Continuous threat detection, permission auditing, and compliance monitoring for your recruiting pipeline. Know when something is wrong before damage is done.
* Coverage varies by platform and tier — see Plans.
Pipeline Defender continuously monitors your ATS for insider threats, hiring fraud, and permission drift — visibility into the security blind spot most ATSes leave open. Purpose-built for the recruiting pipeline, not a generic security tool adapted to it.
Your recruiting pipeline handles sensitive PII, compensation data, and executive hiring details. No SSPM tool monitors it. Pipeline Defender changes that.
Recruiters leaving for competitors export candidate databases. Admin accounts access compensation data, interview notes, and EEO records without oversight.
North Korean operatives submit hundreds of AI-generated applications per day using synthetic identities. They've successfully placed workers at hundreds of companies including security firms — per DOJ indictments and CISA advisories.
Most ATS platforms retain audit logs/events for only 30 days. Most compliance frameworks require 1+ year. Without long-term retention, you're flying blind during audits.
Pipeline Defender connects to your ATS via API and begins continuous monitoring. First results appear within minutes.
Connect your ATS via OAuth or API key — credentials you generate yourself, no enterprise procurement required. We validate read-only access and begin ingesting your audit log history. All data encrypted at rest in a private, tenant-isolated vault.
We poll your ATS audit log/events every 5 minutes and capture a fresh permission snapshot. Events retained for 365+ days — your own data, exportable any time.
Detection rules analyze every event. Threat Detection: 26 single-event rules + 8 behavioral pattern detectors + 4 DPRK fraud playbook rules = 38 total. Coverage varies on other platforms — see Plans.
Alerts delivered via Slack, Teams, PagerDuty, or generic webhook. Forward events to Splunk, Datadog, or Sentinel. Triage from the dashboard.
26 single-event rules fire immediately. 8 behavioral pattern detectors analyze event batches. 4 DPRK / fraud playbook rules catch nation-state hiring fraud.
Full 38-rule coverage on Greenhouse (with the Greenhouse Audit Log add-on). SmartRecruiters Threat Detection delivers 14–23 rules (some rules are unavailable due to missing actor IP and certain event types). Lever ships the Identity Watch tier only (9–12 rules — no DPRK fraud playbook, no advanced exfiltration patterns). See the per-platform matrix in Plans.
System takeover and mass data loss.
Privilege abuse and integration tampering.
Data movement and workflow changes that need a second look.
Routine activity worth tracking for audit trails.
Behavioral analysis across event batches catches threats that no single event reveals.
Available on Greenhouse. SmartRecruiters coverage varies (see matrix). Not available on Lever or other platforms.
Detects high-volume programmatic data access indicative of exfiltration via API.
Flags users viewing an unusually high number of candidate profiles.
Catches multiple report exports in a short window — a pre-departure exfiltration signal.
Identifies users logging in from 4+ distinct IPs, indicating credential sharing or compromise.
Detects concentrated activity outside business hours suggesting unauthorized access.
Detects significant data access by API keys rather than interactive users.
Detects create-then-delete webhook patterns used to cover up data exfiltration.
Alerts on activity from non-approved IP addresses or CIDR ranges.
Based on CISA advisories on nation-state hiring fraud patterns.
Available on Greenhouse. SmartRecruiters coverage varies (see matrix). Not available on Lever or other platforms.
Detects 20+ applications from a single source — coordinated fraud indicator.
Detects candidates modified 5+ times — profile tailoring to match job requirements.
Detects rapid multi-candidate deletions — evidence destruction pattern.
Detects newly permissioned users immediately accessing sensitive data.
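To make the batch-level rules above concrete, here is an added example (not Pipeline Defender's own code) that applies four of the thresholds stated on this page to one batch of events: 4+ distinct login IPs, 20+ applications from a single source, 5+ modifications to one candidate, and webhook create-then-delete. The event schema, field names, and rule names are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample batch. The field names (actor, type, ip, source,
# candidate_id, webhook_id) are a hypothetical schema, not a real ATS feed.
EVENTS = (
    [{"actor": "rec1", "type": "login", "ip": f"198.51.100.{i}"} for i in range(4)]
    + [{"actor": "rec2", "type": "login", "ip": "203.0.113.7"}] * 3
    + [{"actor": "api", "type": "application_created", "source": "board-x"}] * 20
    + [{"actor": "api", "type": "application_created", "source": "referral"}] * 2
    + [{"actor": "cand", "type": "candidate_updated", "candidate_id": "c-17"}] * 5
    + [{"actor": "adm1", "type": "webhook_created", "webhook_id": "wh-1"},
       {"actor": "adm1", "type": "webhook_deleted", "webhook_id": "wh-1"},
       {"actor": "adm2", "type": "webhook_deleted", "webhook_id": "wh-0"}]
)

def detect(events, min_ips=4, min_apps=20, min_edits=5):
    """Return a sorted list of (rule, subject) findings for one event batch."""
    ips = defaultdict(set)      # actor -> distinct login IPs
    apps = defaultdict(int)     # source -> application count
    edits = defaultdict(int)    # candidate -> modification count
    created, findings = set(), set()
    for e in events:            # events are assumed to be in time order
        t = e["type"]
        if t == "login":
            ips[e["actor"]].add(e["ip"])
        elif t == "application_created":
            apps[e["source"]] += 1
        elif t == "candidate_updated":
            edits[e["candidate_id"]] += 1
        elif t == "webhook_created":
            created.add(e["webhook_id"])
        elif t == "webhook_deleted" and e["webhook_id"] in created:
            # Only a delete of a webhook created inside this batch counts;
            # removing a long-standing webhook is a different signal.
            findings.add(("webhook_create_then_delete", e["webhook_id"]))
    findings |= {("multi_ip_login", a) for a, s in ips.items() if len(s) >= min_ips}
    findings |= {("application_burst", s) for s, n in apps.items() if n >= min_apps}
    findings |= {("profile_churn", c) for c, n in edits.items() if n >= min_edits}
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(rule, subject)
```

Platforms that omit actor IP or webhook lifecycle events cannot feed the corresponding branches, which is why rule counts differ by ATS.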
Pipeline Defender scans all your ATS users, detects permission changes, scores your security posture, and runs structured access review campaigns.
Permission Audit — included in all PD tiers. Works on every supported ATS platform.
Dormant accounts, over-permissioning, excessive admins, disabled users with active permissions, agency access scope, and confidential job access.
0-100 permission health score with letter grade. Detects new users, deactivations, admin promotions, permission grants and revocations between audits.
Structured approve/revoke campaigns for periodic reviews. Role comparison with outlier detection flags users with more access than their peers.
Pipeline Defender ships with three built-in roles so security teams can detect and respond while administrators retain control of configuration. Roles are additive — Analyst includes everything in Viewer; Admin includes everything in Analyst.
Read-only access across the entire product.
Security observers, compliance leads, and executives. SOC 2 auditors and external reviewers. HR partners who own the ATS but don't operate the security tooling day-to-day.
Everything a Viewer can do, plus day-to-day operational actions.
SOC analysts, IT security engineers, detection engineers, and compliance analysts who pull SOC 2 / GDPR reports on a schedule.
Full configuration and operational control of the product.
Security leads / CISOs, IT administrators owning SaaS lifecycle, and Heads of People Operations who own the ATS account. We recommend keeping the Admin group small, typically 2 to 4 people.
The person operating the security tool isn't the same person who configures it. An Analyst can detect and respond, but cannot disable detections or change webhook destinations to hide alerts. Every Admin action is logged to an immutable audit trail — queryable and exportable for SOC 2, ISO 27001, and NIST 800-53 evidence. SSO with attribute-based role mapping is available on the Identity Watch and Threat Detection tiers.
| Capability | Viewer | Analyst | Admin |
|---|---|---|---|
| Read access | | | |
| See the security dashboard | ✓ | ✓ | ✓ |
| See alerts and audit events | ✓ | ✓ | ✓ |
| See user-permission audit results | ✓ | ✓ | ✓ |
| Operational | | | |
| Acknowledge and resolve alerts | — | ✓ | ✓ |
| Run an on-demand permission audit | — | ✓ | ✓ |
| Trigger event ingestion | — | ✓ | ✓ |
| View and export compliance reports | — | ✓ | ✓ |
| Administrative | | | |
| Manage organization settings | — | — | ✓ |
| Add, edit, or remove user accounts | — | — | ✓ |
| Manage API keys | — | — | ✓ |
| Configure Slack / Teams / PagerDuty webhooks | — | — | ✓ |
| Configure SIEM (Splunk, Datadog, Sentinel) | — | — | ✓ |
| Manage the IP allowlist | — | — | ✓ |
| Deactivate ATS users in response to alerts | — | — | ✓ |
| Connect or reconnect your ATS | — | — | ✓ |
| Rotate encryption keys | — | — | ✓ |
Permission Audit works on every supported ATS. Identity Watch and Threat Detection unlock real-time detection where your ATS exposes an audit feed — coverage varies by platform.
Access governance for the recruiting pipeline. Point-in-time snapshots of users, roles, and permissions, with change detection between audits. No real-time event monitoring.
Available on: Greenhouse, SmartRecruiters, Lever, Teamtailor, Ashby, BambooHR, Workable.
Real-time alerts on identity and credential events. Catch credential theft, privilege escalation, and unauthorized exports before damage is done.
Includes everything in Permission Audit, plus
Available on: Greenhouse, SmartRecruiters, Lever. Rule count varies by platform — Greenhouse 12, SmartRecruiters ~10, Lever ~9.
* Requires audit log/events API access from your ATS
Full insider-threat program with DPRK hiring fraud playbook, advanced exfiltration patterns, and behavioral analytics. For high-risk recruiting orgs.
Includes everything in Identity Watch, plus
Available on: Greenhouse (full 38-rule coverage) and SmartRecruiters (~13–20 rules; some rules unavailable — no actor IP, no 2FA events, no webhook lifecycle events). Not available on Lever, Teamtailor, or other ATS platforms.
* Greenhouse Threat Detection requires the Greenhouse Audit Log API add-on
| Platform | Permission Audit | Identity Watch | Threat Detection |
|---|---|---|---|
| Greenhouse | ✓ | ✓ (12 rules) | ✓ (26 rules — full 38) |
| SmartRecruiters | ✓ | ✓ (~10 rules) | ✓ (~13 rules + partials) |
| Lever | ✓ | ✓ (~9 rules) | — (no candidate events) |
| Teamtailor | ✓ | — | — |
| Ashby / BambooHR / Workable | ✓ | — | — |
Rule-by-rule coverage for each tier and platform is documented in our capability matrix — ask us for the current version.
Pipeline Defender is currently in development. Join the waitlist to get early access on your platform of choice.