For decades now we’ve been locked in a game of cat and mouse: attackers develop a new technique and defenders catch up, or defenders introduce a new control and attackers adapt. From the evolution of network security to identity and access control, many of our technical controls have matured into strong and reliable defences. Yet, as we continue to see in the media, attackers still get in, compromising even the most mature and secure environments in seemingly simple ways.
Some might think this is because our tools have failed, but it isn’t quite so simple. The battleground has shifted, and our tools just weren’t built to succeed in this new environment.
The Landscape has Shifted
Many of today’s breaches don’t begin with zero-day exploits or sophisticated malware. They begin with people. A distracted employee, a well-meaning contractor, or even a convincing AI-generated deepfake. Attackers no longer need to force their way in; they just need to convince or manipulate someone into letting them in.
From high-profile breaches like Twitter back in 2020, MGM and Caesars in 2023, and even the attacks on the UK retail sector in 2025, a pattern is clear: the new attack surface is human behaviour. Yet our existing defences still focus almost entirely on systems.
Human-centric attacks are nothing new. However, our traditional focus on system-centric defences has encouraged attackers to double down on human exploitation. Instead of being deterred by the security controls we’ve built, they’ve innovated, creating more efficient ways to manipulate the people we’ve forgotten to protect.
We Need to Rethink Security
Currently, our security teams are drowning in alerts, many of which they can’t action. Our users are bombarded with training, most of which they don’t remember. And attackers are slipping through the cracks, not because we didn’t have the data, but because we can’t connect the dots or intervene when it matters.
The last thing we need is more alerts or more training. A solution that generates more alerts will only exacerbate the problem, and it is impossible to train users to identify and understand every type of cybersecurity threat out there, especially in a world where AI-powered deception is growing.
What we need is an intelligent, user-centric security solution: one built around visibility, contextualisation, and real-time intervention at the human layer, shifting our focus from “what are our systems doing” to “how are our people being targeted, and why”.
Behavioural Intelligence
We should start by collecting and correlating environmental and behavioural telemetry from the tools and systems our people use every day. Using this, we can detect early signs of human compromise and answer questions such as the following long before an attacker has an opportunity to escalate them into a breach.
Is a user reusing passwords found in a breach?
Are they joining unexpected SaaS tenants for the first time?
Have they entered credentials into a known phishing website?
Are they uploading confidential data into GenAI platforms?
Are they receiving suspicious MFA push notifications?
Each of these may seem minor in isolation; together, however, they paint a clear picture of behavioural risk and provide a chance to act.
Real-Time Intervention
Simply identifying more risks and active threats doesn’t get us much further than where we are now, though. The next step is key: automated, real-time intervention.
With this behavioural intelligence at hand, we’re in a position to detect risky or suspicious behaviour and respond. And we can respond immediately and in context, through the end users themselves, without adding to the alert fatigue of our security teams.
This doesn’t mean we simply block everything though. This means working with the user, not against them:
Nudging them to verify unusual activity.
Guiding them to reset a weak password.
Explaining, in the moment, why uploading source code to ChatGPT poses a risk.
Automatically restricting access if behaviour crosses a pre-defined threshold.
This is where nudge theory meets autonomous defence: embedding security into the natural flow of day-to-day work. It allows our people to resolve risk before it escalates into an incident, without the SOC even needing to get involved.
If 20,000 users are found using compromised passwords, don’t raise 20,000 tickets. Inform them, nudge them to reset it, and many will fix it within minutes.
If a user joins a suspicious SaaS tenant, intervene directly: offer just-in-time education, nudge them to confirm intent or provide a warning, and unlink the account if needed.
If an employee pastes source code or confidential data into a GenAI prompt, notify the user, redact it immediately, log the event, and block future access if repeated.
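As an added illustration (not code from the original article), the following Python engine correlates the behavioural signals listed above per user and maps the result to the tiered interventions described in this section. The signal weights, the 24-hour window, the score thresholds and the telemetry events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SIGNAL_WEIGHTS = {  # illustrative weights (assumed, not from the article)
    "breached_password_reuse": 30,
    "new_saas_tenant": 20,
    "phishing_credential_entry": 45,
    "genai_confidential_upload": 35,
    "mfa_push_unexpected": 10,  # minor on its own; a burst is handled below
}
WINDOW = timedelta(hours=24)  # assumed per-user correlation window

# Constructed telemetry: (timestamp, user, signal, reporting system).
EVENTS = [
    ("2025-06-01T09:00:00", "alice", "breached_password_reuse", "idp"),
    ("2025-06-01T09:05:00", "alice", "phishing_credential_entry", "browser"),
    ("2025-06-01T09:06:00", "alice", "mfa_push_unexpected", "idp"),
    ("2025-06-01T09:06:30", "alice", "mfa_push_unexpected", "idp"),
    ("2025-06-01T09:07:00", "alice", "mfa_push_unexpected", "idp"),
    ("2025-06-01T11:00:00", "bob", "new_saas_tenant", "sso"),
    ("2025-06-01T14:00:00", "carol", "genai_confidential_upload", "dlp"),
    ("2025-06-01T16:00:00", "carol", "genai_confidential_upload", "dlp"),
    ("2025-06-01T17:00:00", "dave", "mfa_push_unexpected", "idp"),
]
NOW = datetime(2025, 6, 1, 18, 0)  # constructed "current time" for the run

def correlate(events, now):
    """Per user: (risk score, signal counts) over the window ending at `now`.
    Each repeat of the same signal adds a further 25% of its weight."""
    counts, scores = defaultdict(lambda: defaultdict(int)), defaultdict(float)
    for ts, user, signal, _ in events:
        if now - WINDOW <= datetime.fromisoformat(ts) <= now:
            counts[user][signal] += 1
            scores[user] += SIGNAL_WEIGHTS[signal] * (1 + 0.25 * (counts[user][signal] - 1))
    return {u: (int(scores[u]), dict(counts[u])) for u in counts}

def choose_intervention(score, counts):
    """Map correlated risk to the tiered, user-facing response the article describes."""
    if (score >= 80                                            # risk threshold crossed
            or counts.get("mfa_push_unexpected", 0) >= 3          # MFA push burst
            or counts.get("genai_confidential_upload", 0) >= 2):  # repeat offence
        return "restrict"  # restrict access automatically; SOC informed
    if score >= 40:
        return "guide"     # guided remediation, e.g. a password reset in the moment
    if score > 0:
        return "nudge"     # confirm intent / just-in-time education
    return "none"

def triage(events, now):
    return {u: (s, choose_intervention(s, c)) for u, (s, c) in correlate(events, now).items()}
```

Running `triage(EVENTS, NOW)` shows a single unexpected MFA push earning only a nudge, while a burst of three, or a repeated confidential upload, crosses into automatic restriction even when the raw score alone would not.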
Humans – our First Line of Defence
The old narrative is that “people are our weakest link”. This is wrong, or at least it’s outdated.
When provided with the right support, visibility, and feedback, people can become our most adaptive and scalable line of defence. Not a weak link, not a passive recipient of training, but an active and key participant in security.
To defend against threat actors in the current cyber-threat landscape, we need to shift:
From awareness to intelligence-driven protection.
From alerts and policies to real-time defence playbooks.
From seeing users as risks, to seeing them as part of the solution.
Security isn’t just about keeping systems safe. It’s about protecting the people who use them. And if we do it right, we will protect everything else too.