Blog
/
Network
/
March 22, 2023

Amadey Info Stealer and N-Day Vulnerabilities

Understand the implications of the Amadey info stealer on cybersecurity and how it exploits N-day vulnerabilities for data theft.
Written by
Zoe Tilsiter
Cyber Analyst
Written by
The Darktrace Threat Research Team
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst
Written by
The Darktrace Threat Research Team
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
22
Mar 2023

The continued prevalence of Malware as a Service (MaaS) across the cyber threat landscape means that even the most inexperienced of would-be malicious actors are able to carry out damaging and wide-spread cyber-attacks with relative ease. Among these commonly employed MaaS are information stealers, or info-stealers, a type of malware that infects a device and attempts to gather sensitive information before exfiltrating it to the attacker. Info-stealers typically target confidential information, such as login credentials and bank details, and attempt to lie low on a compromised device, allowing access to sensitive data for longer periods of time. 

It is essential for organizations to have efficient security measures in place to defend their networks from attackers in an increasing versatile and accessible threat landscape, however incident response alone is not enough. Having an autonomous decision maker able to not only detect suspicious activity, but also take action against it in real time, is of the upmost importance to defend against significant network compromise. 

Between August and December 2022, Darktrace detected the Amadey info-stealer on more than 30 customer environments, spanning various regions and industry verticals across the customer base. This shows a continual presence and overlap of info-stealer indicators of compromise (IOCs) across the cyber threat landscape, such as RacoonStealer, which we discussed last November (Part 1 and Part 2).

Background on Amadey

Amadey Bot, a malware that was first discovered in 2018, is capable of stealing sensitive information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums as MaaS starting from $500 USD [1]. 

Researchers at AhnLab found that Amadey is typically distributed via existing SmokeLoader loader malware campaigns. Downloading cracked versions of legitimate software causes SmokeLoader to inject malicious payload into Windows Explorer processes and proceeds to download Amadey.  

The botnet has also been used for distributed denial of service (DDoS) attacks, and as a vector to install malware spam campaigns, such as LockBit 3.0 [2]. Regardless of the delivery techniques, similar patterns of activity were observed across multiple customer environments. 

Amadey’s primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.

Darktrace DETECT/Network™ and its built-in features, such as Wireshark Packet Captures (PCAP), identified Amadey activity on customer networks, whilst Darktrace RESPOND/Network™ autonomously intervened to halt its progress.

Attack Details

Figure 1: Timeline of Amadey info-stealer kill chain.

Initial Access  

User engagement with malicious email attachments or cracked software results in direct execution of the SmokeLoader loader malware on a device. Once the loader has executed its payload, it is then able to download additional malware, including the Amadey info-stealer.

Unusual Outbound Connections 

After initial access by the loader and download of additional malware, the Amadey info-stealer captures screenshots of network information and sends them to Amadey command and control (C2) servers via HTTP POST requests with no GET to a .php URI. An example of this can be seen in Figure 2.  

Figure 2: PCAP from an affected customer showing screenshots being sent out to the Amadey C2 server via a .jpg file. 

C2 Communications  

The infected device continues to make repeated connections out to this Amadey endpoint. Amadey's C2 server will respond with instructions to download additional plugins in the form of dynamic-link libraries (DLLs), such as "/Mb1sDv3/Plugins/cred64.dll", or attempt to download secondary info-stealers such as RedLine or RaccoonStealer. 

Internal Reconnaissance 

The device downloads executable and DLL files, or stealer configuration files to steal additional network information from software including RealVNC and Outlook. Most compromised accounts were observed downloading additional malware following commands received from the attacker.

Data Exfiltration 

The stolen information is then sent out via high volumes of HTTP connection. It makes HTTP POSTs to malicious .php URIs again, this time exfiltrating more data such as the Amadey version, device names, and any anti-malware software installed on the system.

How did the attackers bypass the rest of the security stack?

Existing N-Day vulnerabilities are leveraged to launch new attacks on customer networks and potentially bypass other tools in the security stack. Additionally, exfiltrating data via low and slow HTTP connections, rather than large file transfers to cloud storage platforms, is an effective means of evading the detection of traditional security tools which often look for large data transfers, sometimes to a specific list of identified “bad” endpoints.

Darktrace Coverage 

Amadey activity was autonomously identified by DETECT and the Cyber AI Analyst. A list of DETECT models that were triggered on deployments during this kill chain can be found in the Appendices. 

Various Amadey activities were detected and highlighted in DETECT model breaches and their model breach event logs. Figure 3 shows a compromised device making suspicious HTTP POST requests, causing the ‘Anomalous Connection / Posting HTTP to IP Without Hostname’ model to breach. It also downloaded an executable file (.exe) from the same IP.

Figure 3: Amadey activity on a customer deployment captured by model breaches and event logs. 

DETECT’s built-in features also assisted with detecting the data exfiltration. Using the PCAP integration, the exfiltrated data was captured for analysis. Figure 4 shows a connection made to the Amadey endpoint, in which information about the infected device, such as system ID and computer name, were sent. 

Figure 4: PCAP downloaded from Darktrace event logs highlighting data egress to the Amadey endpoint. 

Further information about the infected system can be seen in the above PCAP. As outlined by researchers at Ahnlab and shown in Figure 5, additional system information sent includes the Amadey version (vs=), the device’s admin privilege status (ar=), and any installed anti-malware or anti-virus software installed on the infected environment (av=) [3]. 

Figure 5: AhnLab’s glossary table explaining the information sent to the Amadey C2 server. 

Darktrace’s AI Analyst was also able to connect commonalities between model breaches on a device and present them as a connected incident made up of separate events. Figure 6 shows the AI Analyst incident log for a device having breached multiple models indicative of the Amadey kill chain. It displays the timeline of these events, the specific IOCs, and the associated attack tactic, in this case ‘Command and Control’. 

Figure 6: A screenshot of multiple IOCs and activity correlated together by AI Analyst. 

When enabled on customer’s deployments, RESPOND was able to take immediate action against Amadey to mitigate its impact on customer networks. RESPOND models that breached include: 

  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block 
  • Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

On one customer’s environment, a device made a POST request with no GET to URI ‘/p84Nls2/index.php’ and unepeureyore[.]xyz. RESPOND autonomously enforced a previously established pattern of life on the device twice for 30 minutes each and blocked all outgoing traffic from the device for 10 minutes. Enforcing a device’s pattern of life restricts it to conduct activity within the device and/or user’s expected pattern of behavior and blocks anything anomalous or unexpected, enabling normal business operations to continue. This response is intended to reduce the potential scale of attacks by disrupting the kill chain, whilst ensuring business disruption is kept to a minimum. 

Figure 7: RESPOND actions taken on a customer deployment to disrupt the Amadey kill chain. 

The Darktrace Threat Research team conducted thorough investigations into Amadey activity observed across the customer base. They were able to identify and contextualize this threat across the fleet, enriching AI insights with collaborative human analysis. Pivoting from AI insights as their primary source of information, the Threat Research team were able to provide layered analysis to confirm this campaign-like activity and assess the threat across multiple unique environments, providing a holistic assessment to customers with contextualized insights.

Conclusion

The presence of the Amadey info-stealer in multiple customer environments highlights the continuing prevalence of MaaS and info-stealers across the threat landscape. The Amadey info-stealer in particular demonstrates that by evading N-day vulnerability patches, threat actors routinely launch new attacks. These malicious actors are then able to evade detection by traditional security tools by employing low and slow data exfiltration techniques, as opposed to large file transfers.

Crucially, Darktrace’s AI insights were coupled with expert human analysis to detect, respond, and provide contextualized insights to notify customers of Amadey activity effectively. DETECT captured Amadey activity taking place on customer deployments, and where enabled, RESPOND’s autonomous technology was able to take immediate action to reduce the scale of such attacks. Finally, the Threat Research team were in place to provide enhanced analysis for affected customers to help security teams future-proof against similar attacks.

Appendices

Darktrace Model Detections 

Anomalous File / EXE from Rare External Location

Device / Initial Breach Chain Compromise

Anomalous Connection / Posting HTTP to IP Without Hostname 

Anomalous Connection / POST to PHP on New External Host

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname 

Compromise / Beaconing Activity To External Rare

Compromise / Slow Beaconing Activity To External Rare

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

List of IOCs

f0ce8614cc2c3ae1fcba93bc4a8b82196e7139f7 - SHA1 - Amadey DLL File Hash

e487edceeef3a41e2a8eea1e684bcbc3b39adb97 - SHA1 - Amadey DLL File Hash

0f9006d8f09e91bbd459b8254dd945e4fbae25d9 - SHA1 - Amadey DLL File Hash

4069fdad04f5e41b36945cc871eb87a309fd3442 - SHA1 - Amadey DLL File Hash

193.106.191[.]201 - IP - Amadey C2 Endpoint

77.73.134[.]66 - IP - Amadey C2 Endpoint

78.153.144[.]60 - IP - Amadey C2 Endpoint

62.204.41[.]252 - IP - Amadey C2 Endpoint

45.153.240[.]94 - IP - Amadey C2 Endpoint

185.215.113[.]204 - IP - Amadey C2 Endpoint

85.209.135[.]11 - IP - Amadey C2 Endpoint

185.215.113[.]205 - IP - Amadey C2 Endpoint

31.41.244[.]146 - IP - Amadey C2 Endpoint

5.154.181[.]119 - IP - Amadey C2 Endpoint

45.130.151[.]191 - IP - Amadey C2 Endpoint

193.106.191[.]184 - IP - Amadey C2 Endpoint

31.41.244[.]15 - IP - Amadey C2 Endpoint

77.73.133[.]72 - IP - Amadey C2 Endpoint

89.163.249[.]231 - IP - Amadey C2 Endpoint

193.56.146[.]243 - IP - Amadey C2 Endpoint

31.41.244[.]158 - IP - Amadey C2 Endpoint

85.209.135[.]109 - IP - Amadey C2 Endpoint

77.73.134[.]45 - IP - Amadey C2 Endpoint

moscow12[.]at - Hostname - Amadey C2 Endpoint

moscow13[.]at - Hostname - Amadey C2 Endpoint

unepeureyore[.]xyz - Hostname - Amadey C2 Endpoint

/fb73jc3/index.php - URI - Amadey C2 Endpoint

/panelis/index.php - URI - Amadey C2 Endpoint

/panelis/index.php?scr=1 - URI - Amadey C2 Endpoint

/panel/index.php - URI - Amadey C2 Endpoint

/panel/index.php?scr=1 - URI - Amadey C2 Endpoint

/panel/Plugins/cred.dll - URI - Amadey C2 Endpoint

/jg94cVd30f/index.php - URI - Amadey C2 Endpoint

/jg94cVd30f/index.php?scr=1 - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/index.php - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/index.php?scr=1 - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/gjend7w/index.php - URI - Amadey C2 Endpoint

/hfk3vK9/index.php - URI - Amadey C2 Endpoint

/v3S1dl2/index.php - URI - Amadey C2 Endpoint

/f9v33dkSXm/index.php - URI - Amadey C2 Endpoint

/p84Nls2/index.php - URI - Amadey C2 Endpoint

/p84Nls2/Plugins/cred.dll - URI - Amadey C2 Endpoint

/nB8cWack3/index.php - URI - Amadey C2 Endpoint

/rest/index.php - URI - Amadey C2 Endpoint

/Mb1sDv3/index.php - URI - Amadey C2 Endpoint

/Mb1sDv3/index.php?scr=1 - URI - Amadey C2 Endpoint

/Mb1sDv3/Plugins/cred64.dll  - URI - Amadey C2 Endpoint

/h8V2cQlbd3/index.php - URI - Amadey C2 Endpoint

/f5OknW/index.php - URI - Amadey C2 Endpoint

/rSbFldr23/index.php - URI - Amadey C2 Endpoint

/rSbFldr23/index.php?scr=1 - URI - Amadey C2 Endpoint

/jg94cVd30f/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/mBsjv2swweP/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/rSbFldr23/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/Plugins/cred64.dll - URI - Amadey C2 Endpoint

Mitre Attack and Mapping 

Collection:

T1185 - Man the Browser

Initial Access and Resource Development:

T1189 - Drive-by Compromise

T1588.001 - Malware

Persistence:

T1176 - Browser Extensions

Command and Control:

T1071 - Application Layer Protocol

T1071.001 - Web Protocols

T1090.002 - External Proxy

T1095 - Non-Application Layer Protocol

T1571 - Non-Standard Port

T1105 - Ingress Tool Transfer

References 

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

[2] https://asec.ahnlab.com/en/41450/

[3] https://asec.ahnlab.com/en/36634/

Written by
Zoe Tilsiter
Cyber Analyst
Written by
The Darktrace Threat Research Team
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst
Written by
The Darktrace Threat Research Team

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

Network
April 21, 2026
Joanna Ng
Associate Principal Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
April 21, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

A malicious eScan software update triggered a supply chain compromise that deployed multi‑stage malware and used blockchain‑based domains for resilient C2 communications. Darktrace identified rare, anomalous network activity across customer environments, helping organizations uncover the attack chain and strengthen defenses against increasingly sophisticated supply chain threats.
Joanna Ng
Associate Principal Analyst
Read more
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more

Blog

/

AI

/

April 28, 2026

State of AI Cybersecurity 2026: 87% of security professionals are seeing more AI-driven threats, but few feel ready to stop them

Default blog imageDefault blog image

The findings in this blog are taken from Darktrace’s annual State of AI Cybersecurity Report 2026.

In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.

Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations  experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.

In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.

CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.

AI-powered threats at scale: no longer hypothetical

AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.

Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.

  • 73% say that AI-powered cyber threats are having a significant impact on their organization
  • 92% agree that these threats are forcing them to upgrade their defenses
  • 87% agree that AI is significantly increasing the sophistication and success rate of malware
  • 87% say AI is significantly increasing the workload of their security operations team

These teams now confront a challenge unlike anything they’ve seen before in their careers, and the risks are compounding across workflows, tools, data, and identities. It’s no surprise that 66% of security professionals say their role is more stressful today than it was five years ago, or that 47% report feeling overwhelmed at work.

Up all night: Security professionals’ worry list is long

Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.

Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.

Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.

Confidence is lacking

Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.

We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.

Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).

Where security programs are falling short

It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.  

It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.  

Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.

Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.

Learn more about securing AI in your enterprise.

[related-resource]

Continue reading
About the author
The Darktrace Community

Blog

/

Email

/

April 24, 2026

Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication

Default blog imageDefault blog image

The challenge for CISOs

Despite continuous advances in security technologies, humans continue to be exploited by attackers. Credential abuse and social actions like phishing are major factors, accounting for around 60% of all breaches. These attacks rely less on technical vulnerabilities and more on exploiting human behavior and organizational processes. 

From my perspective as a former CISO, protecting humans concentrates three of today’s most pressing challenges: the sheer volume of email-based threats, their increasing sophistication, and the limitations of traditional employee awareness programs in moving the needle on risk. 

My personal experience of security awareness training as a CISO

With over 20 years’ experience as an ICT and Cybersecurity leader across various international organizations, I’ve seen security awareness training (SAT) in many guises. And while the cyber landscape is evolving in every direction, the effectiveness of SAT is reaching a plateau.  

Most programs I’ve seen follow a familiar pattern. Training is delivered through a combination of eLearning modules and internal sessions designed to reinforce IT policies. Employees are typically required to complete a slide deck or video, followed by a multiple-choice quiz. Occasional phishing simulations are distributed throughout the year.

The content is often static and unpersonalized, based on known threats that may already be outdated. Every employee regardless of role or risk exposure receives the same training and the same simulated phishing templates, from front-desk staff to the CEO.

The problem with traditional SAT programs

The issue with the approach to SAT outlined above is that the distribution of power is imbalanced. Humans will always be fallible, particularly when faced with increasingly sophisticated attacks. Providing generic, low-context training risks creating false confidence rather than genuine resilience. Let’s look at some of the problems in detail.

Timing and delivery

Employees today operate under constant cognitive load, making lots of rapid decisions every day to reduce their email volumes. Yet if employees are completing training annually, or on an ad hoc basis, it becomes a standalone occurrence rather than a continuous habit.  

As a result, retention is low. Employees often forget the lessons within weeks, a phenomenon known as the ‘Ebbinghaus Forgetting Curve.’

The graph illustrates that when you first learn something, the information disappears at an exponential rate without retention. In fact, according to the curve, you forget 50% of all new information within a day, and 90% of all new information within a week.  

Simultaneously, most training is conducted within a separate interface. Because it takes place away from the actual moment of decision-making, the "teachable moment" is lost. There is a cognitive disconnect between the action (clicking a link in Outlook) and the education (watching a video in a browser). 

People

In the context of professional risk management, the risks faced by different users are different. Static learning such as everyone receiving the same ‘Password Reset’ email doesn’t help users prepare for the specific threats they are likely to face. It also contributes to user fatigue, driven by repetitive training. And if users receive tests at the same time, news spreads among colleagues, hurting the efficacy of the test.  

Staff turnover introduces further risk. In many organizations, new employees gain access to systems before receiving meaningful training, reducing onboarding to little more than policy acknowledgment.

Measuring success

In my experience, solutions are standalone, without any correlation to other tools in the security stack. In some cases, the programs are delivered by HR rather than the security team, creating a complete silo.  

As a result, SAT is often perceived as a compliance exercise rather than a capability building function. The result is that poor-quality training does little to reduce the likelihood of compromise, regardless of completion rates or quiz performance.

What a modern SAT solution should look like

For today’s CISO, email represents the convergence point of high-volume, high-impact, and human-centric threats. Despite significant security investments, it remains one of the most difficult channels to secure effectively. Given these constraints, CISOs must evolve their approach to SAT.

Success lies in a balanced strategy one that combines advanced technology, attack surface reduction, and pragmatic user enablement, without over-relying on human vigilance as the final line of defense.

This means moving beyond traditional SAT toward continuous, contextual awareness, realistic simulations, and tight integration with security outcomes.

Three requirements for a modern SAT solution

  • Invisible protection: The optimum security solution is one that assists users without impeding their experience. The objective is to enhance human capabilities, rather than simply delivering a lecture. 
  • Real-time feedback: Rather than a monthly quiz, the ideal system would provide a prompt or warning when a user is about to engage with something suspicious. 
  • Positive culture: Shifting the focus away from a "gotcha" culture, which is a contributing factor to a resentment, and instead empowers employees to serve as "sensors" for the company. 

Discover how personalized security coaching can strengthen your human layer and make your email defenses more resilient. Explore Darktrace / Adaptive Human Defense.

Continue reading
About the author
Karim Benslimane
VP, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI