The Adaptive Defence Playbook

Executive Summary

AI is rapidly changing the nature of cyber attacks. This shift has fundamentally changed how social engineering happens, making attacks:

Faster: New tactics appear and iterate rapidly.
Deeper: Multi-step attacks are now embedded in real workflows.
Wider: Multi-channel, cross-role campaigns scale effortlessly.

These new social engineering threats range from AI-generated phishing emails to deepfake cloning that believably impersonates organisational leaders in order to extract sensitive information during phone calls or videoconferences.

Navigation:

Our core belief:

Human risk is a security performance problem. It is trackable through data and intelligence, and treatable through adaptive intervention loops. The goal is continuous risk reduction through sustained behaviour change.

NUMBER OF AI-ENGINEERED ATTACKS

67% report an increase in AI attacks

Over the last 12 months, 67% of security professionals surveyed reported that the number of AI-engineered attacks has increased.

NUMBER OF AI-ENGINEERED ATTACKS

71% report increased scope of AI attacks

The majority of security professionals said that the attacks now include multi-channel attacks, multi-step attacks, deepfakes, emails and SMSes.

According to the European Union Agency for Cybersecurity (ENISA) Threat Landscape report, phishing was by far the most common intrusion method, accounting for around 60% of attempted attacks, leading to malware deployment in the majority of cases. Ransomware is still the most impactful threat in the EU. Internet-exposed services and devices, like smartphones are also high value targets.

In the past 12 months, how have social engineering threats changed in your organisation in each area below?

The bottom line is that traditional attacks are becoming more sophisticated, partly due to AI, and the attack surface has significantly widened. Social engineering is rising fast, putting humans in the front line. This level of variety and increased power requires a wide-ranging, flexible adaptive defence methodology to keep pace with ongoing developing threats.

Our survey polled companies in The Netherlands, Belgium, Luxembourg, France, Germany, Austria, Switzerland, Italy and Spain.

Respondents were predominantly in the 35-44 age range, with almost half (49%) having 3-5 years of work experience. The rest had between 5 and 10 years.

This represents a wide spectrum of different sized companies across several sectors: finance and banking (48%); technology and software (26%); manufacturing and industry (10%); healthcare and pharma (6%); professional services and consulting (6%); and insurance (4%).

Those headline figures make it abundantly clear that organisations need to adapt the ways in which they pre-empt and defend against these new threats. With such a strong emphasis on social engineering, human resilience is becoming a critical cog in an organisation's defence posture. Companies need to reframe cyber defence from incident prevention to speedy behavioural adaptation as part of a comprehensive overall adaptive defence framework, using AI against hackers.

Next: The scale & speed of AI threats