Citadel Cyber Defense · Social Engineering Defense & Human Risk

Engine Technical Design Document

Architecture, pipeline design, model specification, and performance validation across eight AI engines for adaptive phishing simulation, deepfake voice defense, OSINT exposure analysis, human risk scoring, multi-channel attack simulation, security culture measurement, insider threat intelligence, and compliance automation.

The human is not the weakest link. The untrained human is.

Defense Engines: 8
Breaches Begin Human: 80%
Click Rate Reduction: 73%→4%
AI Phishing Surge: 1,265%
engine_index
Eight engines. The human firewall, engineered.
01 AI Phishing Simulation: OSINT-personalized adaptive training
02 Vishing & Deepfake: AI voice cloning defense training
03 OSINT Exposure: Digital footprint and attack surface analysis
04 Human Risk Scoring: Behavioral analytics and risk quantification
05 Multi-Channel Attack: Email + voice + SMS + video blended simulation
06 Security Culture: Seven-dimension organizational measurement
07 Insider Threat: Behavioral indicators 30+ days before incident
08 Compliance Automation: NIS2, SOX, HIPAA, PCI training orchestration
executive_summary
An eight-engine architecture for the 80% of breaches that begin with a person

Approximately 80% of breaches begin with a person, not a machine — through phishing, vishing, social engineering, credential harvesting, or insider actions. Every other platform in the Citadel ecosystem addresses technical threats: Defense detects, Siege simulates, Wraith investigates, Vanguard hunts. Phantom addresses the dimension they all treat as an external variable: the human. Because no amount of SIEM correlation, endpoint detection, or network segmentation can stop an employee from clicking a link that looks exactly like it came from their CEO — because it was crafted by an AI that scraped their CEO's LinkedIn, conference presentations, and email patterns.

The threat landscape has undergone a qualitative shift. AI-generated phishing attacks have surged 1,265% since 2023 and are now the top enterprise email threat according to cybersecurity researchers, surpassing ransomware, insider risk, and traditional social engineering combined. In February 2024, a finance worker at Arup transferred $25 million to fraudsters after attending what appeared to be a legitimate video conference with the company's CFO and senior leadership: every face on the screen looked real and every voice matched perfectly, yet all of it was generated by AI from publicly available footage. Voice-cloning technologies are no longer reserved for laboratories or state actors. With accessible tools, attackers can replicate a manager's voice from public snippets, recorded presentations, or previous calls.

Phantom transforms the workforce from a vulnerability into an active defense layer. Organizations implementing behavior-based phishing training see a 50% reduction in actual phishing incidents over 12 months. Vishing simulation programs report 65% improvement in verification behavior. Phantom's adaptive simulation engine drives click rates from 73% (untrained workforce) to 4% (after 18 months of progressive training) — using the same OSINT data real attackers exploit: LinkedIn profiles, social media, corporate bios, conference appearances. AI's performance versus human red teams has improved by 55%, making AI-powered simulation essential for preparing employees against AI-powered attacks.

AI Phishing Surge Since 2023: 1,265%
Arup Deepfake Loss (Feb 2024): $25M
Click Rate After Training: 73%→4%
Phishing Incident Reduction (12mo): 50%
Vishing Verification Improvement: 65%
Breaches Start with a Person: 80%
ENG 01
AI Phishing Simulation & Adaptive Training
OSINT-personalized phishing simulations that use the same intelligence real attackers exploit — LinkedIn profiles, social media, corporate bios, conference appearances — with adaptive difficulty that escalates as employees improve.
Click Rate: 20%→3.5%
Architecture: LLM + OSINT + Adaptive Engine
LLM generates unique, contextually personalized simulations for every employee, every campaign; OSINT scan identifies personal exposure across six vulnerability categories; adaptive difficulty algorithm escalates based on individual performance
Personalization: Six OSINT Categories
Personal information, data leaks, online services, interests, social connections, and locations — the same intelligence real attackers scrape before crafting a targeted attack
Performance: Click Rate 20% → 3.5%
18 months of adaptive training; employees who consistently detect simulations receive increasingly sophisticated attacks; those who click receive targeted micro-training before escalating complexity
Toolchain: Python / LLM API / OSINT SDK
LLM-generated email content with OSINT context injection; DMARC/SPF spoofing within controlled scope; credential harvesting page detection training; immediate non-punitive feedback on interaction

Traditional phishing simulations use static templates that may or may not reflect threats relevant to your organization. Phantom's AI engine generates unique, contextually personalized simulations for every employee, every time. The system conducts comprehensive digital footprint scans across six categories — personal information, data leaks, online services, interests, social connections, and locations — to calculate individualized vulnerability scores. Simulations reference the employee's actual role, projects, colleagues, and interests. Difficulty adapts automatically: employees who consistently detect simulations receive increasingly sophisticated attacks (multi-step campaigns, business email compromise scenarios, urgent executive impersonation), while those who click receive targeted micro-training and simpler scenarios to build confidence before escalating complexity. AI-generated phishing now surpasses ransomware as the top enterprise email threat, with a 1,265% surge since 2023. The only defense against AI-powered attacks is AI-powered preparation.

performance_validation
Click Rate Reduction (18mo): 20%→3.5%
Phishing Incident Reduction: 50%
Reporting Rate Improvement: +340%
AI vs. Human Red Team Performance: +55%
ENG 02
Vishing & Deepfake Voice Defense
AI voice cloning simulations using authorized executive voice samples — training employees to resist the social engineering attacks that bypass MFA and every technical control because they target trust, not technology.
Verification Improvement: 65%
Architecture: Voice Cloning + Scenario Engine
GenAI voice models with library of authorized cloned voices; multi-step vishing campaigns combining phone + Teams/Zoom simulation; AI caller attempts to persuade user to share credentials or click links via chat
Performance: 65% Verification Behavior Improvement
Employees learn to verify through established channels, recognize urgency manipulation, and resist authority pressure regardless of how convincing the voice sounds
Impact: $1.8M Wire Fraud Prevented
CFO received a call that sounded exactly like the CEO — voice, speech patterns, background noise — generated from a 90-second YouTube conference clip. Recognized the pattern from Phantom's vishing training and verified through callback procedure
Context: 46% Faced Deepfake Attacks
46% of organizations have faced deepfake attacks; Arup lost $25M to a deepfake video conference in February 2024; most employees cannot distinguish AI-cloned voices from authentic voices
ENG 03
OSINT Exposure & Digital Footprint Analysis
Comprehensive scanning of employee digital footprints across six vulnerability categories — because the intelligence attackers use to personalize phishing is publicly available, and reducing your exposure reduces their ammunition.
Vulnerability Categories: 6
Architecture: OSINT Scanner + Data Broker Removal
Automated scanning across LinkedIn, social media, data broker sites, paste sites, dark web, and corporate web presence; individualized vulnerability scoring per employee; automated data broker removal to reduce attack surface
Performance: Baseline Before Simulation
Comprehensive OSINT assessment establishes baseline risk profile before simulations begin — training that mirrors actual attacker reconnaissance is more effective than generic scenarios
Features: Employee Self-Service Portal
Each employee receives a personal portal to view their digital footprint, manage their risk score, and take action on exposed personal information — empowering individuals to reduce their own attack surface
Impact: Reduce Attacker Ammunition
Proactive exposure reduction removes the intelligence attackers use to craft convincing phishing — combining simulation training with attack surface reduction creates a more complete defense than either alone
ENG 04
Human Risk Scoring & Behavioral Analytics
Quantifies individual and organizational human risk using real user behavior — click rates, report rates, verification behavior, channel adherence — not training completion checkboxes.
Behavioral, Not Compliance
Architecture: Risk Model + Behavioral Signals
Multi-factor risk score per employee: simulation click rate, reporting rate, time-to-report, verification behavior, OSINT exposure score, training completion, role-based risk weighting, department benchmarking
Performance: Board-Ready Risk Quantification
Human risk quantified with the same rigor as technical vulnerabilities; trending over time; department comparison; role-based risk segmentation (executives, finance, IT admins as highest-value targets)
Features: Adaptive Training Trigger
High-risk scores automatically trigger targeted training interventions; repeat clickers receive different training modality (video, interactive scenario, one-on-one coaching); risk scores drive simulation difficulty
Impact: Measured Behavior Change
Metrics beyond click rates: response times, reporting habits, escalation patterns, and repeat-risk signals help CISOs quantify the human security layer's actual resilience
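An added illustration (not Phantom's actual model) of how the signals listed above could be combined into a per-employee score that triggers training and sets simulation difficulty, as ENG 01 and ENG 04 describe. The weights, thresholds, role multipliers and field names are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass

# Assumed weights (sum to 1.0): the page lists these signals but not how they are weighted
WEIGHTS = {"click": 0.30, "no_report": 0.20, "slow_report": 0.10,
           "no_verify": 0.20, "osint": 0.15, "training_gap": 0.05}
# Assumed multipliers; the page names executives, finance and IT admins as highest-value targets
ROLE_WEIGHT = {"executive": 1.3, "finance": 1.3, "it_admin": 1.3}
SLOW_REPORT_MIN = 60.0            # assumed: a median report time of 60+ minutes scores as fully slow
HIGH_RISK, LOW_RISK = 60.0, 20.0  # assumed thresholds for training triggers and difficulty
REPEAT_CLICKS = 3                 # assumed definition of a repeat clicker

@dataclass
class Behavior:
    role: str
    sims_sent: int
    clicks: int
    reports: int
    median_report_min: float  # minutes from delivery to report
    verify_rate: float        # 0..1, share of vishing simulations verified by callback
    osint_exposure: float     # 0..1, from the exposure scan
    training_done: float      # 0..1, assigned training completed

def risk_score(b: Behavior) -> float:
    """Return 0..100; higher means more susceptible to social engineering."""
    # Laplace smoothing: one click in one simulation should not read as a 100% click rate
    click = (b.clicks + 1) / (b.sims_sent + 2)
    report = (b.reports + 1) / (b.sims_sent + 2)
    factors = {
        "click": click,
        "no_report": 1 - report,
        "slow_report": min(b.median_report_min / SLOW_REPORT_MIN, 1.0),
        "no_verify": 1 - b.verify_rate,
        "osint": b.osint_exposure,
        "training_gap": 1 - b.training_done,
    }
    base = sum(WEIGHTS[k] * v for k, v in factors.items())
    return round(min(100.0, 100 * base * ROLE_WEIGHT.get(b.role, 1.0)), 1)

def plan(b: Behavior, score: float) -> dict:
    """Map a score to the next training action and simulation difficulty."""
    if score >= HIGH_RISK:
        modality = "one-on-one coaching" if b.clicks >= REPEAT_CLICKS else "interactive scenario"
        return {"training": modality, "difficulty": "basic"}
    return {"training": None, "difficulty": "advanced" if score <= LOW_RISK else "standard"}

# Constructed sample employees (not real data)
FINANCE_CLERK = Behavior("finance", 8, 4, 1, 45.0, 0.25, 0.8, 1.0)
ENGINEER = Behavior("staff", 8, 0, 7, 5.0, 1.0, 0.2, 1.0)
```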
ENG 05
Multi-Channel Attack Simulation
Blended attack campaigns across email, voice, SMS, and video — because real attackers use multiple channels in quick sequence to break through defenses, and single-channel training leaves employees unprepared.
Attack Channels: 4
Architecture: Multi-Channel Campaign Engine
Coordinated campaigns combining email phishing + SMS smishing + voice vishing + video deepfake in realistic attack sequences; campaign sequencing mirrors actual multi-vector attack patterns
Performance: Blended Attack Preparedness
Employees trained across all channels expect threats on every vector; channel-specific detection rates measured independently; campaign-level success rates tracked across the full kill chain
Features: QR Code + MFA Fatigue
Includes quishing (QR-code phishing), MFA fatigue attacks, credential harvesting with fake login pages, and callback phishing — reflecting the full spectrum of 2026 social engineering techniques
Impact: No Blind Spots
Organizations training only on email phishing are preparing for 2020’s threats; multi-channel simulation prepares employees for the blended campaigns they actually face
ENG 06
Security Culture Measurement
Seven-dimension assessment of organizational security culture — because culture scores predict phishing susceptibility more accurately than training completion rates, and a strong culture produces 70% fewer social engineering incidents.
Dimensions: 7
Architecture: Survey + Behavioral Fusion
Seven dimensions measured: reporting behavior, peer influence, management support, policy knowledge, security sentiment, accountability, and communication effectiveness; fuses survey data with observed behavioral signals
Performance: Culture Predicts Susceptibility
Culture scores correlate more strongly with actual phishing susceptibility than training completion rates; organizations with strong culture scores experience 70% fewer social engineering incidents
Features: Department Benchmarking
Culture scores segmented by department, location, and management level; identifies pockets of weak security culture requiring targeted intervention; longitudinal tracking reveals culture trajectory
Impact: Culture as Defense Layer
A strong security culture creates social pressure for secure behavior — employees who see colleagues reporting suspicious emails are more likely to report them themselves, creating a positive feedback loop
ENG 07
Insider Threat Behavioral Intelligence
Detects behavioral indicators of insider threat — disgruntlement, policy violations, data hoarding, and pre-departure activity — because behavioral indicators precede 74% of insider incidents by 30+ days.
Behavioral Precursors: 74%
Architecture: UEBA + DLP Correlation
User and entity behavior analytics monitoring: data download volume, after-hours access patterns, email forwarding to personal accounts, USB usage spikes, access to files outside role scope, pre-departure data aggregation patterns
Performance: 30+ Day Advance Warning
Behavioral indicators detected an average of 30+ days before insider threat incidents; graduated alerting to HR and security teams with privacy-preserving design
Features: Privacy-Preserving Design
Monitors behavioral patterns, not content; alerts triggered by statistical anomalies, not keyword surveillance; HR involvement required before any individual investigation; false positive rate managed through multi-signal correlation
Impact: 25% of Breaches Are Insider
Insider threats are responsible for 25% of breaches and often the most damaging because insiders already have legitimate access; early detection enables intervention before data loss
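An added sketch (not Phantom's code) of the "statistical anomalies plus multi-signal correlation" idea above: each signal is compared to the user's own baseline with a robust z-score over counts only, and an alert is raised only when several signals deviate together. The signal names, the 3.5 cut-off, the two-signal minimum and the tier labels are assumptions.

```python
import statistics

Z_THRESHOLD = 3.5  # assumed cut-off on the modified z-score
MIN_SIGNALS = 2    # assumed: a single anomalous signal never alerts on its own

def robust_z(history, today):
    """Modified z-score from median and MAD, so past spikes do not inflate the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    # Floor the MAD at 1 so a flat baseline (all zeros) cannot divide by zero
    return 0.6745 * (today - med) / max(mad, 1.0)

def evaluate(baseline, today):
    """baseline: {signal: [daily counts]}; today: {signal: count}. Counts only, no content."""
    hits = sorted(s for s, hist in baseline.items()
                  if robust_z(hist, today.get(s, 0)) >= Z_THRESHOLD)
    if len(hits) < MIN_SIGNALS:
        tier = "none"              # one odd signal is treated as noise
    elif len(hits) == MIN_SIGNALS:
        tier = "security-review"   # assumed first tier of graduated alerting
    else:
        tier = "hr-and-security"   # HR is involved before any individual investigation
    return tier, hits

# Constructed 14-day baseline for one user (not real telemetry)
BASELINE = {
    "download_mb": [120, 90, 150, 110, 130, 100, 140, 95, 125, 115, 135, 105, 145, 110],
    "personal_forwards": [0] * 14,
    "usb_writes": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 0],
    "after_hours_logins": [1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1, 1, 0],
}
# A legitimate one-off bulk download: only one signal deviates
LARGE_TRANSFER_ONLY = {"download_mb": 4200, "personal_forwards": 0,
                       "usb_writes": 1, "after_hours_logins": 1}
# Pre-departure aggregation pattern: downloads, forwarding and USB all spike together
PRE_DEPARTURE_PATTERN = {"download_mb": 4200, "personal_forwards": 9,
                         "usb_writes": 12, "after_hours_logins": 2}

if __name__ == "__main__":
    for name, day in (("large transfer only", LARGE_TRANSFER_ONLY),
                      ("pre-departure pattern", PRE_DEPARTURE_PATTERN)):
        print(name, evaluate(BASELINE, day))
```

The single large download is suppressed while the correlated pattern escalates, which is how requiring agreement between signals keeps the false positive rate down.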
ENG 08
Compliance & Regulatory Training Automation
Automated training orchestration for NIS2, SOX, HIPAA, PCI DSS, GDPR, and industry-specific compliance requirements — because compliance training that is not behavior-changing is just a checkbox that protects the organization legally but not operationally.
Frameworks: 6+
Architecture: Framework-Aware LMS + Automation
Regulatory framework database mapping training requirements per role; automated enrollment, scheduling, and escalation; SCORM/xAPI integration with enterprise LMS; completion tracking with audit-ready reporting
Frameworks: NIS2 / SOX / HIPAA / PCI / GDPR
NIS2 security awareness requirements for EU critical infrastructure; SOX IT controls training; HIPAA privacy and security training; PCI DSS awareness; GDPR data protection training; industry-specific requirements
Features: Content Curator AI
Netflix-style interface for building training campaigns using natural language queries; acts as an AI-powered cybersecurity awareness training mentor; helps organizations build compliance programs without dedicated L&D resources
Impact: Compliance + Behavior Change
Combines regulatory completion tracking (auditable) with behavioral measurement (effective) — proving to regulators that training exists while proving to the CISO that training works
human_risk_impact
Breaches begin with a person: 80%
AI phishing surge since 2023: 1,265%
Arup deepfake conference loss: $25M
Wire fraud prevented (vishing training): $1.8M