ZTA-RAD - Zero Trust Architecture – Risk Assessment Dataset

Insider threats constitute one of the main risks to information security, particularly in corporate environments that handle sensitive data. Unlike external threats, these attacks exploit valid credentials and prior knowledge of the infrastructure, rendering traditional perimeter-based security models insufficient. In this context, Zero Trust Architecture (ZTA) emerges as an essential paradigm, adopting the principle of “never trust, always verify” through continuous verification, microsegmentation, and real-time monitoring. Motivated by the lack of datasets specifically designed for this scenario, this work proposes ZTA-RAD (Zero Trust Architecture – Risk Assessment Dataset), derived and expanded from CERT, incorporating logon, device, and HTTP access metrics. The dataset was labeled through two approaches: (i) expert curation and (ii) risk analysis performed by five LLMs. For evaluation, training and validation experiments were conducted with three machine learning algorithms (MLP, Random Forest, and SVM), under both balanced and imbalanced scenarios. The results indicate that MLP and Random Forest achieved superior performance, particularly after balancing with SMOTE, while SVM proved more sensitive to imbalance. Furthermore, it was found that expert labeling enabled the construction of more consistent classifiers compared to LLMs, highlighting the importance of human curation. In summary, this work contributes by providing a novel dataset for the study of insider threats in ZTA, offering methodological and practical support for the advancement of machine learning–based solutions.