Interviews

Keith Stewart, Founder and CEO of Humanix – Interview Series

mm
Published

Keith Stewart, Founder and CEO of Humanix, is a cybersecurity veteran with more than 25 years of experience spanning product management, engineering, business development, and executive leadership at some of the industry’s most recognized companies, including Cisco, Brocade, Riverbed, and vArmour. Prior to founding Humanix in 2023, he served as Interim CEO and SVP of Product and Engineering at vArmour, where he helped guide the company through its acquisition and transition to a SaaS-based business model. Throughout his career, Stewart has led global teams, driven major cybersecurity product initiatives, participated in fundraising and M&A activities, and played a key role in developing next-generation security technologies. His extensive background in enterprise security and deep understanding of how attackers exploit human behavior led him to establish Humanix with the mission of protecting people from increasingly sophisticated social engineering attacks.

Humanix is a cybersecurity company pioneering what it calls Human Threat Detection and Response (HTDR), a new category focused on protecting the “human layer” of enterprise security. Rather than concentrating solely on endpoints, networks, and infrastructure, Humanix uses conversational AI trained on human psychology and natural language attack patterns to detect manipulation, deception, impersonation, and other social engineering tactics across voice, chat, email, video, and service desk interactions. The platform is designed to identify attacks in real time, helping organizations stop breaches before attackers exploit employees, contractors, or customers. Humanix’s approach reflects a growing recognition that most successful cyberattacks target people rather than systems, and the company aims to provide security teams with the same level of visibility and response capabilities for human-targeted threats that they already have for traditional cyber threats.

You’ve led major transformations across companies like vArmour, including SaaS transitions, scaling engineering teams, and navigating an acquisition. What specific gap or turning point led you to found Humanix, and why focus so heavily on securing humans rather than systems?

The largest challenge in any organization’s security posture is human risk. Humans are both our most powerful defensive asset and our largest area of persistent vulnerability. Yet it’s a problem that has been continuously unaddressed. The industry’s answer has been training — effectively trying to transform the average employee into a cybersecurity expert in a one-hour session. We know it doesn’t work, but we’ve had no better solutions.

Two things have changed recently, one for the worse and one for the better. First, the worse: AI makes attacks that target humans directly much more accessible. You can now be a teenager on the other side of the world, not speak a word of English, know nothing about a particular business, and suddenly an LLM lets you know almost anything and sound like almost anyone. That creates a real and present danger.

Second, a change for the better: we now have the technology to detect these attacks. LLMs are very good at understanding the nuance and complexity of human interactions. With conversational AI, we can identify patterns in those interactions and respond in near real-time.

We no longer need to rely only on antiquated, training-centric strategies. For the first time, we have a way to solve the human vulnerability problem directly. That’s why we built Humanix.

Your work has long centered on large-scale data, behavioral analytics, and graph-based security models. How did those experiences shape Humanix’s approach to detecting attacks that do not look like traditional breaches?

On the surface, detecting interactive social engineering attacks looks daunting. Every person is different. Natural language is extremely high-dimensional. Classic ML-centric behavioral models don’t understand context, and so frequently misfire.

However, when you dive a bit deeper, you can see this attack class has patterns like any other. Instead of buffer overflows or zero days, attackers exploit business process gaps and human trust. Attackers have playbooks they consistently run against organizations, which means we should be able to detect and respond to these attacks just like we do on endpoint, network, cloud, or identity.

That insight allows us to blend classic detection and response patterns we know are effective — including behavior analytics and graph theory — with language models’ semantic reasoning capabilities. Humanix uses that combination to understand entities, relationships, behavior, risk, and the interaction itself. This is how we create a new class of detection and response product: Human Threat Detection and Response.

Emerging groups like BlackFile are using voice phishing and real-time social engineering instead of malware-heavy tactics. What does this shift tell us about how the threat landscape is changing?

BlackFile is part of a broader shift toward attacks that are less about getting malware into an environment and more about using natural language to get a person to open the door.

These groups have figured out that a convincing phone call, a plausible pretext, and the right amount of urgency can be just as effective as a technical exploit, and often harder for security teams to see. The attack surface has not changed as much as the attacker focus has. People have always been part of the attack surface. What has changed is the scale, maturity, and repeatability of the playbook.

Social engineering is being copied, refined, and industrialized because it works. It takes advantage of how businesses actually operate, especially in workflows where people are expected to help quickly, resolve exceptions, and keep things moving.

We are seeing attackers impersonate IT help desks and exploit employees directly to gain access. Why are techniques like vishing and help desk manipulation becoming such effective primary entry points?

Techniques like vishing and help desk manipulation are so effective because they exploit the combination of trust, urgency, and access found in many support and administrative workflows.

If I want to get into your environment, I can spend weeks looking for a technical exploit. Or I can call someone who is trained to help, create a believable story, and get them to do the thing I need done, whether that is resetting a password, registering a new MFA factor, changing a permission, or approving a request.

The person on the other end of the call is often trying to solve a real-seeming problem under time pressure, with incomplete information. That is exactly what makes the help desk such an attractive target. It is one of the few places where a conversation can turn directly into access. Once access is granted, the rest can happen very quickly.

The industry has invested heavily in employee training, yet breaches targeting people continue to rise. Where is traditional security awareness falling short, and what needs to change?

Security awareness training has been treated as the primary defense against social engineering, even though the results clearly show its limits. Organizations continue to invest heavily in training, yet attackers keep succeeding because they are targeting people in live interactions, not testing whether employees remember material from a course.

A social engineering attack is not a quiz. It is a person on the other end of a phone call or chat thread creating urgency, building trust, and trying to get someone to take an action they should not take. The current model breaks down because it expects the employee to recognize and stop the attack while the attacker is actively manipulating the interaction.

When something goes wrong, the response is often to blame the employee and assign more training. But the employee was usually trying to help, which is exactly what the business asks them to do every day. We need to stop treating social engineering as an awareness problem alone. It is an attack class, and we should detect and respond to it while the interaction is happening.

Humanix positions itself around detecting attacks on people in real time. What does observability of human risk look like in practice?

Observability of human risk means giving security teams visibility into the live interactions where attackers try to manipulate people into changing access, bypassing a required procedure, or taking some other unsafe action on the attacker’s behalf.

Today, these interactions are effectively invisible to security. Someone calls the help desk, opens a ticket, or starts a chat. A password gets reset, an MFA factor gets enrolled, a permission gets changed, or an exception gets approved. These are highly sensitive workflows, yet security teams have no visibility and observability.

Humanix changes this. We plug into the enterprise communication systems already in use — Microsoft 365, ServiceNow, Zoom, Slack, and more. Humanix monitors actions and interactions over those channels, and compares them against attack tactics and corporate procedures.

Was the caller properly verified? Did they talk their way around verification? Was there urgency, impersonation, or pressure to skip a required step? Was the agent about to take a high-risk action? How has the risk profile changed as the call progressed? Humanix provides security detection and response as the interaction happens, and lets the security team know if something looks suspicious.

The ultimate goal of this analysis is not to punish the victims after the fact. It is to protect them in the moment. If a conversation becomes an attack, the security team needs to know.

As AI-generated voice and deepfake technologies improve, how close are we to a point where human trust becomes the weakest attack surface?

Human trust has been one of the weakest attack surfaces for a long time. AI makes attacks against trust easier to create, customize, and scale.

However, we need to be careful not to over-rotate on the specific ‘deepfake’ case. Deepfakes are just one medium attackers can use to manipulate someone. In fact, if we look at the vast majority of successful social engineering attacks over the last few years, most were not deepfakes — they’re simply human attackers and scammers picking up the phone. Groups like Scattered Spider, ShinyHunters, and BlackFile have shown that a normal phone call, a credible pretext, and the right amount of urgency are more than enough to get someone to take an action on the attacker’s behalf.

Security teams need to focus on the message, not the medium. Someone being pressured to violate policy or approve an exception in suspicious circumstances — these are the real risky behaviors. The risks lie the interaction itself and the action it is designed to induce.

Trust is not something we can remove from the business. People have to answer calls, solve problems, approve requests, and help each other. The answer cannot be to make everyone less human. It has to be to protect the moments where trust is being exploited.

What role should AI play in defending against AI-driven social engineering, and what are the biggest technical challenges in detecting manipulation in real time?

Conversational AI unlocks the opportunity to transform AI-driven social engineering from a training problem to a detection and response problem. Language models allow us to apply all of our learnings from domains like endpoint or network and apply them to the human layer. We need to detect and respond to these attacks, not continue down the futile path of trying to train them away.

There are many technical challenges in making this vision a reality. Natural language is highly dimensional, meaning there’s countless different ways of conveying the same meaning. Saying “I’m locked out of my system” is a functionally equivalent statement to saying “I need my password reset,” even though the words ‘password’ and ‘reset’ were never used.

Another is the importance of context. Human interactions are contextual and cumulative, and so therefore so is human manipulation. A caller can sound calm, polite, and credible while still steering someone around verification or toward an unsafe action. We need to combine multiple signals and contextual data together to accurately separate benign from malicious.

Finally, each organization is different. It has different procedures and norms, virtually all of which are not machine readable. This is another area where AI can be a huge help — understanding those policies, and comparing them against observed real world behaviors.

Many security tools still focus on endpoints, networks, and identity systems. How should CISOs rethink their architecture if the primary battleground shifts to human behavior?

First, CISOs should formally recognize what we all intuitively know: an organization’s human capital is an asset class (like endpoint, network, or cloud) that needs to be managed. Threats and risks need to be accurately modeled and controlled.

The NIST Cybersecurity Framework already provides guidance on how to do this. The “identification” and “management” of people are a part of the Asset Management (ID.AM) subset of risk identification. Yet many organizations define the human risk problem as a training problem, and only manage it via the security awareness training compliance requirement. This needs to change.

When we treat human capital as its own asset class, this opens up the standard playbooks we run for every other asset class. What are the key risks (ID.RA)? How do I systematically defend against them (Protect)? What are our systems and processes to detect whether an attacker is about to breach those defenses, or worse, already has (Detect)? How does the organization respond to contain the threat and ultimately restore services (Respond and Recover)? By taking the same systematic approach to our human capital as we do any other asset class, we can more clearly identify risks, and more effectively prioritize resources to manage those risks.

Looking ahead, do you expect human-layer attacks to dominate cybercrime, or will we see a hybrid model where AI-driven automation and social engineering converge into something harder to defend against?

It will almost certainly be a blended threat model. We have two things happening simultaneously. First, attackers are learning to scale their attacks with AI, increasing access and lowering the cost of this class of attack. Second, enterprises themselves are going through an agentic AI transformation led by the very business services being attacked by BlackFile and their peers.

Customer service, help desk, service desk, finance operations, and internal support workflows are all being transformed from human-delivered to AI-delivered. That means we will experience an explosion in natural language attack surface while getting rid of human common sense. Large language models are trained to respond to instructions and be helpful. The human suspiciousness or ‘gut feelings’ that have been some of our best defenses against social engineering attacks have been deliberately removed from the model responses. The transition to AI-delivered services will ultimately increase the risk of social engineering attacks, not reduce it.

As a result, enterprise exposure to this class of attack is almost certainly going to continue to grow over the next few years. Humans and agents are both vulnerable to natural language attacks. Security teams need to start planning today for a systematic defense and response plan to this new reality.

Thank you for the great interview, readers who wish to learn more Humanix. 

mm

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.