The same five questions anchor our front page. This is where we answer them at depth, with arguments published in the security press and shaped by 5,000 detections of what is landing in inboxes today.
The economics of attack just inverted. Personalization used to cost attackers time. Now it costs them nothing. Every defense built on the assumption that attackers would not bother just became economically obsolete, and the SOC budget is the line item that pays for the mismatch. This pillar is the single largest shift in email security since the category was created.
When AI models autonomously discover and chain vulnerabilities, the exploit supply becomes infinite. The chokepoint is not patching, it is how attackers deliver the payload. That chokepoint is email.
Read in SC Media →
The parallels between AI agent architectures and classic MITM exploits are closer than the industry wants to admit. Every trusted intermediary is a potential pivot point, and agents are the most trusted intermediary we have ever deployed.
Read in Security Boulevard →
Personalization used to cost attackers time. Now it costs them nothing. Every defense built on "attackers won't bother" is now economically obsolete, and your SOC budget pays for the mismatch.
Read in TechRadar Pro →
RAG poisoning is the new supply chain attack. The integrity of every AI-powered defense now depends on the provenance of the corpus it trains on, and most vendors cannot document theirs.
Read in Dark Reading →
Researchers uncovered malware scaffolded and operated by a commodity LLM. StrongestLayer research cited on prompt injection, LLM poisoning, and what it means when attack tooling becomes a prompt.
Read in The Hacker News →
Extended interview on AI-driven attack economics, the mid-market security gap, and why "good enough" email security becomes catastrophic the moment attackers automate their side of the workflow.
Read in BetaNews →
Your stack triages to 2 labels. The attack surface is 44. Phishing and BEC was the useful abstraction of 2015. In 2026 it hides what has actually changed. 35.9% of what lands in inboxes today is structurally impossible for a gateway to block, and whitelists, partner domains, and trusted platforms are the new attack surface nobody budgeted for.
Multi-channel evasion is the new default. A clean email with a phone number routes the payload through a conversation your email security never sees. Based on StrongestLayer analysis of 5,000 detections.
Read in Dark Reading →
StrongestLayer research exposed attackers abusing M365 Direct Send to spoof internal users at scale. Every legacy gateway in our test set missed it. The lesson is not the vulnerability, it is the detection assumption.
Read in Dark Reading →
Every email allow-list is a standing permission slip for attackers who compromise a trusted sender. Zero trust that stops at the email layer is not zero trust. It is a budget line item.
Read in Security Boulevard →
Practical companion to the Zero-Trust Paradox argument. Five pointed questions a CISO can bring to their email team that surface exactly how many attackers are already trusted by default.
Read in SC Media →
We don't scan messages. We render them. Signatures tell you what you already know. Reasoning tells you what you are actually looking at. Every email security product will become a reasoning engine or become a legacy entry in a competitive battlecard. There is no middle ground and no five-year glide path.
Signatures tell you what you already know. Context tells you what you are looking at. Next-gen email defense needs both, running against each other, not either one running alone.
Read in SC Media →
A system reflects the communication structure of the team that built it. Gateway architectures built on rules and committees produce rules-and-committees products. AI-native detection requires AI-native organizational design, not a feature port.
Read in Computer Weekly →
A CISO evaluation framework for AI security vendors that cuts past the marketing layer. What the model sees, what it retains, and what it can actually reason about in production.
Read in SC Media →
Evidence ships with every verdict. Security training moved from defense to self-sabotage the moment AI eliminated the cues users were trained to spot. Every minute your analyst spends reproducing the AI's verdict is a minute they are not spending on the next attack. Fast response starts with evidence that arrives with the decision, not evidence the SOC has to reconstruct.
The tells we taught users to spot (typos, pixelated logos, grammatical errors, mismatched URLs) are exactly what LLMs eliminated. When the training data is stale and the attacker has fresh data, the training becomes misdirection, and the SOC absorbs the cost.
Read in Security Boulevard →
StrongestLayer research cited on the live rate of trusted-platform abuse. The operational implication: analysts need evidence at the platform-interaction layer, not just the message layer, to triage without reconstructing each incident from scratch.
Read in SC Media →
We detect without exposing. AI-native security has an uncomfortable truth at its core: the most powerful detection traditionally demands the most invasive access. That trade-off is a design choice, not a physical law. Zero retention, zero training on customer content, and evidence-based reasoning are architectural, and they can be audited.
The architectural teardown for the CISO and legal reader. Complete documentation of zero-retention detection, architectural audit points, and what happens to your data during analysis and after verdict delivery.
Read on Privacy Architecture page →
Longer-form sessions where the arguments above get pressure-tested live. Useful if you want to hear Alan work through these ideas unscripted.
Oct 2025 · GTM-focused founder interview
Listen on Frontlines →
Oct 2025 · Deep technical discussion
Sep 2025 · Long-form feature
Read on Unite.AI →
Sep 2025 · Full-length interview
Read on Pulse 2.0 →
AI-generated phishing and why cognitive shortcuts defeat legacy controls
Sponsor session, full recording available
The arguments above are the thesis. The 44-subtype taxonomy, the kill-chain simulations, and the detection-gap breakdowns are the proof. Sent separately so each reader gets the view that matches their job.
Go to threat research →
Request a threat briefing with the team that publishes this research. 30 minutes, no slides, no pitch. We will walk through what we are seeing in live traffic and what it implies for your stack.