How Adaptive Security CEO Brian Long thinks AI-powered attacks will change the SAT industry

Something old, something new, something borrowed, something duped. That’s essentially Adaptive Security’s approach to preparing working professionals to keep themselves and their organizations safe against AI-powered attacks.

The newcomer security training company, founded in 2024, provides users with training content to help users better identify threats like deepfakes, smishing, and vishing. However, instead of traditional learning modules, Adaptive delivers customized simulated attacks to employees, such as a phone call with a real-time deepfake of someone within the organization requesting a favor.

Brian Long, Adaptive co-founder and CEO, told IT Brew that the technology used to execute these types of attacks is constantly evolving, making it easier for threat actors to strike—and more crucial for organizations to up their game against such threats.

“Anyone from an eight-year-old to an 80-year-old can make [deepfakes] now in just a few minutes,” he said.

Adaptive’s entry into the industry comes at a time when security awareness training administrators aren’t entirely satisfied with their training content. A recent Huntress report found that 44% of security awareness training (SAT) professionals feel their content is either often or always outdated or irrelevant. A number of security companies, such as Breacher.ai and Arsen Security, are attempting to fill this gap by providing educational content focused on AI-related threats. IT Brew previously reported that KnowBe4, a longtime player in the security awareness training space, has plans to release deepfake educational content in 2026.

“Organizations need to understand that, unfortunately, there’s a lot of successful attacks today and they’re growing really, really quickly,” Long said. “We just need to make sure that our workforce across every type of vertical is ready for this threat, because they are not.”

IT Brew caught up with Long to hear his thoughts on how the SAT industry will change in the next decade and how Adaptive’s content compares to traditional security training incumbents.

These responses have been edited for length and clarity.

Do you think legacy SAT companies still have place and value in today’s threat landscape?

There’s still value because there’s still traditional attacks happening, but organizations need to adjust for where most attacks are going now, and the attackers unfortunately are moving a lot faster right now than many organizations are. So, organizations need to act with urgency in order to get ready for this threat because unfortunately a lot of successful attacks are not reported in the press today.

If a company gets attacked and loses something, they generally don’t tell anyone. They tend to keep it to themselves. So, unless it’s a public entity that has to do some sort of disclosure…it’s generally not being published anywhere. But what I’ll tell you is that if you asked a CISO…a year ago, if they had had this type of deepfake attack be successful at their organization, you probably would hear one in 10. Today if you ask them, it’s over half.

Have you seen a difference in the way users respond to educational content from Adaptive compared to traditional SAT?

To be effective, it has to be relevant and it has to impact the life of the individual. And what’s different about what we’re doing and what you’re able to do now with AI is that I can really personalize the training to you. I can have it be an interactive voice deepfake that’s tailored to just you. I can have all the materials and the trainings specific to you and your organization. And it’s a radical difference from what was the traditional sort of batch and blast, everyone gets the same training…It’s a pretty radical change and as a result, I think that you’re seeing employees actually learn and become aware of something that is changing very, very quickly, which is AI-powered threats.

What are your thoughts on where the security awareness training training industry is heading in the next five years or so?

I think it’s headed for massive innovation. Because social engineering is still part of 90% of successful attacks, we have not done a grand enough job to protect organizations from these attacks. And unfortunately, that’s only going to increase significantly with these new AI tools. The tools are just going to get cheaper. They’re going to proliferate everywhere…The models themselves that allow these attacks to happen, they’re now available open-source, which means anyone can access it and they can run it on their own computer.

So, there’s no moderation…That’s having a huge, huge impact on the volume of attacks that we’re going to see. So, I think you’re going to see companies that play in the security awareness phase having to innovate really quickly in order to make it relevant for where these attacks are going.