Description
This detector identifies devices that show no evidence of personal use, presenting a usage profile that is exclusively and unnaturally work-focused. Paradoxically, a device that appears perfectly professional raises suspicion: genuine employees accumulate personal digital traces on their work machines over time - personal browser tabs, non-work applications, casual web browsing, personal communications, and idiosyncratic software choices. A device stripped of all of this is a strong signal that it was configured specifically to play a role.
This signal is most clearly surfaced by the deployed agent over time, and is complementary to, but distinct from, the Clean/Burner Device detector, which focuses on session-time browser state. This detector examines the device's overall usage history.
Common indicators include:
Absence of personal browser activity
No history of personal email platforms, social media sites, news outlets, entertainment services, or consumer e-commerce in browser history or cached credentials, across any browser on the device. Real employees visit personal sites on work machines; this is normal and expected.
No personal applications installed
The device contains only work-issued software with no personal choices: no personal productivity apps, games, messaging applications, media players, photo libraries, or tools installed at the user's discretion rather than by IT policy.
Unrealistically disciplined application usage
Application telemetry shows the device is used only during declared work hours, for only work-sanctioned software, with no drift or off-hours activity. This level of discipline is statistically rare among real employees and suggests scripted or controlled operation.
No personal file artifacts
The file system shows no personal documents, downloads, photos, or personal project files. Downloads consist exclusively of work-related materials, and file metadata shows no personal authorship or personal email addresses.
Pristine work accounts
Email and calendar accounts show patterns consistent with role performance rather than authentic daily work: no personal forwards, no off-topic threads, no casual internal exchanges, and calendar entries that exactly match the expected job description.
Relevance to Social Engineering Attacks
Attackers and fraudsters who construct long-term fake employee identities must configure a device to appear as a legitimate work machine. While they can install work applications and follow work processes, they frequently fail to reproduce the accumulated personal character that develops naturally on a genuine employee's machine over months or years.
Key attack-related patterns include:
Ghost employee and AI worker operations
In sustained fraud campaigns where fake employees are placed within organizations, the supporting device is configured to mimic an employee environment. The absence of authentic personal usage traces distinguishes a purpose-built fraud machine from a real person's work laptop.
Recruited insider with a secondary device
A complicit insider operates a secondary, clean device for fraudulent activity while using their personal work machine normally. The secondary device is used exclusively for role-playing the fraudulent identity, producing an unnatural work-only profile.
AI-assisted persona maintenance
In operations where language models or scripted automation partially handle email and messaging, the device's usage profile becomes unnaturally consistent: responses are generated, meetings are attended, but no ambient personal usage accumulates.
Examples of Behavioral Patterns
This detector is effective at surfacing:
New device with no personal history after extended tenure
A device used by a claimed employee of two years that shows no personal browsing history, no personal account logins, and no personal files is inconsistent with normal human device use.
Identical usage profiles across different claimed identities
When multiple supposed individuals produce the same sterile usage signature (same installed applications, same absence of personal activity), this suggests a common template or operator rather than independent individuals.
Suspiciously bounded working hours
Device activity that starts and stops exactly at declared working hours, with no weekend browsing, no early-morning email checks, and no accidental personal activity, reflects a controlled or automated operation rather than a real person.
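The following is an added example, not part of the original detector or any product's code, showing one way to evaluate the indicators and the shared-template pattern above over per-device telemetry. The record fields, the 180-day tenure floor, the declared hours, and the sample devices are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# All field names, thresholds and sample records are constructed assumptions.
IT_APPS = frozenset({"vpn", "office", "chat"})  # software pushed by IT policy
WORK_START, WORK_END = 9, 17                    # declared hours, local time
WEEK = ["2024-03-04T09:00", "2024-03-04T16:59", "2024-03-05T09:00"]

def dev(identity, tenure_days, personal_domains, user_apps, personal_files, events):
    return {"identity": identity, "tenure_days": tenure_days,
            "personal_domains": personal_domains,
            "installed": IT_APPS | set(user_apps),
            "personal_files": personal_files, "events": events}

DEVICES = [
    dev("a.lee", 730, 0, [], 0, WEEK),
    dev("b.kim", 400, 0, [], 0, WEEK),
    dev("c.ortiz", 900, 14, ["media_player"], 37, WEEK + ["2024-03-09T21:15"]),
    dev("d.new", 10, 0, [], 0, WEEK),  # recently issued: sterility is expected
]

def off_hours_fraction(events):
    """Share of events on weekends or outside the declared hours."""
    off = 0
    for ts in events:
        t = datetime.fromisoformat(ts)
        if t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END):
            off += 1
    return off / len(events) if events else None

def sterile_indicators(d, min_tenure_days=180):
    """Names of the work-only indicators a device matches."""
    if d["tenure_days"] < min_tenure_days:
        return []  # too new for missing traces to be meaningful
    checks = {
        "no_personal_browsing": d["personal_domains"] == 0,
        "no_personal_apps": not (d["installed"] - IT_APPS),
        "no_personal_files": d["personal_files"] == 0,
        "bounded_hours": off_hours_fraction(d["events"]) == 0,
    }
    return [name for name, hit in checks.items() if hit]

def shared_templates(devices, min_hits=4):
    """Identities whose fully sterile devices share one installed-app set."""
    groups = defaultdict(list)
    for d in devices:
        if len(sterile_indicators(d)) >= min_hits:
            groups[frozenset(d["installed"])].append(d["identity"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]
```

The tenure gate keeps a freshly issued device from alerting, and a device with no activity events at all is not counted as having bounded hours.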