Full text
For thirty years, the hardest part of a sophisticated cyberattack was the human labor behind it. Finding the vulnerability. Writing the exploit. Chaining the access. Staying quiet long enough to matter.
That work required teams, time, and tradecraft. It’s the reason nation-state operations looked different from criminal ones, and why most organizations could plan around the gap between them.
That gap is closing.
We are entering what I think of as the Mythos era, in which machines can do in minutes what used to take skilled human operators months. Cybersecurity defenses are improving, but the layer where final decisions are made, the human one, is now the easiest to exploit.
The advantage that protected most organizations, most of the time, is going with it. Precision at scale is no longer a contradiction. It’s a feature.
The Human Stack: what it is and why it matters
Most of the conversation about this shift has focused on what these systems do to vulnerabilities. That conversation is accurate, but incomplete. The harder problem is what machine-speed attacks do to the systems those vulnerabilities ultimately route through: systems that depend on human decisions.
That’s a layer most security programs don’t explicitly own. I call it the Human Stack, the point where every system finally comes down to a person deciding whether a wire transfer goes through, whether an email is trusted, or whether a voice on a phone call is real. We have spent a generation hardening everything above it, and almost nothing on the layer itself.
For most of cybersecurity's history, that was a tolerable bet. Attackers had to choose between going wide and crude, or narrow and precise. The Human Stack held because precision didn’t scale, and scale didn’t achieve precision.
That tradeoff is gone.
What the next wave of attacks looks like
The next wave won’t arrive as malware . It’ll arrive as evidence. A voicemail that sounds exactly like the person it claims to be. A video call with a face you have known for ten years. An email thread that picks up a conversation you actually had, in the cadence you actually use, referencing a project that actually exists. The technical indicators will be clean, and the social indicators will be perfect. The only thing that will be wrong is the conclusion the human is being led to.
Last year, I spent time with the team behind Midnight in the War Room, a documentary premiering August 5 at Black Hat USA. It brings together over 50 experts, from global CISOs and military strategists to reformed hackers and victims of cyber conflict. The conversations were about something that has been happening for a long time and is about to be accelerated: the industrialization of social engineering, and the steady weaponization of the behavioral attack surface.
That surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, and cloud services administrator your business depends on. Your operations going offline may have nothing to do with your own people, and everything to do with someone three vendors deep making a decision under synthetic pressure.
What this means for enterprises
For businesses, this isn’t theoretical. Financial risk is direct. We're already seeing fraudulent wire transfers, manipulated approval chains, and finance chiefs impersonated so convincingly that payments clear before anyone notices.
Operational disruption can come with no malware on your systems. The behavioral attack surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, law firm, auditor, and cloud administrator your business depends on.
A compromised third party, manipulated through a perfectly constructed social engineering campaign, can take your operations offline without leaving a fingerprint anywhere near your network. Most organizations scrutinize their own security posture far more rigorously than the human decision-making environments of the third parties they rely on, leaving that exposure largely unmanaged.
Regulators and insurers are starting to ask harder questions about that exposure, and most organizations don't yet have good answers.
The shift from prevention to resilience
There's a second shift that boards need to start preparing for, and it's bigger than any single control or technology. We're leaving the era in which security success is measured by attacks prevented. We're entering one in which the realistic measure is how quickly an organization recovers when belief fails.
Prevention still matters, and the investments organizations have made in it have been the right ones. But in a world where attacks will sometimes succeed because they're indistinguishable from legitimate activity, prevention alone is no longer a coherent strategy. Resilience is.
What resilience means at the human layer is different from what it means at the technical one. Technical resilience is about systems that fail gracefully and recover quickly. Human resilience is about decision-making environments that can absorb a successful deception, recognize it, and contain it before it compounds. Most organizations have invested in the first. Very few have invested in the second. That's the gap the next decade will judge us on.
What leaders should do
The security stack remains necessary, but this era exposes that even the best systems hand their hardest decisions to humans, and we haven't invested in that layer with the same rigor. Here’s where to start:
Measure recovery, not just prevention
When belief fails, how fast can your organization catch it, contain it, and get back up? That has to be designed into your operating model now, not figured out after an incident.
Design for decision-making under deception
Training people to spot phishing isn't sufficient when the phishing email is indistinguishable from a real one. Build institutional processes that don't rely on a single person making the right call under pressure.
Treat people as operational infrastructure.
Human judgment is a critical system. It needs redundancy and failure protocols, just like any other.
Extend your security culture to your vendor ecosystem
The behavioral attack surface runs through your entire supply chain. Your third-party risk program needs to account for the human layer, not just the technical one.
The window is closing
Midnight in the War Room will make this visible in a way an op-ed cannot.
The Mythos era did not create this problem. It revealed it. The cost of exploiting human decision-making precisely was high enough to keep most attackers out. That barrier is collapsing now.
What comes next will not announce itself. It’ll arrive looking like someone you trust, asking for something that feels completely reasonable, right up until the moment it isn't.
The question is no longer whether your systems can withstand attack. It's whether your people are prepared to make decisions in a world where the evidence itself can no longer be trusted, and whether your organization is built to recover when those decisions go wrong.
We've reviewed and ranked the best cloud antivirus .
This article was produced as part of TechRadar Pro Perspectives , our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
Comments
No comments yet — be the first to weigh in 👇
No comments yet. Be the first!