We built a trillion-dollar security industry on top of an unprotected layer | Tech Radar
Overview
News, deals, reviews, guides and more on the newest computing gadgets
Start exploring exclusive deals, expert advice and more
Details
Unlock and manage exclusive Techradar member rewards.
Unlock instant access to exclusive member features.
Get full access to premium articles, exclusive features and a growing list of member rewards.
We built a trillion-dollar security industry on top of an unprotected layer
Cybersecurity has a new fatal blind spot: the human decision layer
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
For thirty years, the hardest part of a sophisticated cyberattack was the human labor behind it. Finding the vulnerability. Writing the exploit. Chaining the access. Staying quiet long enough to matter.
That work required teams, time, and tradecraft. It’s the reason nation-state operations looked different from criminal ones, and why most organizations could plan around the gap between them.
We are entering what I think of as the Mythos era, in which machines can do in minutes what used to take skilled human operators months. Cybersecurity defenses are improving, but the layer where final decisions are made, the human one, is now the easiest to exploit.
The advantage that protected most organizations, most of the time, is going with it. Precision at scale is no longer a contradiction. It’s a feature.
Your security team doesn’t know about half its users
Gartner: Gen AI has broken traditional cybersecurity awareness – what comes next?
Most of the conversation about this shift has focused on what these systems do to vulnerabilities. That conversation is accurate, but incomplete. The harder problem is what machine-speed attacks do to the systems those vulnerabilities ultimately route through: systems that depend on human decisions.
That’s a layer most security programs don’t explicitly own. I call it the Human Stack, the point where every system finally comes down to a person deciding whether a wire transfer goes through, whether an email is trusted, or whether a voice on a phone call is real. We have spent a generation hardening everything above it, and almost nothing on the layer itself.
For most of cybersecurity's history, that was a tolerable bet. Attackers had to choose between going wide and crude, or narrow and precise. The Human Stack held because precision didn’t scale, and scale didn’t achieve precision.
The next wave won’t arrive as malware. It’ll arrive as evidence. A voicemail that sounds exactly like the person it claims to be. A video call with a face you have known for ten years. An email thread that picks up a conversation you actually had, in the cadence you actually use, referencing a project that actually exists. The technical indicators will be clean, and the social indicators will be perfect. The only thing that will be wrong is the conclusion the human is being led to.
Four key areas in cybersecurity that need fresh thinking and actionable steps in 2026
AI security is broken at runtime: Most enterprises don’t realize it yet
Security at machine speed: why the SOC must be rebuilt for the AI era
Last year, I spent time with the team behind Midnight in the War Room, a documentary premiering August 5 at Black Hat USA. It brings together over 50 experts, from global CISOs and military strategists to reformed hackers and victims of cyber conflict. The conversations were about something that has been happening for a long time and is about to be accelerated: the industrialization of social engineering, and the steady weaponization of the behavioral attack surface.
That surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, and cloud services administrator your business depends on. Your operations going offline may have nothing to do with your own people, and everything to do with someone three vendors deep making a decision under synthetic pressure.
For businesses, this isn’t theoretical. Financial risk is direct. We're already seeing fraudulent wire transfers, manipulated approval chains, and finance chiefs impersonated so convincingly that payments clear before anyone notices.
Operational disruption can come with no malware on your systems. The behavioral attack surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, law firm, auditor, and cloud administrator your business depends on.
A compromised third party, manipulated through a perfectly constructed social engineering campaign, can take your operations offline without leaving a fingerprint anywhere near your network. Most organizations scrutinize their own security posture far more rigorously than the human decision-making environments of the third parties they rely on, leaving that exposure largely unmanaged.
Regulators and insurers are starting to ask harder questions about that exposure, and most organizations don't yet have good answers.
There's a second shift that boards need to start preparing for, and it's bigger than any single control or technology. We're leaving the era in which security success is measured by attacks prevented. We're entering one in which the realistic measure is how quickly an organization recovers when belief fails.
Prevention still matters, and the investments organizations have made in it have been the right ones. But in a world where attacks will sometimes succeed because they're indistinguishable from legitimate activity, prevention alone is no longer a coherent strategy. Resilience is.
What resilience means at the human layer is different from what it means at the technical one. Technical resilience is about systems that fail gracefully and recover quickly. Human resilience is about decision-making environments that can absorb a successful deception, recognize it, and contain it before it compounds. Most organizations have invested in the first. Very few have invested in the second. That's the gap the next decade will judge us on.
The security stack remains necessary, but this era exposes that even the best systems hand their hardest decisions to humans, and we haven't invested in that layer with the same rigor. Here’s where to start:
When belief fails, how fast can your organization catch it, contain it, and get back up? That has to be designed into your operating model now, not figured out after an incident.
Training people to spot phishing isn't sufficient when the phishing email is indistinguishable from a real one. Build institutional processes that don't rely on a single person making the right call under pressure.
Human judgment is a critical system. It needs redundancy and failure protocols, just like any other.
Extend your security culture to your vendor ecosystem
The behavioral attack surface runs through your entire supply chain. Your third-party risk program needs to account for the human layer, not just the technical one.
Midnight in the War Room will make this visible in a way an op-ed cannot.
The Mythos era did not create this problem. It revealed it. The cost of exploiting human decision-making precisely was high enough to keep most attackers out. That barrier is collapsing now.
What comes next will not announce itself. It’ll arrive looking like someone you trust, asking for something that feels completely reasonable, right up until the moment it isn't.
The question is no longer whether your systems can withstand attack. It's whether your people are prepared to make decisions in a world where the evidence itself can no longer be trusted, and whether your organization is built to recover when those decisions go wrong.
We've reviewed and ranked the best cloud antivirus.
This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
You must confirm your public display name before commenting
1 Samsung's first ever clip-on earbuds look slated to launch, as odd new name drops in the Galaxy Wearable app
2'We’re seeing a clear divide': Many business leaders admit they only have a 'limited understanding' of AI budgets
3 Dell 27 Plus S2725HSM review: An ultra-simple 1080p business monitor for work
4 How to watch Mexico vs England replay – it's spoiler-free
5 Quordle hints and answers for Monday, July 6 (game #1624)
Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
Key Takeaways
- News, deals, reviews, guides and more on the newest computing gadgets
- Start exploring exclusive deals, expert advice and more
- Unlock and manage exclusive Techradar member rewards
- Unlock instant access to exclusive member features
- Get full access to premium articles, exclusive features and a growing list of member rewards



