The Macro: Security Awareness Training Is Broken and Everyone Knows It
I am going to say something that will not surprise anyone who has worked in cybersecurity. The way most companies train employees to recognize social engineering attacks is a joke. It has been a joke for years. And it continues to be a joke because the industry settled on a format that is easy to sell but does almost nothing to reduce actual risk.
Here is the standard playbook. A company buys a security awareness platform: KnowBe4, Proofpoint, or Cofense. The platform sends simulated phishing emails to employees. Some employees click the fake malicious link. Those employees get assigned a training video. They watch the video. They pass a quiz. The company checks a compliance box. Everyone moves on. Then three months later, someone in accounting wires $400,000 to a fraudster who impersonated the CEO on a phone call.
The phishing simulation model was a reasonable idea in 2015. In 2026, it is wildly insufficient. Attackers are not sending poorly formatted emails about Nigerian princes anymore. They are calling your help desk with AI-cloned voices and asking for password resets. They are sending deepfake video messages that look exactly like your CFO. They are texting employees from spoofed numbers with messages that reference real internal projects scraped from LinkedIn posts.
The attack surface has expanded from email to voice, SMS, messaging apps, and video. The simulation tools have not expanded with it. KnowBe4 is a $4 billion company that still primarily tests email. That is like testing your home security by checking whether the front door locks while leaving every window open.
The financial damage from social engineering is staggering. The FBI reported over $12 billion in losses from business email compromise alone in 2025. Voice phishing and deepfake fraud are growing at triple-digit rates. And the common factor in nearly every major breach is that a human made a mistake. Not a firewall misconfiguration. Not a zero-day exploit. A person trusted something they should not have trusted.
The Micro: Two BlackRock Security Veterans Building What Red Teams Cannot Scale
GhostEye is a platform that maps employee attack surfaces, then launches autonomous simulated attacks across every channel attackers actually use: email, voice calls, SMS, and deepfake video. It profiles each employee’s digital footprint, generates personalized attack scenarios, executes the simulations, measures who falls for what, and delivers targeted training based on actual behavior.
Mohammad Eshan is CEO and Charles Antoine Malenfant is CTO. Eshan was the Red Team Lead at BlackRock and ran offensive operations at MITRE. Malenfant was a Senior AI Engineer at BlackRock. That background matters a lot here because this is not a team that read about social engineering in a textbook. These are people who ran real attack simulations against one of the largest financial institutions in the world and saw firsthand where conventional awareness training fails.
The platform has two core components. IRIS, the Integrated Reconnaissance and Intelligence Suite, maps the workforce attack surface. It scrapes public information about employees, social media profiles, job titles, conference appearances, published papers, anything that a real attacker would use to craft a targeted approach. It then builds individual exposure profiles that score how vulnerable each person is based on their digital footprint.
BEACON is the autonomous agent system that actually conducts the simulated attacks. It uses the exposure profiles from IRIS to craft personalized scenarios. This is not generic phishing. If an employee recently posted on LinkedIn about attending a specific conference, BEACON might send them a follow-up email referencing that conference with a malicious link. If a help desk worker is the target, BEACON might call them with an AI-generated voice impersonating a senior executive and request a password reset.
The voice agent testing feature is the one that stands out. It places AI-powered voice calls to help desks to test whether employees will bypass MFA protocols or reset passwords under social pressure from someone who sounds like leadership. This is exactly how real attacks happen. The MGM Resorts breach in 2023 started with a voice call to the help desk. A single phone call led to hundreds of millions in damages.
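As a defender-side illustration of the control that a simulated voice call probes, here is an added example (mine, not GhostEye's code or any vendor's) of a help-desk reset policy that refuses unverified voice or SMS requests outright and escalates privileged or pressured ones for a second reviewer. The policy, field names, pressure cues and sample tickets are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical help-desk policy (constructed for this example, not GhostEye's
# or any vendor's code) for password-reset requests that arrive by voice or SMS.
PRESSURE_CUES = ("right now", "board meeting", "i am the cfo", "urgent", "no time")
OUT_OF_BAND_CHANNELS = {"voice", "sms"}  # caller identity is unproven on these

@dataclass
class ResetRequest:
    ticket: str
    channel: str              # "voice", "sms", or "portal" (MFA-backed self-service)
    claimed_identity: str
    privileged: bool          # admin, finance, or executive account
    callback_verified: bool   # agent ended the call and rang the number on file
    manager_approved: bool
    transcript: str = ""

@dataclass
class Decision:
    ticket: str
    action: str               # "allow", "deny", or "escalate"
    reasons: list = field(default_factory=list)

def evaluate(req: ResetRequest) -> Decision:
    """Unverified out-of-band callers are denied whoever they claim to be;
    privileged accounts and pressure cues always get a second reviewer."""
    reasons = [f"pressure cue: '{c}'" for c in PRESSURE_CUES if c in req.transcript.lower()]
    if req.channel in OUT_OF_BAND_CHANNELS and not req.callback_verified:
        reasons.append("identity not confirmed by callback to the number on file")
        return Decision(req.ticket, "deny", reasons)
    if req.privileged and not req.manager_approved:
        reasons.append("privileged account requires manager approval")
        return Decision(req.ticket, "escalate", reasons)
    if reasons:  # verified caller, but urgency/authority pressure was used
        return Decision(req.ticket, "escalate", reasons)
    return Decision(req.ticket, "allow", reasons)

# Constructed sample tickets, including an "executive on the phone" call.
SAMPLES = [
    ResetRequest("T1", "voice", "cfo@example.com", True, False, False,
                 "I am the CFO, I need this reset right now before the board meeting"),
    ResetRequest("T2", "voice", "analyst@example.com", False, True, False, "locked out"),
    ResetRequest("T3", "sms", "admin@example.com", True, True, False, "please reset"),
    ResetRequest("T4", "portal", "staff@example.com", False, False, False, ""),
]

def triage(requests=SAMPLES) -> dict:
    """Return {ticket: action}, suitable for an audit log or a simulation scorecard."""
    return {d.ticket: d.action for d in map(evaluate, requests)}
```

Run over a simulation's tickets, the same function yields the per-channel failure rate the author asks for: the share of out-of-band requests that would have been allowed without a callback.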
The team is three people, based in New York, part of Y Combinator’s Summer 2025 batch. For a company this early, the founder credentials are unusually strong. Red team experience at BlackRock and MITRE is the kind of background that opens doors with enterprise security buyers who are otherwise skeptical of startups.
The Verdict
GhostEye is building the security awareness tool that should have existed five years ago. The gap between how attackers operate and how companies train employees to resist attacks has been widening every year. Phishing simulations via email are table stakes. Testing across voice, SMS, and deepfake channels is where the actual risk lives now.
The competitive advantage is the attack simulation breadth. KnowBe4, Proofpoint, and Cofense all focus primarily on email. Hoxhunt does adaptive phishing but still within the email channel. GhostEye is the first platform I have seen that treats human vulnerability management the way traditional security treats technical vulnerability management, by scanning every attack surface, not just the easiest one to test.
In thirty days, I want to see a case study from a pilot deployment. What percentage of help desk workers reset passwords during a simulated voice attack? That number tells you everything about whether companies actually need this. In sixty days, the question is whether CISOs will pay for it. Enterprise security budgets are large but they are also heavily committed to existing vendors. GhostEye needs to prove it replaces spend rather than adding to it. In ninety days, I want to know how employees react. If people feel surveilled and hostile, adoption stalls. If they feel like they are getting better at spotting attacks, the product creates its own demand. The difference between security theater and actual security training is whether the training changes behavior. Fake phishing emails stopped changing behavior years ago. It is time for something harder to ignore.