standard log data (like application logs, SIEM data, HR and CRM system inputs, LDAPs, etc.), processes them using unique sets of algorithms, and generates user behavior profiles that are continually adjusted using machine learning. It tracks and visualizes user activity in real-time for a better understanding of what is really happening inside the IT system and offers a wide range of outputs from a priority dashboard to automatic interventions. It doesn’t require pre-defined correlation rules; it simply works with your existing data. The built-in algorithms have customizable parameters that allow you to fine-tune the output without being a skilled data scientist. Data is analyzed in multiple ways to adjust the risk and deviation level of each activity. Blindspotter™ reveals all new deviations from normal operation in a well-prioritized dashboard. With advanced monitoring across every aspect of an IT system, Blindspotter™ prevents sensitive and critical data from potential security breaches, from both internal and external attackers.



Shell Control Box is a user monitoring appliance that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SCB is a quickly deployable enterprise device, completely independent from clients and servers – integrating seamlessly into existing networks. SCB is a core component of the Contextual Security Intelligence Suite. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigation in CSI.User.


SCB acts as a centralized authentication and access-control point in your IT environment which improves security and reduces user administration costs. The granular access management helps you to control who can access what and when on your servers.


SCB perfectly isolates your sensitive systems from unknown intruders or from non-authorized users. In addition, it tracks all authorized access to sensitive data and provides with actionable information in the case of human errors or unusual behavior.



SCB monitors privileged user sessions in real-time and detects anomalies as they occur. In case of detecting a suspicious user activity (for example entering a destuctive command, such as the “delete”), SCB can send you an alert or immediately terminate the connection.


SCB audits “who did what”, for example on your database or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility leading to a reduction in human errors. By having an easily interpreted, tamper-proof record, finger-pointing issues can be eliminated.


SCB makes all user activity traceable by recording them in high quality, tamper-proof and easily searchable audit trails. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or custom activity reports.


When something wrong happens, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected cost.