Integrating Multi-Agent Simulation, Behavioral Forensics, and Trust-Aware Machine Learning for Adaptive Insider Threat Detection

📅 2026-01-06
🏛️ arXiv.org
🤖 AI Summary
This study addresses the challenge of achieving high detection accuracy while minimizing false positives in insider threat detection, a limitation commonly attributed to insufficient modeling of behavioral intent and contextual dynamics. To overcome this, the authors propose a hybrid framework that integrates multi-agent simulation, behavioral and communication forensics, trust-aware machine learning, and Theory of Mind (ToM) reasoning. Notably, this work introduces ToM-based inference and an email forensics module pretrained on the Enron corpus into a SIEM architecture for the first time, complemented by an evidence-gating mechanism designed to enhance alert credibility. Experimental results demonstrate that the proposed EG-SIEM-Enron variant achieves perfect confirmed-alert precision (1.000), a zero false positive rate, a role-level F1 score of 0.933, and an average detection latency of only 10.26 steps in simulated environments, significantly outperforming the existing baseline systems.

📝 Abstract
We present a hybrid framework for adaptive insider-threat detection that tightly integrates multi-agent simulation (MAS), layered Security Information and Event Management (SIEM) correlation, behavioral and communication forensics, trust-aware machine learning, and Theory-of-Mind (ToM) reasoning. Intelligent agents operate in a simulated enterprise environment, generating both behavioral events and cognitive intent signals that are ingested by a centralized SIEM. We evaluate four system variants: a Layered SIEM-Core (LSC) baseline, a Cognitive-Enriched SIEM (CE-SIEM) incorporating ToM and communication forensics, an Evidence-Gated SIEM (EG-SIEM) introducing precision-focused validation mechanisms, and an Enron-enabled EG-SIEM (EG-SIEM-Enron) that augments evidence gating with a pretrained email forensics module calibrated on Enron corpora. Across ten simulation runs involving eight malicious insiders, CE-SIEM achieves perfect recall (1.000) and improves actor-level F1 from 0.521 (LSC) to 0.774. EG-SIEM raises actor-level F1 to 0.922 and confirmed-alert precision to 0.997 while reducing false positives to 0.2 per run. EG-SIEM-Enron preserves high precision (1.000 confirmed-alert precision; 0.0 false positives per run), slightly improves actor-level F1 to 0.933, and reduces detection latency (average TTD 10.26 steps versus 15.20 for EG-SIEM). These results demonstrate that cognitive context improves sensitivity, evidence-gated validation enables high-precision, low-noise detection, and pretrained communication calibration can further accelerate high-confidence insider threat identification.
Problem

Research questions and friction points this paper is trying to address.

insider threat detection
behavioral forensics
trust-aware machine learning
multi-agent simulation
Security Information and Event Management
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multi-Agent Simulation
Trust-Aware Machine Learning
Theory-of-Mind Reasoning
Evidence-Gated Validation
Behavioral Forensics
Firdous Kausar
School of Applied Computational Sciences, Meharry Medical College
Research interests: Blockchain, IoT, Machine Learning, Digital Forensics, Cyber Security
Asmah Muallem
Department of Computer Science and Data Science, SACS, Meharry Medical College, Nashville, USA
Naw Safrin Sattar
Department of Computer Science and Data Science, SACS, Meharry Medical College, Nashville, USA
M. Kurdi
Department of Computer Science and Data Science, SACS, Meharry Medical College, Nashville, USA