Are you going to Black Hat?
Let's connect
Book demo
Book a demo

Category: Blog

What does adtech have to do with cybersecurity? Quite a lot, actually.

Posted on by Sanny Liao

The TL;DR

  • We borrowed from adtech to build Fable
  • It’s about the right message to the right person at the right time
  • Personalize based on behavior and context
  • Deliver interventions in the moment
  • Optimize for tone, timing, and channel
  • Embrace experimentation

When the dust settled on the Change Healthcare attack, we learned that the breach started with a remote access portal that had no MFA enabled. A simple human action to enable MFA on remote access portals could have prevented this massive breach. 

Change Healthcare was not the only organization that struggled with getting people to take the right security action. In fact, changing security behavior has a notorious reputation of being nearly impossible among security professionals. The thing though, is that behavior change is a honed science in fields like Adtech. Under the hood, the fields share the same goal: getting the right message to the right person at the right time, in a way that actually drives behavior. And this is why we started Fable. If we can get someone to buy a pair of shoes, we can get them to secure their account.

At Fable, we’re building a modern human risk platform—and we’ve borrowed liberally from our years of experience working in high-scale, high-performance adtech companies. Here’s what we’re doing to make our platform super-effective:

Let’s start with personalization. In adtech, platforms analyze browsing behavior, purchase history, and any other contextual tidbits they can learn to figure out what to show you—and when. In security, the stakes are higher (don’t tell advertisers that!), but the logic still applies. If someone has engaged in insecure behavior—admins sharing passwords, an executive reusing login credentials, a money-handler answering the call of a fake vendor, an employee forwarding work documents to their personal account, or simply someone missing important software updates—that’s the kind of behavior signal we want to act on. And the more specific and contextual, the better.

Adtech also taught us how to think about timing, frequency, and attention. In advertising, you wouldn’t show someone five ads in 30 seconds and expect them to retain and act on the information. But that’s just what the security industry has been doing for decades with its once-a-year awareness training. Ebbinghaus’s work on the forgetting curve describes an exponential loss of knowledge after learning, where people retain only about a fourth of what they learn after just one week. Those poor folks who underwent security awareness training last January—they don’t stand a chance! And we wonder why human error still accounts for 60% of cyber attacks. 

At Fable, we’re borrowing from adtech’s wisdom and being judicious about when and how often we deliver our AI-generated interventions, like nudges, video briefings, and two-way chats. We know they’re most effective when sent in the moment—precisely when the risky behavior is occurring. Not only are they timed right for the recipient on the first occurrence, but they are reinforced until it becomes a new habit.

Beyond intervening in problematic behavior on a just-in-time basis, we also study when people are generally most likely to engage with our training—what time of day, over what communication channel, and even based on what message we send or tone we use—and we’re using that data to shape and optimize our interventions so they totally land. And they do. Our customers are seeing massive behavior change because of the work we’re doing together. It turns out one size doesn’t fit all. Who knew? Oh yeah, advertisers.

Finally, we brought with us one of the most powerful habits from adtech: experimentation. In the ads world, everything is tested: subject lines, image formats, message length, emoji usage, delivery cadence. And at Fable, we’ve built experimentation directly into our platform and culture. We test what grabs attention, what drives engagement, what sustains behavior change, and what quietly fails. Heck, we even experiment with which restaurants to order our team lunches! We treat every data point as a chance to learn—and get better.

The result is a human risk platform that doesn’t just throw security messages at people. It adapts, iterates, and optimizes—just like the best-performing systems in adtech. Because changing behavior isn’t about telling people what to do. It’s about understanding what works, and doing it smarter each time.

Transform employees from targets to your first line of defense

Posted on by Nicole Jiang and Sanny Liao

The TL;DR

  • We’re launching Fable Security
  • We raised $31 million led by Greylock Partners for our Seed and Redpoint Ventures for our Series A
  • Despite spending billions, companies are still at risk
  • Human error is the problem, but we reject that it can’t be fixed
  • We’re building the modern human risk platform—that shapes behavior directly 

We couldn’t be prouder to launch Fable Security today. We’re emerging out of stealth with $31 million in funding —our Seed led by Greylock and our Series A led by Redpoint. But this milestone isn’t just about fundraising; it’s a testament to the vision we share with our customers and partners, and the growing recognition that there is a huge hole in cybersecurity: the risk posed by human error. 

Why now: AI is weaponizing threats

Despite spending billions annually on cybersecurity tools and training, organizations remain more vulnerable than ever to cyber attack. The reason? Human error. Shared credentials. Publicly-accessible documents. Unpatched systems. Secrets in code. Phishing clicks. And more. Human error is involved in more than 6 out of 10 breaches. And now attackers are weaponizing their operations with AI, delivering threats that grow more numerous and sophisticated by the day. 

Security awareness training: a tired playbook

They say insanity is doing the same thing over and over and expecting a different result. Yet, companies keep fighting human error with the same tired playbook: generic, outdated training and broad-based phishing simulations. We don’t blame them—they’re simply trying to check the boxes required by today’s privacy laws and cybersecurity frameworks, equipped with the limited tools they have available. 

While leading product and data science at Abnormal AI, we saw the limits of even the most advanced cybersecurity technology: companies fall victim to simple, preventable human mistakes over and over again. We weren’t just frustrated by the outdated tools available; we were troubled by the industry’s quiet resignation that people were the problem.

People aren’t the problem

We reject that notion. Human error isn’t inevitable. It’s addressable. In a world of billions of annual attacks—made more powerful by AI—even the smartest defenses depend on the everyday choices people make. That’s why we built Fable: a platform that brings together the best of AI, behavioral data science, and thoughtful design to shape material behaviors directly in the moment—not punishing , but with clarity, context, and action.

We’ve reimagined human risk management in the age of AI

So, what are we building here at Fable? It’s a platform that thinks about human risk as a process—a self-reinforcing system that synthesizes risk from thousands of human behavior signals, pinpoints the riskiest behaviors, and then auto-generates AI interventions to shape those behaviors, in real time, right where people work. The system learns from the actions people take and assesses risk anew—a first-of-its-kind, closed-loop engine for continuously driving down human risk for enterprises.

There’s a huge hole in cybersecurity, and we’re bringing the best of AI to fill it

Our customers use Fable in three primary ways:

  • Assess risk. Visualize and deeply understand employee risk at the individual, cohort, and organization level. Drill into risk factors and understand even the discrete behavior signals that comprise risk.  
  • Shape behavior. Auto-generate and deploy targeted AI interventions such as video briefings, nudges, two-way chats, and workflows to prompt behavior change in the moment.
  • Ensure compliance. Run relevant, modern training and social engineering simulations that are highly-specific to employees’ role, access, and behaviors.

People are changing behavior—for the better

Of course, where the rubber really hits the road is with customers: how they use Fable, and what value they get from it. Our customers’ outcomes surprise even us. They’re reducing phishing clicks by 85 percent, cutting PII exposure by more than 60 percent, and accelerating time-to-behavior change from weeks to hours.

“Traditional training and awareness messages often fall short because they focus solely on what needs to be said. Fable prioritizes the perspective of the listener rather than the speaker, resulting in a more effective and impactful awareness program."
Jonathan Chow
CISO, Genesys

Beyond that, our customers are delighting their employees with…a security program? (You read that right.) We’re getting tons of positive feedback to our nudges and briefings, and an average score of 4.8 stars. In a segment known for clunky tools, stale content, and reputational drag, these results change the narrative for security teams.

“As AI-powered threats evolve, we need AI-driven training to keep pace. Platforms like Fable deliver targeted, adaptive education that meets employees where they are, tracks engagement, and evolves with real-time feedback. That kind of precision is essential to reducing human risk across a large, diverse workforce.”
Arvin Bansal, CISO, C&S Wholesale Grocers
Arvin Bansal
Veteran Fortune 100 CISO

We’re rewriting the story

Now, with the partnership of Greylock Partners, Redpoint Ventures, and a community of forward-thinking customers (the “Fabelievers”), we’re coming in hot. Our mission is to eliminate the human attack surface. It’s a big, bold mission and will require hard work and plenty of collaboration. But we’re here to redefine what’s possible in human risk management—and to prove that with the right approach, employees don’t have to be the weakest link. They can, in fact, be your strongest one.

Curious about the Fable platform? Let us give you a complimentary risk assessment. We promise you won’t be disappointed.

And if you’re considering a career building a real-world, critical AI solution that meaningfully reduces human risk, while being part of a mission-driven culture, join our journey!

Black Hat USA: Amid the noise, find the signal

Posted on by Curtis Casella

The TL;DR: 

  • Black Hat is noisy, intense, and chock full of technical jargon.
  • Fable will be your refreshing oasis amid the chaos.
  • We’re a radically simple enterprise platform to shape behavior and reduce human risk.
  • Fable just may be the highest-ROI, lowest-drama product you see all week.
  • Book time with us at Black Hat.

Black Hat is many things. A firehose of threat research. A proving ground for technical prowess. A dazzling buffet of lateral malware movement, threat modeling, incident response, cloud architecture, and enough jargon to short-circuit a SIEM. It’s brilliant, intense, and unapologetically deep-in-the-weeds. But also: it’s a lot. Especially in the fluorescent hum of Vegas.

That’s why we’re bringing something different: Fable is the modern human risk platform that shapes human behavior. It’s simple and scalable and does three critically important things: synthesizes complex employee data to help you understand risk; pinpoints the most problematic behaviors; and deploys highly-relevant interventions to people automatically, in real time, right where they work. But our big promise? It’s likely to be the thing you’ll see at Black Hat that gives you the biggest bang for your buck, delivering real ROI, quickly, and in a way that’ll delight your people.

So if you need a breather between packet captures and purple teaming, come find us. We’ll show you how to reduce human risk at scale—without the complexity tax. Book time with us at Black Hat and see how the simplest idea on the floor might just be the most effective.

Brevity. It’s about respecting people’s time

Posted on by Curtis Casella

The TL;DR:

  • Respecting people’s time is key to behavior change
  • We’ve baked brevity into our design—and our culture
  • Every second of content should deliver value
  • Here are the ways we weave this concept into our business

We’ve sat through some painful security awareness training in our day. You know, the perma-sessions with cheesy clip-art visuals and utterly outdated content that you’ll forget as soon as you click “finish.” At former companies, these training sessions were excruciating…but also motivating. We started Fable with a promise to do things differently: not only to be effective, but to respect people’s time.

That’s why brevity is one of our core design principles. We don’t just aim for relevance or personalization. We aim for crispness—not just for crispness’s sake, but because there’s too much at stake in security. The more we talk or write, the greater the chance our message will be diluted—and ignored. Our customers can’t afford that.

Their employees are busy. Multi-tasking. Distracted. They’re used to Tik Tok, Reels, and memes. They don’t have time to read a tome—no matter how riveting security is (well, we think it’s riveting).  

When we build human risk interventions in the Fable platform like nudges, video briefings, two-way chats, and workflows, our goal is to deliver the maximum impact in the minimum time. Every second matters, and every word needs to have utility. It’s why we never ship a video over two minutes, and why we advise our customers to do the same when we hand over the keys to do customization on their own.

“[Fable content] makes the medicine go down a little bit easier. It matches the modern TikTok or Reels experience that people are used to today. And I think it feels like we’re on their side, like, “Hey, we’re trying to do something good for you and it’s not punitive.” In the past, you were told you have training to complete and it was going to be one, two, three hours long. It felt like you were being assigned work.”

—Jonathan Chow, CISO, Genesys

Over time, this belief in brevity has become about more than just design—it’s cultural. We’ve come to think of every word, every pixel, every second of interaction as a moment to earn trust and deliver value. If it doesn’t help, clarify, or move someone forward, it needs to go.

This obsession has reshaped how we work. Our videos are always under two minutes. Marketing emails fewer than 50 words. Blogs shipped with a TL;DR. Webinars capped at 15 minutes. Documentation clear and to the point. Even our website messages are designed to give you precisely what you need, and nothing more. Because respecting your time isn’t just good UX—it’s good business.

See what we mean with a demo (we promise not to waste your time!).