The present invention relates to an insider threat detection system which includes at least two stages: a front end sensor stage with activity detection from detectors, and a behavior reasoning component (BRC) with following automated reporting. As opposed to typical monitoring systems that seek to identify network activities as endpoint activities, work on a small number of static triggered rules or anomalous deviations from established norms, the present invention includes a behavior reasoning component (BRC) that uses network activity as precursor indicators to subsequent malicious or non-malicious behaviors, using BRC pattern classifiers, to predict likely malicious insider behaviors and alert security personnel to insider threat from high probability sabotage, fraud, or theft of sensitive, proprietary, classified data/information.