Overview
The insider risk agent is designed to have minimal impact on user endpoints. In most cases:
- CPU usage is very low and does not affect device performance.
- There is little or no user-facing indication the agent is running at all.
However, because the agent continuously monitors file system activity, certain conditions—such as high-I/O workloads, interactions with other security tools, or certain software development tasks—can cause a temporary increase in CPU usage.
This article describes how the insider risk agent uses CPU resources, what normal usage looks like, and how to identify and address elevated usage.
How the agent uses CPU
The insider risk agent performs four main tasks that affect CPU usage:
- File system monitoring: The agent monitors file activity in real time to identify exfiltration risks. CPU usage depends primarily on how active the file system is on the endpoint. Developer workstations, build machines, and endpoints with aggressive antivirus (AV) or endpoint detection and response (EDR) scanners tend to generate more file system activity than a typical endpoint.
- Event collection and packaging: As file events occur, the insider risk agent compiles batches of event metadata to be sent to the Incydr cloud. CPU usage for event metadata processing is intermittent: short bursts during each batch, with idle periods in between.
- Network encryption and upload: The insider risk agent uses TLS to encrypt and transmit events to the Incydr cloud. Encrypting and uploading a large batch of events can cause brief CPU spikes.
- Background tasks: Periodic operations such as health checks and agent upgrades are short-lived and have minimal effect on CPU usage.
Normal CPU usage
Under typical conditions, the insider risk agent uses 0–4% CPU and approximately 100 MB of memory. It is normal for endpoints to experience short periods of higher CPU usage, but usage quickly returns to a low baseline.
Examples
- Typical user laptop/desktop: 0–4% at idle, with occasional spikes to 5–10% for a few seconds during intensive user actions such as copying a folder with many files or uploading a large number of files to cloud storage.
- Developer workstation or build server: Short CPU spikes of up to 10–20% of a single processor core during active builds or large file operations (such as cloning a large repository).
Expected CPU spikes
Some activities require higher CPU usage for a short time:
- Initial agent installation: When first installed, the insider risk agent performs an initial file inventory, which temporarily increases CPU usage. Usage returns to a low baseline once the inventory is complete.
- Agent upgrades: Automatic upgrades to a new version of the insider risk agent may cause a brief spike during the update process.
- Large file operations: Moving large folders, cloning code repositories, compressing archives, or bulk cloud sync operations can generate a high volume of file events in a short time, which may temporarily use more CPU resources.
Troubleshooting unexpected high CPU usage
If CPU usage is elevated outside of the scenarios above, the most common causes are:
- AV and EDR interaction. When Incydr and AV and EDR tools monitor the same files, each tool's access can trigger the other to re-scan, creating a feedback loop. See Reducing interaction with AV and EDR tools below.
- Noisy system directories. Temporary or build directories with frequent file activity can cause continuous scans if they haven't been excluded from monitoring. See File event exclusions for details about how to exclude specific processes and file paths from Incydr monitoring.
Reducing interaction with AV and EDR tools
In most cases, Incydr works seamlessly with AV and EDR tools and does not require any configuration changes. In rare cases, however, if both tools are scanning the same files, one tool's file access can trigger the other to re-scan, creating a cycle that amplifies CPU load. If you identify sustained high CPU usage related to AV or EDR tools, adding exclusions to those tools may help. See Best practices for using Incydr with EDR software for details.
When to contact support
If CPU usage regularly exceeds the ranges above, or you observe sustained high usage with no obvious associated file activity, contact our Technical Support Engineers with the following information:
- Insider risk agent version and operating system version on the affected endpoint.
- A description of the workload on the machine (standard user, build server, etc.).
- Any AV and EDR tools installed on the endpoint.
- Agent logs from the affected endpoint.
- CPU usage graphs or screenshots.
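Before opening a ticket, it can help to check recorded CPU samples for the agent process against the ranges in this article. The following is an added example, not vendor code: the sample format, the function names, and the 60-second cutoff for "sustained" are assumptions, and the sample data is constructed.

```python
# Added example: triage CPU samples of the agent process against this article's ranges.
# Assumption: samples are (seconds, cpu_percent) pairs exported from your own monitoring.

BASELINE_MAX = 4.0                      # article: 0-4% under typical conditions
SPIKE_MAX = {"user": 10.0,              # article: spikes to 5-10% on a typical laptop/desktop
             "developer": 20.0}         # article: 10-20% of one core on dev/build machines
SUSTAINED_SECS = 60                     # assumption: the article only says "a few seconds"


def episodes(samples):
    """Group consecutive samples above the baseline into (start, end, peak) episodes."""
    out, start, last, peak = [], None, None, 0.0
    for t, cpu in samples:
        if cpu > BASELINE_MAX:
            if start is None:
                start, peak = t, cpu
            last, peak = t, max(peak, cpu)
        elif start is not None:
            out.append((start, last, peak))
            start = None
    if start is not None:               # series ended while still elevated
        out.append((start, last, peak))
    return out


def triage(samples, profile="user"):
    """Label each elevated episode as an expected spike or something to investigate."""
    results = []
    for start, end, peak in episodes(samples):
        reasons = []
        if peak > SPIKE_MAX[profile]:
            reasons.append("peak above expected range")
        if end - start > SUSTAINED_SECS:
            reasons.append("sustained")
        results.append({"start": start, "end": end, "peak": peak,
                        "verdict": "investigate" if reasons else "expected spike",
                        "reasons": reasons})
    return results


# Constructed sample data: one sample every 5 s; a short spike, then a long plateau.
SAMPLES = ([(t, 2.0) for t in range(0, 30, 5)] +
           [(30, 8.0), (35, 9.5)] +
           [(t, 1.5) for t in range(40, 60, 5)] +
           [(t, 15.0) for t in range(60, 185, 5)] +
           [(185, 2.0)])

if __name__ == "__main__":
    print(triage(SAMPLES, "user"))
```

Episodes marked "investigate" are the ones worth attaching to a support request, along with the file activity, if any, that was occurring at the same time.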
Related topics
- Best practices for using Incydr with EDR software
- Initial file metadata collection scan FAQs
- Deploy the insider risk agent