RSAC 2026 Innovation Sandbox | Humanix: People-Oriented Social Engineering Attack Detection and Response




Company Profile
Humanix (see Figure 1) is a cybersecurity company focused on human-centric threat detection and response, dedicated to protecting enterprises from social engineering attacks against “people”. It is headquartered in the San Francisco Bay Area of the United States [1]. Its core premise is that traditional security spends most of its energy on systems and boundaries, while most intrusions come in through people. Instead of relying on endless security awareness training or post-incident accountability, Humanix gives security teams continuous detection and response across interpersonal communication and collaboration channels, identifying manipulation, deception and impersonation in voice, video, email, chat and other channels, thereby protecting the relationships between employees, customers and the supply chain. The company mainly targets CISOs in the financial, hospitality and consumer technology industries, focusing on pain points such as continuous attacks on help desks and guest safety protection, and practicing the security concept of “protecting people rather than punishing them”.

Figure 1 Humanix official website homepage

In terms of financing, Humanix has raised a total of US$18 million: the seed round was led by boldstart ventures, the A round was led by Acrew Capital, and Evolution Equity Partners participated in both rounds. Investors describe Humanix as the pioneer of the emerging security category “human threat detection and response”, which aims to resolve a structural contradiction in the security field: although 76% of successful intrusions come from attacks on people rather than systems, the industry’s investment in protecting people is extremely low [2].
Keith Stewart, founder and CEO of Humanix (see Figure 2), is an executive with more than 25 years of experience in network security and technology management. He has been responsible for product, engineering and business development at security and networking vendors such as Cisco, Brocade, Riverbed and vArmour, and has repeatedly led the transformation from traditional software to SaaS and the implementation of security solutions for large financial, telecommunications and corporate customers [3]. In his bylined article “Stopping Social Engineering Attacks”, published in November 2025, he explained the founding motivation of Humanix: treat social engineering as an attack type equivalent to vulnerability exploitation, and use natural-language-level detection and response to deal with attacks on people, rather than simply requiring people never to make mistakes. This background lays the foundation for Humanix’s product direction and commercialization in the emerging field of “human factors security”.

Figure 2 Founder and CEO of Humanix

Product Background
The essence of social engineering: attack methods that exploit “human loopholes”
Social engineering means that attackers do not rely on technical vulnerabilities or malicious code, but use deception, manipulation, inducement and identity impersonation to influence people psychologically and behaviorally, so that victims leak credentials, perform improper operations or violate existing processes, either unknowingly or under inducement, thus opening the way for intrusion. Typical tactics include phishing emails, pretexting, technical support scams, business email compromise, and phone or instant messaging impersonation aimed at help/service desks. Unlike the exploitation of software vulnerabilities, social engineering attacks exploit “human loopholes”, so traditional system- and boundary-based protection often fails to cover them, and security awareness training alone is unlikely to catch skilled psychological manipulation in a real-time conversation.
The current situation of social engineering: a data perspective on the high incidence of intrusions and huge losses
Multiple authoritative reports show that intrusions and losses through the human entry point remain high. According to the Verizon 2024 DBIR, after excluding malicious internal abuse, human factors are still involved in about 68% of breaches; if internal abuse is included, the proportion can reach about 76%, that is, most successful intrusions are directly related to people [4]. The Verizon 2025 DBIR continues this trend: human factors are involved in about 60% of breaches, while the proportion of breaches involving third parties has increased from about 15% to about 30%. Supply chain and outsourced services (such as the service desk) have become more prominent attack surfaces [5].
The FBI IC3 “2024 Internet Crime Report” (released by the FBI Internet Crime Complaint Center) shows the scale in terms of losses: the total losses reported by IC3 in 2024 were approximately US$16.6 billion. Of these, reported losses from business email compromise (BEC) were approximately US$2.77 billion, and reported losses from technical support fraud were approximately US$1.46 billion. Both are closely related to social engineering [6]. CrowdStrike’s “2025 Global Threat Report” further pointed out that voice social engineering attacks increased by 442% year-on-year, indicating that attackers are increasingly using telephone, voice and other channels to bypass email and endpoint protection [7].
Taken together, these data show that social engineering has become one of the most important intrusion paths, while human interaction channels such as the help desk/service desk, email and voice still generally lack real-time detection and response capabilities.
The blind spot of social engineering: the attack case that inspired the creation of Humanix
Humanix founder Keith Stewart once mentioned a social engineering attack that caused losses of about $100 million: the attacker called the help desk and successfully manipulated the service staff with confident language and complete information. The operator had no way to detect this psychological tactic during the live call, yet the company's only response was to hold the employee accountable afterwards [3]. This closely mirrors the Clorox hack in 2023: the attackers skipped technical vulnerabilities altogether and simply impersonated employees over the phone, tricking the outsourced service desk into resetting passwords and MFA, eventually implanting ransomware and causing losses of approximately US$380 million [8].
These cases expose the blind spots of traditional defense: social engineering attacks are carried out in natural language over communication channels such as voice, traditional products cannot “see” manipulation and impersonation in conversations, and training alone rarely holds up in high-pressure real-time calls. It is this kind of large-scale risk against “people” that drove Humanix to set its product direction: using conversational AI to achieve real-time detection and response to social engineering attacks in channels such as voice, video and email, changing “post-event accountability” into “active protection”.
Product Architecture and Core Technology Scheme
Core Architecture: Human Interaction Data Pipeline and Processing Mechanism
Humanix is a detection and response platform that takes “human interaction” as its core object and extends security protection from the traditional host, network and identity boundaries to the “human attack surface (Human Layer)”. The core concept is that attackers often bypass technical protection and manipulate human behavior through social engineering. Security systems therefore need to directly understand the content and context of interactions between people in order to identify attack behavior early and intervene [9][10].
In terms of overall architecture, Humanix can be abstracted as a layered system for real-time interaction, covering key stages such as data access, processing and analysis. The access layer is responsible for collecting multi-channel human interaction data, including voice calls, instant messaging, emails and work order (ticketing) systems (see Figure 3). These data are the main carrier of “human behavior”. Unlike traditional security solutions that rely on logs or traffic mirroring, this system is aimed directly at business communication scenarios and captures the context in which the attack occurs at the source.

Figure 3 Multi-channel interactive data access source

At the data processing layer, the system processes multimodal data in a unified manner. Voice data is converted to text through automatic speech recognition (ASR), and unstructured data such as text, chat records and emails is further cleaned and structured. At the same time, the system adds context information for semantic enrichment, including user identity, organizational role, historical behavior and interaction relationships, so as to build a data foundation capable of contextual understanding. This “data + context” fusion enables the system not only to identify the content itself, but also to understand the environment in which it occurs and whether it is reasonable there [11].
The overall data processing flow is clearly stream-oriented: interaction data is collected, analyzed and forwarded in real time to provide low-latency input for subsequent detection. This streaming pipeline architecture matches the “short trigger time, rapid spread” nature of social engineering attacks and gives the security system the ability to respond in time.
From a technical standpoint, the key elements of this architecture are unified multi-channel access, multimodal data fusion and data pipelines built for real-time analysis. Together, these capabilities form the basis for the subsequent AI detection and response mechanisms.
Core Technology: Conversational AI Detection Engine and Behavior Modeling
Humanix’s core capabilities lie in its AI detection engine. The engine identifies complex social engineering attacks by combining semantic understanding with behavioral modeling, and generalizes better than traditional rule-based or keyword-based detection methods.

Dialogue semantics and attack intention recognition

The system performs context-level analysis of interaction content based on large models, rather than parsing individual messages. The focus is no longer on “what was said” but on “why it was said”, that is, on identifying potential manipulation intent. For example, in social engineering attacks, attackers often apply pressure through “authority” and “urgency” to induce targets to perform sensitive actions. Such characteristics are usually implicit in tone and context rather than in explicit keywords [12]. Humanix uses semantic modeling to identify attack patterns such as impersonation, deception and urgent requests, shifting from surface content detection to deep intent recognition [13].

Behavioral and relational modeling

The system introduces an analysis mechanism similar to a “Human Graph” to model users and their interactions. The model captures not only the role and authority of each user, but also their interaction networks and behavioral habits within the organization, thereby establishing a behavioral baseline. The system can flag potential risk when interaction patterns are abnormal (such as cross-departmental exception requests and atypical operation paths). Compared with traditional UEBA, this method emphasizes “interpersonal relationships” and interaction context, avoiding the limitations of analyzing the behavior of a single account [11].

Multi-model fusion mechanism

Humanix combines different types of models: large models are responsible for semantic understanding and contextual analysis, classification models identify specific attack types, behavioral models detect abnormal patterns, and a policy rule engine supports decision-making. This multi-model collaboration can improve detection accuracy in complex scenarios and make results easier to interpret. For example, when identifying “disguised requests” or “pre-reconnaissance behaviors”, the system needs to consider semantic features, historical behavior and cross-channel correlation information at the same time [14].
Overall, the core advantage of this detection engine is that it can identify complex social engineering attacks through multimodal semantic analysis, behavior modeling and model fusion. This capability enables the system to identify potential risks before an attack has a real impact.
Practice and platform capabilities: real-time response closed loop and integration solutions
Humanix has built a closed-loop security mechanism centered on real-time response, converting risk identification results into executable security controls.

Real-time detection and response mechanism

The system achieves low-latency risk identification through streaming data processing and performs correlation analysis across multi-source signals. These signals include not only the results of dialogue semantic analysis, but also cross-channel interaction behavior and system events such as authentication and access, forming a more comprehensive basis for risk judgment [11]. On this basis, the system can intervene in the process, for example by prompting users before sensitive operations are performed, triggering secondary verification or escalating the verification process, thereby blocking potential attack paths.

Closed-loop system design

Humanix summarizes its security capabilities as three stages: “Detection → Response → Assure”. The detection stage is responsible for identifying social engineering attacks; the response stage reduces risk through real-time intervention and process orchestration; the assure (audit) stage records and analyzes events to provide a basis for compliance and security operations. This closed-loop design gives the system not only detection capabilities but also verifiable security assurance [9].

Platform integration capability

Humanix adopts an API-first architecture and supports deep integration with the enterprise’s existing security systems, including SIEM, SOAR, IAM and work order (ticketing) systems. Through cross-system data correlation, the platform can analyze dialogue-level risk together with account behavior, access control and business operations to identify more complex attack chains. For example, by correlating reconnaissance behavior with subsequent authentication events, the attack preparation stage can be discovered in advance and handled early [14].
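The correlation described in the two passages above, conversation-level risk signals joined with authentication events so that a sensitive operation can be prompted or stepped up before it completes, looks like this in code. This is an added example, not Humanix code or its API; the event fields, signal labels, weights, thresholds and the 24-hour window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed labels and weights standing in for an upstream conversation
# analyzer's output; not a Humanix schema.
SIGNAL_WEIGHTS = {"impersonation": 3, "authority": 2, "urgency": 2, "recon": 1}
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset"}
WINDOW = timedelta(hours=24)

# Constructed sample events (conversation findings plus IAM events).
EVENTS = [
    {"ts": "2026-02-27T10:00:00", "channel": "voice", "kind": "conversation",
     "account": "a.lee", "signals": ["urgency"]},          # outside the window
    {"ts": "2026-03-02T09:05:00", "channel": "email", "kind": "conversation",
     "account": "j.doe", "signals": ["recon"]},
    {"ts": "2026-03-02T14:40:00", "channel": "voice", "kind": "conversation",
     "account": "j.doe", "signals": ["authority", "urgency"]},
    {"ts": "2026-03-02T14:47:00", "channel": "iam", "kind": "mfa_reset",
     "account": "j.doe"},
    {"ts": "2026-03-02T15:10:00", "channel": "chat", "kind": "conversation",
     "account": "a.lee", "signals": []},
    {"ts": "2026-03-02T15:12:00", "channel": "iam", "kind": "password_reset",
     "account": "a.lee"},
    {"ts": "2026-03-02T16:20:00", "channel": "chat", "kind": "conversation",
     "account": "b.kim", "signals": ["urgency"]},
    {"ts": "2026-03-02T16:30:00", "channel": "iam", "kind": "password_reset",
     "account": "b.kim"},
]

def choose_response(score):
    """Map a risk score to an intervention before the action completes."""
    if score >= 5:
        return "step_up_verification"
    if score >= 2:
        return "prompt_agent"
    return "allow"

def correlate(events, window=WINDOW):
    """Score each sensitive action from earlier conversations on that account."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO 8601 sorts lexically
    decisions = []
    for i, ev in enumerate(events):
        if ev["kind"] not in SENSITIVE_ACTIONS:
            continue
        when = datetime.fromisoformat(ev["ts"])
        signals, channels = set(), set()
        for prior in events[:i]:
            if prior["kind"] != "conversation" or prior["account"] != ev["account"]:
                continue
            if when - datetime.fromisoformat(prior["ts"]) > window:
                continue  # too old to belong to this interaction
            if prior["signals"]:
                signals.update(prior["signals"])
                channels.add(prior["channel"])
        score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)
        if len(channels) > 1:
            score += 2  # the same account was approached over several channels
        decisions.append({"account": ev["account"], "action": ev["kind"],
                          "score": score, "signals": sorted(signals),
                          "response": choose_response(score)})
    return decisions

if __name__ == "__main__":
    for d in correlate(EVENTS):
        print(d)
```

With the constructed events, the MFA reset that follows an email probe and a pressured voice call is stepped up, while a reset preceded only by an unremarkable chat is allowed.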

Observability and governance capacity

The system provides risk posture dashboards, behavior analysis and audit reporting to support the security team’s continuous operations. At the same time, through contextual analysis of policy violations, the system can distinguish between “normal business flexibility” and “potential attack behavior”, reducing the noise caused by false alarms and improving the efficiency of security operations [13].
In summary, the core advantages of Humanix are: embedding security capabilities directly into business processes to achieve real-time intervention rather than post-event alerts; building a unified security view through cross-system integration; and providing an auditable, operable security closed loop, enabling it to respond more effectively to human-targeted attacks in complex enterprise environments.
Summary
Traditional network security is usually built on boundary protection and signature matching, and its core logic focuses on identifying known system vulnerabilities and malicious code signatures. However, this defense paradigm of “focusing on technology and neglecting human factors” shows significant limitations in the face of social engineering attacks. Traditional solutions mainly focus on traffic auditing and access control at the infrastructure level, which makes it difficult for them to understand the semantic traps and psychological inducement at work in complex interpersonal interactions. Attackers take advantage of this blind spot to shift the focus of attack from the technical dimension to the cognitive dimension. The result is a serious loss of visibility and a delayed response when facing attack vectors aimed at “people”, and a failure to cover the most vulnerable risk exposure in the enterprise security architecture.
In response to these structural defects, Humanix proposed and built a data-driven security system with “human interaction” at its core, an important innovation in the cybersecurity defense paradigm. This solution breaks through the limitation of traditional security products that focus only on the system level, extends the protection boundary to the level of human behavior, and fills the theoretical and practical gap in security protection for the cognitive domain. In terms of technical implementation, Humanix uses multimodal data processing to integrate multi-source heterogeneous data such as voice, text and behavior logs, and relies on advanced AI detection engines for cross-channel data correlation and deep semantic understanding. This analysis mechanism, based on multi-model fusion, gives the system the ability to identify covert social engineering attacks, achieving the shift from “passive response” to “pre-identification and real-time intervention”. Its pioneering nature lies in refining the granularity of security defense down to the interaction process, making up for enterprises’ shortcomings in protecting people and building a more multi-layered and proactive defense-in-depth system.
With the spread of generative AI, social engineering attacks are becoming highly automated, personalized and difficult to identify, and traditional rule-based defense faces the risk of failure. The “people-centered” intelligent defense concept advocated by Humanix represents a key direction for the evolution of future security systems.
References
[1] https://www.humanix.ai/
[2] https://www.businesswire.com/news/home/20251112119985/en/Humanix-Raises-%2418M-to-Protect-the-Human-Layer-and-Stop-Social-Engineering-Attacks
[3] https://www.linkedin.com/in/keithrstewart/
[4] https://www.verizon.com/business/resources/T307/reports/2024-dbir-data-breach-investigations-report.pdf
[5] https://www.verizon.com/business/resources/Tef2/reports/2025-dbir-data-breach-investigations-report.pdf
[6] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
[7] https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrikeGlobalThreatReport2025.pdf
[8] https://arstechnica.com/security/2025/07/how-do-hackers-get-passwords-sometimes-they-just-ask/
[9] https://www.humanix.ai/product
[10] https://www.humanix.ai/learn/how-your-employees-good-instincts-can-become-security-vulnerabilities
[11] https://www.humanix.ai/learn/implementing-cross-channel-correlation-for-social-engineering-detection
[12] https://www.humanix.ai/learn/authority-and-urgency-in-social-engineering-attacks
[13] https://www.humanix.ai/learn/identifying-malicious-intent-in-security-policy-violations
[14] https://www.humanix.ai/learn/detecting-reconnaissance-and-deceptive-pretexting-before-attacks-begin
*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/rsac-2026-innovation-sandbox-humanix-people-oriented-social-engineering-attack-detection-and-response/