Climbing the pyramid of pain: Tackling insider threats with NetClean ProActive

Oscar Pettersson

Head of New Markets & Strategic Alliances | NetClean

When we talk about cybersecurity, the conversation often centers around firewalls, phishing campaigns, and patching vulnerabilities. But the truth is, some of the biggest risks come from inside our own walls—malicious, negligent, or compromised insiders who are difficult to detect with conventional tools.

At NetClean, we’ve been working with organizations worldwide to confront one of the most difficult expressions of insider risk: the possession of child sexual abuse material (CSAM) on corporate devices. And as we deepen our work in this space, one framework continues to stand out in guiding our strategy—the Pyramid of Pain.

The pyramid of pain, explained

Originally introduced by cybersecurity expert David J. Bianco, the Pyramid of Pain is a model that helps security teams understand the relative difficulty attackers face when defenders block different indicators of compromise.

At the bottom of the pyramid are things like hash values—easy for attackers to change. At the top are TTPs (Tactics, Techniques, and Procedures)—the behavioral patterns that are deeply ingrained and hard to disguise.

What makes this model powerful is its applicability to insider risk. If we think about how insider behavior maps to these layers—from detectable hashes to behavioral patterns—it becomes clear where organizations often stop short, and where the real potential lies.

ProActive: Starting at the base, climbing higher

NetClean ProActive starts at the base of the pyramid, using high-confidence CSAM hashes to detect known material. While hash-based detection is often seen as “trivial” for attackers to bypass, CSAM is a very different case. These hashes reveal individuals whose behavior introduces serious risk to the organization. It’s not just about what’s on the device; it’s about who’s behind it. The presence of CSAM often points to compromised individuals and endpoints, increasing exposure to extortion, spyware, data breaches, and insider threats. It’s a clear and actionable sign of a security risk that is already active.

But here’s the kicker: ProActive doesn’t stop there.

We’ve designed it to enable security teams to connect those detections with behaviors, tools, and tactics. That means helping organizations move up the pyramid—toward understanding which accounts are involved, what software was used, what network activity occurred, and how it ties into broader patterns.

In essence, we help transform Indicators of Compromise (IOCs) into Indicators of Behavior (IOBs)—the kind of intelligence that drives deeper investigations, informs policy changes, and strengthens long-term resilience.

When ProActive detects CSAM, it's not just uncovering illegal material—it's uncovering a deeper risk. Behind every hash is a human risk vector. By connecting that detection to behaviors and patterns, we help organizations move from simple alerts to strategic action.

Why this matters more than ever

Insider threats aren’t going away. In fact, as digital workspaces expand and data becomes more accessible, the risks are multiplying. What’s needed is a smarter, more layered response—one that doesn’t just catch what’s already happened, but helps prevent what could.

By aligning ProActive with the Pyramid of Pain, we help our customers:

  • Act immediately on high-confidence detections
  • Contextualize those detections to understand intent and risk
  • Support legal and HR processes with strong forensic data
  • Strengthen their security posture over time

Moving from reactive to strategic

The Pyramid of Pain reminds us that true cybersecurity isn’t just about detection—it’s about disruption. At NetClean, we’re committed to helping our partners not just react to threats, but understand, investigate, and stop them at their source.

Want to learn more about how this works in practice? Download our full whitepaper here or reach out to our team to see how NetClean ProActive can fit into your insider risk strategy.
