Anthropic’s New Insider Threat Toolkit: Claude Cowork, Chrome & Dispatch

DTEX conducted testing of the DTEX Forwarder against Anthropic’s agentic surfaces — Claude Cowork and the Claude for Chrome plugin — to understand what is observable when an LLM, not a human, is driving endpoint activity. By issuing all prompts off‑device via Claude mobile Dispatch, the simulations isolate endpoint‑only telemetry across realistic workflows, including SharePoint access, document transformation, SaaS interactions, and Outlook‑based exfiltration.

The results show that agentic activity is highly observable when you focus on behaviour. DTEX captures Cowork execution via claude.exe process telemetry and surfaces high‑fidelity browser signals from the Chrome plugin, including API calls and prompt content. These signals can be chained into a coherent end‑to‑end trail across endpoint and SaaS activity. While off‑device prompting introduces an attribution gap, emerging approaches such as Project Dihedral highlight a clear path forward.

The takeaway is simple: agentic AI changes execution, not observability — behaviour remains the strongest signal.

  • Identify indicators that distinguish agent‑driven activity from human behaviour
  • Detect and investigate LLM-driven workflows across endpoint and SaaS
  • Correlate telemetry into end‑to‑end activity chains from access to exfiltration