Malik Haidar has spent years on the front lines of digital warfare, navigating the complex security landscapes of multinational corporations where a single slip-up can cost millions. As an expert who bridges the gap between raw technical intelligence and high-level business strategy, he has witnessed the evolution of cyber threats from clunky, recognizable spam to the hyper-personalized, AI-driven campaigns that now dominate the horizon. His focus remains on empowering Security Operations Centers to move beyond reactive firefighting and toward a proactive, evidence-based stance that protects both data and the bottom line. This conversation explores how the surge in AI-generated phishing is straining traditional defenses and what modern teams can do to reclaim their time and security.
The landscape of phishing has shifted from simple, mass-mailed lures to what many now call a “volume machine” fueled by artificial intelligence. From your perspective, how is this transition fundamentally changing the daily lives of Tier 1 analysts who are responsible for that first line of defense?
It has completely upended the traditional rhythm of the SOC. In the past, a Tier 1 analyst could rely on a certain “gut feeling” or obvious red flags like poor grammar and suspicious sender addresses to dismiss a large portion of the queue. Today, AI has stripped away those easy wins; the lures are polished, the tone is perfectly aligned with corporate HR or finance departments, and the context is often pulled from public employee data. This means every single alert now demands a deeper level of manual scrutiny, which creates a massive psychological burden. Analysts are no longer just looking for a needle in a haystack; they are looking for a specific needle in a pile of identical-looking needles, and that leads to a dangerous level of fatigue. When every message sounds like a routine IT request, the time spent checking context balloons, and that is exactly where the backlog begins to suffocate the team’s ability to react to actual breaches.
One of the most persistent hurdles mentioned is the use of short-lived domains and infrastructure that rotates faster than traditional reputation tools can track. How can a security team reach a confident verdict when their primary tools keep returning an “unknown” status for a URL?
The reliance on reputation is becoming a liability because attackers are using highly reputable environments, like AWS CloudFront, to host their malicious content. When a tool sees a link hosted on a major cloud provider or hidden behind a LinkedIn Drive redirect, it often gives it a pass or marks it as “unknown” because there is no history of abuse yet. To overcome this, we have to stop asking “who sent this” and start asking “what does this do?” This is where the shift to behavior-based visibility is critical. For example, using an interactive sandbox allows an analyst to actually see the page load in a safe environment in under 60 seconds. You might find a fake Microsoft 365 login page that only appears after a specific redirect or after filtering out free email domains. By observing the full attack chain—how the page harvests credentials or triggers a download—you get a definitive “malicious” verdict based on evidence, not just a guess based on a domain’s age.
Traditional automation often struggles with modern phishing techniques like CAPTCHAs or multi-stage redirects that require human-like interaction. How does the integration of interactive elements within a sandbox change the efficiency of an investigation?
Automation is a double-edged sword; if it’s too rigid, it misses the clever traps attackers set to weed out bots. We see many phishing pages now that won’t even load unless a CAPTCHA is solved or a specific button is clicked, which effectively blinds standard automated scanners. By using a solution like ANY.RUN that combines automation with interactivity, the sandbox can handle the heavy lifting—navigating pages and solving those challenges—while still allowing a human analyst to step in at any moment. This hybrid approach is a game-changer for capacity. It means the same team can process a much higher volume of alerts during a shift without needing to add more headcount immediately. It effectively absorbs the spikes in volume that AI-driven campaigns create, ensuring that the team isn’t just busy, but is actually moving through the queue with precision.
When a threat is confirmed, the handoff from Tier 1 triage to Tier 2 incident response is often a point of friction where critical time is lost. What are the key elements of a “ready-made” report that can actually accelerate the containment process?
The biggest mistake teams make is passing off raw technical data without context. If a Tier 2 responder has to re-run the entire analysis just to understand what Tier 1 saw, you’ve wasted precious minutes that could have been used for containment. A high-quality report needs to bridge that gap immediately by including a clear verdict, the relevant Indicators of Compromise (IOCs), and a full MITRE ATT&CK mapping. Adding an AI-generated summary that explains the “why” behind the malicious activity, along with specific recommendations for the next steps, transforms the handoff. It ensures that every escalation follows the same structure, regardless of who is on shift. When you have structured reports that provide a clear roadmap, you can see the delay between triage and response start to shrink, which is vital for preventing a credential theft attempt from turning into a full-scale network intrusion.
Looking at the data, some organizations are seeing up to a 20% decrease in Tier 1 workload and a 30% reduction in escalations by changing their analysis workflow. What do these metrics actually look like in terms of the business’s overall risk posture?
Those numbers aren’t just about making the SOC look good on paper; they represent a significant reduction in the window of opportunity for an attacker. If you can achieve an MTTR that is 21 minutes faster per case, you are essentially cutting off the attacker’s ability to move laterally or exfiltrate data before you’ve even noticed they are there. A 30% reduction in escalations means Tier 2 is no longer being bothered by “gray area” cases that could have been resolved earlier, allowing them to focus on high-risk, complex threats. Ultimately, about 94% of users in these environments report clearer decisions, which leads to fewer costly incidents. From a business perspective, this translates to stronger operational continuity and a much lower likelihood of the kind of catastrophic breach that makes headlines and drains resources.
What is your forecast for the evolution of AI-driven social engineering over the next few years?
We are heading toward a period of “deeply contextual” phishing where attackers won’t just mimic a generic HR email, but will use AI to synthesize real internal conversations and project timelines to create lures that are indistinguishable from legitimate business communication. I expect we will see a surge in multi-channel attacks where a phishing email is followed by an AI-generated voice or text message to “verify” the request, creating a false sense of security. As these attacks become more layered, the only way for defenders to stay ahead will be to move entirely away from static defense mechanisms. We will need to rely on real-time, behavioral analysis of every digital interaction. The “human in the loop” will remain essential, but their role will shift toward managing these sophisticated forensic tools rather than manually checking every suspicious link. The speed of the attack will continue to increase, but if we can keep our analysis time under a minute and our reports automated, we can still win the race.