David DellaPelle: Welcome, everyone. Thank you so much for joining us today. My name is David DellaPelle. I am the co-founder and CEO of Dune Security, joined here by Michael Waite, co-founder and CTO of Dune Security.
We are here today for a very important reason. User behavior is still accounting for roughly 90 percent of breach origination within large companies. Enterprises today spend billions on legacy security awareness training and it fails to reduce user risk. High-risk users are not held accountable. Low-risk users have their time wasted. And it even creates an adversarial relationship between security teams, CISOs, and end users within the company.
It seems like lately we see more and more headlines of high-profile breaches happening against large enterprises. Especially with the advent and widespread adoption of generative AI and LLMs, a lot of the barriers to entry that historically made sophisticated attacks difficult are gone. It is a lot easier now for attackers with very little technical knowledge or background. Hackers are able to run widespread open-source intelligence on employees. They are able to gather essential details that allow them to build trust and rapport with those individuals.
They are still hitting employees on corporate email, but more and more we see a lot of these attacks happening off-channel through encrypted messaging apps that the enterprise has no visibility into — SMS, WhatsApp, Telegram, Signal. The entire paradigm within the last two to three years has evolved dramatically.
We saw something quite interesting just a couple of weeks ago. The Wall Street Journal reported on a study of 20,000 UC San Diego healthcare employees that found no correlation between standardized security awareness training and whether those employees failed a phishing test. Seventy-five percent of users spent under one minute on a training page or clicked through as quickly as possible, and over 50 percent closed training content immediately.
The AI capabilities to run OSINT at scale mean that hackers are looking at information about your employees exposed in data breaches. They typically know their full name, address, and social security number — enough to directly call your IT help desk and get credentials reset. They are able to do this at scale for entire organizations just by knowing your domain name. The quality and overall fidelity of these attacks has increased dramatically, and I think we are just seeing the beginning of that.
Michael Waite: I think you encapsulated those high-fidelity attacks well. The problem with legacy security awareness training is that it treated every single employee as if they were the same. Whereas we are not limited to a poor set of risk factors — we are adding more and more over time. Think about things like dark web monitoring and exposed credentials. If you are able to apply that data to an individual and tell them specifically: you are creating this type of risk to this company for these exact reasons, and the content is specifically targeted at that person, it can actually be very effective.
Our user risk scoring model empowers teams to prioritize response where it matters most, finding high-risk employees and locking down that risk. With Dune Security, organizations are able to gain real risk reduction, productivity gains, and remove the adversarial relationship that can often form between security teams and end users.
David DellaPelle: There has been a real paradigm shift in the approach that hackers are taking to infiltrate large enterprises. The industry needs an equivalent paradigm shift in how we address that. And that is exactly what we are doing at Dune Security.
Michael Waite: We take a data-driven approach to holistically understand every individual in the organization — the role they are in, the nature of the risks associated with that role, and the systems they are working with. With all of this information, we are able to put together a clear picture of the risk that each individual brings into an organization. And just like you said, it really reduces the adversarial relationship between the security team and the end user. Low-risk users — we are not wasting their time. We can empower them to do their jobs. But those people who are essential to the organization yet introduce a lot of risk due to the actions they are taking or the nature of their role — we have mechanisms to directly protect those people. The security team and the end user work together in concert, and I think that is what is necessary to meaningfully move the needle on the cybersecurity posture of our organizations.
David DellaPelle: Today's attackers are fast, operating across every channel employees use to communicate, whether within the corporate network or outside of it. Generic security awareness training is static and disconnected from real tactics. What is really needed is true risk reduction. We are building Dune Security to be the foundational company in user risk.
We are able to reduce risk, save time — and time is money for both admins and end users — and we can even improve the security culture within a company and remove the adversarial relationship that can form. So thank you so much for your time today.
Most breaches still start with human behavior, yet enterprises keep spending billions on security awareness training that does not work. A study of 20,000 UC San Diego healthcare employees found no correlation between standardized training and phishing test outcomes. The reason is not surprising: 75% of users spend under a minute on training pages, and up to 51% close the content immediately. In this session, Dune Security co-founders David DellaPelle (CEO) and Michael Waite (CTO) break down why one-size-fits-all training has failed to move the needle, and how AI and out-of-band attacks (social engineering delivered over channels the enterprise does not monitor) have made the problem significantly worse.
The conversation explores how Dune's personalized, risk-based approach drives measurable resilience. By simulating multi-channel attacks, scoring individual user risk, and adapting training and security controls in real time, security leaders can move beyond checkbox compliance and measurably reduce the user attack surface.
Key Takeaways
- Legacy SAT does not move user risk. A study of 20,000 UC San Diego healthcare employees found no correlation between standardized training and phishing test outcomes. 75% of users spent under a minute on training pages.
- Generative AI has collapsed the barrier to sophisticated attacks. OSINT, voice cloning, and persona research that once required skilled operators can now be executed at scale by attackers with minimal technical background.
- The attack surface has expanded beyond corporate email. Threat actors are increasingly engaging employees on platforms like SMS, WhatsApp, Telegram, and Signal. Enterprises have little to no visibility into these out-of-band channels, so email security gateways and inbox-based phishing simulations never see the attack.
- Not every user creates the same risk. Behavior-based risk scoring lets security teams focus remediation on the small population of high-risk users while keeping low-risk users productive.
- Effective risk reduction means treating employees as individuals, not a uniform population. By combining behavioral risk scoring, multi-channel attack simulations, and dynamic remediation, security teams can measurably shrink the attack surface – protecting high-risk users without wasting the time of low-risk ones.