Dune Security's Revolutionary Approach: AI and Cybersecurity
Dune Security CEO David DellaPelle joins the Cyber Security America podcast to explain how AI-driven social engineering is outpacing traditional security awareness training and why organizations need a behavior-driven approach to identifying and reducing user risk.


On this episode of the Cyber Security America podcast, host Joshua Nicholson sits down with Dune Security CEO David DellaPelle to examine how AI is fundamentally reshaping social engineering, user risk, and the limits of traditional security awareness training. David explains why most breaches still originate from user behavior despite massive investment in technical controls, and how generative AI has dramatically increased attacker sophistication across email, voice, SMS, collaboration tools, and off-channel communications.
David also shares how Dune approaches this challenge by moving beyond legacy, compliance-driven training to quantify individual user risk and remediate it with precision. He discusses how realistic, multi-channel simulations and behavioral analysis help security teams focus effort where it matters most, reduce friction for low-risk users, and respond effectively to emerging threats like deepfake fraud and help-desk manipulation. The conversation closes with a forward-looking perspective on the growing complexity of the human and non-human workforce, the pressure facing modern CISOs, and why accurate user-layer risk visibility is becoming critical to enterprise security strategy.
Voiceover:
Today’s businesses are on vigilant watch for threats in an ongoing cyber war. It is time to get real world solutions to protect and secure your valuable business information anytime, anywhere.
Joshua Nicholson:
We have David DellaPelle as our guest on the podcast today. David is a visionary with extensive experience in the cybersecurity space. He has shared his expertise on platforms such as the Security Architecture Podcast and the Tech Optimist Podcast. Today he is here to discuss Dune Security and the latest trends and challenges in cybersecurity. I will share links to those podcasts in the comments later.
A little bit about Dune Security. Dune Security pioneers an AI-powered employee risk management solution. They analyze user behavior, context, and third-party data to tailor cybersecurity measures, transforming vulnerabilities into strengths. Their approach significantly reduces enterprise attack surface globally.
David is an expert, and we are going to talk about a number of subjects today. That includes the future of AI and cybersecurity, the human side of cybersecurity, the role of contextualized security training, insights from Dune Security’s journey, emerging cyber threats, and how organizations can stay ahead and prepare.
So welcome to the show, David. It is great to have you here. Did I miss anything in your background?
David DellaPelle:
No, that was great, Josh. I am excited to be here, and thanks for having me on today.
Joshua Nicholson:
That is great. I touched briefly on Dune Security and user awareness training. Can you explain what you really focus on and how organizations should think about Dune when this problem shows up?
David DellaPelle:
Yeah, I think you got it pretty close. I will explain it slightly differently, but what you said was almost spot on.
We know that about 90 percent of breaches start with some form of user behavior. That includes business email compromise, social engineering, and insider threats. What we have seen is that the problem is changing rapidly.
At the same time, we have incredible security solutions across the technical layers. Network security, identity security, email security, endpoint security. I call these the technical castle walls. It is very hard to break through something like Zscaler if you are an attacker, and it is difficult to deploy malware on an endpoint protected by CrowdStrike.
Despite all of that, 90 percent of breaches still start with user behavior.
The problem has gotten much worse over the last few years with the rise of generative AI. Attacks are changing rapidly. Historically, the cybersecurity industry tried to solve this problem with security awareness training. Phishing in the email inbox is the classic example.
The reality is that security awareness training is not a security solution. It is a compliance solution masquerading as a security solution. It is a five billion dollar market that largely acts as a placebo. It makes teams feel better, but it does not meaningfully reduce risk.
To make it even marginally effective, organizations had to invest a massive amount of manual effort. GRC teams and security awareness teams tried to quantify risk across many different data sources and then apply training where they thought it was needed. Even then, the risk reduction was minimal.
Quarterly phishing tests and generic training do not work. Most employees try to spend as little time as possible completing training. High risk employees remain high risk. Low risk employees have their time wasted. Over time, this creates an adversarial relationship between the security organization and end users.
We decided this is one of the biggest unsolved problems in cybersecurity. It has a fake solution that everyone knows does not really work.
What Dune does is fundamentally different. We are a user risk company. Just like network security companies focus on network risk and identity companies focus on identity risk, we focus on user risk.
We ingest a wide range of risk signals and produce a unified, comprehensive, and accurate risk score for every individual user. That score ranges from zero to one hundred and reflects the likelihood that a user could be exploited through social engineering or insider manipulation.
This includes highly sophisticated attacks across any channel. Email, SMS, voice, video, collaboration platforms, and more. We test users using very realistic simulations, including two-way conversational attacks where an AI can interact with the user in real time.
Once we understand risk at the individual level, we remediate it at the individual level. For some users, that means targeted education or reminders. For moderate risk users, adaptive training can work.
For users who are complicit, malicious, or repeatedly negligent, training does not work. In those cases, access needs to be restricted. We use workflows to feed risk data into identity systems, ticketing systems, and access controls so organizations can lock down high risk users appropriately.
The most important part is that our risk quantification has to be accurate and defensible. That is what allows real remediation to happen.
One last point is that this approach applies not only to the human workforce. In the near future, organizations will onboard AI agents into HR systems just like employees. Those agents will have identities, roles, and access. They can also be socially engineered. Our infrastructure is built to support both human users and AI agents.
Joshua Nicholson:
That is really interesting. I recently saw an investigation involving a sophisticated social engineering attack. Attackers used public PPP loan data to identify targets and the banks they worked with. They called victims and claimed a fraudulent transaction was about to go out, then asked for the MFA code that was sent to the victim’s phone. That code was actually used to initiate the transaction, and the money was gone almost immediately.
There was no malware involved. No vulnerability exploitation. Just pure social engineering. Are you seeing attacks like this often?
David DellaPelle:
Yes, absolutely. That is a textbook urgency- and authority-based attack. In our data, those attacks are roughly four times more effective than reward-based attacks like gift cards.
What makes these attacks especially dangerous is that they are multi-channel and highly coordinated. Attackers email, call, text, and impersonate real people. They spoof caller ID, clone voices, and automate attacks at scale.
This is no longer limited to nation-state actors. Anyone with access to unguarded AI models can do this. They can pull open source data from YouTube or social media, clone a CFO’s voice, and launch thousands of attacks simultaneously.
One of the first major deepfake disinformation events people noticed was the fake Putin video during the Ukraine conflict. That was a turning point. Since then, we have seen deepfake video used in hiring fraud, insider access attempts, and BPO related attacks.
Joshua Nicholson:
That aligns with what I am seeing as well. We have also seen help desk attacks where someone calls in and convinces support staff to reset passwords. Authenticating callers is still a major challenge.
David DellaPelle:
Absolutely. We are actively defending against those attacks today. Voice cloning has made phone-based impersonation extremely effective. Attackers can automate calls and sound completely legitimate.
This is a major issue for help desks, payroll teams, and call centers. Many organizations still lack strong authentication controls for voice-based interactions.
Joshua Nicholson:
It really highlights how broken traditional awareness programs are. Punitive models did not work either.
David DellaPelle:
Exactly. Punitive programs incentivize avoidance, not security. Employees create inbox rules, bypass detection, or disengage entirely. The program loses its value.
Most users are low risk, roughly seventy percent. Those users should not be burdened with constant testing and training. Our approach focuses effort where the risk actually exists and removes friction everywhere else.
Joshua Nicholson:
I also think it is a tough time to be a CISO. Budgets are tight, threats are increasing, and AI is changing everything at once.
David DellaPelle:
It is one of the hardest jobs in technology today. AI changes technology, process, and people simultaneously. There are no clear playbooks. CISOs are being asked to define AI policy, acceptable use, and controls in real time.
Despite that, it is also an exciting role. CISOs are on the front lines defending organizations against increasingly sophisticated adversaries.
Joshua Nicholson:
David, this has been a great conversation. Where can people go to learn more about Dune Security?
David DellaPelle:
You can visit dunesecurity.com. We are growing quickly, working with enterprises globally, and hiring across engineering, product, sales, and marketing.
Joshua Nicholson:
That is great. Thank you again for joining us. And to everyone listening, hit that like and subscribe button, and as always, stay secure.
Key Takeaways
- Most breaches still bypass technical defenses by exploiting users. David explains that despite strong network, endpoint, and identity controls, roughly 90% of breaches still begin with user behavior such as social engineering, business email compromise, and insider manipulation.
- Traditional awareness programs deliver minimal risk reduction. Generic phishing tests and standardized training leave high-risk users unchanged, waste time for low-risk users, and often damage trust between security teams and employees.
- AI has made social engineering faster, cheaper, and more effective. Attackers now use generative AI, open source data, and unguarded models to automate highly convincing multi-channel attacks across email, phone calls, SMS, deepfake video, and collaboration platforms, without relying on malware or exploits.
- Risk is highly concentrated and requires individual-level action. Only a small percentage of users account for most enterprise risk. David outlines why effective defense requires scoring each user based on behavior and role, then applying targeted remediation instead of blanket training and controls.
- Some users cannot be trained and must be controlled. For negligent, complicit, or malicious users, training does not work. David explains why organizations must connect user risk scoring to identity systems, access controls, and workflows to restrict access and prevent repeat exploitation.