Most cybersecurity guidance assumes a simple threat model: attackers send large volumes of cheap attacks, hoping someone makes a mistake. While this model explains much of the internet’s background noise—phishing emails, credential stuffing, and drive‑by malware—it falls apart when applied to people who are deliberately and persistently targeted.
Journalists, activists, political candidates, founders, executives, and individuals who control valuable infrastructure or assets face a fundamentally different threat landscape. For them, security isn’t about avoiding generic attacks—it’s about surviving intentional, adaptive, and well‑resourced adversaries.
What Makes a Targeted Attack Different
Targeted attacks are defined less by the technique used and more by the intent behind them. Instead of cheaply targeting many people at once, attackers invest time and resources into a specific individual or small group. They research personal relationships, professional context, routines, and even beliefs. If the attack fails, they don’t move on—they escalate.
Unlike opportunistic attackers who “spray and pray,” targeted attackers move vertically. They begin with inexpensive methods—phishing emails, meeting requests, or social engineering—and only deploy more expensive tactics if earlier attempts fail. This escalation model allows them to conserve resources while still maintaining a high likelihood of success.
Crucially, success for an attacker doesn’t always mean financial theft. It may mean access to sensitive communications, impersonation of a trusted figure, influence over public discourse, or disruption of critical work.
Who Becomes a High‑Risk Target
High‑risk targets are not defined by fame alone. They are defined by value—political, economic, informational, or symbolic.
Commonly targeted groups include:
- Political campaigns and advocacy organizations with limited resources
- Journalists and media organizations reporting on sensitive topics
- Human rights defenders and activists
- Executives or founders at small but influential companies
- Individuals holding significant digital assets or access to critical infrastructure
These groups often operate under intense time pressure, rely on ad‑hoc teams, and prioritize mission over operational maturity. Security is rarely the primary focus, which makes them especially vulnerable to attackers willing to exploit gaps in tooling, training, or attention.
The Hidden Risk of “Adjacent” People
One of the most overlooked aspects of targeted attacks is that attackers rarely start with the primary target. Instead, they look for paths of least resistance—personal assistants, consultants, schedulers, or small third‑party vendors who have access or influence.
These adjacent individuals often use personal devices, lack formal security training, and are unaware they are part of a larger attack surface. Compromising them can be cheaper and easier than attacking the primary target directly, while still providing access to valuable information or systems.
In targeted contexts, protecting only the obvious target is insufficient. The broader ecosystem must be considered.
How AI Is Changing the Economics of Attacks
Artificial intelligence has dramatically lowered the cost of personalization. Attacks that once required days of research and manual preparation can now be generated in hours—or minutes—using widely available tools.
By combining leaked data, public information, and AI‑assisted analysis, attackers can:
- Map personal and professional networks
- Generate convincing impersonation messages
- Adapt language and tone to specific contexts
- Scale personalized attacks beyond one‑off scenarios
This creates a dangerous middle ground: attacks that are neither fully mass‑market nor fully bespoke, but semi‑targeted at scale. As a result, more people are exposed to attack styles historically reserved for high‑value individuals.
Why Traditional Security Advice Falls Short
Much consumer security advice is tuned for convenience tradeoffs that don’t map well to high‑risk users. VPNs, password rotations, and generic awareness training offer limited protection against attackers who are prepared, patient, and adaptive.
For targeted users, the most effective defenses tend to be opinionated and restrictive—reducing the attack surface rather than expanding user choice. This includes eliminating entire classes of attacks rather than attempting to detect them after the fact.
Raising the Security Baseline for High‑Risk Users
A recurring theme in modern security thinking is the idea of graduated protection levels. Not every user needs the same defenses, but platforms must provide pathways for users at higher risk to opt into stronger defaults.
Key principles include:
- Allowing users to self‑identify as high‑risk
- Automatically enforcing stronger authentication and recovery mechanisms
- Reducing reliance on fallible signals like SMS codes
- Prioritizing secure defaults over configurable complexity
- Taking responsibility for maintaining the higher baseline over time
This approach shifts the burden away from users having to understand every threat and toward platforms that proactively reduce exposure.
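As an added illustration (not code from any real platform), the sketch below shows how a platform might enforce graduated protection: an opt-in high-risk tier that narrows the accepted sign-in and recovery factors and cannot be left instantly. The tier names, the policy table, and the seven-day cooling-off period are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Tier(Enum):
    STANDARD = "standard"
    HIGH_RISK = "high_risk"

# Constructed policy table (an assumption, not any real platform's settings):
# the factors each tier accepts for sign-in and for account recovery.
POLICY = {
    Tier.STANDARD: {"login": {"security_key", "totp", "sms"},
                    "recovery": {"security_key", "backup_code", "sms", "email_link"}},
    Tier.HIGH_RISK: {"login": {"security_key"},
                     "recovery": {"security_key", "backup_code"}},
}
COOLING_OFF_DAYS = 7  # assumed delay before leaving the high-risk tier takes effect

@dataclass
class Account:
    name: str
    factors: set = field(default_factory=set)  # factors the user has registered
    tier: Tier = Tier.STANDARD
    downgrade_requested_day: Optional[int] = None

def enroll_high_risk(acct: Account) -> bool:
    """Self-service opt-in; refused if it would lock the user out."""
    if "security_key" not in acct.factors:
        return False
    acct.tier, acct.downgrade_requested_day = Tier.HIGH_RISK, None
    return True

def request_downgrade(acct: Account, today: int) -> None:
    """Leaving the tier is delayed, so a hijacked session cannot weaken it at once."""
    if acct.tier is Tier.HIGH_RISK and acct.downgrade_requested_day is None:
        acct.downgrade_requested_day = today

def effective_tier(acct: Account, today: int) -> Tier:
    """The tier actually enforced today, honoring the cooling-off period."""
    asked = acct.downgrade_requested_day
    if acct.tier is Tier.HIGH_RISK and asked is not None and today - asked >= COOLING_OFF_DAYS:
        return Tier.STANDARD
    return acct.tier

def is_allowed(acct: Account, action: str, factor: str, today: int) -> bool:
    """True only if the user registered the factor and the tier accepts it for this action."""
    return factor in acct.factors and factor in POLICY[effective_tier(acct, today)][action]
```

Once an account is enrolled, an SMS code is rejected for both sign-in and recovery even though the phone number is still on file, and a downgrade request changes nothing until the cooling-off period has passed.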
Practical Defensive Priorities
For individuals who believe they may be targeted, a few practices consistently stand out:
- Hardware‑backed authentication: Physical security keys dramatically limit phishing and credential theft by binding authentication to a trusted device.
- Verification over speed: Unexpected requests—even mundane ones like meeting invites or document reviews—should be verified out‑of‑band before action.
- Institutional support: Dedicated organizations exist to help journalists, activists, and political actors with digital protection. Leveraging expertise reduces both risk and stress.
- Awareness without paranoia: Skepticism should be informed and proportional. Fear is not a security strategy, but calm verification is.
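To make the hardware‑backed authentication point concrete, the added example below (not code from the original page) goes a step beyond the text and shows the WebAuthn binding checks a relying party runs on a security‑key assertion before verifying its signature, which is why a response produced on a lookalike site is rejected. The relying‑party ID, origin, and sample assertions are constructed assumptions; the signature check itself is a separate step and is not shown.

```python
import base64, hashlib, hmac, json

RP_ID = "accounts.example.org"            # assumed relying-party ID
ORIGIN = "https://accounts.example.org"   # assumed expected origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Return (ok, reason) for the binding checks done before signature verification."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this sign-in attempt.
    got = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        return False, "challenge mismatch"
    # The browser, not the user, reports the origin the request came from.
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch"
    # Authenticator data: 32-byte rpIdHash, 1 flags byte, 4-byte signature counter.
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "binding checks passed"

def make_sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x01):
    """Build a constructed assertion as a browser and authenticator would report it."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return cd, ad

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses fresh random bytes
    print(check_assertion(*make_sample(ORIGIN, RP_ID, challenge), challenge))
    lookalike = "accounts.example-org.test"  # constructed lookalike domain
    print(check_assertion(*make_sample("https://" + lookalike, lookalike, challenge), challenge))
```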
Security When Failure Really Matters
Targeted attacks change the definition of success. For defenders, success often means nothing happens—no compromise, no disruption, no silent loss of trust.
As attackers become more patient, better resourced, and more automated, protecting high‑risk users requires rethinking assumptions about scale, usability, and responsibility. Security for these users isn’t an add‑on or an upgrade—it’s a different operating model entirely.
Designing for that reality is no longer optional.
