For years, cybersecurity awareness training has felt like a compliance checkbox. During my time in the Army, you were either ahead of the necessary training or you were locked out on a random Tuesday morning. 

Log in, click through a slideshow, watch a dated video. Answer a few obvious quiz questions. Download a certificate. Email it to your IT department. Wash, rinse, and repeat next year.

For many military members, government employees, and cleared professionals, that cycle is painfully familiar. After nearly 20 years in uniform, I can personally say most annual cyber training eventually becomes background noise. Just something to survive rather than absorb.

But cybercriminals are no longer operating with outdated playbooks. They are adapting faster than traditional training programs can respond. Thanks, AI.

That is where Zepo comes in. Zepo believes the real battle has shifted away from firewalls alone and directly into human behavior.

“We want to protect what matters most, which is people,” said Andrea Taboada, Head of Innovation at Zepo. “We want to turn human cyber behavior into measurable defensive risk intelligence.” Instead of treating cybersecurity awareness as a once-a-year obligation, Zepo’s platform continuously measures how people actually respond to social engineering threats in real time.

And the results can be uncomfortable.

The Weakest Link Isn’t the Network

According to Taboada, roughly 95% of successful cyberattacks begin with a “human risk moment.” Not an advanced exploit. Not a hacker sitting in a dark room attacking a firewall.

A person clicking a link, answering a text, or trusting the wrong voice. Reacting emotionally.

“Cyber criminals understand that our training is not necessarily drilling into us,” Taboada explained. “They understand social engineering behaviors.”

That reality becomes especially dangerous in the cleared community, where trust, authority, and urgency are deeply embedded in workplace culture. Security clearance holders are often specifically targeted because of the information they can access and the networks they operate within. But unlike the Hollywood image of brute-force hacking, many attacks today are surprisingly simple.

“They just need the right message, in the right channel, to the right person, at the right time,” Taboada said.

Why Traditional Training Is Failing

One of Zepo’s core criticisms of current cybersecurity awareness programs is that they are static while cyber threats evolve daily.

Traditional training often assumes employees can absorb information through annual compliance modules and somehow retain that knowledge during moments of stress months later.

Real-world behavior says otherwise.

Taboada pointed to examples many people now encounter regularly:

  • Text messages pretending to be family members in distress
  • AI-generated phone calls using cloned executive voices
  • Fraudulent emails spoofing legitimate business services
  • Deepfake impersonations during financial approvals

“These attacks work because they trigger emotion,” she said.

Zepo describes successful social engineering attacks as a combination of three essential elements:

  • Authority
  • Emotion
  • Consequence or reward

If an attacker can create a sense of urgency by using someone you trust, such as a supervisor, coworker, bank representative, or even a family member, people often react before thinking critically. Imagine a phone call from a police officer stating that a loved one has been arrested or has been in an accident.

And that reaction window is exactly what attackers exploit.

Behavioral Intelligence Instead of Compliance

Rather than simply testing whether someone passes or fails a phishing exercise, Zepo focuses on what it calls “behavioral intelligence.”

The platform tracks how users behave during realistic attack simulations across multiple communication channels, including:

  • Phishing emails
  • Voice phishing (vishing)
  • SMS phishing (smishing)
  • Deepfake interactions
  • Multi-vector attacks combining several methods simultaneously

The company then analyzes why users responded the way they did. Did urgency trigger the reaction? Was it the authority figure? Was the reward too tempting? Did the employee hesitate before responding? This data becomes part of an evolving “risk score” tied to individual behavior patterns.

“We need numbers on behaviors,” Taboada said. “That’s the only way the message is going to come through.”

AI Is Accelerating Both Sides of the Fight

The rise of generative AI has dramatically changed the threat landscape over the past few years. Attacks including voice cloning, facial deepfakes, and AI-generated phishing campaigns are no longer futuristic concepts. They are accessible tools.

During the interview, Taboada demonstrated one of Zepo’s AI-powered voice simulations live.

The system placed a realistic HR phone call requesting personal information under the guise of routine verification. Even knowing it was a simulation, the interaction felt unsettlingly authentic.

The AI voice sounded calm, corporate, persistent, and believable. But what stood out most was not the sophistication of the technology itself, but how naturally the system attempted to pressure compliance without sounding overtly aggressive.

That is the real danger.

“The boundaries of volume and speed have been extended,” Taboada said. “Unfortunately, cyber criminals use AI to cause harm and gain financial reward as quickly as possible.”

But Zepo is also using AI defensively. Its platform generates personalized “AI Pills”: short, behavior-specific training moments delivered immediately after a user interacts with a simulation.

Instead of generic lessons, users receive feedback tailored to exactly what they did. Clicked the link but stopped before submitting credentials? The training reflects that. Reported the message correctly? The system adjusts future simulations to become more advanced. Failed repeatedly? The system lowers the complexity in order to rebuild awareness habits gradually.

“It’s not about pass or fail,” Taboada explained. “It’s about changing behaviors.”

Cleared Professionals Face Unique Risks

For security clearance holders, the risks become even more personal.

Many attacks are no longer random, ‘simple’ mass phishing attempts. They are highly targeted operations built around observable behaviors. Attackers often spend significant time studying their targets before ever launching an attack. They analyze job titles to understand a person’s level of access and authority within an organization, while reviewing calendars and public schedules to identify moments of vulnerability, travel, or high-pressure situations. 

Social media platforms provide a lot of information about organizational structures, coworkers, projects, and professional relationships that can be exploited to create believable impersonation attempts. Cybercriminals also pay close attention to communication styles, learning how individuals write, speak, and interact so they can mimic those behaviors convincingly. 

All of that information, combined with travel schedules and knowledge of trusted professional connections, allows attackers to craft highly targeted social engineering campaigns that feel legitimate and are difficult to detect.

Once one trusted identity is compromised, attackers can move laterally through networks by impersonating legitimate personnel. And within military and government culture, that trust can become a vulnerability.

Veterans and cleared professionals often instinctively trust people who speak the same language, understand the same acronyms, or communicate with familiar authority and cadence.

Attackers know that.

“We don’t necessarily need the CEO,” Taboada said. “We just need somebody you trust.”

The Biggest Mistake Organizations Make

According to Taboada, one of the largest failures in both government and private-sector cybersecurity programs is separating behavioral risk from technical security. 

Many organizations treat social engineering awareness as an HR responsibility, while IT departments focus separately on threat detection. Zepo argues that those two worlds must merge. “We can no longer afford that separation,” she said.

Instead of isolated compliance drills, organizations need continuous, realistic exercises that mirror how modern attacks actually occur. Taboada compared it to military-style readiness training. A fire drill is useful, but what happens if someone collapses during evacuation? What happens if an exit is blocked? What happens if communication fails?

Cybersecurity exercises, Taboada argues, need that same level of adaptive realism.

The Most Important Rule: Don’t React

Throughout the interview, one message surfaced repeatedly: Don’t react emotionally.

That pause, even for a few seconds, may be the single most effective defense against modern social engineering. “If it creates urgency, stop,” Taboada said. “Open a different channel of communication. Verify the information.”

Instead of clicking a link:

  • Go directly to the official website
  • Call the organization independently
  • Contact supervisors directly
  • Verify identities through alternate channels
  • Question emotional pressure tactics

That mindset matters more now than ever because cybersecurity is no longer just about protecting systems. It is about understanding ourselves.

And increasingly, that may be the hardest vulnerability to defend.

Aaron Knowles has been writing news for more than 10 years, mostly working for the U.S. Military. He has traveled the world writing sports, gaming, technology and politics. Now a retired U.S. Service Member, he continues to serve the Military Community through his non-profit work.