Start Free Trial
INTROSPECTUS

Session Integrity

Protect the Integrity of Your Digital Workplace

Session Integrity Overview

Detect tools and behaviours designed to misrepresent employee activity.

Hybrid and remote work have transformed how organisations operate. However, a small but increasing number of employees are using software and hardware tools designed to simulate activity without actually working.

Examples include:
  • mouse jigglers
  • keyboard keep-alive devices
  • activity simulation software
  • system configuration changes that prevent session lock

These tools can undermine attendance reporting, distort productivity metrics, and expose organisations to payroll fraud, compliance risk, and governance challenges.

Introspectus Session Integrity automatically detects these behaviours using endpoint telemetry and behavioural analysis, providing organisations with the visibility and evidence required to respond appropriately.

Instead of relying on suspicion or manual investigation, leaders gain objective detection, structured reporting, and defensible evidence.

When deployed by executives, managers and HR teams, Introspectus Session Integrity:

Detects activity‑spoofing tools

Protects digital workplace integrity

Prevents payroll and compliance risk

Provides objective, defensible evidence

What Session Integrity Enables

What Introspectus Session Integrity Helps You Achieve

Discover how objective detection reinforces workforce integrity through transparent, evidence‑based insight.

This allows organisations to achieve:

Protect workforce integrity

Detect activity simulation tools designed to falsify presence or productivity.

Reduce payroll fraud risk

Identify cases where automated activity may be misrepresenting time worked.

Support fair HR processes

Provide clear technical evidence to support investigations and disciplinary processes.

Maintain trustworthy workforce metrics

Ensure productivity and attendance data reflect genuine employee activity.

Strengthen governance and compliance

Provide audit-ready detection records and incident reports.

Automated Detection of Activity Simulation Tools

Introspectus Session Integrity continuously monitors endpoint telemetry to detect patterns associated with activity simulation tools.

Rather than relying on simple signatures or manual review, the platform uses behavioural analysis and pattern recognition to distinguish between normal user behaviour and automated activity.

Detection thresholds are fully configurable, allowing organisations to align monitoring sensitivity with their operational environment and risk appetite.

Detection Capabilities

ACTIVITY SIMULATION DETECTION
CapabilityWhat it DoesBusiness Impact
Mouse Jiggler DetectionIdentifies repetitive mouse movement patterns associated with hardware or software mouse-movement simulators. Pattern analysis distinguishes automated movement from normal user behaviour.Detects attempts to simulate activity while a workstation is unattended.
Keyboard Keep-Alive DetectionDetects repeated activation of non-functional keys such as Scroll Lock, Pause, or extended function keys used to prevent session idle timeout.Identifies scripts or devices used to artificially maintain active sessions.
Software Evasion DetectionMonitors running processes for activity-simulation tools including macro automation software, keep-awake utilities, and browser auto-refresh extensions.Prevents misuse of automation software to misrepresent work activity.
System-Level DetectionDetects configuration changes designed to disable screen lock or idle timeout, including registry or policy manipulation. Identifies attempts to bypass organisational security or session policies.

Configurable Detection Controls

PLATFORM CONFIGURATION OPTIONS
CapabilityWhat it DoesBusiness Impact
Configurable Detection ThresholdsDefine event frequency and observation windows for each detection class.Allows organisations to tune sensitivity based on their operational environment.
Severity ClassificationAutomatically classifies detections as High, Medium, or Low severity based on configured thresholds.Helps managers prioritise the most serious cases first.
Alert Noise ReductionOption to suppress low-severity detections while still recording them in logs.Ensures managers focus on meaningful incidents rather than minor anomalies.
Monitored Key ConfigurationAllows organisations to select which keys are included in keyboard activity monitoring.Reduces false positives by aligning detection rules with endpoint configurations.

Detection Reporting & Investigation Workflows

Detection alone is not enough to support organisational action.

Introspectus provides a complete investigation and reporting workflow, enabling managers and HR teams to review evidence, identify patterns, and document outcomes.

All detections are recorded with technical detail, timestamps, and classification levels, ensuring organisations have the documentation required for fair and defensible decision-making.

Investigation & Reporting Capabilities

DETECTION MANAGEMENT
CapabilityWhat it DoesBusiness Impact
Detection Overview DashboardProvides a real-time summary of detection activity including flagged users, event counts, and severity breakdowns.Gives HR and managers immediate visibility into potential integrity risks.
Detection HeatmapVisual calendar showing detection events across employees and days.Makes recurring or sustained behaviour patterns easy to identify.
Weekly Trend AnalysisTracks detection volumes over time to highlight emerging issues.Enables early intervention before behaviour becomes widespread.
Employee Detail ViewDisplays the full detection history for an individual employee, including event details and timestamps. Supports evidence-based HR discussions and investigations.
Automated Incident ReportsGenerates structured reports containing detection evidence and incident details.Provides documentation suitable for HR records or legal review.
Recommended Action PromptsSuggests appropriate follow-up actions such as monitoring, discussion, or formal investigation.Supports consistent and fair managerial responses.

Executive Insight

Evidence-Based Workforce Integrity.

Without clear technical evidence, addressing the use of activity-simulation tools can be difficult to defend.

Introspectus Session Integrity provides organisations with objective detection data, documented evidence, and structured reporting, enabling fair and consistent responses.

Managers gain the information needed to address potential misuse early, while organisations maintain the integrity of workforce metrics and payroll systems.

Read what Our Customers Say

Why Introspectus Session Integrity?

Activity simulation tools are becoming more common as hybrid work becomes permanent.

Yet most organisations have no visibility into whether these tools are being used at all.

Introspectus Session Integrity fills that gap by providing continuous monitoring, early detection, and defensible evidence.

Key Advantages:

Comprehensive detection coverage

Mouse, keyboard, software, and system-level evasion are all monitored within a single platform.

Flexible configuration

Detection thresholds and monitoring parameters can be tailored to suit organisational policies.

Evidentially sound detection records

Each detection is logged with sufficient technical detail to support HR processes or legal proceedings.

Integrated workforce intelligence

Session Integrity insights integrate with attendance and workforce analytics data across the Introspectus platform.

Early risk visibility

Trend reporting allows organisations to detect emerging patterns before they escalate.

Maintain integrity and protect organisational interests

Empower HR governance and ensure accountability for every user session.

Without Introspectus

No visibility of activity simulation tools
Attendance data may be unreliable
Difficult to prove misuse in HR processes

With Introspectus

Automated detection of evasion tools
Accurate workforce activity insights
Clear evidence for HR investigation and governance

How Introspectus Helps

Each agent compares the current patch list against what is actually installed on its device. Any gap between what has been released and what is deployed is immediately surfaced. Critically, Introspectus pays particular attention to the timing of patch deployment not just whether a patch is present, but when it was applied.

This temporal dimension is central to Essential Eight compliance, where the difference between a patch applied on day two versus day thirty can mean the difference between maturity levels, and between an environment that was protected and one that was exposed.

This combination of daily patch intelligence, severity-based filtering, agent-level validation, and deployment timing analysis gives organisations a real-time, evidence-based view of their operating system patch posture mapped directly to the ISM controls applicable to the Essential Eight patch operating systems strategy.

The Challenge with Patch Operating Systems

The visibility gap here is particularly consequential. A patch may be approved and scheduled, yet never successfully applied due to a failed deployment, a device that was offline during the maintenance window, a reboot that was deferred, or a system that exists outside managed channels entirely.

Organisations that rely solely on deployment tooling to confirm patch status are measuring intent, not reality. The ACSC is explicit on this point: organisations need to confirm patches have been applied successfully, not merely that they were dispatched.

Patch Operating Systems Overview

Within the Essential Eight framework, patching operating systems is a core and non-negotiable control. The ACSC sets clear expectations: patches for internet-facing infrastructure must be applied within 48 hours when identified as critical or where working exploits exist, and within two weeks for standard releases.

Patches for workstations, servers, and network devices must be applied within one month, with tighter timeframes applying in high-threat environments. Critically, the ACSC also mandates that vulnerability scanning occurs at least daily for internet-facing systems and at least fortnightly for workstations and non-internet-facing infrastructure not to replace patching, but to confirm it has actually occurred.

How Introspectus Works

From this inventory, Introspectus performs targeted web intelligence gathering. For each application identified, the platform locates the top five authoritative sources of patch and release information vendor security advisories, release notes, and vulnerability databases and retrieves that content into a central repository.

Aletheia, Introspectus’s AI analysis agent, then reads and analyses this content to extract the intelligence that matters for application patching: the latest available version, whether a release addresses a security vulnerability, the severity of that vulnerability, and all information relevant to the Essential Eight application patching requirements. This structured intelligence is mapped directly to the applicable ISM controls, producing defensible, audit-ready evidence of an organisation’s application patch compliance posture.

The Challenge with Patch Applications

A critical and frequently overlooked problem is the visibility gap. Organisations may believe their applications are current when, in reality, patches have silently failed, devices have missed deployment windows, or software has been installed outside of managed channels entirely.

Without continuous inspection at the endpoint level, these gaps go undetected until an audit or, worse, a breach.

Patch Applications Overview

Within the Essential Eight standard, patching applications is a dedicated and non-negotiable control. The ACSC specifies clear timeframes: critical vulnerabilities in internet-facing services must be addressed within 48 hours, commonly used applications such as office productivity suites, web browsers, email clients and PDF software must be patched within two weeks of release, and all other applications within one month.

For organisations in high-threat environments, the bar is higher still. Meeting these requirements consistently across hundreds of distinct applications deployed across thousands of endpoints is not achievable through manual effort alone.