← Patterns / SP-048 Draft

Offensive AI and Deepfake Defence

For the first three decades of enterprise security, attackers used software to attack systems. The emergence of capable generative AI adds a new attack surface: the humans inside the organisation. An attacker with access to a voice cloning model and thirty seconds of public audio can produce a convincing synthetic call from the CEO authorising a wire transfer. An attacker with access to a large language model and a LinkedIn profile can produce a spear-phishing email indistinguishable from a colleague's writing style — at a cost measured in fractions of a cent, at a volume measured in thousands per hour. This is not a refinement of existing social engineering. It is a phase shift. The traditional mitigations — train employees to spot spelling errors, treat unsolicited requests with scepticism, verify requests that seem unusual — are calibrated to human attackers with human constraints: limited time, imperfect language, detectable patterns. Generative AI removes those constraints. The attacker can now produce perfect grammar, accurate cultural references, plausible business context, and synthetic media (voice, video, image, document) that defeats visual inspection. Detection signals that worked a decade ago are no longer reliable. This pattern addresses AI as an attack vector rather than AI as something you deploy and secure. The scope is distinct from SP-027 (LLM security), SP-047 (agentic framework security), and SP-045 (AI governance) — all of which address risks arising from AI systems you operate. This pattern addresses the offensive use of AI by external adversaries and the controls that remain effective when the attacker has access to capable generative AI. The control set centres on verification rather than detection. Detection-based controls (is this content AI-generated?) face an adversarial arms race that defenders are currently losing — detection accuracy degrades as generation quality improves, and attackers iterate faster than defenders. Verification-based controls (can we confirm this instruction came from who it claims, through a channel we trust?) are more durable because they rely on cryptographic or procedural guarantees that AI generation cannot bypass. The pattern emphasises out-of-band verification, content provenance standards, identity assurance, and threat intelligence as the primary defensive posture.
Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-22
Assess
ATT&CK This pattern addresses 433 techniques across 13 tactics View on ATT&CK Matrix →
SP-048 · OFFENSIVE AI AND DEEPFAKE DEFENCE Defending against AI-weaponised deepfakes, voice cloning, synthetic identity fraud and AI-accelerated attacks AT-02 AT-03 IA-02 SC-23 PM-16 | AU-02 AU-06 CA-07 IA-03 IR-04 IR-06 | PS-06 RA-03 RA-05 SA-04 SA-08 SA-11 SI-03 SI-04 SI-05 SI-10 IDENTITY & VOICE ATTACKS CONTENT & PHISHING ATTACKS ADVERSARIAL INTELLIGENCE Executive Impersonation Deepfake video/audio targeting finance, board approvals & HR authorisations IA-02 SC-23 PS-06 verify Voice Cloning & Vishing Synthetic voice targeting helpdesk, payment authorisation & wire fraud IA-02 AT-02 IR-04 escalate Synthetic Identity Fraud AI-generated IDs defeating remote onboarding, KYC & AML controls Fraudulent credit, insurance & benefits claims at automated scale IA-02 SA-04 SA-11 RA-05 AI-Generated Spear Phishing Personalised, high-quality phishing at scale Email · SMS · Social media · Vishing Context-aware lures from OSINT harvesting AT-02 AT-03 SI-03 SI-04 detect Fraudulent Documents & Claims Fake invoices, evidence, regulatory filings & contracts at industrial scale AI-enhanced document forgery SA-11 AU-02 SA-08 trace Content Provenance Gaps Unverified origin enables injection, deception & downstream trust abuse SC-23 SA-08 AU-02 Adversarial AI Threat Intelligence AI monitors enterprise defences to optimise attack timing & vectors Attackers use LLMs to automate recon and map exploitable attack paths PM-16 RA-03 SI-05 CA-07 inform AI-Accelerated Exploit Development Vulnerability-to-exploit window shrinks from weeks to hours with AI assistance Zero-day synthesis & fuzzing at scale RA-05 SI-05 PM-16 mitigate Deepfake Detection C2PA manifests · hash-chain provenance · liveness SI-10 SC-23 SA-11 SA-08 DETECTION & VERIFICATION LAYER Content Authenticity C2PA manifests · hash-chain SI-10 SC-23 Identity Proofing Liveness + biometric MFA IA-02 IA-03 Behavioural Anomaly ML baseline + deviation alerts AU-02 AU-06 SI-04 AI Threat Intelligence STIX/TAXII feeds · ISACs PM-16 RA-03 KEY ARCHITECTURE PRINCIPLES Assume Synthetic Treat all unverified media as potentially AI-generated Out-of-Band Verify Confirm high-value instructions via an independent channel C2PA Provenance Mandate content credentials for all external media assets Zero-Trust Identity Continuous re-authentication for privileged operations CONTINUOUS MONITORING & INCIDENT RESPONSE AU-02 AU-06 IR-04 IR-06 CA-07 | SI-03 SI-04 SI-05 SI-10 CRITICAL: AT-02 · AT-03 · IA-02 · SC-23 · PM-16 IMPORTANT: AU-02 · AU-06 · CA-07 · IA-03 · IR-04 · IR-06 · PS-06 NIST SP 800-218 · C2PA Content Credentials Specification · OWASP AI Security Top 10 · ENISA AI Threat Landscape Coalition for Content Provenance and Authenticity (C2PA) · NIST AI RMF 1.0 · ISO/IEC 42001:2023 opensecurityarchitecture.org/patterns/sp-048 SP-048 v0.1 2026-02-22

Click any control badge to view its details. Download SVG

Key Control Areas

  • Deepfake Detection and Content Authenticity Verification (SI-10, SC-23, SA-11, SA-08): Deepfake detection technologies (visual artefact analysis, biological signal detection, model-based classifiers) currently achieve detection rates that are insufficient for security-critical decisions — accuracy degrades with model quality improvement, and open-source generation models are now capable enough that enterprise-grade detectors frequently fail on recent outputs. Detection should be used as a risk signal to trigger additional verification, not as a binary gate. SC-23 (Session Authenticity) provides the architectural principle: communications in security-critical contexts should use channels whose authenticity can be cryptographically verified, not content whose authenticity must be inferred. Content authenticity standards are maturing: C2PA (Coalition for Content Provenance and Authenticity) enables cryptographic signing of media at the point of capture or generation, providing a provenance chain that is technically difficult to fake without access to the signing key. SA-11 (Developer Security Testing) requires that applications processing external media include deepfake risk assessment as part of their threat model. SA-08 (Security Engineering Principles) embeds authenticity-by-design: systems that accept externally provided media for high-stakes decisions should require provenance metadata as a condition of acceptance, not offer it as an optional feature.
  • Executive Impersonation and High-Value Instruction Verification (IA-02, IA-03, IR-04, PS-06): The most financially damaging offensive AI use case is executive impersonation for business email compromise (BEC) evolved with synthetic voice and video — an attacker who can produce a convincing call from the CFO requesting an urgent wire transfer has removed the primary friction point that makes BEC detectable. Controls must operate at the process level, not the content level. Define out-of-band verification requirements for all instructions above a defined financial threshold: a wire transfer request received by email, phone, or video must be verified through a second channel (calling back to a pre-registered number, not a number provided in the request). Establish safe-word protocols for executives — a pre-agreed word or phrase that must be included in any voice or video communication authorising high-value actions, which cannot be inferred from publicly available audio. PS-06 (Access Agreements) should document the verification requirements explicitly: no employee should be able to authorise a material financial transaction on the basis of a single communication channel without a callback. IA-02 (User Identification and Authentication) extends to the verification of human identity in communications — for the highest-risk decision categories, strong authentication of the requesting party (not just the receiving system) is required. IR-04 (Incident Handling) must include deepfake impersonation as a specific incident category with a playbook that addresses evidence preservation (the synthetic call or video may be the primary forensic artefact).
  • AI-Generated Phishing Detection and Defence (AT-02, AT-03, SI-03, SI-04): AI-generated phishing removes the quality signals that allowed trained employees to identify phishing: grammatical errors, awkward phrasing, implausible scenarios, inconsistent formatting. The defensive posture must shift from content quality detection to process verification. AT-02 and AT-03 (Awareness and Role-Based Training) must be recalibrated: training that teaches employees to spot obvious phishing characteristics is actively counterproductive if it creates false confidence in AI-generated content that has none of those characteristics. Training should instead emphasise the verification principle — any request that asks for credentials, payments, data, or access should be verified through a known-good channel regardless of how convincing the request appears. Technical controls: SI-03 (Malicious Code Protection) — email gateway controls, link analysis, and attachment sandboxing remain effective because AI generation does not change the infrastructure properties of phishing (domain registration recency, certificate age, redirect chains). SI-04 (System Monitoring) — monitor for AI-generated content patterns at the infrastructure level (sending infrastructure, header anomalies, sending volume patterns) rather than content quality. DMARC, DKIM, and SPF remain the most reliable first-line controls because they verify the sending domain, not the content, and AI generation cannot forge a properly implemented DMARC pass without compromising the sender's domain.
  • Synthetic Identity Fraud Controls (IA-02, SA-04, SA-11, RA-05): AI enables the generation of photorealistic identity documents, convincing synthetic faces that defeat passive liveness checks in remote onboarding flows, and consistent synthetic identities with coherent backstories sufficient to pass manual review. This threat is most acute in customer onboarding, new supplier registration, and contractor engagement — any process that relies on document verification and visual identity confirmation to establish a new identity in the enterprise or customer base. IA-02 (User Identification and Authentication) must apply appropriately scaled identity proofing requirements: for high-risk onboarding flows, verification through authoritative sources (government databases, credit bureaux with real-time queries) rather than document OCR. Liveness detection must use active challenges (instruction following, 3D depth sensing) rather than passive detection (static face analysis), because passive detection is defeated by high-quality deepfake video. SA-04 (Acquisition Process) governs the selection of identity verification vendors: evaluate whether vendor solutions have been adversarially tested against current generation AI models, not just historical benchmarks. RA-05 (Vulnerability Monitoring) applies to the identity verification pipeline itself — track published research on identity verification bypasses and assess impact on your specific verification stack. Establish graduated verification requirements: low-risk account creation can accept lower assurance; actions above a defined risk threshold require re-verification at higher assurance.
  • Voice Cloning and Vishing Defence (IA-02, AT-02, IR-04, SC-23): Voice cloning from thirty seconds of publicly available audio (conference recordings, podcast appearances, public earnings calls) can produce synthetic speech convincing enough to deceive colleagues and subordinates. The primary targets are financial authorisers (CFOs, treasury managers, accounts payable), IT helpdesk staff (who can be manipulated into resetting credentials or creating accounts), and executives whose voices are publicly available. Organisational controls: establish call-back procedures for any telephone request that involves credentials, access changes, or financial authorisation — call back to a number independently retrieved from the directory, not the number provided by the caller. Safe-word systems: pre-agreed challenges between colleagues for sensitive requests, rotated periodically. AT-02 (Awareness Training) should include simulated vishing exercises calibrated to AI voice quality — not obviously robotic synthetic voices but high-quality clones. SC-23 (Session Authenticity): where technically feasible, use end-to-end authenticated communication channels for sensitive calls (Signal, Teams with verified identity, or equivalent) in preference to PSTN calls where caller ID can be spoofed and voice can be intercepted and synthesised. IA-02: the principle that strong authentication of the requesting identity is required for high-risk decisions applies equally to voice channels as to digital channels.
  • Adversarial AI Threat Intelligence (PM-16, RA-03, SI-05, CA-07): The offensive AI capability of threat actors is advancing on a different curve from general AI capability — specialised models for phishing generation, voice cloning services available on criminal marketplaces, and deepfake-as-a-service offerings have emerged in parallel with the commercial generative AI ecosystem. Standard threat intelligence feeds do not yet systematically track adversarial AI capability development. PM-16 (Threat Awareness Program) must explicitly include adversarial AI capability as a tracked dimension: which threat actor groups are using AI-generated content, what capability level have they achieved, and how does this compare to your current detection and verification controls? RA-03 (Risk Assessment) should incorporate adversarial AI capability as a risk factor in annual assessments — the threat from AI-assisted social engineering is different depending on whether your primary threat actors are opportunistic criminals (using commodity AI tools) or sophisticated state-sponsored actors (using custom models). SI-05 (Security Alerts and Advisories) — subscribe to AI security threat intelligence sources that track adversarial ML developments: MITRE ATLAS, academic preprint monitoring for novel attack techniques, sector-specific ISACs that are beginning to track AI-enabled threats. CA-07 (Continuous Monitoring) — implement monitoring for indicators of AI-generated content in external communications to the organisation: volume anomalies in phishing campaigns, infrastructure patterns consistent with AI-assisted attack tooling.
  • AI-Accelerated Vulnerability Research and Exploit Development (RA-05, SI-05, PM-16, RA-03): AI tools dramatically accelerate the vulnerability research cycle — code analysis, fuzzing, and proof-of-concept exploit development that previously required weeks of skilled researcher time can now be compressed to hours. The mean time between vulnerability disclosure and working exploit is shortening, and the attacker population with access to exploit-capable AI tools is growing. This changes the operative window available for patching. RA-05 (Vulnerability Monitoring) must prioritise and accelerate response for vulnerabilities in internet-facing systems and widely deployed software components — the historical 30-60 day patching cycles for critical vulnerabilities are no longer aligned with realistic exploitation timelines for AI-assisted attackers. SI-05 (Security Alerts and Advisories) — monitor vulnerability intelligence with specific attention to whether exploit code or AI-assisted research is already in circulation, which compresses the practical remediation window regardless of the official CVSS score. PM-16 (Threat Awareness Program) should track the publication of AI-assisted vulnerability research tools and frameworks, as these tools are adopted by offensive operators within months of academic publication. RA-03 (Risk Assessment) should treat AI-accelerated vulnerability research as a systemic risk factor that affects the residual risk of all unpatched vulnerabilities, particularly in externally exposed systems.
  • Content Provenance and AI Disclosure Controls (AU-02, SA-08, SC-23): As AI-generated content becomes indistinguishable from human-generated content, enterprises face both offensive risks (attackers using AI to generate fraudulent content submitted to the organisation) and compliance obligations (regulators and counterparties requiring disclosure of AI involvement in content produced by the organisation). C2PA (Coalition for Content Provenance and Authenticity) provides a cryptographic content provenance framework: media signed at point of capture with an identity-linked signing key establishes a provenance chain that subsequent manipulation breaks. SA-08 (Security Engineering Principles) applies at the organisational level: implement content provenance policies for AI-generated content used in regulated workflows (board minutes, legal filings, financial reports, regulatory submissions, audit evidence) — these workflows require clear attribution and should not rely on AI-generated content without human authorship and review attestation. AU-02 (Event Logging) extends to AI content usage: log which documents, communications, and artefacts involved AI assistance, at what stage, and with what human review, to support forensic investigation of content disputes. SC-23 (Session Authenticity) applies to the verification of external content: establish requirements for provenance metadata on externally received media in high-stakes processes (insurance claims, legal evidence, identity documents). EU AI Act Article 50 creates mandatory disclosure obligations for AI-generated content at scale — organisations must implement technical mechanisms to label synthetic content and establish processes to comply with right-to-know requests.

When to Use

Organisation handles high-value financial transactions that could be targeted by AI-enhanced BEC (wire transfers, supplier payments, cryptocurrency). Executives have publicly available voice recordings (earnings calls, conference talks, podcast appearances, public video) that could be used for voice cloning. Customer onboarding or contractor engagement involves remote identity verification that could be targeted by synthetic identity fraud. Organisation processes externally submitted documents (claims, applications, legal filings) where AI-generated forgeries are a risk. Organisation is in a sector that has seen AI-enhanced fraud: financial services, insurance, legal, healthcare. Security awareness programme has not been recalibrated to reflect AI-era phishing and social engineering.

When NOT to Use

Organisation operates in a fully air-gapped environment with no external communications exposure. All financial authorisations occur in person with verified identity — no remote authorisation channels exist. Organisation does not process externally submitted documents or onboard external parties remotely. Note: the contraindications for this pattern are narrow — almost all organisations with external communications exposure face some version of the threats addressed here.

Typical Challenges

The detection arms race is the central challenge: AI deepfake detection accuracy is outpaced by generation quality improvement, and investing heavily in detection technology creates false confidence in controls that will degrade. Verification-based controls are more durable but require process change rather than technology deployment — changing financial authorisation workflows and employee verification habits is slower and harder than deploying a detection tool. Voice cloning attacks are particularly difficult to counter because they exploit trust relationships that are legitimate in non-attack contexts — the same trust that makes a call from the CEO actionable is what makes a synthetic call dangerous. Threat intelligence on adversarial AI capability is immature: most enterprise threat intelligence programmes track malware, TTPs, and infrastructure but not AI capability development by threat actors. The regulatory landscape for AI-generated content disclosure (EU AI Act Art.50, emerging US state laws) is moving faster than enterprise compliance programmes. Small and mid-sized organisations face the same offensive AI threats as large enterprises but have less capacity to implement verification programmes and content provenance infrastructure.

Threat Resistance

Executive impersonation via synthetic voice or video is addressed through out-of-band verification requirements and safe-word protocols that cannot be satisfied by an AI-generated call regardless of quality, combined with IR runbooks specific to deepfake impersonation incidents. AI-generated phishing at scale is addressed through verification-centric awareness training that shifts the employee posture from content quality assessment to channel verification, combined with technical controls on email infrastructure that remain effective regardless of content quality. Synthetic identity fraud is addressed through graduated identity proofing requirements using authoritative data sources, active liveness detection that resists injection attacks, and vendor assessment requirements that include adversarial AI testing. Voice cloning and vishing are mitigated through call-back procedures to independently verified numbers, safe-word systems, and authenticated communication channel requirements for sensitive conversations. Adversarial AI capability development is tracked through a structured threat awareness programme covering AI-specific threat intelligence sources and incorporated into risk assessments. AI-accelerated exploit development is countered through shortened critical-vulnerability patching timelines calibrated to the compressed exploitation window. Content provenance obligations are addressed through C2PA implementation for outbound content in regulated workflows and content logging requirements.

Assumptions

The organisation is exposed to externally generated threats including social engineering, phishing, and fraud — this pattern is relevant to any enterprise that handles financial authorisations, manages customer identities, employs staff reachable by external communications, or processes externally submitted documents. AI-generated offensive capabilities are available to a broad range of threat actors, not solely sophisticated nation-state actors — voice cloning, image synthesis, and phishing-generation tools are accessible through criminal marketplaces and open-source repositories. Detection-based controls (AI content classifiers) are treated as risk indicators to trigger verification rather than as binary security gates, reflecting the current state of the arms race between generation and detection quality. The organisation has or is developing employee awareness programmes that can be recalibrated to AI-era threats.

Developing Areas

  • C2PA ecosystem maturity: the C2PA (Coalition for Content Provenance and Authenticity) standard is being implemented by major camera manufacturers, social platforms, and content management systems, but enterprise adoption is in early stages. The chain of provenance only works if every step signs — a camera-signed original loses its provenance if processed through software that strips or ignores metadata. Enterprise adoption requires both tooling investment and workflow redesign.
  • Deepfake detection arms race: academic research consistently shows that deepfake detectors trained on one generation of synthetic media underperform on the next. Commercial detector vendors claim accuracy rates in controlled conditions that do not reflect adversarial deployment. Security teams should treat deepfake detection scores as probabilistic risk signals rather than binary verdicts, and design their verification protocols to function even when detection fails completely.
  • Voice authentication recalibration: organisations that use voice biometrics for customer authentication (common in contact centres) are exposed to voice cloning attacks that the original voiceprint cannot defend against. The 2023 and 2024 generation of voice cloning tools can replicate a voiceprint from a short sample with quality sufficient to defeat many deployed voice authentication systems. Banks and insurers using voice authentication should conduct adversarial testing and consider migration to knowledge-based or device-based verification for high-risk transactions.
  • EU AI Act Article 50 implementation: the mandatory synthetic content disclosure obligations under EU AI Act Article 50 require organisations deploying AI to generate text, audio, video, or image content at scale to implement technical watermarking or labelling. The harmonised technical standards defining how this must be implemented are not yet finalised by CEN/CENELEC, creating compliance uncertainty. Organisations subject to the regulation should implement best-effort watermarking now (C2PA provenance, invisible watermarking) and prepare for mandatory standard adoption once the technical specifications are published.
AT: 2AU: 2CA: 1IA: 2IR: 2PM: 1PS: 1RA: 2SA: 3SC: 1SI: 4
AT-02 Literacy Training and Awareness
AT-03 Role-Based Training
AU-02 Event Logging
AU-06 Audit Monitoring, Analysis, and Reporting
CA-07 Continuous Monitoring
IA-02 User Identification and Authentication
IA-03 Device Identification and Authentication
IR-04 Incident Handling
IR-06 Incident Reporting
PM-16 Threat Awareness Program
PS-06 Access Agreements
RA-03 Risk Assessment
RA-05 Vulnerability Monitoring and Scanning
SA-04 Acquisition Process
SA-08 Security and Privacy Engineering Principles
SA-11 Developer Security Testing
SC-23 Session Authenticity
SI-03 Malicious Code Protection
SI-04 System Monitoring
SI-05 Security Alerts, Advisories, and Directives
SI-10 Information Input Validation