Dave H.

White Paper: Feed Your SIEM Silicon

Guidance from institutions like Carnegie Mellon University's CERT program laid the foundation for modern insider risk strategy. CERT standardized the field and shaped national doctrine. Their work remains essential. But the models built on that foundation—data hubs and endpoint agents—have reached their limit… Agentic threats now operate below the OS: in firmware, out-of-band controllers, and microarchitectures. Often deployed by insiders—sometimes unknowingly—they observe, learn, adapt, and persist without touching the OS. No malware signature. No alert. Just execution.

Dave H.

White Paper: RustDesk Playbook

Executive Summary

RustDesk is an open-source remote-desktop utility whose self-hosting and relay-tunnelling features have made it a favorite of ransomware operators, state-sponsored teams, and trusted insiders seeking unsanctioned remote access. This white paper puts RustDesk through several scenarios involving malicious internal and external actors and translates forensic artefacts into KQL/SPL hunt queries. Any playbook is living, so please take a moment to let us know how we can improve ours. Some of the playbook recommendations included herein have been field tested; others are based on best practices and require independent validation.
