OPEN FRAMEWORK • VENDOR-NEUTRAL • PUBLICLY DEFINED

Insider Code Manipulation Framework

ICMF defines a structured taxonomy for identifying patterns of financial manipulation hidden inside enterprise code. It is the first framework focused exclusively on detecting deliberate financial logic abuse in ERP and business-critical software.


Why ICMF exists

No framework existed for financial code manipulation

MITRE ATT&CK gave defenders a language for adversary tactics. OWASP gave developers a language for web vulnerabilities. ICMF gives auditors, CISOs, and security teams a language for something that had no standard before: deliberate manipulation hidden inside legitimate-looking enterprise code.

Traditional SAST tools scan for CVEs and injection patterns. They are built for the external attacker model. ICMF addresses the insider model — where the actor has access, has commit rights, and introduces risk through syntactically correct code that only becomes suspicious when analyzed in context.

ICMF is intent-neutral. It classifies patterns, not people. A rounding manipulation is ICMF-FIN-002 regardless of whether it was introduced deliberately or accidentally. ICMF surfaces evidence — human investigators determine motive.

Technique taxonomy

Five ICMF technique categories

Each category defines a distinct class of manipulation that can be detected, classified, and reported.

ICMF-FIN

Financial Calculation Manipulation

Techniques that alter financial computations to redirect value. Rounding direction changes, fee rate drift, threshold manipulation, exchange rate staleness exploitation. Even fractional changes compound to significant amounts at transaction scale.

FIN-001 Rounding • FIN-002 Fee Rate • FIN-003 Threshold

ICMF-AUD

Audit Suppression

Techniques that reduce visibility of financial activity. Exception swallowing that prevents failed transactions from being logged, time-based log deletion, conditional audit trail skipping. Makes activity invisible to monitoring systems.

AUD-001 Log Deletion • AUD-002 Exception Swallow

ICMF-AUTH

Authorization Bypass

Techniques that circumvent approval workflows in ERP systems. Hardcoded approval conditions, system-user bypasses, threshold changes that avoid dual-approval requirements for financial postings.

AUTH-001 Hardcoded Approval • AUTH-002 Threshold Bypass

ICMF-DATA

Master Data Tampering

Techniques targeting reference data that controls business rules. Vendor master records, bank account numbers, pricing tables, tax configurations. A single account number change can silently redirect all payments.

DATA-001 Vendor Record • DATA-002 Bank Account

ICMF-XSYS

Cross-System Exfiltration

Techniques that move data or value outside the intended system boundary. Unexpected external API calls, data written to accessible locations, cross-company transfers without proper authorization checks.

XSYS-001 External API • XSYS-002 Cross-Company

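A reconciliation check for the rounding-direction pattern described under ICMF-FIN, as an added example (not part of ICMF or SecodX): it sums the difference between exact and posted fees and flags a systematic bias. The fee rate, function names, threshold and sample transactions are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
from math import sqrt

CENT = Decimal("0.01")
RATE = Decimal("0.0175")  # constructed fee rate (assumption)


def fee_half_even(amount):
    """Reference behaviour: banker's rounding to the cent."""
    return (amount * RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)


def fee_truncating(amount):
    """Same formula after a rounding-direction change (always rounds down)."""
    return (amount * RATE).quantize(CENT, rounding=ROUND_DOWN)


def rounding_bias(amounts, fee_fn, z_limit=4.0):
    """Sum (exact fee - posted fee) over all transactions and score it.

    Unbiased rounding leaves residuals roughly uniform within half a cent
    either side of zero, so their sum has standard deviation
    CENT * sqrt(n / 12). A sum many deviations away from zero means the
    rounding consistently favours one side.
    Returns (total_residual, z_score, flagged).
    """
    total = sum((a * RATE - fee_fn(a) for a in amounts), Decimal(0))
    sigma = float(CENT) * sqrt(len(amounts) / 12)
    z = float(total) / sigma
    return total, z, abs(z) > z_limit


# Constructed sample: 2000 transactions from 100.01 to 120.00.
SAMPLE = [Decimal(c) / 100 for c in range(10001, 12001)]

if __name__ == "__main__":
    for fn in (fee_half_even, fee_truncating):
        total, z, flagged = rounding_bias(SAMPLE, fn)
        print(f"{fn.__name__}: residual={total} z={z:.1f} flagged={flagged}")
```

The check is intent-neutral in the same sense as the framework: it reports that residuals are one-sided, not why.
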
Open standard

Not tool-specific

ICMF is publicly defined. Any security tool, audit team, or organization can apply it independently of SecodX. The framework documents patterns — SecodX operationalizes them into production-grade detection.

SecodX + ICMF

From framework to production detection

SecodX implements ICMF detection rules for every technique category, maps each finding to its ICMF code, and displays ICMF badges throughout the interface so audit teams can reference findings by standard technique ID.

ICMF-FIN: Every financial calculation finding is tagged with its ICMF technique code and mapped to the affected business process.
ICMF-AUD: Audit suppression patterns are detected across exception handlers, log writers, and transaction finalizers.
ICMF-AUTH: Authorization bypass is detected in SAP ABAP authority checks, D365 workflow gates, and BC permission sets.