COMMENTARY: Most security tools rely on static rules and basic alerts to control user access and flag anomalies. Although these tools form the core security layer, they cannot deal with attacks that target human behavior rather than technical vulnerabilities.

Cyberthieves hijack login credentials to move about without detection. Because traditional security policies detect rule violations rather than behavioral shifts, an attacker using a manager's credentials will not trigger an alarm if they log in during expected working hours. Their behavior, however, such as suddenly downloading confidential documents, may suggest a breach.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Threat actors exploit human nature to manipulate users into sidestepping security, employing social engineering tactics such as making urgent demands, appealing to greed, or assuming positions of authority. Rather than conducting a single crippling breach, attackers make small, seemingly innocuous changes over time to remain undetected. Conventional security controls, which concentrate on static rules, cannot identify these incremental threats.

Behavioral analytics driven by machine learning addresses these blind spots by identifying anomalies in user behavior, allowing proactive risk detection.

Dynamic risk scoring using Explainable AI: User and entity behavior analytics (UEBA) tools use dynamic risk scoring to identify anomalies, evaluating each user's past activity and comparing their behavior with that of their peer group. They augment the risk assessment with threat intelligence feeds, cross-checking known indicators of compromise to mark possible threats. To improve transparency, Explainable AI methods such as SHAP values present the tangible reasoning behind a security alert, telling the analyst and the user why a specific action was flagged.
For example, the explanation attached to an alert might read: accessing finance/payroll at 3 a.m. is 97% unusual for this user. The method strengthens threat detection while building accountability and user awareness.

Real-time behavioral interventions: Organizations can enhance security with zero trust network access (ZTNA) policies that dynamically change access levels according to user risk scores. For instance, if a high-risk user tries to upload company data to a personal Google Drive, the action is blocked and a just-in-time training module is invoked to teach the user how to handle data securely. API-powered training integration adds flexibility by feeding behavior-analytics risk scores into the user training platform to assign courses dynamically. For instance, when a user accesses files in an unexpected way, they are automatically prompted to take targeted training on "Data Handling Best Practices," reinforcing security awareness.

Simulating advanced adversary TTPs: Red team simulations help organizations test their defenses by replicating real cyberattacks. For example, a red team can mimic an insider or a compromised account using Living-off-the-Land techniques that abuse legitimate administrative tools such as PsExec, or running a post-exploitation framework such as Cobalt Strike, both of which attackers commonly use to evade detection. Pairing such simulations with training campaigns equips employees to recognize and report unusual activity, boosting human-powered threat detection. By replicating advanced tactics, techniques, and procedures (TTPs), organizations can pre-emptively evolve their security posture against new threats.

Risk-based training orchestration: Integration through SCIM (System for Cross-domain Identity Management) synchronizes behavior-analytics risk profiles with the training platform to deliver automated, customized security training. Users with high-risk profiles are offered detailed modules on insider threats and privileged access abuse, while users with low-risk profiles receive reminders about multi-factor authentication best practices to improve security hygiene.
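The scoring, explanation and risk-tiered intervention described above, worked through as an added Python example (this is illustration written for this column, not KnowBe4's code or any UEBA product's implementation). Everything in it is assumed: the 30-day event history and the live events are constructed, the feature weights, thresholds and the five-points-per-phishing-click enrichment are arbitrary, and the explanation is a plain additive per-feature breakdown rather than a SHAP computation. What it does show is the mechanism: a per-user baseline, a peer-group baseline that keeps normal payroll access cheap for payroll staff, a feature-by-feature reason list for the alert, and a score-to-action mapping of the kind a ZTNA policy or training platform would consume.

```python
"""Behavior-based risk scoring with plain-language explanations and
risk-tiered responses.

Added illustration for this column, not vendor code. The events, peer
groups, weights, thresholds and enrichment values are constructed
assumptions; the explanation is a simple additive per-feature breakdown,
not a SHAP computation.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Event:
    user: str
    role: str       # peer group, e.g. "finance"
    hour: int       # hour of day, 0-23
    resource: str   # logical resource, e.g. "finance/payroll"
    mb: float       # data transferred, in MB


# Constructed 30-day history: office-hours activity for two peer groups.
HISTORY = (
    [Event("alice", "sales", h, "crm", 2.0) for h in (9, 10, 11, 14, 15, 16)] * 5
    + [Event("bob", "sales", h, "crm", 1.5) for h in (9, 11, 13, 15, 17)] * 6
    + [Event("carol", "finance", h, "finance/payroll", 5.0) for h in (8, 9, 10, 13, 14)] * 6
    + [Event("dave", "finance", h, "finance/ledger", 4.0) for h in (9, 10, 15, 16)] * 7
)

# Assumed feature weights; they sum to 1 so the score lands in 0..100.
WEIGHTS = {"hour": 0.40, "resource": 0.40, "volume": 0.20}
# Assumed intervention thresholds on the 0..100 score.
BLOCK_AT, STEP_UP_AT = 70, 40
# Assumed enrichment from the awareness-training platform (constructed):
# phishing-simulation clicks per user in the last 90 days.
PHISHING_CLICKS_90D = {"alice": 0, "bob": 0, "carol": 0, "dave": 2}


class Baseline:
    """Per-user and per-peer-group activity counts built from history."""

    def __init__(self, events):
        self.user_hours = defaultdict(Counter)
        self.user_res = defaultdict(Counter)
        self.peer_hours = defaultdict(Counter)
        self.peer_res = defaultdict(Counter)
        self.user_mb = defaultdict(list)
        for e in events:
            self.user_hours[e.user][e.hour] += 1
            self.user_res[e.user][e.resource] += 1
            self.peer_hours[e.role][e.hour] += 1
            self.peer_res[e.role][e.resource] += 1
            self.user_mb[e.user].append(e.mb)

    @staticmethod
    def rarity(user_count, peer_count):
        # 1.0 when neither the user nor the peer group has done this before,
        # falling toward 0 as either has done it often.
        return min(1.0 / (1 + user_count), 1.0 / (1 + peer_count))

    def features(self, e):
        """Return {feature: rarity in 0..1} for one event."""
        hour = self.rarity(self.user_hours[e.user][e.hour], self.peer_hours[e.role][e.hour])
        res = self.rarity(self.user_res[e.user][e.resource], self.peer_res[e.role][e.resource])
        usual_mb = mean(self.user_mb[e.user]) if self.user_mb[e.user] else e.mb
        # Ten times the user's usual transfer size saturates the volume feature.
        excess = max(0.0, e.mb / usual_mb - 1.0) if usual_mb > 0 else 1.0
        return {"hour": hour, "resource": res, "volume": min(1.0, excess / 9.0)}


def score(baseline, e, phishing_clicks=0):
    """Score one event 0..100; return (score, per-feature points, action)."""
    feats = baseline.features(e)
    contrib = {k: round(100 * WEIGHTS[k] * v, 2) for k, v in feats.items()}
    total = sum(contrib.values())
    # Enrichment: each recent phishing-simulation click adds 5 points (assumed).
    total = min(100.0, total + 5 * phishing_clicks)
    if total >= BLOCK_AT:
        action = "block_and_isolate"
    elif total >= STEP_UP_AT:
        action = "step_up_auth_and_assign_training"
    else:
        action = "allow"
    return round(total, 2), contrib, action


def explain(e, contrib):
    """Reasons for the score, largest contribution first; this is the text an
    analyst or a just-in-time training prompt would show next to the alert."""
    labels = {
        "hour": f"access at {e.hour:02d}:00 is unusual for {e.user} and peers",
        "resource": f"{e.user} and peers rarely touch {e.resource}",
        "volume": f"{e.mb} MB is far above {e.user}'s usual transfer size",
    }
    return [f"{labels[k]} (+{v} points)"
            for k, v in sorted(contrib.items(), key=lambda kv: -kv[1]) if v >= 5]


if __name__ == "__main__":
    b = Baseline(HISTORY)
    # Constructed live events: a normal one, a credential-misuse pattern, and
    # an off-hours access by the legitimate payroll user.
    for e in (Event("alice", "sales", 10, "crm", 2.0),
              Event("bob", "sales", 3, "finance/payroll", 60.0),
              Event("carol", "finance", 3, "finance/payroll", 5.0)):
        s, c, a = score(b, e, PHISHING_CLICKS_90D[e.user])
        print(f"{e.user:6} score={s:6.2f} action={a}")
        for line in explain(e, c):
            print("   -", line)
```

Run as a script, the three constructed events come out as alice allowed at a single-digit score, bob's credentials scoring 100 and blocked (off-hours, never-seen resource, 40 times his usual volume), and carol landing in the step-up tier on the hour feature alone because the peer-group baseline already knows finance staff touch payroll. In a real deployment the baseline would be a rolling window rebuilt continuously, the weights would be learned rather than fixed, and the enrichment would come from the training platform's API rather than a dictionary, but the shape of the explanation and the score-to-action step is the same.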
This dynamic strategy provides focused training, reinforcing the organization's active defense against changing threats.

Behavioral data enrichment: Training data flows back into the behavior analytics in real time to enrich risk profiles. Sending training completion rates, phishing simulation click rates, and quiz scores to the behavior-analytics tools gives organizations a clearer picture of each user's risk level. This integration improves insider-threat detection, raises security awareness, and provides data-driven risk analysis to support a more responsive defense.

Automated incident response playbooks: Security orchestration, automation, and response (SOAR) tools automate security workflows, triggering training and isolation responses when risk indicators are detected. For example, when behavior analytics identifies suspicious PowerShell activity, the SOAR playbook immediately assigns a training module to the user and isolates the affected endpoint through an orchestrated process. This forward-looking strategy reinforces security with swift responses to threats while supporting ongoing, risk-conscious employee education.

Attackers today use AI to mimic normal user activity, undermining conventional security measures. Defenders counter this with AI-based behavioral analytics that adapt to emerging threats. By continuously analyzing employee patterns and incorporating adaptive training, these tools detect subtle abnormalities and educate users on new threats, empowering the workforce to become steadfast defenders.

Stu Sjouwerman, founder and Executive Chairman, KnowBe4

Each SC Media Perspectives contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Behavioral analytics based on AI can stop cyberattacks before they occur