Fable announces our board-ready human risk reporting.
Read more
Sign in
Book demo
Sign in
Book a demo

Month: August 2025

Fable Security product release: August 29, 2025

Posted on by Fable Security

The TL;DR

  • Risk drill-down: understand risk more quickly
  • Smooth workflows: AI previews, default templates
  • Polished experience: clean filtering, crisp text, clear “no data” message, etc.

This release is about fast insights, smooth workflows, and polish. The following is now live in your tenant. Here’s what’s new and how to get started.

Risk drill-down

Understand risk factors by drilling down from the treemap on the Fable dashboard to the appropriate cohorts, so you can act on cohorts quickly.

  • How it works: dashboard → treemap chart → click a category → see cohorts with the filter applied.
  • Limitations: Requires cohorts to exist for the selected risk category.

Smooth workflows

Move more smoothly through Fable with video preview and channel template defaults.  

  • How it works
    • Preview videos: command center → create briefing → see preview video building in briefing details
    • Template defaults: command center → create briefing → templates
  • Limitations: preview timing may vary by campaign.

We architected our data lakehouse for insights—and action

Posted on by Patrick Old

The TL;DR

  • Human risk data is messy, siloed, and context-dependent—most platforms constrain it, losing the ability to enable insights and action.
  • Our bronze–silver–gold data lakehouse keeps data complete, connected, and actionable.
  • This architecture enables rich insights: behavioral timelines, trend detection, cross-platform correlation, and contextual risk-scoring.
  • The result: fast, precise interventions that shape behavior and reduce risk.
  • Read insights from our 15-minute webinar to learn more.

Why human risk data needs a data lakehouse

In modern human risk management, delivering the right insights and recommendations requires assembling the right data and making it available to the right decision-makers, right away. Many platforms limit what data can be captured or constrain it as it’s being captured, making it hard for security practitioners to do high-value work like build personalized risk profiles, view behavioral timelines, detect changes over time, and correlate cross-platform signals down to the individual employee.

As we were building Fable, we knew we needed to integrate thousands of data points from hundreds of sources, and then transform that data into something accurate and meaningful for our customers, while also preserving the captured data in its original format. We modeled our data lakehouse architecture after the Medallion Data Foundation, an industry standard in modern data engineering.

Fable Security’s data lakehouse architecture showing raw data flowing through Bronze, Silver, and Gold layers toward human risk analysis.

Put simply, we needed to move from the static, rigid world of, “This employee fits X behavior,” to dynamic, flexible insights that take business context, timelines, newly-discovered data, and populations into account. We need to create insights like the following:

  Insight

  What’s required

  “This employee exhibits risky behavior”

  Personalized baselines vs. population rules

  “This employee’s behavior has shifted”

  Temporal change detection vs. static snapshots

  “This employee’s risk is escalating”

  Trend analysis vs. point-in-time assessment

  “This employee’s behavior correlates across platforms”

  Cross-system patterns vs. siloed alerts

  “This employee’s risk context matters”

  Seasonal/role-aware vs. one-size-fits-all

  “This employee recovered from previous risk”

  Dynamic scoring vs permanent flagging

These insights—and the recommendations they enable—are possible because we’ve organized our data lakehouse into a three-layer pipeline: bronze, silver, and gold. Each layer plays a distinct role in turning messy inputs into precise findings on which you can take action.

Our approach: A bronze, silver, and gold data lakehouse pipeline

The bronze layer: capture everything; lose nothing

The bronze layer is our raw landing zone for exact API responses. Here, we ingest data as nested JSON blobs from across the human attack surface: security event logs, phishing simulations, email gateways, endpoint detections, policy compliance records, HR data, workspace events, and more. 

The key at this stage is fidelity: we preserve the original data exactly as we receive it, schema quirks and all. This “store first, shape later” approach means we never lose potentially valuable context, even if we don’t yet know how we’ll use it.

The silver layer: make it consistent and connected

The silver layer is where raw chaos becomes usable. We flatten data (with no data loss), normalize formats, and correct quality issues. We also join data points from disparate systems, e.g., an endpoint alert to the employee who uses the device or a phishing click with an employee’s role, tenure, and past phishing simulation performance. We also remove obvious noise so downstream models and analytics don’t get tripped up by irrelevant events. The result is a unified, queryable view of human risk events across the enterprise. This layer is the difference between “we have the data” and “we can ask meaningful questions.”

The gold layer: deliver insights that drive action

The gold layer is where we have human risk data. Here, we apply advanced processing, analytics, and machine learning to identify patterns, score risk, and trigger interventions. A phishing click becomes a risk score adjustment; a policy violation becomes a two-way chat; anomalous behavior across multiple systems or from a foreign country flags a just-in-time security briefing. The gold layer is tightly coupled to our platform’s agentic intervention capability, ensuring that insights don’t just sit in dashboards; they actively shape behavior. 

By combining these three layers, we get a complete picture of human risk, like how repeated phishing missteps plus excessive access can reveal an employee’s rising risk.

Why this architecture matters

This bronze-silver-gold-layered approach matters because human risk data is messy, siloed, and often context-dependent. Without the bronze layer, you lose historical detail that could be vital in an investigation. Without silver, you can’t reliably connect behaviors across systems and people. And without gold, you can’t put insights into action in a way that changes outcomes. Together, these layers ensure that every security-relevant human action, whether a click, a login, or a policy acknowledgment, is part of a coherent, actionable risk picture.

What human risk use cases are possible

Because our Medallion-based pipeline keeps the data clean, connected, and context-rich, it enables capabilities that would otherwise be impossible. Some examples of human risk use cases are:

  • Behavioral trend analysis: Identify departments where phishing susceptibility is increasing month over month.
  • Precision interventions: Trigger a targeted briefing for an employee who failed a simulated phishing test and recently had a risky browser download.
  • Risk-informed policy changes: Highlight patterns where security policies are routinely bypassed, so leaders can address root causes rather than just symptoms.

In human risk management, speed, accuracy, and context aren’t nice-to-haves; they’re the difference between stopping a breach and cleaning up after one. Our data lakehouse architecture ensures we always have the intelligence we need, when we need it, to keep our customers secure.

Register for our webinar

Want to learn more about our human behavior data lakehouse? Sign up for our 15-minute webinar on September 4 at 10:00 am PT.

Shiny lures, sharp teeth: How to outsmart ShinyHunters

Posted on by Fable Security

The TL;DR

  • Cybercrime group ShinyHunters impersonates trusted parties to trick people
  • They urgently request access or a configuration change
  • This post shares their playbook and your prevention checklist
  • Scroll down for a free, <2-minute video briefing that you can use to arm your people

ShinyHunters diagram showing how they impersonate HR or IT via calls to steal data by bypassing MFA or installing malicious apps.

In this post, we’ll cover the threat posed by ShinyHunters, the cybercrime group behind several recent attacks. We’ll share how they operate and how your people can spot them. ShinyHunters is known for collaborating with other threat actors, such as Scattered Spider, in large-scale data breaches and supply chain attacks, leveraging sophisticated social engineering campaigns and phishing attacks to gain initial access. They often exploit vulnerabilities, conduct phishing attacks, and use social engineering techniques to achieve initial access to internal systems and salesforce environments.

The threat: Who are ShinyHunters?

ShinyHunters is a cybercrime group known for breaching high-profile organizations and selling their stolen customer data on the dark web. ShinyHunters and other threat groups often target cloud storage and web services to gain unauthorized access to sensitive data, including Salesforce data and source code. The impact of these breaches includes the exposure of sensitive customer data, hashed passwords, passwords stored, and source code, leading to data extortion and financial gain for threat actor groups. ShinyHunters is known for claiming responsibility for high-profile data breaches, and affected companies must monitor for stolen information and exfiltrate data.

They’ve been linked to breaches at companies like Ticketmaster, Santander, and Google by exploiting CRM systems like Salesforce and Workday. Their calling card: sophisticated social engineering paired with opportunistic targeting of big datasets.

Targeted cohorts

The best targets for ShinyHunters are people with access to databases of people, ideally customers. Key targeted cohorts include employees with access to Salesforce or another CRM. High value sectors such as financial institutions, retail sectors, and technology firms are frequently targeted due to their valuable data.

How they operate: Inside the ShinyHunters playbook

ShinyHunters reaches out to your employees from basic data available, such as names, titles, emails, and phone numbers. ShinyHunters use social engineering techniques to trick employees, including voice phishing (vishing), phone calls, phishing page tactics, and deploying a malicious version of legitimate tools, such as a malicious version of the Salesforce data loader or ticket portal. They impersonate a trusted person from HR, IT, payroll, or vendors and make an urgent request or pretext (e.g., “We need this right away”), often using escalating commitment to gain just one extra detail or one configuration tweak. They may also attempt to persuade users to authorize malicious connected apps or interact with phishing domains in Salesforce environments.

How to prevent ShinyHunters attacks

Urge your people to be vigilant about urgent requests, even from known people, and not to take chances. Specifically, they should:

  • Not share passwords, MFA codes, or other sensitive information by phone, text, or email.
  • Not make system configuration changes when asked to do so remotely.
  • Verify requests like this through a trusted channel, or ideally, establish a verification process ahead of time.
  • Use phishing simulations to train employees to recognize phishing attacks and social engineering campaigns.
  • Protect internal systems and Salesforce data from unauthorized access, and monitor API-enabled permissions.
  • Leverage threat intelligence and detection and response solutions to detect attacker access and respond to evolving cyber threats. Regularly reviewing insights from trusted sources like Google Cloud, Mandiant, or CISA can help strengthen threat awareness and response.

What to do if you’re compromised

If your people do fall victim (entirely or part-way), they should:

  • Stop interacting (hang up, stop texting)
  • Alert security
  • Save message or capture screenshots
  • Block caller or sender

And you should:

  • Review call logs, if applicable
  • Notify impacted parties (customers, employees, vendors)
  • Trace the entry point (CRM, etc.)
  • Monitor for suspicious activity or account compromise
  • Update policies
  • Deliver targeted employee interventions to avoid repeat incident
  • Enhance response capabilities, such as disabling attacker access, monitoring for data exfiltration, and using tools like Salesforce Shield to protect Salesforce environments and manage connected apps.

How Fable Security can help 

Here’s a short, highly-specific video briefing you can download for free and share with your employees.

Get practical guidance to prevent modern social engineering attacks and build resilience across your organization. Then download our Five Must-Haves playbook for additional insights.

Download now

If you’d like risk-based briefings and nudges that are hyper-targeted and customized to your organization, try the Fable platform.

Step inside Fable’s human behavior data lakehouse

Posted on by Sanny Liao

The TL;DR

  • Available now: 
    • Fable human behavior data lakehouse
    • Accurate, explainable, AI-assisted risk calculation and analysis
  • Coming soon: 
    • Generative AI-enabled, natural language conversational agent for querying and discovery
    • Automated remediation and policy control workflows
  • Register for our 15-minute webinar on 9/4 at 10 am PT to learn more

We’re excited to introduce the Fable human behavior data lakehouse, a foundational part of our platform that will unlock powerful insights and enable human risk-based policy enforcement across our customers’ technology stack. 

This new architectural component underpins everything we do at Fable, and is designed to help security leaders answer the four questions that they seem to come back to again and again: 1. Who are our riskiest employees? 2. What material risk do they pose to the organization? 3. How do we reduce that risk? 4. How do we communicate all of this clearly to the board?

These are deceptively hard questions. Answering them requires stitching together data from across the enterprise—HR, IT, and security systems—to build a clear and contextual picture of each employee: who they are, what they have access to, how they behave over time, and what business functions they support. Historically, this kind of integration has been nearly impossible because this information lives in silos and wasn’t built to work together.

That’s why we took a fundamentally different architectural approach. Instead of pre-defining a rigid data schema and building flexibility at the application layer, we flipped the script. Modeled after the industry-standard Medallion architecture, our data pipeline organizes human risk data into bronze, silver, and gold layers—ensuring we capture everything, make it consistent and connected, and deliver decision-ready insights. This structured approach means faster analysis, higher data quality, and a stronger foundation for advanced analytics, machine learning, and real-time interventions. It allows us to identify concrete behavior signals for every individual, uncover relationships and patterns between data points, calculate risk dynamically, and deliver interventions in the moment.

This is what sets Fable apart. Most human risk solutions can tell you who your riskiest employees are—and possibly why. And some of the smarter ones may pull a few pre-selected attributes to display in your dashboard or report. But they stop short of incorporating deeper business context, dynamically updating risk, and turning that intelligence into real-time decisions. With our data lakehouse, we don’t just let you report on risk—we help you interrogate it, understand it, explain it, and reduce it. 

Here are some examples of questions you can ask because of this platform choice: 

  • Are there elevated risks for employees traveling for work in China? What access do they have to our sensitive IP, and what should I do about it?
  • Are there any managers with former employees who still have access to crown jewel apps? Share the list and show them how to deprovision.
  • Which offices have the lowest rate of password manager usage? Which have a high number of employees with compromised credentials?
  • Which employees with access to customer information have a high number of data-handling alerts? Do any have a departure date already in our HR system?
  • Who is at risk for the latest Scattered Spider attack? Show me the employees at my organization who need to be prepared.

Another powerful aspect of our data lakehouse is how it pairs with generative AI. This combination will enable customers to do two key things: 1. Automatically convert paper-based policies into machine-readable formats, allowing for detection and analysis of out-of-policy behavior across the organization; and 2. Query Fable efficiently with a natural-language conversational agent. Lots of products use AI to enable natural-language queries, but with varying results. The good news is our data lakehouse retains the raw data, so every analysis is grounded in evidence you can verify. That means more accurate, explainable results, and guardrails against LLM hallucinations that can plague systems without a traceable source of truth.

Looking ahead, we’re evolving toward an agent-based experience—where you can go beyond simply asking questions and performing analysis, to taking action. The next step for us will be to extend the definition of “interventions” in Fable to include agentic workflows that execute policy changes in third-party solutions. This means turning human risk that you learn about in Fable into action across your technology stack. The Fable human behavior data lakehouse is the backbone that makes it all possible.

Register for our webinar

Want to learn more about our human behavior data lakehouse? Sign up for our 15-minute webinar on September 4 at 10:00 am PT.