Agentic Workflow for Simulating Attacks Following Major Public Data Breaches

Manual research, drafting, and deployment of timely phishing lures after a major breach can take a security team 5-10 days. This workflow ingests breach feeds, correlates exposed email patterns with internal directories, and generates personalized credential-stuffing or password-reset lures for deployment within 2-4 hours. The operational upside is the ability to test employee vigilance while the breach is still headline news, when attack attempts are most likely.

Generic, off-the-shelf phishing templates have low engagement and fail to test real-world judgment. Simulations derived from actual breached data (e.g., using real service names, recent dates, and credible pretexts) see click-through rates that are 3-5x more realistic. This provides a truer measure of organizational risk and creates more impactful 'teachable moments' when employees fail, directly improving security behavior.

Eliminate the manual toil of monitoring threat feeds, crafting scenarios, and configuring campaigns. The autonomous workflow handles intelligence ingestion, template selection, personalization, and deployment via API to platforms like KnowBe4 or Cofense. This reallocates 15-20 hours of analyst time per major breach event back to higher-value threat hunting or incident response duties.

By simulating the exact attack vectors that follow a breach, you generate data to model actual risk reduction. If a campaign targeting finance with fake password-reset lures sees click rates drop from 25% to 5% after training, you can attribute a measurable decrease in Business Email Compromise (BEC) susceptibility. This creates a direct line from training investment to lowered financial fraud exposure and stronger cyber insurance posture.

Implementation involves a stateful orchestration layer (e.g., LangGraph) coordinating specialized agents:

1. Ingest Agent: Monitors RSS/API feeds from HaveIBeenPwned, dark web scanners, and industry ISACs for new breach disclosures.
2. Correlation Agent: Sanitizes and hashes exposed email lists, comparing them against internal domains in a privacy-safe manner to identify at-risk employee segments.
3. Scenario Agent: Selects a lure template (credential-stuffing, password reset, account verification) and personalizes it with breached service details, dates, and logos.
4. Deployment Agent: Uses the security awareness platform's API to launch the campaign, applying appropriate tags and scheduling.
5. Governance Layer: Ensures all generated content is logged, reviewed for ethical boundaries, and that simulation data never commingles with real breach data.

Governance is non-negotiable. The workflow must include:

• Pre-campaign Approval Gates: Optional human-in-the-loop review for executive-targeted or highly sensitive lures before sending.
• Strict Data Hygiene: Breached data is used only for pattern matching and personalization context; no real breached credentials are ever stored or transmitted.
• Exception Handling: Failed API calls, template rendering errors, or compliance violations are routed to a security engineer dashboard.
• Phased Rollout: Start with a low-risk pilot group (e.g., security team) to tune agent logic and approval thresholds before enterprise deployment.
• Unsubscribe & Support Integration: All simulation emails must include a clear, functioning mechanism for employees to report or opt-out, integrated with the helpdesk ticketing system.

This specialized agent continuously monitors and parses structured feeds (e.g., Have I Been Pwned, dark web bulletins) and unstructured sources (security advisories, news) for new public data dumps. It extracts exposed email domains, password hashes (for credential-stuffing context), and breach metadata, normalizing this into a consumable event for the orchestration layer. Implementation uses scheduled cloud functions with retry logic and validation to ensure data quality before triggering simulation creation.

Upon a breach event, this component performs a privacy-preserving correlation between the exposed email domains and the organization's internal email namespace (e.g., using hashed domain segments). It identifies which employee segments are most at risk from the specific breach and calculates targeting scope. This is a critical governance control to avoid simulating irrelevant attacks and to focus training where it has the highest operational relevance and credibility.

This agent uses the breach context (e.g., 'LinkedIn credential leak') and targeted employee data (role, department) to generate highly credible phishing email copy and landing pages. It drafts password-reset urgency lures, fake 'security alert' notifications, or credential-stuffing warnings that mirror the breached service's actual communication style. The architecture integrates LLMs for narrative generation, with strict prompt guardrails and template systems to ensure consistency and prevent hallucination.

The central workflow engine (e.g., built on LangGraph or Temporal) that sequences agent actions, manages state, and handles exceptions. It receives the breach event, triggers correlation and generation, schedules the campaign launch to avoid conflict periods, and executes the deployment via API to the organization's security awareness platform (e.g., KnowBe4, Proofpoint Security Awareness) or email gateway. It also manages rollback if any pre-flight checks fail.

This component monitors employee interactions with the simulation in real-time—clicks, data entry, report rates—and synthesizes immediate, personalized feedback. Upon a click, it can trigger a micro-training module explaining the specific lure's indicators. Data is fed back into the orchestration layer to adjust future campaign difficulty (dynamic difficulty adjustment) and to update employee risk profiles. Integration with SIEMs enriches threat detection with user susceptibility context.

A dedicated agent that generates a defensible, immutable audit trail for every simulation, documenting the source breach, targeting rationale, generated content, deployment timestamps, and results. This is critical for regulatory compliance (e.g., demonstrating due diligence) and internal policy. It automatically maps activities to frameworks like NIST CSF and produces evidence packages for auditors, eliminating manual report compilation that typically takes days per quarter.