Abnormal AI
97% of security and IT pros surveyed believe behavioral AI can help prevent accidental data loss before it occurs.
95% of organizations surveyed reported measurable business impact due to misdirected email, including remediation costs, compliance violations, or damage to customer trust.
98% of security leaders consider misdirected email a significant risk.
The average enterprise spends over 400 hours per year managing false positive alerts from data loss prevention (DLP) or email security tools.
Misdirected emails contributed to over $1.2 billion in fines worldwide last year.
47% of security and IT professionals learn of misdirected emails from recipients rather than from security tools.
Misdirected emails accounted for 27% of all data protection incidents under the GDPR last year.
96% of organizations surveyed experienced data loss or exposure from misdirected email in the past year.
75% of analysts indicate that AI tools are already improving their job satisfaction by reducing alert fatigue and automating repetitive triage tasks.
100% of security professionals—including both leaders and analysts—state that implementing AI in the Security Operations Centre (SOC) is their top business objective.
96% of leaders report they have no plans to reduce headcount as AI adoption accelerates.
Over the next 3–5 years, both leaders and analysts expect autonomous SOC operations to become the norm.
63% of analysts state that AI is improving the accuracy of investigations. This figure rises to 69% among daily AI users.
Conversely, EMEA organisations show the highest reporting rate for BEC, at 4.22%.
Telecommunications saw the highest VEC engagement rate at 71.3%.
In EMEA, the VEC engagement rate exceeds Business Email Compromise (BEC) by 90%.
Junior sales staff were among the most vulnerable roles, engaging with VEC attacks they had read at a rate of 86%.
The overall reporting rate for advanced text-based email threats was just 1.46%.
7% of VEC engagements came from employees who had engaged with a previous attack.
Employees in large enterprises engaged with malicious vendor messages 72% of the time after reading them, taking follow-up actions such as replying or forwarding.
Repeat engagement with VEC in EMEA is the highest of any region, over twice that of BEC.
The second-ranked industry for VEC engagement rate was the energy/utilities sector (56%).
EMEA organisations demonstrate the lowest reporting rate for VEC, at 0.27%.
In just 12 months, attackers attempted to steal more than $300 million via VEC.
While 99% of organizations experienced incidents tied to human error, the vast majority stated they struggle to implement effective, scalable SAT programs.
99% of organizations see value in using AI to support automatically generating training campaigns and workflows.
More than half (53%) of respondents agreed that the effort required to run their current SAT tools outweighs their impact.
Nearly all of the organizations surveyed (99%) are in favour of including AI in future SAT tools and workflows.
83% of respondents agreed that their current SAT tools require substantial effort to operate and maintain.
95% of organizations see value in using AI to automatically create individualized attack simulations based on individual user profiles.
95% of organizations see value in using AI to automate the creation of training videos.
99% of organizations experienced security incidents linked to avoidable human error.
Many SAT programmes exist primarily to satisfy regulatory or insurance requirements.
95% of organizations see value in using AI to conduct conversational coaching by leveraging LLMs.
96% of organizations see value in using AI to create dynamic risk scores based on past user behaviour and the types of attacks targeting certain types of users.
75% of organizations require employees to complete security awareness training at least quarterly.