Since the Morris Worm, organizations have spent billions of dollars over four decades trying to reduce the risk of a breach by adopting mandated security awareness training and common security standards. This approach has succeeded at keeping auditors content, but it has done little to make the organizations themselves secure. Day after day, major companies report new breaches with little more than a whimper.
The GhostEye founding team first met while defending the world's most prominent financial institution, where we spent years trying a different approach. We thought like attackers and used that mindset to prepare defenders before a real incident arrived. This wasn't hypothetical for us. We gained access in ways our own organization couldn't anticipate, and every time we helped defenders expand their understanding of the attack surface.
Collectively, members of GhostEye have run offensive operations, built red teams, led defensive exercises, and conducted comprehensive social engineering campaigns against the world's most defended organizations. Every engagement taught us the same lesson: defenders focus on the technical controls they can measure, while attackers focus on the humans they can manipulate.
That gap hurts defenders, who are primarily reactive. Attackers hold the first-mover advantage: they choose where and when an attack happens and set the tempo, and the already overworked staff at victim organizations often can't keep up.
Training only works when a defender can detect, identify, and acknowledge an attack. When a defender can’t, the best-trained operators may as well not exist. GhostEye’s mission is to invert this dynamic and give defenders the advantage in setting the tempo.
The cybersecurity industry has become lethargic, letting automated sensors do its thinking for it. A quarterly training module and an alert in a dashboard, and organizations consider their duty to defend discharged, confident that liability has been passed on. Cybercriminal groups like Scattered Lapsus$ Hunters exploit this security theater, building organized crime ecosystems that incentivize insiders to become the gap in the defense.
The Validation Gap
Organizations treat human attack vectors as a compliance exercise. Managers make sure training gets done to secure their bonuses. Employees complete it to earn good reviews. Security has become a secondary consideration even for security teams, and a forgotten one for most employees.
Only 38% of organizations conduct monthly security awareness training, while 40% stick to infrequent training (18% annually, 12% twice yearly, 10% quarterly), treating education like a checkbox rather than ongoing validation. As we look forward, AI-powered training platforms promise to solve this with personalized, adaptive content delivered more frequently—but more frequent education for an employee base that doesn’t care is still just box-checking. This time, even the educators are passing the effort to automation. The industry is checking the box faster, but the premise is still flawed.
When organizations do test employees, they use templated phishing emails that employees can spot immediately, then declare victory when click rates drop. Some employees even take pride in not checking email at all as a way to pass phishing tests, causing operational breakdowns with measurable financial impact.
Microsoft found that awareness training alone yields only a 3% reduction in phishing click rates—a negligible amount that looks great on an executive slide deck but might give adversaries a chuckle when they breach your organization anyway.
This approach is not working. It’s not a solution—it’s statistical noise. When someone calls your help desk sounding distressed, or your CEO texts about an urgent transfer, training goes out the window. Employees are conditioned to respond quickly, not to think critically under pressure.
As organizations reflect on this, many turn to Breach and Attack Simulation (BAS) platforms to validate whether security controls work as vendors claim. The findings don’t inspire confidence. Among 400 IT security professionals surveyed, only 17% say their BAS solution delivers “tremendous value.”
More concerning: even when BAS platforms work perfectly, they only test technical controls. They validate whether a firewall blocks an attack—but not whether the help desk would bypass it after a convincing phone call. At every step of validation, organizations fail to test the human component.
Regulatory requirements themselves reveal the problem. The SEC requires risk management disclosures. The OCC examines cybersecurity controls every 12–18 months. HIPAA mandates workforce training. None require validation that employees can resist social engineering by a motivated adversary.
Organizations can achieve perfect compliance scores and still remain completely unprotected against social engineering attacks.
Organizations can no longer afford compliance theater. Before a breach, they need to know who would hand over credentials, reset MFA without verification, or bypass procedures under pressure. Training shows what people learned. Testing shows how they actually behave.
The Ghost in the Machine
At GhostEye, we leverage multi-agent systems to orchestrate sophisticated social engineering campaigns that mirror real-world attacks. Our autonomous agents go beyond checking whether an employee clicks a link. They execute complete attack chains using real adversary tactics, techniques, and procedures.
When social engineering succeeds, GhostEye agents move laterally through the network, escalate privileges, and establish persistence, while probing how far they can go before existing controls detect them.
GhostEye is built by red teamers who have evaded the defenses of the world’s most important institutions. We go as far as necessary to demonstrate the full impact of a successful social engineering attack in production environments—safely and responsibly.
Our platform deploys multiple specialized agents, including:
- Agent 1 builds a convincing fictional persona with a complete digital footprint and professional references.
- Agent 2 conducts deep OSINT, mapping relationships and identifying key personnel to understand the defensive perimeter.
- Agent 3 dynamically generates AI voice clones of real-world individuals to coordinate impersonation attacks across channels.
These agents operate continuously, sharing intelligence and adapting tactics in real time. They are not scripts. They are persistent, adaptive systems designed to engage targets the way real cybercriminals do.
If authority-based appeals fail, agents pivot to peer influence. If professional networking fails, they switch to phone, SMS, or alternate personas—ensuring objectives are achieved.
This continuous operation is calibrated to your organization’s risk tolerance and never exceeds defined boundaries. High-risk roles may be tested monthly, lower-risk roles quarterly, with enough variation to prevent pattern recognition. This builds resilience.
GhostEye's production safety comes from experience. By simulating millions of attacks in environments that mirror production infrastructure, our agents learn what triggers alerts, what goes undetected, and how to operate safely at scale.
Every engagement benefits from collective intelligence gained across thousands of simulations—delivering clear, verifiable, actionable insights that measurably improve security posture.
Every scenario maps to the MITRE ATT&CK framework. We don’t report “Employee X clicked a link.” We show the complete attack flow, failed controls, lateral movement paths, and exact privilege escalation mechanisms.
After each engagement, we deliver fixes: verification procedures, detection rules, and policy recommendations grounded in how people actually behave under pressure.
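The detection rule most directly implied by the scenario above is one that catches the help-desk MFA reset that happened without identity verification, or that was immediately followed by re-enrollment from outside the corporate network. As an added example, not GhostEye's own code or tooling, the Python below runs that logic over constructed audit events; the flat field names (event, actor, target, ticket, verified_by, ip) and the 10/8 corporate range are assumptions about a normalised log schema, not any real identity provider's format.

```python
"""Flag help-desk MFA resets that lack verification evidence or are followed
by re-enrollment from outside the corporate network.

Constructed example: the events below are invented for illustration and the
field names are an assumed normalised schema, not a vendor's log format.
"""
from datetime import datetime, timedelta

# Constructed audit events, one flat dict per log line, deliberately unordered
# so the rule has to sort them itself.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T13:45:02Z", "event": "mfa.reset", "actor": "helpdesk.bob",
     "target": "fin.ops.kwong", "ticket": "", "verified_by": ""},
    {"ts": "2025-03-04T09:02:11Z", "event": "mfa.reset", "actor": "helpdesk.alice",
     "target": "cfo.jsmith", "ticket": "INC-1041", "verified_by": "callback+manager"},
    {"ts": "2025-03-04T09:03:40Z", "event": "mfa.enroll", "actor": "cfo.jsmith",
     "target": "cfo.jsmith", "ip": "10.20.4.17"},
    {"ts": "2025-03-04T13:47:30Z", "event": "mfa.enroll", "actor": "fin.ops.kwong",
     "target": "fin.ops.kwong", "ip": "185.220.101.9"},
    {"ts": "2025-03-04T13:49:12Z", "event": "login.success", "actor": "fin.ops.kwong",
     "target": "fin.ops.kwong", "ip": "185.220.101.9"},
    {"ts": "2025-03-04T15:10:00Z", "event": "mfa.reset", "actor": "helpdesk.bob",
     "target": "eng.pdoe", "ticket": "INC-1077", "verified_by": "id.proofing"},
]

# Assumption: the corporate network is 10.0.0.0/8; anything else is external.
CORPORATE_PREFIXES = ("10.",)
# Re-enrollment this soon after a reset is what an attacker on the phone does.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate_ip(ip):
    """True when the address falls inside the assumed corporate range."""
    return ip.startswith(CORPORATE_PREFIXES)


def find_risky_resets(events, window=ENROLL_WINDOW):
    """Return one finding per suspicious MFA reset.

    A reset is suspicious when (a) no ticket or verification method was
    recorded, or (b) the same target re-enrolls a factor from a non-corporate
    address within `window`. Each finding is (target, actor, [reasons]).
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["event"] != "mfa.reset":
            continue
        reasons = []
        if not ev.get("ticket") or not ev.get("verified_by"):
            reasons.append("no identity verification recorded for reset")
        t0 = parse_ts(ev["ts"])
        for later in ordered[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break  # events are sorted, so nothing later can be in-window
            if (later["event"] == "mfa.enroll"
                    and later["target"] == ev["target"]
                    and not is_corporate_ip(later.get("ip", ""))):
                reasons.append(f"re-enrollment from external ip {later['ip']}")
        if reasons:
            findings.append((ev["target"], ev["actor"], reasons))
    return findings


if __name__ == "__main__":
    for target, actor, reasons in find_risky_resets(SAMPLE_EVENTS):
        print(f"{actor} reset MFA for {target}: " + "; ".join(reasons))
```

Only the 13:45 reset fires: the 09:02 reset carries a ticket and a callback verification and is followed by enrollment from inside the corporate range, and the 15:10 reset has verification and no enrollment at all. The two conditions are deliberately independent so that a reset with a ticket reference but an external re-enrollment minutes later still surfaces; the ticket only proves a process was followed, not that the caller was who they said they were.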
Human-Centric Security Validation
This is our promise: as the paradigm shifts from human awareness training to human-centric security validation, GhostEye ensures you understand and defend your true attack surface.
Just as red teams simulate technical attacks against infrastructure, GhostEye simulates sophisticated social engineering attacks against people.
The next breach won’t happen because your firewall failed—it will happen because someone convinced a human to let them in.
Lapsus$ proved this by breaching Microsoft, NVIDIA, Samsung, and Okta not with zero-days but with social engineering: they called help desks, targeted outsourced support providers, exploited supply chain relationships, and even recruited insiders.
Security teams shouldn’t learn about new social engineering techniques from breach reports. They should be drilling defenses before attackers knock.
GhostEye’s approach acknowledges a fundamental truth: you cannot train people out of being human—but you can design systems that account for human behavior.
Instead of fighting psychology, we work with it. The future isn’t about eliminating human error. It’s about understanding it, measuring it, and accounting for it.
The Path Forward
The next major breach won’t come from a technical vulnerability. It will come from a human one.
While organizations schedule quarterly training to pass liability, motivated attackers deploy AI agents that can engage every employee simultaneously.
The most prepared organizations won’t have the best training programs. They’ll have the strongest defenses—including the humans who guard the walls.
GhostEye is defining a new defensive standard by returning to fundamentals: train through drills and action, not lectures.
The question isn’t whether organizations will validate their human attack surface—it’s whether they’ll do it before or after the breach.
Getting started is simpler than you think. Initial setup requires minimal configuration and only read-only access to directory services and public OSINT.
GhostEye delivers comprehensive attack reporting and remediation guidance without specialized training.
Think your people are ready? Prove it.
Book a demo.
