40,000+ RSAC attendees walked away knowing the tough reality that the human perimeter is being outpaced by an order of magnitude.
At Doppel, we spent the week conducting a massive live experiment in human risk. We gathered raw data on how the modern workforce (and even security professionals) fare against AI-native deception.
The results underscore a hard reality: Legacy Security Awareness Training (SAT) is a compliance tool being asked to do a combat veteran’s job.
To survive the next year, organizations must pivot to Social Engineering Defense (SED).
Here are the five key strategic takeaways from RSAC 2026.
1. 99.9% Failure Rates in the Age of Deepfakes
Gartner found that 99.9% of people can’t distinguish an AI clone from a real person.
We put this to the test with our own “Deepfake Hotline” at RSAC to see if attendees could distinguish between a live colleague and an AI-cloned voice.
Our test proved that this is more than just a vishing problem. The barrier to entry for enterprise-grade impersonation has dropped to zero.
Attackers don’t need to hack your firewall. They just need $5 and a 15-second audio clip of your CFO from a podcast.
This weaponized trust is why we’ve seen an increase in deepfake-based social engineering. If your defense relies on an employee listening for a robotic tone, you have already lost.
2. The Social Engineering Attack Chain
Many of the attacks we tracked leading up to RSAC were multi-channel.
An attacker might start with a LinkedIn connection, pivot to a vibe phishing SMS, and conclude with a voice call to the IT help desk to reset an MFA token.
What makes this worse is that most legacy tools are siloed. Your email gateway doesn't talk to your SMS filter, which doesn't talk to your help desk logs. Security teams need a real-time threat graph that links these disparate signals into a single campaign view.
During our RSAC demos, we showed how Doppel turns noise from Telegram, Slack, and paid ads into a unified disruption workflow.
Without this, your dwell time will continue to hover around the industry average of 260 days—the longest of any threat vector.
3. Machine Speed vs. Manual Triage
The most common complaint we heard from CISOs at RSAC was alert fatigue. The volume of phishing has increased by over 1,000%, while the cost for attackers has dropped by 95%.
This is called a velocity gap. AI agents can exploit an exposure in minutes. However, the traditional SOC model relies on manual queues and human analysts picking up tickets.
Autonomous attack agents operate 24/7 at infinite scale, but human speed can’t keep up. Analysts are drowning in "vanity metrics" and manual takedown requests.
To bridge this gap, defense must become agentic. At our booth, we demonstrated how Doppel’s AI agents execute autonomous, cross-vector takedowns, removing the infrastructure (domains, phone numbers, ad IDs) before the threat ever reaches a human inbox.
4. Click Rates are a Dead Metric
For years, the industry has obsessed over click rates in phishing simulations.
But as we discussed in our Human Risk Management (HRM) sessions, click rates are a vanity metric that hides true risk.
Verizon's data shows that while training improves reporting rates (21% vs 5%), the median user still clicks a link in under 60 seconds.
In a world of privileged access, one click is all it takes to cause $4.4 million in damage.
Legacy SAT | Unified SED (Doppel) |
Focuses on catching employees | Focuses on disrupting the infrastructure |
Email-only simulations | Multi-channel (Voice, SMS, Telegram) |
Static, annual training | Just-in-time micro-coaching |
Compliance-driven | Risk-reduction driven |
The goal shouldn't be a 0% click rate. It’s to build a human sensor network where every report feeds directly into a technical disruption loop.
5. The Need for Continuous Red Teaming
RSAC 2026 proved that the attack surface changes daily. If you only test your human perimeter once a year during a compliance audit, you are blind to the tactics attackers will use next month.
Our Social Engineering Defense Model advocates for continuous validation. This means:
- Using agentic AI to run hyper-realistic vibe phishing simulations based on natural language prompts.
- Taking a live threat detected on Monday and turning it into a simulation by Tuesday.
- Identifying high-risk teams (like finance or IT help desks) and applying tailored, role-specific training.
Go Beyond the Booth
Whether you made it to the Doppel booth or not, now is the right time to confront the hard truth that technical controls will eventually fail.
When they do, the organizations that survive will be those that invested in active social engineering defense.
Good news: You don't have to wait until next year to see how agentic AI is changing the game.
Schedule a demo to see our AI-native defense in action and learn how to turn your workforce into your strongest security layer.
