Data threat evaluation systems and methods are described. A data model structure includes a root object query that, when executed, returns a third data subset from the plurality of data types that predate a known threat, the third data subset including data types in both the first data subset and the second data subset; and a model schema to extract, from the third data subset, data types of the first subset that predicate and indicate the threat, the model schema to produce at least an individualized data threat regression model, a script originator regression model, and a script filler data threat regression model using the extracted data types. The system may use the individualized data threat regression model, the script originator regression model, and the script filler data threat regression model back on the data set to identify potential threats. The system can be applied as a fraud, waste or abuse detector.