A legitimate user whose credentials or devices have been compromised by external attackers.
A compromised insider incident occurs when external threat actors gain access to legitimate user accounts through credential theft, social engineering, or malware. These incidents represent 12% of insider threats but are growing rapidly. The average detection time is longer because the activity appears to come from authorized users, which makes behavioral analytics crucial for detection.