The Technical Wall and the Human Door: A Shift in Cyberattacks to Trust Exploitation

Learn how modern threat actors use AI-informed social engineering to bypass firewalls and MFA and how to build a technical fail-safe defense.

May 28, 2026

The cybersecurity industry is entering a new phase.

Frontier AI models are getting dramatically better at finding vulnerabilities in software, reasoning through exploit paths, and helping defenders patch weaknesses before attackers can use them.

Recent work from Anthropic and Project Glasswing shows how quickly this capability is advancing. Anthropic has said Claude Mythos Preview can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

That is good news for defenders. But it also changes the attacker’s playbook.

As AI closes technical doors by speeding up software patching, attackers are shifting their focus to human doors. This blog will break down how modern threat actors are expanding social engineering to exploit trust rather than code. We’ll examine how they target the workflows and identities your organization depends on, and outline the steps you must take to secure this expanding attack surface.

Perfect Software Would Not Mean Perfect Security

Let’s start with the uncomfortable question: If every software vulnerability disappeared tomorrow, would cyberattacks stop?

No. They would adapt.

A world with perfectly patched software would be safer, but it would not remove the attacker’s ability to manipulate trust. Attackers would continue to impersonate executives, target help desks, phish employees, and spoof brands. They would still hijack vendor workflows and use fake domains, profiles, messages, and voices, combined with manufactured urgency, to deceive individuals into approving transfers, resetting access, installing malicious software, or disclosing sensitive information.

Secure software is not the same thing as a secure organization.

A system can be fully patched and still be manipulated through the people who operate it, an identity platform can be hardened and still be abused through a help desk workflow, and a financial process can be technically sound and still fail when an attacker convincingly impersonates authority.

Social engineering is the attack path that remains when everything else gets harder.

AI Will Compress Both Sides of the Vulnerability Race

The industry is rightly focused on using AI to find and fix vulnerabilities before adversaries can exploit them, and that work matters. Palo Alto Networks warned that organizations may have a narrow three-to-five-month window to outpace adversaries before AI-driven exploits become more normal, and emphasized that vulnerability exploitation is typically only one step in a broader attack lifecycle. That last point matters most.

A vulnerability is not a breach by itself; attackers still need access, context, credentials, and a delivery mechanism to move from a technical weakness to a business impact. Social engineering gives them that bridge.

AI can help attackers identify a vulnerable application, exposed dependency, misconfigured system, or unpatched service. But social engineering helps them reach the person or process that makes the weakness exploitable.

This may look like:

  • a vendor impersonation email timed around a real patch cycle,
  • a fake help desk message referencing a real outage,
  • a spoofed SaaS login page connected to a known exposed application,
  • a voice call to an administrator who controls environment access,
  • or a fake executive request during an incident when urgency is high and verification is weak.

The future is not just AI-generated exploits. It is AI-informed manipulation.

Blocking Frontier Models Will Not Stop Scams

There is another misconception we need to challenge.

Even if the latest and most capable AI models were available only to trusted defenders, scams would not stop. Malicious actors do not need the most advanced frontier model to run effective social engineering campaigns.

They already have enough.

They already have enough capability to scrape public information, generate convincing messages, clone websites, create deepfake audio, automate outreach, translate lures, and personalize at scale, allowing them to test messaging across channels until something works.

Restricting the most powerful models may slow some forms of technical exploitation, but it will not eliminate social engineering tactics like phishing, impersonation, brand abuse, account takeover, business email compromise, vendor fraud, executive impersonation, help desk manipulation, or customer scams.

As Technical Attack Paths Close, Social Engineering Gets More Valuable

If AI helps defenders find vulnerabilities faster, patch software faster, harden exposed assets faster, and reduce technical attack surface faster, threat actors will shift more effort toward the parts of the enterprise that remain harder to patch: people, process, identity, and trust.

We see this shift clearly in the data. Across Doppel's platform, social engineering channels (social media, paid ads, email, and telco) generated nearly a million malicious alerts in a single quarter. The growth tells the story even more clearly: telco-based attacks, the channel used for SIM swapping and vishing, more than doubled month over month. Paid ads and social media impersonation grew steadily. Traditional domain spoofing, by comparison, barely moved. Attackers are investing disproportionately in the channels that target human judgment.

The Scattered Spider playbook is a clear example of how modern attackers bypass mature security programs by targeting human workflows. Government reporting describes Scattered Spider using social engineering techniques such as push bombing, SIM swapping, help desk impersonation, phone calls, SMS messages, password reset manipulation, MFA token transfer, and remote access tooling to obtain credentials and gain access. That multi-stage approach maps directly to the full lifecycle of the Social Engineering Attack Chain, moving from initial contact to total compromise.

This is a trust vulnerability, not a software vulnerability. Attackers exploit platforms where trust is highest, like professional networks and private messaging, because security systems still rely on humans to verify identity.

This is the part where too many security strategies are still underweight:

  • The attacker does not need to break the firewall if they can convince someone to let them in.
  • They do not need to defeat MFA if they can trick someone into resetting it.
  • They do not need to exploit a zero-day if they can steal valid credentials.
  • They do not need malware if the conversation itself becomes the payload.

The old model of treating social engineering merely as an awareness problem—relying on employees to catch every suspicious activity—is now obsolete. Modern social engineering is a multi-channel, AI-assisted, and campaign-driven ecosystem. It no longer looks like a single email but a coordinated attack campaign spanning domains, social media, ads, messaging, and voice/video impersonation.

In this age of AI-native deception, defense cannot depend on human judgment. The platform must become the technical fail-safe. This shift elevates social engineering from a human risk to a first-class attack surface, fundamentally making it an infrastructure, identity, brand, workflow, and enterprise attack surface problem.

How Threat Actors Will Use AI-Discovered Vulnerabilities

The next evolution in cyber risk is the convergence of technical and social exploitation. Attackers use AI vulnerability discovery to gain technical context, then deploy social engineering to operationalize it.

For example, an attacker might:

  • Impersonate the vendor and send a fake urgent patch notification.
  • Identify exposed infrastructure tied to a specific business unit and target employees in that unit with tailored messages that reference real tools, real workflows, and real urgency.
  • Discover that an organization is rushing to patch a critical issue and exploit the confusion around the patch cycle with fake support instructions, credential harvesting pages, or malicious “fix” packages.
  • Identify an administrator, developer, or support contractor connected to a vulnerable environment and attack the person with access.

These pretexts are used to fuel the Setup, Launch, and Engagement stages of the Social Engineering Attack Chain.

Analyzing the Threat Before Trust Is Exploited

The core challenge is building a holistic defense against AI-native social engineering, which requires a unified strategy spanning digital risk protection and human risk management. The technical approach focuses on two areas: dismantling attacker infrastructure and building resilience against sophisticated deception.

Effective defense requires the ability to detect, connect, and disrupt threats across the entire digital ecosystem, including domains, social media, ads, messaging apps, email, app stores, and dark web signals.

A critical technical component is a system that can correlate spoofed domains, fake profiles, scam advertisements, and malicious messaging into comprehensive attacker campaigns rather than handling them as isolated alerts.

This capability shifts defensive strategy from reactive artifact management to proactive campaign disruption. An isolated artifact—a fake domain, a malicious ad, a spoofed profile, or a phishing message—is evidence of attacker intent and part of a larger compromise chain. Technical defense must break that chain before the moment of human engagement.

To match the attacker’s machine speed, this architecture must be based on agentic cybersecurity: a defense model capable of autonomous detection and response, cross-stack coordination, and continuous, self-improving learning.

Technical Pillars of Social Engineering Defense

Defending the trust layer requires a structured, multi-pronged approach:

  • Attacker Infrastructure Mapping: Technical systems must detect and map adversarial infrastructure across all channels, identifying the domains, profiles, advertisements, messages, and impersonation assets utilized by attackers to establish pre-contact credibility.
  • Signal Correlation and Campaign Linking: Raw threat signals must be connected into cohesive campaigns. Instead of treating each artifact as an independent alert, correlation models must show the relationship between infrastructure elements, their reuse patterns, and their support for a broader social engineering operation.
  • Infrastructure Dismantlement: Rapid removal of malicious domains, profiles, and messaging assets reduces the operational window available for attackers to manipulate employees, customers, executives, or partners.
  • Resilience Validation via Simulations: Human resilience must be strengthened with simulations based on live threat intelligence and real attacker behavior. The training must move beyond generic phishing tests, connecting current threat intelligence directly to simulations to prepare personnel for the multi-channel, AI-assisted tactics currently in use.

This unified view is essential because the external infrastructure, the impersonation attempt, the human interaction, and the internal risk are all components of a single attack chain, requiring a unified defense strategy.
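
One way to implement the Signal Correlation and Campaign Linking pillar, as an added example (not Doppel's code): artifacts from different channels are grouped into campaigns when they share an infrastructure indicator, and indicators seen on too many artifacts are ignored so that shared hosting does not merge unrelated campaigns. The artifact records, indicator types, and the `max_fanout` threshold are assumptions made for illustration; all values are constructed.

```python
from collections import defaultdict

# Constructed sample artifacts: (id, channel, {(indicator_type, value), ...}).
SHARED_IP = ("ip", "203.0.113.5")  # constructed shared-hosting address
ARTIFACTS = [
    ("dom-1", "domain", {("host", "login-acme.example"), SHARED_IP}),
    ("ad-1", "paid_ad", {("host", "login-acme.example"), SHARED_IP}),
    ("sms-1", "telco", {("host", "login-acme.example"), ("phone", "+15550100")}),
    ("prof-1", "social", {("phone", "+15550100")}),
    ("dom-2", "domain", {("host", "acme-rewards.example"), SHARED_IP}),
    ("mail-1", "email", {("host", "acme-rewards.example")}),
    ("dom-3", "domain", {("host", "unrelated.example"), SHARED_IP}),
]


def link_campaigns(artifacts, max_fanout=3):
    """Group artifacts that share an indicator; return campaigns, largest first."""
    parent = {aid: aid for aid, _, _ in artifacts}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_indicator = defaultdict(list)
    for aid, _, indicators in artifacts:
        for ind in indicators:
            by_indicator[ind].append(aid)

    for ids in by_indicator.values():
        # An indicator present on more than max_fanout artifacts (shared
        # hosting, CDN) is weak evidence and is not used for linking.
        if 2 <= len(ids) <= max_fanout:
            for other in ids[1:]:
                parent[find(other)] = find(ids[0])

    groups = defaultdict(lambda: {"artifacts": [], "channels": set()})
    for aid, channel, _ in artifacts:
        groups[find(aid)]["artifacts"].append(aid)
        groups[find(aid)]["channels"].add(channel)
    return sorted(groups.values(),
                  key=lambda g: (-len(g["artifacts"]), g["artifacts"][0]))


if __name__ == "__main__":
    for campaign in link_campaigns(ARTIFACTS):
        print(sorted(campaign["channels"]), campaign["artifacts"])
```

Raising `max_fanout` above the number of artifacts on the shared IP collapses all seven artifacts into one campaign, which is the over-linking failure the threshold guards against.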

The New Security Question(s)

AI will make software security better. But it will also force attackers to adapt. And as technical exploitation gets harder, social engineering becomes more attractive, not less.

So the question for security leaders is no longer just “Can we find and patch vulnerabilities faster?”

It is also:

  • Can we detect the impersonation infrastructure being built around us?
  • Can we stop attacker campaigns before they reach our employees or customers?
  • Can our help desk withstand AI-assisted manipulation?
  • Can our executives be impersonated across voice, video, domains, and social?
  • Can our people verify trust when the attacker knows our tools, our vendors, our workflows, and our language?
  • Can we defend the human layer at machine speed?

AI will find more vulnerabilities, and defenders will patch more of them, but attackers will respond by using the findings they can get, the context they can infer, and the trust they can manipulate.

The Bottom Line

Securing software is essential, but even perfect software would not eliminate cyber risk.

As AI accelerates vulnerability discovery on both the patching and exploit sides, attackers will lean harder into social engineering because it gives them what technical exploits often cannot: a way around the control, through the process, and into the trusted path.

That is why social engineering defense has to become a first-class security discipline. Schedule a demo with Doppel to see why it makes all the difference.
