Behavioral AI has become a common claim in modern security, widely promoted as the next evolution in detection. But in many cases, the term is used to describe incremental feature improvements on traditional approaches, rather than a fundamental shift in the depth of data being collected, how that data is structured and connected, or how it is analyzed. Without that foundation, even advanced AI techniques are limited in what they can actually detect. As a result, many of these systems still struggle to detect novel attacks that blend into normal activity, as demonstrated in Abnormal’s research on the VENOM phishing kit.

Attackers use legitimate accounts, trusted infrastructure, and familiar workflows. A login succeeds, and normal user activity follows, aligned with how a real employee might operate. Nothing appears obviously malicious, and without context, there is no reason to intervene, which is exactly why these attacks succeed.

Detecting these patterns requires more than evaluating isolated events. See how Abnormal uses behavioral AI to expose coordinated account takeovers that traditional tools miss.

Most security systems evaluate events in isolation:

• Login events are analyzed on their own

• Emails are scanned independently

• Activity is evaluated against predefined rules or threat intelligence

Each action is judged separately and each decision depends on whether that single event crosses a threshold, creating a design tradeoff. If thresholds are set high, subtle attacks pass through undetected. If thresholds are lowered, more events get flagged, but most lack context and turn into false positives. Security teams end up investigating alerts that rarely lead to real incidents. This is not a tuning problem, but a limitation of systems that evaluate events without understanding how they connect.

Identity providers and MFA validate the moment of authentication, but once a session is established, they have no visibility into how it is used. As long as the identity is trusted, the subsequent activity appears legitimate.

Email security tools focus on detecting malicious content, but messages sent from a compromised account blend into normal communication and pass through cleanly. This is because the sender is trusted and the content follows familiar patterns, leaving little that appears suspicious on its own. Rules, indicators of compromise, and threat intelligence rely on known patterns that decay quickly as attackers generate new content and behaviors at scale.

In a recent proof of value, a prospective customer deployed Abnormal alongside their existing stack, which included traditional email security and identity protection. Those tools were working as expected, but they missed over 30 account takeovers in a single week. The following case shows how individually subtle events came together to reveal an account compromise.

Step 1: A suspicious sign-in that still looked plausible

The first signal was a slightly unusual sign-in. There were indicators of risk such as an infrequently used browser and a somewhat rare location, but nothing strong enough to justify blocking access. Users regularly travel, switch networks, and log in from new devices all the time, so this could easily have been legitimate behavior.

Step 2: Additional suspicious sign-ins followed by suspicious email activity

Additional sign-ins occurred on day 2, which is not uncommon as users retry logins, switch devices, or access applications from different locations. By day 4, a few more signals appeared in email behavior. Messages and activity began to shift, but nothing clearly malicious stood out.

For example, receiving invoices or business-related requests is normal for many users. Even slight changes in tone or timing can often be explained by day-to-day work.

Step 3: A stronger signal, but still not enough on its own

A later sign-in introduced a more unusual signal. The session used a browser and access pattern that was not consistent with how this user typically operated. On its own, this kind of activity can still have legitimate explanations, especially in environments with automation or API usage.

At this point, Abnormal had something more important than any individual signal: context. Combined with the earlier sign-ins and behavioral changes, this event provided enough evidence to confirm the account had been compromised, leading to the creation of an account takeover case.

Most systems evaluate events independently and make decisions locally. One tool evaluates a login attempt, another analyzes email activity and finds nothing malicious, and a third observes application usage that falls within expected ranges. Each system reaches a reasonable conclusion based on what it can see, but none of them connect those signals.

This creates a familiar problem for security teams. Subtle attacks pass through because no single event stands out, while isolated anomalies generate alerts that turn out to be benign. Teams end up investigating noise while missing the patterns that matter.

Email security, identity protection, and UEBA tools are typically handled by separate systems, each with its own model of behavior and its own definition of what looks normal. These tools operate side by side, but they do not share context or develop a unified understanding of how users interact across the environment.

As a result, each system sees only a fragment of the overall picture.

Most systems still evaluate events individually to decide whether each crosses a threshold. This process works when a signal clearly stands out, but it starts to fall apart when attackers stay within normal patterns and spread their activity across multiple signals.

Abnormal analyzes the same signals differently. Instead of treating them as separate decisions, it connects them over time and asks a simpler question: does this sequence of behavior make sense for this user?

As shown in the earlier account takeover case, nothing necessarily stood out on its own. The login, browser usage, and subsequent signals were unusual, but could still have a reasonable explanation.

However, when correlated, the sequence showed a clear shift in how the account was being used, followed by behavior that didn’t match the user’s normal workflow. Instead of generating a series of low-confidence alerts, the system identified a single, high-confidence incident based on combined signals.

Security teams can assess behavioral AI using a few key questions:

• Does detection rely on anomalies or sequences?

• Can it detect attacks that appear normal at each step?

• Does it correlate signals across identity, email, and applications?

• Does it model behavior over time?

• Does it do all of the above in combination by continuously fusing cross-product signals, using time-series modeling, and updating behavioral baselines over time?

If the answer to any of these questions is “no,” the system is still evaluating individual events, not connected behavior.

See how Abnormal uses behavioral AI to expose coordinated account takeovers that traditional tools miss. Schedule a personalized demo today.