Since the Morris Worm, organizations have spent billions on security awareness training. But attackers don't need zero-days when they can just call your help desk.
Since the Morris Worm, organizations have spent billions of dollars over four decades trying to reduce the risk of a cybersecurity breach by embracing mandated security awareness training and common security standards. This has been successful at keeping auditors content, but it has done little to secure the organizations themselves. Day after day, new breaches are reported by major companies with little more than a whimper.
The GhostEye founding team first met while defending the world's most prominent financial institution, where we spent years trying a different approach. We thought like attackers, trying to prevent a potential incident by ensuring defenders were well trained at defense. This wasn't a hypothetical for us. We would take action, gaining access in ways that our organization couldn't anticipate, and every time helping defenders expand their understanding of the attack surface. Collectively, members of GhostEye have run offensive operations, built red teams, led defensive exercises, and conducted comprehensive social engineering campaigns against the world's most defended organizations. As scholars of our craft, every engagement taught us a lesson: defenders focus on technical controls they can measure, while attackers focus on humans they can manipulate and exploit. That gap between paradigms hurts defenders, who are primarily reactive. Attackers gain a first-mover advantage, choosing where and when an attack happens. Attackers get to set the tempo, and often the already overworked staff at victim organizations can't keep up.
Training only works when a defender can detect, identify, and acknowledge an attack. When a defender can't, the best-trained operators may as well not exist. GhostEye's mission is to invert this dynamic and give defenders the advantage in setting the tempo.
The cybersecurity industry has become lethargic, letting automated sensors do its intellectual work for it. Quarterly training, an alert, and organizations wash their hands of their responsibility to defend, confident that liability has been passed along. This security theater has been taken advantage of by cybercriminal groups like Scattered Lapsus$ Hunters, who are working to create new organized crime ecosystems that incentivize people to act as the vulnerable gap in the defense.
Organizations negligently consider human attack vectors as compliance theater. Managers ensure that training gets done to make sure they get their bonus. Employees ensure that their training gets done to get good reviews. Security has become a secondary consideration for security professionals, and a forgotten component for most of an organization's employees.
Only 38% of organizations conduct monthly security awareness training, while 40% stick to infrequent training (18% annually, 12% twice yearly, 10% quarterly), treating education like a checkbox rather than ongoing validation. Looking forward, AI-powered training platforms promise to solve this with personalized, adaptive content delivered more frequently, but more frequent education for an employee base that doesn't care is still just box-checking, except this time even the educators are passing the effort over to automation. The industry is checking the box faster, but the premise is still flawed.
When organizations test employees, it's with templated phishing emails that employees can spot immediately, and then they declare victory when click rates drop. Some employees even take pride in not checking their email as a way to pass phishing training, causing a breakdown in company operations that has a measurable financial impact. Microsoft's data shows that awareness training by itself yields only a 3% reduction in phishing click rates: a negligible amount that looks great on a slide deck for executives, but might give adversaries a chuckle when they manage to breach your organization anyway.
This approach is not working. That's not a solution; that's statistical noise. When someone calls your help desk sounding distressed, or your CEO texts about an urgent transfer, training goes out the window because, at the end of the day, employees are more conditioned to respond fast than they are to think critically about the messages they're receiving.
What about organizations that go beyond training toward actual validation? They often turn to Breach and Attack Simulation (BAS) platforms that continuously test whether security controls work the way a vendor claims they do. The findings don't inspire confidence. Among 400 Information Technology security professionals surveyed, only 17% say their BAS solution delivers "tremendous value." More concerning, even when they say a BAS platform worked perfectly, they only test technical controls. They validate whether a firewall can block an attack, but not whether the help desk would let attackers bypass it with a convincing phone call. At every step of the validation process, organizations fail to test the human component.
Regulatory requirements themselves reveal the problem. While the Securities and Exchange Commission (SEC) requires risk management strategy disclosure and the Office of the Comptroller of the Currency (OCC) examines cybersecurity controls every 12-18 months, neither regulator requires institutions to validate that employees themselves are resistant to social engineering attempts. The Health Insurance Portability and Accountability Act (HIPAA) mandates "workforce training on policies and procedures" but provides no framework for testing an employee's ability to resist an attempt by a motivated malicious threat actor. Organizations can achieve perfect compliance scores across every regulatory framework and still remain completely unprotected against social engineering attempts aimed at unprepared employees.
Organizations can no longer afford compliance theater. Before a breach, they need to know which employees would hand over credentials, reset MFA without verification, or bypass security procedures under pressure. Training shows what people learned. Testing shows how they'll actually behave when targeted.
At GhostEye, we leverage multi-agent systems to orchestrate sophisticated social engineering campaigns that mirror real-world attacks. Our autonomous agents go beyond testing the checkbox of whether an employee clicks a phishing link, or fails a test. They are trained to execute a complete attack chain using tactics, techniques, and procedures that a real adversary would use. When social engineering succeeds, GhostEye agents move laterally within the network looking for additional infrastructure to compromise, escalate privileges to collect as much persistent access as possible, all while pushing the boundary on stealth to remain undetected by existing security controls.
GhostEye is a company built by red-teamers who have evaded the defenses deployed by the world's most important institutions. We go as far as necessary to show you the full impact a successful social engineering attempt can have in your production environment, and we do it with safety and security at the forefront.
Our platform deploys at least three specialized agents to accomplish this goal. Agent 1 builds a convincing fictional persona with a comprehensive digital footprint and professional references. Agent 2 conducts deep Open Source Intelligence (OSINT) into the subject, mapping organizational relationships and identifying key personnel to ensure a complete understanding of the subject's defensive perimeter. Agent 3 dynamically generates AI voice clones of real world individuals to coordinate impersonation attacks across multiple channels.
These three agents operate continuously, sharing intelligence and adjusting tactics in real time. They aren't a script that runs; they're a flexible, adaptive autonomous system designed to persistently engage a subject the way a motivated cybercriminal would. When professional networking fails to build sufficient trust, the system adapts by pivoting to an alternative approach. It may engage in phone-based voice synthesis or SMS campaigns, or it may leverage different personas entirely to ensure that it accomplishes its task. If the subject resists authority-based appeals, agents shift to peer-influence tactics informed by OSINT research.
This continuous operation is calibrated to your organization's risk tolerance and will never go beyond the boundaries you have set. High-risk roles may be validated monthly, while lower-risk employees may be tested quarterly, with sufficient variation applied to the engagement approach to ensure that employees have difficulty pattern-matching to identify tests. This builds resilience. This ensures success.
GhostEye's agents achieve production safety through experience. By simulating millions of attacks in environments that mirror production infrastructure, GhostEye's agents learn what actions trigger alerts, what actions remain undetected, and how to operate safely at scale. This dynamic feedback loop of action and reflection means every client engagement benefits from the collective intelligence of thousands of previous simulations, ensuring that GhostEye can deliver clear, verifiable, actionable insights that quantifiably improve security posture.
As a cultural priority, we map EVERYTHING to industry standards. Every attack scenario uses the MITRE ATT&CK framework to describe threat behavior as a GhostEye agent moves across the kill chain. When GhostEye identifies an exploitable human vulnerability, we don't just report "Employee X, John Doe, clicked a link"; we show you the complete attack flow that followed from the initial security failure. GhostEye highlights which security controls failed to detect lateral movement and the exact mechanism a GhostEye agent used to gain domain administrator privileges.
Then, once we've comprehensively reviewed the engagement, we give you the fix to ensure that you are empowered to defend yourselves against an adversary: GhostEye will highlight specific verification procedures for high-risk roles, detection rules for the attack techniques that succeeded, and policy recommendations that take into account the real behavior of a victim under pressure.
This is our promise: as the paradigm shifts from human-awareness training to human-centric security validation, GhostEye will ensure you can understand and defend your attack surface. Just as red teams simulate sophisticated technical attacks against infrastructure, GhostEye simulates sophisticated social engineering attacks against people. When the next breach happens, it won't be because your firewall failed; it will be because someone convinced a human to let them in.
The Lapsus$ group proved this when they systematically breached Microsoft, NVIDIA, Samsung, and Okta. They proudly flaunted that they accomplished this not through zero-day exploits, but by calling help desks with convincing stories. They targeted outsourced help desk support where personnel could elevate privileges, exploiting supply chain relationships with devastating effectiveness. After the Red Hat Consulting GitLab breach, Lapsus$ advertised that they were actively recruiting vulnerable employees to target.
Security teams shouldn't learn about novel social engineering techniques from breach reports; they should be drilling their defenses against these attacks before attackers start knocking. Organizations need to treat the human attack surface with the same continuous, rigorous testing they already apply to technical infrastructure.
GhostEye's approach through human-centric security validation acknowledges a fundamental truth: it is impossible to train people out of being human, but you can ensure that the best qualities of being human are highlighted. Instead of fighting human psychology, we work with it, building security controls and processes that account for how people actually behave under pressure, not how we wish they would behave after training. It is a foolish warrior who sees an enemy as they wish and not as they are – and that's twice as true for how defenders view themselves. The future isn't about eliminating human error; it's about understanding it, measuring it, and accounting for it.
The next major breach won't come from a technical vulnerability; it will come from a human one.
While you're scheduling quarterly training sessions to pass liability and conduct security theater, motivated threat actors are deploying AI agents that can engage every employee in your organization simultaneously to find their way in.
The organizations most prepared for the next wave of attacks won't be the ones with the best training programs, but the ones that took defense seriously and reinforced their entire defensive posture, including the humans who defend the walls.
Here at GhostEye we're working to define a new standard for defense by going back to the fundamentals. Train people through drills and action, not talks and lectures. For the industry, the question isn't whether organizations will validate their human attack surface; it's whether they'll do it before or after the major breach that cripples the company and causes chaos.
Getting started is simpler than you think. Initial setup requires minimal configuration: GhostEye only requires read-only access to directory services and publicly available OSINT. GhostEye provides your security team with comprehensive attack reporting and remediation guidance without specialized training.
Think your people are ready? Prove it. Book a demo.