
The Zero Trust Hub Editions
Zero Trust Segmentation trends, insights, and resources for today's cybersecurity leaders
What a Three-Time DEF CON Champion Hacker Taught Me About Zero Trust

VP, Industry Strategy
If someone spent 20 minutes researching you online right now, what would they find? And what could they use to build a successful cyberattack against you?
In my recent discussion with Rachel Tobac, CEO of Social Proof Security and three-time DEF CON Social Engineering Competition champion, she answered that question live — using me as the target.
In under 20 minutes, start to finish, she uncovered my contact details, found breach data with a plaintext password, cloned my voice, created a real-time deepfake, and built a spear-phishing email from my own social media.
Three years ago, that kind of reconnaissance took close to a hundred hours. But AI has collapsed every stage of the attack chain. When the attack is that fast and that personalized, perimeter defenses and behavioral training aren’t enough on their own.
Zero Trust was designed for exactly this reality. The architectural decisions that follow from it determine how much damage a twenty-minute dossier can actually do inside your environment.
From 100 hours to 20 minutes: what AI has done to the attack chain
Rachel was precise about what AI has changed and what it has not.
The tactics are the same ones Robert Cialdini documented decades ago, including authority, urgency, reciprocity, and social proof.
What AI has done is collapse the time cost. You can clone a voice from a minute of audio. You can generate a real-time deepfake with no specialist equipment. Attacks are faster, more scalable, and far more believable than they were three years ago.
This matters because organizations are expanding their AI footprint under the same “secure it later” assumption. Agents are going into production without identity validation. Sensitive data is flowing in without access controls.
Every unsecured AI tool hands the adversary more to work with. Zero Trust has to extend to the AI you deploy internally, not just the threats coming from outside.
Why security training can’t keep pace with an automated attack chain
During our discussion, Rachel found on my public social media that I’m a devoted listener of The Grade Cricketer. Using that information, she built a phishing email impersonating two of its hosts, inviting me to appear in a listener interview.
My honest reaction was that I would’ve clicked it immediately. When the attack pretext is hyper-personalized, anyone’s trained instinct to pause can get overwhelmed. Even the best training has limits that grow as AI raises the believability ceiling of attacks.
When the attacker is already inside, Zero Trust stops them
Most security strategies focus on keeping attackers out. Zero Trust focuses on what happens when they get in. When I asked Rachel what frustrates her most as a hacker, she pointed to Zero Trust controls, especially microsegmentation.
Microsegmentation splits the network into isolated zones. A compromised account can't roam freely across systems. An attacker who gets in through a phishing link or a cloned voice call hits a wall fast. The blast radius stays small by design, not by luck, and it works even if no one spotted the attack.
The same logic applies to AI tools. Every agent that assumes trust instead of verifying it is an opening. Zero Trust for internal AI means the same rules apply: verify first, limit access, and contain the damage if something goes wrong.
Get your architecture ready before the next AI-generated attack
Watching Rachel build that attack against me in under twenty minutes was a reminder that the threat has moved faster than most security architectures have. The tools are cheap, the data is public, and the time investment is minimal.
This is the environment CISOs are operating in today. And it’s exactly the environment Zero Trust was designed for. It’s a practical architecture built around a simple premise: assume the attacker will get in, make sure they can’t go far, and ensure your organization can recover fast.
Rachel’s demo showed what the attack looks like when it works. Zero Trust is the answer to what happens next.
STATSHOT
Vulnerabilities Risk Rise
Attackers exploited vulnerabilities more than ever, according to this year’s Verizon Data Breach Investigations Report (DBIR): vulnerability exploitation jumped from 20% to 31% as the dominant initial access vector. That sharp rise pushed it well ahead of phishing and credential abuse, which signals a major shift in how attackers are breaking in. Credential abuse, once the top technique, dropped significantly to 13%, though part of that decline reflects the addition of pretexting as a newly tracked category. The data shows attackers increasingly favor exploiting vulnerabilities over more traditional identity-focused methods.
