CultureAI tracks and reduces the human behaviors that cause most breaches – phishing clicks, careless sharing, and confidential data fed into public AI tools.
ENTRY ANGLES
Automated behavioral nudges for enterprise security (AI tool governance) · Monitoring and governance layer for single AI tool (ChatGPT or Copilot) · Micro-coaching system triggered by real-time employee behavior in security context
CAPABILITIES
Deep integration with enterprise tools and systems, Real-time behavioral monitoring and triggering, AI/ML for personalized nudge design and timing
CultureAI's job is to track, reduce, and prevent the cybersecurity threats caused by human behavior inside organizations.
The platform started with one tool: automated phishing simulations. Phishing – sending fraudulent emails or messages that impersonate trusted brands or colleagues to steal login credentials – remains one of the most effective attack vectors. CultureAI periodically sends simulated phishing messages to employees, tailoring each one to the individual: either testing a new lure or re-running a scenario the employee has fallen for before.
Once integrated with a company's cloud services and messaging tools, CultureAI begins monitoring more than 35 patterns of risky behavior: downloading data from unknown sources, reusing passwords across corporate systems, skipping two-factor authentication, sharing links to internal files without password protection, uploading confidential documents to public cloud services or chat apps, and more.
After running phishing simulations and monitoring behavioral patterns, the platform generates risk scores for individual employees, teams, and departments. High-risk behavior in individuals can be addressed directly; team-level patterns call for clearer policy guidance. The platform also maintains a catalog of ready-made security training modules that can be assigned to employees who've triggered risk flags – including all new hires.
Training modules are self-paced, but completion data flows back to management and security teams. More importantly, the platform doesn't wait for the next training cycle: it sends real-time messages the moment it detects risky behavior, explaining the specific problem and recommending remediation steps. Companies can customize these messages to reflect their own security policies. This is the platform's "nudge" engine – a constant, low-friction stream of prompts that push employees toward safer habits.
Beyond nudging, CultureAI can act automatically when a risk event is detected: deleting a message containing sensitive data from a Slack channel, locking account access until a reused password is changed, alerting email administrators about a suspicious sender. Pre-built rule templates make these automations quick to configure.
The platform also publishes a positive leaderboard of employees with the best security track records – visible to the whole company. Managers can connect the leaderboard to an automated rewards system for sustained safe behavior.
Three pricing tiers are available: the entry tier covers phishing simulations and training modules; the second tier adds behavioral monitoring; the third unlocks automated response capabilities. Pricing is per employee and requires direct contact with the company.
CultureAI has paying customers and just raised $10M in new funding, bringing total investment to $23.5M.
Research firm Forrester estimates that 90% of corporate security breaches and data leaks in 2024 will be caused by human error.
In other words: it's not that attackers are especially sophisticated – it's that employees are undertrained in security hygiene. If human behavior drives 90% of breaches, improving that behavior is the only "silver bullet" available.
This has given rise to a distinct market category: Security Awareness and Training (SA&T). Some analysts project this market will reach $10 billion by 2027 – large enough to support a generation of focused startups.
CultureAI's founder puts the day-to-day risk starkly: "Every day, 1 in 4 employees exposes their company to a security threat – ranging from reusing cloud service passwords to uploading confidential data into AI tools." Both of these problems are getting worse.
The average company now uses 230 cloud services. At enterprises with more than 10,000 employees, that number climbs to 447. More services mean more credentials, more access points, and more opportunities for bad habits to create real exposure.
AI tools represent an entirely new threat vector – one that barely existed before late 2022. Employees routinely upload internal documents to AI assistants to get help with their work. It's a natural workflow. It's also a potential data leak. CultureAI's next logical product expansion is a dedicated module for AI tool usage policies – and the market timing for that is clearly right.
Threat volume is growing (more cloud services) and threat types are multiplying (new AI-related risks). That makes platforms like CultureAI more relevant with each passing quarter, not less.
CultureAI's founder makes one more point worth noting: "We're all human, and we all make mistakes. Running more security training won't solve the problem, because knowledge from a classroom doesn't prevent the occasional lapse."
The US Marine Corps manual captures the same idea: "In a crisis, you don't rise to the level of your expectations – you fall to the level of your training." CultureAI's goal is to wire safe behavior into muscle memory through continuous monitoring, instant feedback, and automated cleanup – so that even when employees slip, the blast radius is contained.
One major trend reshaping corporate learning is the shift from periodic training sessions to continuous nudging. This approach – sometimes called "micro-coaching" – is gaining ground across multiple domains.
Platforms operating in this space include Enboarder (raised $49.4M – [related review](/review/teorija-malenkih-pinkov)), Stride (raised $1.5M), Whistle (raised $3.2M), and Cloverleaf (raised $18.1M). The shared bet across all of them is that timely, automated prompts embedded in real work moments are more effective than front-loaded training events.
The key advantage: nudges only work at scale when delivered automatically, in real time, triggered by actual behavior. That means deep integration with the tools employees use every day – which in turn creates strong lock-in once installed.
So one direction worth exploring: identify a corporate learning domain where training already happens, then rebuild that experience as a system of automated behavioral nudges instead of traditional courses. The design questions – what the nudges should say, what behaviors should trigger them, and which enterprise systems can feed the signals – are the real product brief.
A more specific opportunity: build a CultureAI-style security behavior platform – but start with AI tool governance. It's a fresh enough problem that companies are only now recognizing it, which means the competitive field is still thin. The fastest MVP is a monitoring layer for a single AI tool – ChatGPT or Copilot – that flags when employees upload sensitive data, tracks prompt patterns, and surfaces anomalies to the security team. One enterprise pilot is enough to start building the behavioral dataset that makes the product defensible.