What Is Human Defense in Cybersecurity? The Complete 2026 Guide

Sandy Kronenberg

Chief Executive Officer

Published: June 12, 2026

TL;DR

Human defense is the discipline of protecting people, not just systems, from social engineering, phishing, and AI-driven impersonation. It combines human risk management (HRM), behavior analytics, and identity controls with the layer most programs are still missing in 2026: live deepfake and impersonation detection across voice, video, and email. Sometimes called human-centric cybersecurity or the human firewall, it turns employees from the weakest link into a continuously verified, actively defended layer.

Key Takeaways

  • Most breaches start with a person, not a system. The opening move is almost always a phishing email, a cloned voice, or a fake meeting invite.

  • Awareness training alone has stopped being enough. AI-generated phishing and live deepfakes routinely beat human pattern recognition.

  • Human defense layers training, identity controls, behavior analytics, and impersonation detection into a single program.

  • Human risk management (HRM), human-centric cybersecurity, and the human firewall are overlapping ideas that all sit under human defense.

  • Live deepfake and voice-clone detection is the newest layer, and the one most programs have not yet adopted.

  • A mature human defense program reduces breach likelihood, shortens detection time, and maps to NIST CSF 2.0, ISO 27001, NIS2, and DORA.

The new shape of the human attack surface

Most modern cyberattacks do not break in. They log in, with credentials a person handed over after a convincing phishing email, a cloned voice asking for a wire transfer, or a deepfake on a video call posing as the CFO.

According to Verizon's 2025 Data Breach Investigations Report, the human element was involved in 60% of all breaches. IBM's 2025 Cost of a Data Breach Report puts the average global breach at $4.44 million, with U.S. breaches averaging a record $10.22 million. And the FBI's 2024 Internet Crime Report attributes $2.95 billion in adjusted losses to business email compromise alone.

That is why human defense, sometimes called human-centric security or human risk management, has moved from a nice-to-have awareness program to a discipline of its own. It assumes people will be targeted. It assumes AI-generated impersonation will get past traditional filters. And it assumes the only durable answer is a layered program that trains, monitors, and defends every human interaction as it happens.

This guide covers what human defense actually is in 2026, why awareness alone has stopped being enough, the five layers every modern program needs, and a practical 30/90-day rollout.

What is human defense in cybersecurity?

Human defense is a security strategy that protects users, not only systems, from social engineering, phishing, AI-generated impersonation, credential theft, and insider risk. It treats employees as active participants in security, not the weakest link. A human defense program combines continuous behavioral training, identity and access controls, behavior analytics, and live detection of synthetic or anomalous communications.

Traditional security stops at the firewall, the endpoint, and the email gateway. Human defense extends protection to the moment a person interacts with a message, a phone call, a Zoom window, or a login screen, the moments where attackers are spending most of their effort in 2026.

Human defense vs human risk management vs human firewall

These terms get used interchangeably. They are not identical. Here is how they relate:

| Term | What it means |
| --- | --- |
| Human defense | The umbrella discipline. Includes training, identity, behavior analytics, and active defense (live impersonation detection). |
| Human risk management (HRM) | The data-driven sub-discipline of measuring and reducing human risk. Phish-prone scores, behavior baselines, role-based exposure ratings. |
| Human-centric cybersecurity | A design philosophy: building security around how people actually work, not against it. Sits inside human defense. |
| Human firewall | A metaphor. Employees acting as the first line of defense by spotting and reporting threats. One component, not the whole program. |
| Security awareness training (SAT) | The training and simulation layer of human defense. Necessary, but not sufficient on its own. |

Why human defense matters more than ever in 2026

People-centric attacks have become the default

Cybercriminals shifted years ago from breaking systems to manipulating users. The 2024 DBIR placed the human element in 68% of breaches; the 2025 report's revised methodology (excluding malicious privilege misuse) still puts it at 60%. Either way, more than half of every modern incident hinges on a human decision.

AI changed the economics of social engineering

Three shifts pushed impersonation from a state-actor specialty to a routine attack:

Voice cloning is now a 3-second job. A LinkedIn video, a podcast clip, or an earnings call is enough source material for a convincing clone.

Live video deepfakes run on commodity GPUs. The barrier to on-camera impersonation has collapsed since 2023.

LLMs write fluent, context-aware spear phishing at scale, in any language. The grammar errors employees were trained to spot are gone.

Proofpoint's 2024 State of the Phish reported that one in four employees fell for a phishing attempt in the prior year. Industry surveys from Gartner and Deloitte suggest more than two-thirds of organizations experienced a deepfake-related incident or attempt in the past 12 months.

The work surface keeps expanding

Cloud apps, SaaS sprawl, contractors, BYOD, and hybrid work have multiplied the number of interactions where a person can be tricked. Every Zoom call, every WhatsApp message from a "colleague," every shared link is a potential vector. The perimeter is the person.

Where organizations are most vulnerable

High-risk roles

Attackers do not target people randomly. They target roles with money, access, or authority. The four most-targeted in 2024-2025 incident reports:

Finance and accounts payable. Wire authority, vendor relationships, BEC primary target.

HR and payroll. PII, payroll redirect attacks, recruitment-themed lures.

Executives. Public profiles feed voice cloning; authority makes urgent requests harder to refuse.

IT and security admins. Privileged access, MFA fatigue attacks, vendor-impersonation tickets.

High-risk behaviors

Reusing passwords across personal and work accounts.

Approving urgent requests without verifying through a second channel.

Clicking unexpected links in messages from "known" senders.

Ignoring or dismissing security warnings due to alert fatigue.

Oversharing organizational detail on public channels (org charts, vendor relationships, project codenames).

The Netarx Trust Ops Loop: a 5-layer human defense framework

Most human defense programs in the market today run four of the five layers below. The missing one, live multi-channel impersonation detection (Layer 4 below), is what separates a 2024-era awareness program from a 2026-ready human defense posture.

Layer 1: Adaptive awareness and training

Continuous, role-relevant, scenario-driven training. Short modules instead of annual seminars. Phishing simulations that match the role's actual threat profile. Contextual feedback the second a user clicks a simulated lure. KnowBe4's 2024 benchmark shows continuous programs cut click rates by 60–85% over twelve months versus baseline.

Layer 2: Identity and access assurance

If a credential leaks, identity controls determine the blast radius. The non-negotiables:

Phishing-resistant MFA (FIDO2 / passkeys) for every privileged and high-risk account.

Least privilege as a default; just-in-time elevation for sensitive workflows.

Conditional access tied to device, geography, and behavioral signal.

Quarterly access reviews; automated deprovisioning on role change.

Layer 3: Behavior analytics (UEBA)

Behavior analytics establishes a baseline of normal for each user (typical login times, locations, files, and communication patterns), then flags anomalies. Logins from a new country minutes after a local session, sudden access to a finance share by a marketing user, unusual download volume: these are the breadcrumbs of a compromised account or an insider threat.

Layer 4: Real-time communication trust (the missing layer)

This is where most programs stop short and where modern attackers are now operating. Layer 4 verifies, at the moment of interaction, that the voice on the call, the face on the video, and the email in the inbox are who they claim to be.

Voice: detect synthetic speech and replay attacks during a live call.

Video: catch deepfake and face-swap artefacts inside Zoom, Teams, Webex.

Email: spot impersonation (executive look-alikes, tone or style anomalies, vendor look-alike domains) beyond what SEGs catch.

Netarx is built around this layer: real-time deepfake and impersonation detection across voice, video, and email, designed to plug the gap that no SAT or HRM vendor closes alone.

Layer 5: Continuous improvement and measurement

A program that doesn't measure cannot improve. The metrics every CISO should report monthly:

Phish-prone score, by role and department.

Reported-suspicious-email rate (a leading indicator of culture).

MFA bypass attempts and outcomes.

Anomalous login and behavior alerts triaged.

Impersonation events caught (voice / video / email).

Mean time to detect human-element incidents.

The deepfake problem: why awareness alone cannot solve human defense in 2026

For a decade, human defense meant teaching employees to spot suspicious emails. That model breaks when the suspicious email was written by a large language model in flawless English, the suspicious phone call is a one-shot voice clone of the CEO, or the suspicious Zoom guest is a live deepfake.

In February 2024, an Arup employee in Hong Kong wired roughly $25 million after a video conference where every other participant, including the CFO, was a deepfake. Later that year, attackers attempted to clone the WPP CEO's voice and likeness on a Microsoft Teams call. Ferrari's CEO was impersonated in a 2024 voice-cloning attempt that was only stopped because an executive asked a personal question the attacker couldn't answer.

The human eye and ear can no longer reliably tell a deepfake from a real colleague, not in a 30-second voicemail, not on a Zoom call, not in an urgent Slack DM. Awareness training cannot keep pace with the rate of capability change. What is needed is a defense that runs at machine speed, in the moment of interaction, at the same speed the attack is operating.

How Netarx fits. Netarx provides real-time deepfake and impersonation detection for voice calls, video meetings (Zoom, Teams, Webex), and email. It runs as Layer 4 of a complete human defense program.

The most common human-focused cyber threats

| Threat | How it works | Detection signal |
| --- | --- | --- |
| Phishing (email, SMS, voice) | Mass or targeted lures designed to harvest credentials or trigger a click. | URL reputation, sender anomalies, click telemetry. |
| Spear phishing & whaling | Highly tailored attacks against specific individuals, often executives. | Tone or style anomaly, look-alike domain, behavioral mismatch. |
| Business Email Compromise (BEC) | Compromised or impersonated email used to redirect wires, payroll, or vendor payments. | Auth-record check, vendor-history baseline, urgency cues. |
| Vishing & smishing | Phone or SMS social engineering, increasingly with voice clones. | Synthetic voice detection, caller-ID anomalies, behavior. |
| Deepfake / AI impersonation | Voice clones or live video deepfakes posing as executives or vendors. | Live deepfake detection (voice and video), liveness. |
| Insider threat | Malicious or accidental misuse by an authorized user. | UEBA baseline + sensitive-action monitoring. |
| MFA fatigue / push bombing | Repeated MFA prompts to coerce a user into approving access. | Velocity rules, anomalous geography, FIDO2 enforcement. |
| Credential stuffing | Reused credentials replayed across services after a breach. | Login anomaly detection, bot signal, password hygiene. |

Security awareness training vs human risk management vs human defense

These three are stacked, not competing. Awareness trains; HRM measures and targets; human defense adds active controls.

| | Security Awareness Training | Human Risk Management | Human Defense |
| --- | --- | --- | --- |
| Primary goal | Educate | Measure and reduce per-user risk | Train, measure, and actively defend |
| Method | Training, phishing simulations | Behavioral data, risk scoring | Training + identity + behavior + live detection |
| Cadence | Monthly / quarterly | Continuous | Continuous, in the moment |
| Stops a live deepfake call? | No | No (but flags risky users) | Yes (Layer 4) |
| Outputs | Click-rate dashboards | Per-user risk scores | Risk scores, live blocks, incident response |

How to implement human defense: a 7-step roadmap

You do not need to overhaul your stack. Most teams can move from baseline to a working v1 program in 90 days.

Step 1: Assess human risk exposure (Weeks 1–2)

Run a baseline phishing simulation across the workforce; segment results by role.

Audit logins, MFA enrolment, and access patterns for the last 90 days.

Identify high-risk roles (finance, HR, executives, IT admins).

Survey employees on reporting-process clarity and security pain points.

Step 2: Establish behavior baselines (Weeks 2–4)

Deploy or tune UEBA on the last 30 days of telemetry.

Define what "normal" looks like for the top five at-risk roles.

Tune to anomalies, not noise. Start with a small set of high-confidence signals.

Step 3: Detect threats in real time (Weeks 3–5)

Wire login anomalies into an alert pipeline with automatic step-up auth.

Add synthetic-voice and deepfake detection to high-risk communications (executive calls, finance and AP workflows).

Assign per-user and per-action risk scores; surface them to managers, not just the SOC.

Step 4: Automate response (Weeks 4–6)

Block obvious malicious logins; require MFA step-up for medium-risk ones.

Force password resets on credential-leak signal.

Quarantine suspect emails and notify the recipient with context, not just "blocked."

Define a runbook for live impersonation-detection events.

Step 5: Train continuously (Ongoing from Week 1)

Replace annual training with monthly 5–10 minute modules tied to the role's actual threat profile.

Run phishing simulations every 4–6 weeks to deliver coaching at the moment of failure.

Reward reporting, not just non-clicking. Reporting rates are a leading indicator of program health.

Step 6: Strengthen identity and access (Weeks 6–10)

Roll out FIDO2 / passkeys to privileged and high-risk users first.

Apply least privilege; use just-in-time elevation for sensitive workflows.

Quarterly access reviews; automated deprovisioning on role change or exit.

Step 7: Continuously improve (Ongoing)

Review program metrics monthly; rebalance training and controls toward the riskiest behaviors.

Expand coverage of one channel at a time (email → voice → video → collaboration platforms).

Run an annual tabletop simulating a deepfake CEO incident; close the gaps it exposes.

The human defense maturity model: where are you today?

| Stage | Name | What it looks like | Typical exposure |
| --- | --- | --- | --- |
| Stage 1 | Compliance-driven | Annual SAT to satisfy auditors. No measurement. | High. Most users are untrained against modern tactics. |
| Stage 2 | Awareness-driven | Continuous SAT + monthly phishing simulations. Click rates tracked. | Reduced phishing risk, but no answer to deepfakes or live impersonation. |
| Stage 3 | Risk-driven (HRM) | Behavior-based risk scoring. Targeted training. UEBA in production. | Improved detection of compromised users; still vulnerable to live AI impersonation. |
| Stage 4 | Trust-driven | Real-time multi-channel impersonation detection (voice, video, email) on top of Stage 3. | Lowest. Detection and response run at attacker speed. |

Most organizations cluster at Stage 2 in 2026. Stage 4, what we call Trust Ops, is where Netarx is helping financial-services, legal, and public-sector teams move.

Industry spotlights

Financial services

Wire authority plus executive visibility equals primary BEC and deepfake target. Continuous detection on AP and treasury workflows is the highest-ROI human defense investment in this sector.

Legal

Confidential matters, partner authority, and tight deadlines make law firms an ideal social-engineering target. Voice-clone calls posing as senior partners requesting urgent transfers are increasingly common.

Healthcare

PHI and HIPAA exposure raise breach costs above the cross-industry average. The IBM 2025 report has put healthcare at the top of the cost-per-record table for 13 consecutive years. Phishing remains the dominant initial vector.

Public sector and defense contractors

Targeted by nation-state actors with high-quality social-engineering capability. Live impersonation detection is increasingly being scoped into CMMC, FedRAMP, and DoD contractor security plans.

Compliance and frameworks

Human defense controls map cleanly to the major frameworks, useful when building a budget case or audit response.

| Framework | Where human defense lives |
| --- | --- |
| NIST Cybersecurity Framework 2.0 | Govern (workforce risk), Identify (asset and personnel), Protect (Awareness & Training, Identity Management), Detect (Anomalies & Events). |
| ISO/IEC 27001:2022 | A.6 (people controls), A.7 (physical), A.8 (technical). Specifically, A.6.3 awareness, A.8.5 secure authentication, A.8.16 monitoring. |
| SOC 2 (TSC 2017) | CC2 communication & information, CC6 logical access, CC7 system operations & monitoring. |
| NIS2 (EU) | Article 20 (management body responsibility for training); Article 21(2)(g) (basic cyber-hygiene practices and training). |
| DORA (EU financial) | Articles 13 and 14, ICT risk-management training and awareness, especially for management bodies. |
| PCI DSS 4.0 | Requirement 5 (malware), 8 (auth), 12.6 (security awareness). |

What to look for in a human defense platform: an 8-point checklist

Does it cover all three modern impersonation channels (voice, video, email), or just one?

Does it run live during the interaction, or only post-hoc on logs?

Does it integrate with your existing meeting (Zoom, Teams, Webex), telephony, and email stack without adding new endpoints?

Does it produce per-user and per-event risk scores you can feed into your SIEM/SOAR?

Does it explain its decisions in plain language for the recipient at the moment of the event?

Is it tested against the latest commercial deepfake tools, with public benchmark data?

Does it support the compliance frameworks you are audited against (NIST CSF 2.0, NIS2, DORA, SOC 2)?

Does the vendor publish an incident-response process for false negatives, and have they had any?

Real-world use cases

Stopping an executive impersonation in flight

An attacker books a fake video meeting with a junior controller, posing as the CFO, and asks for an urgent vendor wire. Live deepfake detection in the meeting platform flags synthetic-video artefacts within seconds. The controller sees a contextual warning. The wire is held. The SOC opens an incident. No money leaves.

Catching a BEC payroll redirect

A look-alike domain emails HR with a "new direct deposit form" purportedly from an executive. Behavioral and tone analysis flags the message before HR opens the attachment. The detection rule fires, the message is quarantined, and the employee is notified.
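A minimal sketch of the look-alike-domain signal in this use case, as an added example rather than Netarx's or any vendor's code. The trusted-domain baseline, the confusable-character table, the edit-distance limits, and the sample From headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed vendor/organisation baseline (reserved .example names).
TRUSTED = {"northwind.example", "contoso-payroll.example"}

# Assumed ASCII confusables; Unicode homoglyphs (IDN) are out of scope here.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Use the address, not the display name, which the sender controls freely."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(from_header: str, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain).

    'trusted' only means the string matches the baseline; SPF/DKIM/DMARC
    results still decide whether the message really came from that domain.
    """
    dom = sender_domain(from_header)
    if dom in trusted:
        return ("trusted", dom)
    for good in sorted(trusted):
        limit = 1 if len(good) < 10 else 2  # assumed tolerance by length
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= limit:
            return ("lookalike", good)
    return ("unknown", None)


# Constructed sample headers.
SAMPLES = [
    '"Dana (CFO)" <dana@northwind.example>',
    '"Dana (CFO)" <dana@n0rthwind.example>',
    '"Dana (CFO)" <dana@northvvind.example>',
    '"Dana (CFO)" <dana@nortwind.example>',
    "newsletter@unrelated-vendor.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), header)
```

A "lookalike" verdict is a quarantine-and-notify candidate; an "unknown" one is just a first-time sender and needs other signals before any action.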

Detecting credential theft at the access boundary

A user logs in from the usual office, then again from a new country eight minutes later. Behavior analytics flags the impossible-travel anomaly. Step-up MFA is triggered. Access is blocked when the second session cannot satisfy it. The compromised credential is reset within the hour.
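The impossible-travel check from this use case and from the behavior analytics layer, as an added example that is not taken from any product. The speed and distance thresholds, the action names, and the login records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds (not from the article); tune per environment.
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # ignore GeoIP jitter between nearby points


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float


def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events):
    """Compare each login with the same user's previous one and flag pairs
    whose implied speed no traveller could reach."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        dist = haversine_km(prev, ev)
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (ev.ts - prev.ts).total_seconds() / 3600
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_PLAUSIBLE_KMH:
            findings.append({
                "user": ev.user,
                "from": prev.country,
                "to": ev.country,
                "minutes": round(hours * 60),
                "distance_km": round(dist),
            })
    return findings


def respond(finding, step_up_passed: bool):
    """Response order from the use case: step-up MFA first, then block and
    reset if the new session cannot satisfy it. Action names are hypothetical."""
    if step_up_passed:
        return ["allow_session", "log_anomaly"]
    return ["block_session", "reset_credential"]


# Constructed telemetry; coordinates are approximate city centres.
SAMPLE_LOGINS = [
    Login("j.doe", datetime(2026, 6, 1, 9, 0), "US", 42.33, -83.05),
    Login("j.doe", datetime(2026, 6, 1, 9, 8), "DE", 50.11, 8.68),
    Login("a.lee", datetime(2026, 6, 1, 8, 0), "GB", 51.51, -0.13),
    Login("a.lee", datetime(2026, 6, 1, 11, 30), "FR", 48.86, 2.35),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f, respond(f, step_up_passed=False))
```

Corporate VPN egress points and mobile carrier gateways produce the same pattern legitimately, so treat a hit as a step-up trigger rather than proof of compromise.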

Quick tips: 10 things every employee can do this week

Turn on phishing-resistant MFA (passkey or hardware key) for your work and high-value personal accounts.

Use a password manager. Stop reusing passwords across services.

Verify any urgent money or credential request through a second channel. Call back on a known number.

Hover before you click. If a link destination does not match the visible text, do not click it.

If a senior leader "calls" with an unusual request, ask a personal-context question only the real person would know.

Treat unexpected meeting invites with caution, especially video calls with senior leaders or finance roles.

Reporting suspicious messages is more valuable than not clicking.

Keep your software and OS up to date. Auto-update is your friend.

Lock your screen when you walk away. On public Wi-Fi for sensitive work, use the company VPN.

When in doubt, slow down. Urgency is the attacker's favourite tool.

Glossary

BEC (Business Email Compromise): email-based fraud that impersonates an executive, vendor, or partner to redirect money or data.

Deepfake: synthetic audio, video, or imagery generated by AI to impersonate a real person.

FIDO2 / passkey: phishing-resistant authentication using cryptographic keys instead of passwords.

HRM (Human Risk Management): the data-driven discipline of measuring and reducing human cyber risk.

Human firewall: employees acting as a first line of defense by spotting and reporting threats.

MFA fatigue: repeatedly pushing MFA prompts to coerce a user into approving a malicious sign-in.

Phish-prone score: a metric estimating how likely a user is to fall for a phishing simulation.

UEBA: User and Entity Behavior Analytics. Tools that baseline normal behavior and flag anomalies.

Zero Trust: a security model that requires continuous verification of every user, device, and request.

How Netarx strengthens human defense

Netarx provides Layer 4, real-time deepfake and impersonation detection across voice, video, and email, designed to plug the gap between awareness training and identity controls. It is built for enterprise teams who already have the basics in place and need protection against modern, AI-driven impersonation attacks that those basics cannot see.

What that looks like in practice:

Live detection during Google Meet, Microsoft Teams, Zoom, and Webex meetings. Synthetic video and voice-clone signal in seconds.

Voice-call protection for high-risk workflows (executive lines, AP/treasury, helpdesk).

Email impersonation detection beyond what SEGs catch. Tone, style, and vendor-history baselines.

Risk scores and event telemetry that plug into your SIEM/SOAR.

Built for financial services, legal, healthcare, and public sector teams. Mapped to NIST CSF 2.0, ISO 27001, NIS2, DORA, and SOC 2 controls.

See it live. Book a 20-minute demo and watch Netarx flag a deepfake call in real time on your own meeting platform.

Conclusion: human defense is the operating model, not a tool

Cybersecurity is no longer about protecting systems alone. It is about protecting the people who use them, and increasingly about defending those people against AI-generated impersonation that is faster and more convincing than any human can reliably catch unaided.

A complete human defense program in 2026 trains, measures, controls, and actively defends. The first three layers most organizations have started. The fourth, real-time deepfake and impersonation detection, is the next investment. Stage-4 maturity is a small club today. It will be the baseline by 2027.

If you are building or upgrading your program, start with a baseline assessment, prioritize the highest-risk roles, and add the layer your stack is missing.

SOURCES & REFERENCES

  1. Verizon. "2025 Data Breach Investigations Report." Verizon Business, 2025.

  2. IBM Security. "Cost of a Data Breach Report 2025." IBM, 2025.

  3. FBI Internet Crime Complaint Center (IC3). "2024 Internet Crime Report." FBI, 2024.

  4. Proofpoint. "2024 State of the Phish." Proofpoint, 2024.

  5. KnowBe4. "2024 Phishing by Industry Benchmarking Report." KnowBe4, 2024.

  6. Stanford University / Tessian. "Psychology of Human Error." Tessian, 2020.

  7. Gartner / Deloitte. Deepfake-incident industry surveys, 2024. See Gartner deepfake research and Deloitte 2024 deepfake fraud survey.

  8. CNN Business. "Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee." May 2024.

  9. Fortune. "Ferrari exec foils deepfake attempt by asking the scammer a question only CEO Benedetto Vigna could answer." July 2024.

  10. The Guardian. "WPP CEO targeted in deepfake scam attempt." May 2024.


CEO/Founder of Netarx LLC, real-time detection of deepfake and social engineering threats via enterprise video, voice and email. Managing Partner of Koach Capital, a private equity firm managing a multitude of commercial real estate (CRE) funds whose focus is retail sale-leasebacks. Sandy's entrepreneurial success began by founding a network integration and services provider that served large enterprises. We focused on advanced technologies including Business Intelligence (BI), Network & Information Security, Virtualization, Storage Area Networks, Unified Communications and Data Center Services. In 2009, Netarx acquired the VAR business of Analysts International (including Sequoia and Entree Systems). In 2011 Netarx was acquired by Logicalis (a division of Datatec - Symbol LSE: DTC), and Sandy stayed on as its Chief Technology Officer. He continued to build by founding Verge.io (formerly Yottabyte) and Service.com. Sandy also served as a General Partner of Ludlow Ventures, a venture capital fund focusing on investments in early-stage tech companies. Sandy contributes to the community via lectures, publications and developing new technologies; he currently holds 8 patents.


Frequently Asked Questions

Human defense is a security strategy that protects users, not only systems, from social engineering, phishing, AI-driven impersonation, credential theft, and insider risk. It combines security awareness training, identity controls, behavior analytics, and real-time deepfake and impersonation detection.