A method for detecting unauthorized and/or malicious hands-on-keyboard activity in an information handling system derived from the telemetry from one or more client systems, tokenizing a plurality of partial values/idiosyncrasies detected in the telemetry to form a plurality of tokens, aggregating the plurality of tokens or features over a selected time window to at least partially develop an aggregate feature vector, submitting the aggregate feature vector to one or more machine learning subsystems, and applying an ensemble model to one or more outputs from the one or more machine learning subsystems to generate an overall behavioral threat score of the potentially malicious hands-on-keyboard activity.