The cyber security perimeter has evolved many times over the years, and we’re now at a point in time where it is shifted once again. We have reached an era where defence is no longer just about protecting our networks, endpoints, cloud systems or SaaS applications, but about protecting our people. Attackers now target employees directly, relying on their ability to exploit human behaviour to gain access, rather than technical vulnerabilities.

To help organisations understand and contextualise how human behaviours create risks and enable threats, we have released our Human Threat Map to the public. This tool will serve as a reliable resource to help security teams build effective detections, mitigations, and interventions that defend or human perimeter. 

It’s 2025 and despite the many years of continued investment in security awareness training, human error remains a dominating weakness in cyber security. The 

 revealed that 68% of breaches still involve human mistakes. While training efforts over the years have improved general user awareness, cyber-attacks 

like phishing, social engineering, and AI-powered deception 

 continue to evolve much faster than our users can adapt.

 found that 79% of detected attacks in 2024 were malware-free, indicating an increasing reliance on user manipulation, credential theft, and direct system manipulation over traditional malware attacks.

To understand why traditional defences are struggling and how we should adapt, we need to examine how both attack and defence strategies have evolved over time:

A Castle-and-Moat model was adopted where we focused on protecting our network and trusting everything inside. However, attackers adapted and started to focus on phishing, vulnerability exploitation, and exposed resources to get through the perimeter.

~2000s – Secure the Perimeter and Endpoints

As attackers started to shift their focus to our endpoints. We started to adopt endpoint protection solutions such as Antivirus (AV), Intrusion Detection Systems (IDS), and early endpoint security tools. Phishing was a primary attack vector which lead to an increased need for security awareness training.

~2010s – Secure the Endpoints and User Identity

As Endpoint Detection and Response (EDR) improved and attackers pivoted from malware execution to credential theft and identity compromise. In response, defence shifted toward identity protection, Privileged Access Management (PAM), and Multi-Factor Authentication (MFA). The concept of Zero Trust gained traction and awareness training reached its peak, attempting to equip users with the knowledge to recognise and respond to evolving threats.

The post-COVID remote work shift and AI boom introduced new risks. Employees, now working from home on personal devices in less-secure environments, gained a false sense of security and became the prime target for behavioural exploitation and AI-driven deception. Deepfake phishing, automated social engineering, and AI-powered attacks became even more sophisticated. This rendered traditional security awareness training ineffective, as users simply could not – and cannot - detect or defend against every new threat variation that emerges.

Threat actors have continued to adapt to the various security perimeters we’ve defined and spent years reinforcing. Now, attackers will increasingly attempt to bypass network defences, endpoint protections, and even identity safeguards by going directly after the human element at the forefront of it all.

AI-powered phishing, deepfake social engineering, and behavioural manipulation tactics will make it nearly impossible for users to recognise or stop every attack. In response, security must evolve once more, moving beyond training and toward proactive Human Risk Management (HRM).

HRM is not about increasing training or phishing simulations. Instead, it is about building an intelligent, adaptive shield around employees that automatically detects risks and intervenes in real-time, preventing attacks before they succeed. Because, at the end of the day, we cannot expect employees to recognise all the Tactics, Techniques, and Procedures (TTPs) that threat actors may use against them. And if they could, well, they should probably get a job in cyber security!

Security cannot be the employee’s responsibility. The responsibility to protect our employees is ours, our security teams, our security partners, and our security solutions. This is where the Human Threat Map comes in. It provides organisations with a clear view of human-centric cyber threats, helping understand the risks and build effective real-time defences and interventions to protect our employees from attacks they can’t see coming.

The Human Threat Map (HTM) is a resource we are releasing to help organisations understand and mitigate human-centric cyber security risks enabled by human behaviours. The intention behind this framework is to help security teams:

The map currently documents over 80+ types of threats and 100+ types of user behaviours. Each providing a specific opportunity to consider and deploy interventions.

The Human Threat Map can be accessed at: 

When accessed for the first time, the map will organise threats into a MITRE-esque layout. This is broken into nine categories that the industry is already familiar with: Recon, Initial Access, Persistence, Defence Evasion, Credential Access, Discovery, Collection, and Impact.

When navigating them, each of these categories can be expanded to show their respective threats:

The map layout can also be changed to organise threats into multiple specific security domains: Identity, MFA, Phishing, Data Security, Endpoint Security, SaaS, MDM, Hardware Management, Artificial Intelligence, Encryption, and Instant Messaging.

This view will help teams focus on the threats that are relevant to their responsibilities, while also illustrating the complexity of human risk management

 highlighting why training alone cannot be relied on to protect our employees, systems, and resources.

Information regarding each threat can be found by selecting the threat tile, expanding it to display:

“How is this different from existing frameworks like MITRE ATT&CK?” – I hear some of you asking.

The Human Threat Map is not intended to replace or compete with existing frameworks such as MITRE 

. Instead, it is intended to complement them, with each framework serving a distinct purpose and addressing its own specific set of challenges.

MITRE ATT&CK helps you defend against traditional threat actors using well-known technical tradecraft and supports the implementation of conventional detection and response controls. ATLAS is ideal for understanding how attackers target and exploit AI technologies. The Push SaaS Attack Matrix is great if your focus is on identity-based threats and protecting SaaS environments.

The Human Threat Map is designed to focus purely on threats that succeed through human decision-making, enabling the creation and deployment of interventions triggered by these decisions, shifting defensive thinking as close to the user as possible.

This is intended to support teams adopting proactive Human Risk Management (HRM) strategies and looking to build defences at the human-layer. This is where behaviour-based interventions can trigger and prevent risky employee behaviours from escalating active threats into active breaches - where more traditional detections, controls, and services need to step in.

Let’s consider how the Human Threat Map (HTM) could be used in practice, using a hypothetical breach scenario. This will illustrate how Human Threat Mapping enables security teams to identify, analyse, and mitigate human-centric cyber threats.

An organisation suffers a security compromise in which attackers carry out the following key actions:

Using the Human Threat Map to Mitigate Attacks:

With an example breach in mind, we can examine how the HTM can be used to understand and defend against such attacks. For each threat, as a security team we want to understand how the attack was executed, what vulnerabilities it exploited, and analyse relevant behaviours to identify user actions that contributed to its success.

To then mitigate these threats and risks, Human Risk Management (HRM) requires proactive interventions rather than reactive measures. This can take many forms, including:

The first step in Human Threat Mapping is to identify and analyse the threats that were exploited or that may be involved in a future attack. Using the Human Threat Map, we can systematically trace each phase of the incident back to its corresponding threat category. This allows security teams to:

This structured approach ensures that threats are not only recognised but fully understood in the context of how attackers operate and what human-behaviours they exploit.

Step 2:  Understand Risky Human Behaviours

Once the threat itself is understood, next we can analyse the behaviours that enabled it. The HTM facilitates this as every threat is linked to multiple behaviours / risks 

each representing an opportunity to intervene before an attack succeeds.

When considering the Tenant Poisoning aspect of the attack scenario, the HTM shows that one of the enabling human risks for this threat is 

. This is a common action, particularly for new employees who are in the middle of their onboarding process within an organisation.

By recognising this as a high-risk behaviour, security teams can target it with proactive interventions rather than relying solely on post-incident responses or traditional phishing defences.

Once a relevant risk behaviour is identified, 

 can be deployed via a Human Risk Management platform, like CultureAI. These interventions can be tailored based on audience, triggers, and specific risk scenarios.

In terms of interventions related to the joining of new SaaS tenants, there are multiple approaches that can be taken:

To maximise effectiveness, these interventions should not be deployed in isolation but rather combined into playbooks that automatically trigger in response to specific behaviours and scenarios. For example, interventions can be customised for different teams or employee risk profiles, activated by specific events such as users receiving or clicking on SaaS tenant invitations, and dynamically updated based on risk appetite, user behaviour patterns, and the frequency of occurrences.

The cyber security landscape has evolved, and so must our approach to defence. Attackers are no longer just exploiting systems; they are exploiting people 

Relying on awareness training alone is no longer enough to tick the HRM box. Users cannot be expected to detect and counter every emerging cyber threat. We must continue to evolve from reactive education and controls to proactive defence and intervention.

Human Risk Management (HRM) is the place for this! By adopting HRM solutions and using the Human Threat Map (HTM), organisations can:

Security is not the employee’s responsibility

it is ours. It is our job, as security professionals, to build the defences that protect people, not to just train them to protect themselves.

The Human Threat Map is there for us all to use!  

Learn more about automated interventions 

HumanThreatMap.com - CultureAI's Human Threat Map

CultureAI - Mitigate Risks Using Automated Interventions

https://www.culture.ai/platform/automated-interventions

Verizon - 2024 Data Breach Investigation Report

https://www.verizon.com/business/resources/Te3/reports/2024-dbir-data-breach-investigations-report.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrikeGlobalThreatReport2025.pdf

Pushsecurity - SAMLjacking a Poisoned Tenant

https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/

https://github.com/pushsecurity/saas-attacks

To help organisations understand and contextualise how human behaviours create risks and enable threats we have released our Human Threat Map to the public. This tool will serve as a reliable resource to help security teams build effective detections, mitigations, and interventions that defend or human perimeter. 

Mapping and Defending the Human Perimeter 

, Lead Cyber Security Researcher at CultureAI

By Oliver Simonnet, Lead Cyber Security Researcher at CultureAI

Recommended for you

You're Not My Supervisor! Researching My Own New Starter Scam

Trouble Brewing - Dissecting a fake homebrew update that stole user data

The Offensive Potential of Computer-Using Agents