Blog
/
Network
/
April 8, 2024

Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities

This blog explores Darktrace’s detection of Balada Injector, a malware known to exploit vulnerabilities in WordPress to gain unauthorized access to networks. Darktrace was able to define numerous use-cases within customer environments which followed previously identified patterns of activity spikes across multiple weeks.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Apr 2024

Introduction

With millions of users relying on digital platforms in their day-to-day lives, and organizations across the world depending on them for their business operations, they have inevitably also become a prime target for threat actors. The widespread exploitation of popular services, websites and platforms in cyber-attacks highlights the pervasive nature of malicious actors in today’s threat landscape.

A prime illustration can be seen within the content management system WordPress. Its widespread use and extensive plug-in ecosystem make it an attractive target for attackers aiming to breach networks and access sensitive data, thus leading to routine exploitation attempts. In the End of Year Threat Report for 2023, for example, Darktrace reported that a vulnerability in one WordPress plug-in, namely an authentication bypass vulnerability in miniOrange's Social Login and Register. Darktrace observed it as one of the most exploited vulnerabilities observed across its customer base in the latter half of 2023.

Between September and October 2023, Darktrace observed a string of campaign-like activity associated with Balada Injector, a malware strain known to exploit vulnerabilities in popular plug-ins and themes on the WordPress platform in order to inject a backdoor to provide further access to affected devices and networks. Thanks to its anomaly-based detection, Darktrace DETECT™ was able to promptly identify suspicious connections associated with the Balada Injector, ensuring that security teams had full visibility over potential post-compromise activity and allowing them to act against offending devices.

What is Balada Injector?

The earliest signs of the Balada Injector campaign date back to 2017; however, it was not designated the name Balada Injector until December 2022 [1]. The malware utilizes plug-ins and themes in WordPress to inject a backdoor that redirects end users to malicious and fake sites. It then exfiltrates sensitive information, such as database credentials, archive files, access logs and other valuable information which may not be properly secured [1]. Balada Injector compromise activity is also reported to arise in spikes of activity that emerge every couple of weeks [4].

In its most recent attack activity patterns, specifically in September 2023, Balada Injector exploited a cross-site scripting (XSS) vulnerability in CVE-2023-3169 associated with the tagDiv composer plug-in. Some of the injection methods observed included HTML injections, database injections, and arbitrary file injections. In late September 2023, a similar pattern of behavior was observed, with the ability to plant a backdoor that could execute PHP code and install a malicious WordPress plug-in, namely ‘wp-zexit’.

According to external security researchers [2], the most recent infection activity spikes for Balada Injector include the following:

Pattern 1: ‘stay.decentralappps[.]com’ injections

Pattern 2: Autogenerated malicious WordPress users

Pattern 3: Backdoors in the Newspaper theme’s 404.php file

Pattern 4: Malicious ‘wp-zexit’ plug-in installation

Pattern 5: Three new Balada Injector domains (statisticscripts[.]com, dataofpages[.]com, and listwithstats[.]com)

Pattern 6: Promsmotion[.]com domain

Darktrace’s Coverage of Balada Injector

Darktrace detected devices across multiple customer environments making external connections to the malicious Balada Injector domains, including those associated with aforementioned six infection activity patterns. Across the incidents investigated by Darktrace, much of the activity appeared to be associated with TLS/SSL connectivity, related to Balada Injector endpoints, which correlated with the reported infection patterns of this malware. The observed hostnames were all recently registered and, in most cases, had IP geolocations in either the Netherlands or Ukraine.

In the observed cases of Balada Injector across the Darktrace fleet, Darktrace RESPOND™ was not active on the affected customer environments. If RESPOND had been active and enabled in autonomous response mode at the time of these attacks, it would have been able to quickly block connections to malicious Balada Injector endpoints as soon as they were identified by DETECT, thereby containing the threat.

Looking within the aforementioned activity patterns, Darktrace identified a Balada Injector activity within a customer’s environment on October 16, 2023, when a device was observed making a total of 9 connection attempts to ‘sleep[.]stratosbody[.]com’, a domain that had previously been associated with the malware [2]. Darktrace recognized that the endpoint had never been seen on the network, with no other devices having connected to it previously, thus treated it as suspicious.

Figure 1: The connection details above demonstrate 100% rare external connections were made from the internal device to the ‘sleep[.]stratosbody[.]com’ endpoint.

Similarly, on September 21, 2023, Darktrace observed a device on another customer network connecting to an external IP that had never previously been observed on the environment, 111.90.141[.]193. The associated server name was a known malicious endpoint, ‘stay.decentralappps[.]com’, known to be utilized by Balada Injector to host malicious scripts used to compromise WordPress sites. Although the ‘stay.decentralappps[.]com’ domain was only registered in September 2023, it was reportedly used in the redirect chain of the aforementioned stratosbody[.com] domain [2]. Such scripts can be used to upload backdoors, including malicious plug-ins, and create blog administrators who can perform administrative tasks without having to authenticate [2].

Figure 2: Advance Search results displaying the metadata logs surrounding the unusual connections to ‘stay.decentralappps[.]com’. A total of nine HTTP CONNECT requests were observed, with status messages “Proxy Authorization Required” and “Connection established”.

Darktrace observed additional connections within the same customer’s environment on October 10 and October 18, specifically SSL connections from two distinct source devices to the ‘stay.decentralappps[.]com’ endpoint. Within these connections, Darktrace observed the normalized JA3 fingerprints, “473f0e7c0b6a0f7b049072f4e683068b” and “aa56c057ad164ec4fdcb7a5a283be9fc”, the latter of which corresponds to GitHub results mentioning a Python client (curl_cffi) that is able to impersonate the TLS signatures of browsers or JA3 fingerprints [8].

Figure 3: Advanced Search query results showcasing Darktrace’s detection of SSL connections to ‘stay.decentralappps[.]com over port 443.

On September 29, 2023, a device on a separate customer’s network was observed connecting to the hostname ‘cdn[.]dataofpages[.]com’, one of the three new Balada Injector domains identified as part of the fifth pattern of activity outlined above, using a new SSL certificate via port 443. Multiple open-source intelligence (OSINT) vendors flagged this domain as malicious and associated with Balada Injector malware [9].

Figure 4: The Model Breach Event Log detailing the Balada Injector-related connections observed causing the ‘Anomalous External Activity from Critical Network Device’ DETECT model to breach.

On October 2, 2023, Darktrace observed the device of another customer connecting to the rare hostname, ‘js.statisticscripts[.]com’ with the IP address 185.39.206[.]161, both of which had only been registered in late September and are known to be associated with the Balada Injector.

Figure 5: Model Breach Event Log detailing connections to the hostname ‘js.statisticscripts[.]com’ over port 137.

On September 13, 2023, Darktrace identified a device on another customer’s network connecting to the Balada Injector endpoint ‘stay.decentralappps[.]com’ endpoint, with the destination IP 1.1.1[.]1, using the SSL protocol. This time, however, Darktrace also observed the device making subsequent connections to ‘get.promsmotion[.]com’ a subdomain of the ‘promsmotion[.]com’ domain. This domain is known to be used by Balada Injector actors to host malicious scripts that can be injected into the WordPress Newspaper theme as potential backdoors to be leveraged by attackers.

In a separate case observed on September 14, Darktrace identified a device on another environment connecting to the domain ‘collect[.]getmygateway[.]com’ with the IP 88.151.192[.]254. No other device on the customer’s network had visited this endpoint previously, and the device in question was observed repeatedly connecting to it via port 443 over the course of four days. While this specific hostname had not been linked with a specific activity pattern of Balada Injector, it was reported as previously associated with the malware in September 2023 [2].

Figure 6: Model Breach Event Log displaying a customer device making repeated connections to the endpoint ‘collect[.]getmygateway[.]com’, breaching the DETECT model ‘Repeating Connections Over 4 Days’.

In addition to DETECT’s identification of this suspicious activity, Darktrace’s Cyber AI Analyst™ also launched its own autonomous investigation into the connections. AI Analyst was able to recognize that these separate connections that took place over several days were, in fact, connected and likely represented command-and-control (C2) beaconing activity that had been taking place on the customer networks.

By analyzing the large number of external connections taking place on a customer’s network at any one time, AI Analyst is able to view seemingly isolated events as components of a wider incident, ensuring that customers maintain full visibility over their environments and any emerging malicious activity.

Figure 7: Cyber AI Analyst investigation detailing the SSL connectivity observed, including endpoint details and overall summary of the beaconing activity.

Conclusion

While Balada Injector’s tendency to interchange C2 infrastructure and utilize newly registered domains may have been able to bypass signature-based security measures, Darktrace’s anomaly-based approach enabled it to swiftly identify affected devices across multiple customer environments, without needing to update or retrain its models to keep pace with the evolving iterations of WordPress vulnerabilities.

Unlike traditional measures, Darktrace DETECT’s Self-Learning AI focusses on behavioral analysis, crucial for identifying emerging threats like those exploiting commonly used platforms such as WordPress. Rather than relying on historical threat intelligence or static indicators of compromise (IoC) lists, Darktrace identifies the subtle deviations in device behavior, such as unusual connections to newly registered domains, that are indicative of network compromise.

Darktrace’s suite of products, including DETECT+RESPOND, is uniquely positioned to proactively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.

Credit to: Justin Torres, Cyber Analyst, Nahisha Nobregas, Senior Cyber Analyst

Appendices

Darktrace DETECT Model Coverage

  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Rare External SSL Self-Signed
  • Compliance / Possible DNS Over HTTPS/TLS
  • Compliance / External Windows Communications
  • Compromise / Repeating Connections Over 4 Days
  • Compromise / Beaconing Activity To External Rare
  • Compromise / SSL Beaconing to Rare Destination
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Compromise / Large DNS Volume for Suspicious Domain
  • Anomalous Server Activity / Outgoing from Server
  • Anomalous Server Activity / Rare External from Server
  • Device / Suspicious Domain

List of IoCs

IoC - Type - Description + Confidence

collect[.]getmygateway[.]com - Hostname - Balada C2 Endpoint

cdn[.]dataofpages[.]com - Hostname - Balada C2 Endpoint

stay[.]decentralappps[.]com - Hostname - Balada C2 Endpoint

get[.]promsmotion[.]com - Hostname - Balada C2 Endpoint

js[.]statisticscripts[.]com - Hostname - Balada C2 Endpoint

sleep[.]stratosbody[.]com - Hostname - Balada C2 Endpoint

trend[.]stablelightway[.]com - Hostname - Balada C2 Endpoint

cdn[.]specialtaskevents[.]com - Hostname - Balada C2 Endpoint

88.151.192[.]254 - IP Address - Balada C2 Endpoint

185.39.206[.]160 - IP Address - Balada C2 Endpoint

111.90.141[.]193 - IP Address - Balada C2 Endpoint

185.39.206[.]161 - IP Address - Balada C2 Endpoint

2.59.222[.]121 - IP Address - Balada C2 Endpoint

80.66.79[.]253 - IP Address - Balada C2 Endpoint

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) - User Agent - Observed User Agent in Balada C2 Connections

Gecko/20100101 Firefox/68.0 - User Agent - Observed User Agent in Balada C2 Connections

Mozilla/5.0 (Windows NT 10.0; Win64; x64) - User Agent - Observed User Agent in Balada C2 Connections

AppleWebKit/537.36 (KHTML, like Gecko) - User Agent - Observed User Agent in Balada C2 Connections

Chrome/117.0.0.0 - User Agent - Observed User Agent in Balada C2 Connections

Safari/537.36 - User Agent - Observed User Agent in Balada C2 Connections

Edge/117.0.2045.36 - User Agent - Observed User Agent in Balada C2 Connections

MITRE ATT&CK Mapping

Technique - Tactic - ID - Sub Technique

Exploit Public-Facing Application

INITIAL ACCESS

T1190

Web Protocols

COMMAND AND CONTROL

T1071.001

T1071

Protocol Tunneling

COMMAND AND CONTROL

T1572


Default Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.001

T1078

Domain Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.002

T1078

External Remote Services

PERSISTENCE, INITIAL ACCESS

T1133

NA

Local Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.003

T1078

Application Layer Protocol

COMMAND AND CONTROL

T1071

NA

Browser Extensions

PERSISTENCE

T1176

NA

Encrypted Channel

COMMAND AND CONTROL

T1573

Fallback Channels

COMMAND AND CONTROL

T1008

Multi-Stage Channels

COMMAND AND CONTROL

T1104

Non-Standard Port

COMMAND AND CONTROL

T1571

Supply Chain Compromise

INITIAL ACCESS ICS

T0862

Commonly Used Port

COMMAND AND CONTROL ICS

T0885

References

[1] https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html

[2] https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html

[3] https://securityboulevard.com/2021/05/wordpress-websites-redirecting-to-outlook-phishing-pages-travelinskydream-ga-track-lowerskyactive/

[4] https://thehackernews.com/2023/10/over-17000-wordpress-sites-compromised.html

[5] https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-hacked-in-balada-injector-attacks-last-month/

[6]https://nvd.nist.gov/vuln/detail/CVE-2023-3169

[7] https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/

[8] https[:]//github[.]com/yifeikong/curl_cffi/blob/master/README.md

[9] https://www.virustotal.com/gui/domain/cdn.dataofpages.com

Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

Network
April 21, 2026
Joanna Ng
Associate Principal Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
April 21, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

A malicious eScan software update triggered a supply chain compromise that deployed multi‑stage malware and used blockchain‑based domains for resilient C2 communications. Darktrace identified rare, anomalous network activity across customer environments, helping organizations uncover the attack chain and strengthen defenses against increasingly sophisticated supply chain threats.
Joanna Ng
Associate Principal Analyst
Read more
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more

Blog

/

AI

/

April 28, 2026

State of AI Cybersecurity 2026: 87% of security professionals are seeing more AI-driven threats, but few feel ready to stop them

Default blog imageDefault blog image

The findings in this blog are taken from Darktrace’s annual State of AI Cybersecurity Report 2026.

In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.

Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations  experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.

In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.

CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.

AI-powered threats at scale: no longer hypothetical

AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.

Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.

  • 73% say that AI-powered cyber threats are having a significant impact on their organization
  • 92% agree that these threats are forcing them to upgrade their defenses
  • 87% agree that AI is significantly increasing the sophistication and success rate of malware
  • 87% say AI is significantly increasing the workload of their security operations team

These teams now confront a challenge unlike anything they’ve seen before in their careers, and the risks are compounding across workflows, tools, data, and identities. It’s no surprise that 66% of security professionals say their role is more stressful today than it was five years ago, or that 47% report feeling overwhelmed at work.

Up all night: Security professionals’ worry list is long

Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.

Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.

Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.

Confidence is lacking

Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.

We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.

Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).

Where security programs are falling short

It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.  

It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.  

Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.

Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.

Learn more about securing AI in your enterprise.

[related-resource]

Continue reading
About the author
The Darktrace Community

Blog

/

Email

/

April 24, 2026

Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication

Default blog imageDefault blog image

The challenge for CISOs

Despite continuous advances in security technologies, humans continue to be exploited by attackers. Credential abuse and social actions like phishing are major factors, accounting for around 60% of all breaches. These attacks rely less on technical vulnerabilities and more on exploiting human behavior and organizational processes. 

From my perspective as a former CISO, protecting humans concentrates three of today’s most pressing challenges: the sheer volume of email-based threats, their increasing sophistication, and the limitations of traditional employee awareness programs in moving the needle on risk. 

My personal experience of security awareness training as a CISO

With over 20 years’ experience as an ICT and Cybersecurity leader across various international organizations, I’ve seen security awareness training (SAT) in many guises. And while the cyber landscape is evolving in every direction, the effectiveness of SAT is reaching a plateau.  

Most programs I’ve seen follow a familiar pattern. Training is delivered through a combination of eLearning modules and internal sessions designed to reinforce IT policies. Employees are typically required to complete a slide deck or video, followed by a multiple-choice quiz. Occasional phishing simulations are distributed throughout the year.

The content is often static and unpersonalized, based on known threats that may already be outdated. Every employee regardless of role or risk exposure receives the same training and the same simulated phishing templates, from front-desk staff to the CEO.

The problem with traditional SAT programs

The issue with the approach to SAT outlined above is that the distribution of power is imbalanced. Humans will always be fallible, particularly when faced with increasingly sophisticated attacks. Providing generic, low-context training risks creating false confidence rather than genuine resilience. Let’s look at some of the problems in detail.

Timing and delivery

Employees today operate under constant cognitive load, making lots of rapid decisions every day to reduce their email volumes. Yet if employees are completing training annually, or on an ad hoc basis, it becomes a standalone occurrence rather than a continuous habit.  

As a result, retention is low. Employees often forget the lessons within weeks, a phenomenon known as the ‘Ebbinghaus Forgetting Curve.’

The graph illustrates that when you first learn something, the information disappears at an exponential rate without retention. In fact, according to the curve, you forget 50% of all new information within a day, and 90% of all new information within a week.  

Simultaneously, most training is conducted within a separate interface. Because it takes place away from the actual moment of decision-making, the "teachable moment" is lost. There is a cognitive disconnect between the action (clicking a link in Outlook) and the education (watching a video in a browser). 

People

In the context of professional risk management, the risks faced by different users are different. Static learning such as everyone receiving the same ‘Password Reset’ email doesn’t help users prepare for the specific threats they are likely to face. It also contributes to user fatigue, driven by repetitive training. And if users receive tests at the same time, news spreads among colleagues, hurting the efficacy of the test.  

Staff turnover introduces further risk. In many organizations, new employees gain access to systems before receiving meaningful training, reducing onboarding to little more than policy acknowledgment.

Measuring success

In my experience, solutions are standalone, without any correlation to other tools in the security stack. In some cases, the programs are delivered by HR rather than the security team, creating a complete silo.  

As a result, SAT is often perceived as a compliance exercise rather than a capability building function. The result is that poor-quality training does little to reduce the likelihood of compromise, regardless of completion rates or quiz performance.

What a modern SAT solution should look like

For today’s CISO, email represents the convergence point of high-volume, high-impact, and human-centric threats. Despite significant security investments, it remains one of the most difficult channels to secure effectively. Given these constraints, CISOs must evolve their approach to SAT.

Success lies in a balanced strategy one that combines advanced technology, attack surface reduction, and pragmatic user enablement, without over-relying on human vigilance as the final line of defense.

This means moving beyond traditional SAT toward continuous, contextual awareness, realistic simulations, and tight integration with security outcomes.

Three requirements for a modern SAT solution

  • Invisible protection: The optimum security solution is one that assists users without impeding their experience. The objective is to enhance human capabilities, rather than simply delivering a lecture. 
  • Real-time feedback: Rather than a monthly quiz, the ideal system would provide a prompt or warning when a user is about to engage with something suspicious. 
  • Positive culture: Shifting the focus away from a "gotcha" culture, which is a contributing factor to a resentment, and instead empowers employees to serve as "sensors" for the company. 

Discover how personalized security coaching can strengthen your human layer and make your email defenses more resilient. Explore Darktrace / Adaptive Human Defense.

Continue reading
About the author
Karim Benslimane
VP, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI