Secure your enterprise from insider access abuse
Palace learns how people normally use access across the SaaS systems you already run (Google Workspace, SharePoint, and more) and surfaces the handful of events that don't fit: insider threats and stolen-credential attacks no hand-written rule would catch. At Google, an earlier version of this system caught insider threat attacks with a detection budget below 1 alert per 10,000 employees per day.
Security Outcomes
Catch the attacker already holding the keys
Today's Challenge
Palace's Solution
Security Analyst
The business is too big to know what normal access looks like. What is everyone doing? Suspicious access looks exactly like the legitimate events around it, and your tools just bury you in false positives.
Palace provides a short, ranked list of the most deviant access events. Investigations stay tight and focused on only the events that matter.
Detection Engineer
Detection rules grow old, become brittle, and are hard to maintain. The original authors have moved on or lost context. Every new priority is one more rule nobody wants to touch.
Detection rules are simple score thresholds. The Palace foundation model automatically learns who is allowed to access what, and evolves with the organization.
CISO
The access that worries you most looks legitimate: the curious insider outside their lane, intruder reconnaissance using stolen credentials. What defends against these threats?
Palace is the last line of defense when your endpoint, credential, or malware security fail. When attackers live off the land and masquerade as insiders, Palace catches them — their activity deviates from normal business actions.
Our Technology
YouTube recognizes a video you should watch but haven't. Palace recognizes a corporate resource an employee should not access, but did.
Applying deep recommender system technology, Palace learns the access patterns already present in your logs — what normal looks like for every person and every resource. By recognizing and ignoring normal activity, Palace points your team and automation at just deviant access events.
Watch what they do, not who they claim to be.
Security Applications
One model powers the security stack
Detection
The model distills behavioral norms into a deviation score for every access event. Detection is then just a threshold on the score.
Investigation
See who touched a crown-jewel resource and spot the odd one out at a glance, or surface the out-of-pattern access a departing employee made in their final weeks — in minutes, not days.
Response
Close the loop with agentic response. Automatically ask the employee to justify anomalous access events, and route their response back to your team — so detection resolves itself instead of piling up.
Agentless deployment
Palace runs in your cloud, using the SaaS audit logs you already collect. No endpoint rollout required.
Proven Technology
Built on peer-reviewed academic research
Deployed at Google
The same technology was built and deployed at Google, serving as a last line of defense against insider threats since 2018. Red-team insider-threat attacks were caught with a detection budget of 1 alert per 10,000 employees per day.
Presented at Black Hat USA 2025
Shared with the security industry at its flagship practitioner conference. Black Hat USA 2025
Accepted at USENIX Security 2026
Peer-reviewed and accepted for publication at one of the field's top security research conferences. USENIX Security 2026
Unlock the intelligence of your logs
In the history of computer security, the attacker has held the asymmetric advantage — choosing the time, the place, and the method of attack. Palace unlocks one of the defender's most powerful advantages: the access logs every enterprise already collects, and all the behavioral patterns inside them. We bring the most powerful behavioral models ever invented, deep recommender systems, to the logs you already keep.