Leaked From the Inside:

What the Latest DHS Document Breach Tells Us About America’s Insider Threat Crisis

By TMPC, Inc. — Insider Threat & User Activity Monitoring Specialists


On March 9, journalist Ken Klippenstein published a DHS “critical incident note” warning that two senior Iranian religious leaders had issued fatwas calling on Muslims worldwide to avenge Ayatollah Ali Khamenei’s death. The document—intended for restricted distribution within the homeland security apparatus—laid out IRGC proclamations threatening that “the enemy will no longer have security anywhere in the world, even in their own homes.” CNN and ABC subsequently confirmed the bulletin’s existence and its core findings.

The substance of the note is serious. It belongs in the hands of law enforcement and intelligence professionals who can act on it. But for those of us who spend our days inside insider threat programs, the headline isn’t what the document says. It’s that someone with authorized access decided to hand it to a reporter.

And that’s a problem we know how to solve.

This Isn’t a One-Off. It’s a Hemorrhage.

Zoom out from this single incident and the scale of the problem becomes staggering. In January 2026, the entire draft 2026 Homeland Threat Assessment—marked “For Official Use Only”—landed on Klippenstein’s Substack before DHS had even finalized it for public release. Around the same time, a Border Patrol official angry about ICE’s conduct leaked a 15-page operational briefing detailing 21 secret enforcement programs with codenames like Abracadabra, Tidal Wave, and Dust Off. Internal ICE memos on warrantless home entry procedures made their way to the Associated Press via a congressional whistleblower channel. DHS operational security guidance for agents deployed to Minneapolis after the Renee Good shooting was published verbatim.

Then came the worst of it. In January 2026, the personal data of roughly 4,500 DHS and ICE employees—names, email addresses, phone numbers, job titles—was exfiltrated and handed to a foreign-operated doxxing website called ICE List. The site’s operator told reporters that a DHS employee provided the dataset directly. WIRED’s investigation found the list mixed insider-sourced data with publicly available information, making the breach harder to scope and remediate.

Every one of these incidents follows the same playbook: someone with legitimate access to sensitive government information made a deliberate decision to move it outside the security boundary. No zero-day exploit. No APT group. No sophisticated phishing campaign. Just an insider with credentials and a grievance.

The Operational Damage Most People Miss

Public discourse tends to focus on whether any given leak was “good” or “bad.” That’s a political conversation. The operational conversation is different, and it matters more to the people tasked with keeping this country safe.

When a critical incident note on Iranian threat streams hits the open internet, Tehran’s intelligence services don’t need to hack DHS—they just need a Substack subscription. They can map how we assess their fatwa infrastructure, what collection methods underpin our warnings, and how quickly our interagency distribution works. The finished intelligence product is more valuable than the raw data, because it shows adversaries how we think.

The downstream effect inside government is equally corrosive. Agencies that see their sensitive products appearing in the press within days of distribution do the rational thing: they tighten distribution lists, add caveats, compartment more aggressively, and share less. The paradox is brutal. Chronic leaking doesn’t produce a more informed government. It produces a more siloed one—right when the threat environment demands exactly the opposite.

The Technical Reality: These Leaks Leave Fingerprints

Here’s what non-practitioners often miss: every single one of these exfiltration events had a digital footprint. Someone logged into a system. Retrieved a file. Emailed it, printed it, copied it to removable media, screenshotted it, or pasted it into a personal messaging app. The network saw it happen. The endpoint recorded it. Logs exist.

The question isn’t whether the evidence is there. It’s whether anyone was watching.

User Activity Monitoring—UAM—exists to close that gap. Mandated under Executive Order 13587 and operationalized through CNSSD No. 504, UAM programs continuously observe and analyze what authorized users do on government networks. Not metadata. Not just login/logout timestamps. The actual behavior: what files they access, what they do with them, what they print, where they send data, and whether any of that activity deviates from their established baseline.

A mature UAM capability doesn’t just catch leakers after the fact. It changes the calculus before the act. When personnel know their activity is monitored, when anomalous access triggers a real-time alert to a trained analyst, the risk equation for a would-be leaker shifts dramatically. Deterrence is the first line of defense.

THE INSIDER THREAT EQUATION

Authorized Access  +  Motivation  +  Opportunity  +  Weak Monitoring  =  Breach

You can’t revoke access from everyone who needs it. You often can’t eliminate motivation. But you can shrink opportunity and eliminate monitoring gaps. That’s what UAM does.
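As an added illustration (not TMPC’s code or any product’s), here is the kind of baseline-deviation check a UAM analyst would run over one day of endpoint audit events: it flags an egress channel the user has never used, a familiar action far above the user’s own daily rate, and restricted material handled outside working hours. The users, baseline counts, thresholds and events are all constructed.

```python
from collections import Counter, defaultdict

# Constructed sample data, not from any real system: each user's action counts
# over a 30-day baseline period, and one day of new endpoint audit events.
BASELINE_DAYS = 30
BASELINE = {
    "analyst1": Counter({"file_read": 600, "print": 15, "email_internal": 240}),
    "analyst2": Counter({"file_read": 450, "email_internal": 180}),
}
# Channels that move data outside the security boundary.
EGRESS = {"print", "usb_copy", "email_external", "clipboard_paste", "screenshot"}
WORK_HOURS = (7 * 60, 19 * 60)  # 07:00-19:00, in minutes since midnight

TODAY = [  # constructed: (time, user, action, document handling label)
    ("09:12", "analyst1", "file_read", "FOUO"),
    ("09:14", "analyst1", "print", "FOUO"),
    ("10:03", "analyst1", "file_read", "UNCLASS"),
    ("13:20", "analyst1", "print", "FOUO"),
    ("13:22", "analyst1", "print", "FOUO"),
    ("15:00", "analyst1", "email_internal", "UNCLASS"),
    ("22:40", "analyst2", "file_read", "FOUO"),
    ("22:41", "analyst2", "usb_copy", "FOUO"),
]

def minutes(hhmm):
    h, m = map(int, hhmm.split(":"))
    return h * 60 + m

def score_day(events, baseline, days=BASELINE_DAYS, ratio=3.0):
    """Compare one day of events with each user's baseline; return (user, rule, detail) alerts."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        hist = baseline.get(user, Counter())
        for action, n in Counter(e[2] for e in evs).items():
            mean = hist[action] / days
            if hist[action] == 0 and action in EGRESS:
                # An egress channel this user has never used before.
                alerts.append((user, "new-egress-channel", action))
            elif mean and n > ratio * mean:
                # A familiar action, but far above the user's own daily rate.
                alerts.append((user, "volume-spike", f"{action}: {n} vs mean {mean:.1f}/day"))
        for ts, _, action, label in evs:
            # Restricted material read or moved outside normal working hours.
            if label == "FOUO" and not WORK_HOURS[0] <= minutes(ts) < WORK_HOURS[1]:
                alerts.append((user, "off-hours-restricted", f"{ts} {action}"))
    return alerts
```

Each alert names the user and the rule, so an analyst can pivot from it to the underlying events rather than to a bare score.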


Why TMPC Was Built for This Fight

TMPC didn’t add “insider threat” to a capabilities slide deck because the market was trending that direction. This is what we do. It’s what we’ve always done. We built this company around insider threat detection, User Activity Monitoring, and counterintelligence support for the organizations where the stakes are highest: USSOCOM, JSOC, USCENTCOM, and DIA.

We Operate Where It Matters

TMPC holds a Top Secret Facility Clearance. Our people work inside the environments where these breaches are happening—SCIFs, classified networks, SOF headquarters, intelligence fusion centers. We don’t theorize about insider threat from the outside. We sit at the console and watch the data move.

We Practice What We Preach

CMMC Level 2 at a 110 out of 110 SPRS score. Full implementation across all 14 NIST SP 800-171 control families. DCAA-audited accounting systems. We don’t tell clients to implement controls we haven’t already implemented ourselves. The credibility gap that plagues so many cybersecurity consultancies doesn’t exist here.

Veterans Running a Veteran-Owned Business

TMPC is an SBA 8(a) certified Service-Disabled Veteran-Owned Small Business. Our leadership served in the same operational communities we now support. That background shapes how we approach insider threat work—with an understanding that these programs have to protect the mission without destroying the trust and cohesion that make organizations effective. Heavy-handed surveillance programs that alienate the workforce don’t reduce insider threat. They create it. We know how to strike the right balance because we’ve lived on both sides of the equation.

Full-Lifecycle Insider Threat Capability

We don’t hand clients a report and walk away. TMPC delivers end-to-end program support: standing up insider threat programs from scratch for organizations that have a mandate but no mature capability; assessing and hardening existing programs against CNSSD 504 and DoD standards; deploying and operating UAM toolsets on both classified and unclassified networks; building behavioral analytics that go beyond simple threshold alerts to catch the subtle patterns that precede an actual breach; running insider threat awareness training calibrated to the operational culture of military and IC organizations; and fusing UAM data with counterintelligence, cyber defense, and HR information to build a picture that no single data stream can provide alone.

The Uncomfortable Truth

These leaks are not happening in a vacuum. The federal workforce is under extraordinary stress. Policy whiplash, political polarization, RIFs, agency reorganizations, and high-profile internal disputes—all of these factors create the conditions where insider threats metastasize. People who feel alienated from their organization’s mission, who feel their concerns are being ignored through legitimate channels, or who feel morally justified in going around the system are exponentially more likely to take data out the door.

There’s a deep irony in the fact that DHS’s own 2026 threat assessment—the one that was leaked in its entirety—identified grievance-motivated domestic threats as the priority concern of the year. The document was right about the threat. It just didn’t account for the possibility that some of those grievances would come from inside the building.

No amount of perimeter hardening fixes this. Firewalls don’t stop a GS-13 with a clearance and a grudge from printing a critical incident note and handing it to a journalist. Endpoint detection and response tools weren’t designed to flag an employee who accesses a document within their authorized scope and then photographs their screen with a personal phone. The insider threat lives in the space between technical access controls and human decision-making. Closing that gap takes a dedicated program with trained analysts, continuous monitoring, behavioral baselines, and the organizational authority to act on what the data reveals.

That’s the program TMPC builds, operates, and sustains. Every day.

Talk to TMPC

If your organization handles classified or sensitive information and you don’t have a mature insider threat program—or you have one that clearly isn’t working—we should talk. TMPC helps defense and intelligence community organizations detect, deter, and mitigate insider threats through operationally proven UAM programs and deep mission expertise. New program standup, maturity assessments, active monitoring, incident response. We’re ready.