Modern cybersecurity is extremely good at detecting external attackers.
Firewalls, intrusion detection systems, vulnerability scanners and SAST tools are all designed with one primary assumption: the attacker is outside the organization.
But what happens when the attacker is already inside the codebase?
A developer modifies a financial calculation. An engineer silently removes an audit log. A DevOps operator changes the ownership of a commit.
Each change may look harmless in isolation. But together, they can manipulate financial systems, erase evidence, or create hidden logic that benefits a single individual.
These types of attacks are rarely detected by traditional security tools because they are not classic vulnerabilities. They are intentional manipulations performed by trusted insiders.
This gap led to the creation of ICMF — the Insider Code Manipulation Framework.
ICMF is designed to identify, classify, and analyze patterns of insider-driven code manipulation across enterprise systems.
Instead of focusing on vulnerabilities, the framework focuses on behavioral patterns within code changes.

Examples include:

- financial logic manipulation
- audit trail destruction
- authorization bypass through code changes
- commit ownership manipulation
- hidden recalculation logic

The goal of ICMF is to provide a structured way to describe and detect these patterns.
The framework was created by the team behind SecodX, a platform focused on detecting insider-driven manipulation risks within enterprise software systems.
This article introduces the core concepts behind ICMF and explains why traditional security models struggle to detect insider code manipulation.