The inbox has historically been the most vulnerable entry point in enterprise security. As phishing campaigns become more convincing, personalized, and increasingly powered by generative AI, existing tools have been stuck in a reactive cycle: wait for an attack, analyze, respond. Atlanta-based email security vendor IRONSCALES believes this cycle is about to change.
In anticipation of the RSA Conference in San Francisco, the company revealed a new threat intelligence initiative, along with live demonstrations of three AI agents launched in its Winter 2026 platform release. These efforts mark IRONSCALES’ transition from a detection vendor to a preemptive security partner, modeling attacks before they occur rather than documenting them afterward.
The “Email Attack of the Day” series debuting at RSAC 2026 utilizes anonymized threat data from over 17,000 customer organizations. The concept is simple: highlight real-world email attack patterns as they emerge, publish them with technical context, and equip security teams with the intelligence to recognize new tactics before they spread.
This format isn’t entirely new, as other vendors frequently release threat advisories and campaign breakdowns. However, IRONSCALES presents the series as a complement to its broader strategy of “Phishing 3.0” defenses, integrating intelligence directly into adaptive detection rather than keeping it isolated in research.
The highlight of the RSAC demonstrations are the three AI agents introduced in the Winter 2026 release: Red Teaming, Phishing SOC, and Phishing Simulation. Each agent is specifically built rather than added to a general-purpose large language model, aiming to be more efficient in encoding domain-specific expertise.
The Red Teaming agent conducts continuous reconnaissance on an organization’s public presence, analyzing social media, executive communications, and org charts. It generates tailored attack simulations that are integrated into detection models, aiming to fortify defenses against campaigns specifically designed for the organization, not just generic threats.
The Phishing SOC agent specializes in the forensic investigation of suspicious emails, delivering a Level 2 analyst’s assessment within minutes, saving hours of human analyst time. This speed is crucial for managed service providers handling numerous client environments.
The Phishing Simulation agent uses reconnaissance data from the Red Teaming agent to create highly personalized training simulations. Instead of using generic phishing templates, it targets high-risk employees with scenarios based on real OSINT data, presented in their native language.
IRONSCALES is taking these steps amid a significantly more hostile environment. Research cited by the company suggests 88 percent of organizations have faced AI-powered security incidents in the past year. KnowBe4’s 2025 Phishing Threat Trends Report noted that over 82 percent of analyzed phishing emails showed signs of AI assistance. A Hoxhunt analysis documented a 14-fold rise in AI-generated phishing during the 2025 holiday season alone.
The economics have shifted too. Crafting an effective spear-phishing campaign once required time and expertise, but generative AI now reduces the task to minutes and a few prompts. IBM security researchers showed that AI could create phishing campaigns as effective as those by human experts, needing just five prompts instead of 16 hours of work.
RSAC 2026 itself mirrors this concern. Agentic AI, systems capable of autonomous multi-step operations, is a key theme at this year’s conference. Microsoft’s keynote addresses securing AI agents at enterprise scale. Various vendors are launching deepfake detection tools. The discussion has clearly shifted from whether AI will reshape email security to how quickly defenders can bridge the gap.
Beyond AI agents, the Winter 2026 release incorporates integrated email encryption for outgoing messages, designed to meet compliance needs without adding complexity. Encryption is applied through policy-based protection for regulated content and user-initiated encryption for sensitive workflows.
The release also expands the company’s deepfake protection for Microsoft Teams, which was first introduced in 2025. Enhanced voice detection now learns employee voice patterns passively from typical meeting participation, flagging impersonation attempts even when cameras are off. This is significant given that deepfake-driven fraud surged more than 700 percent year over year, according to Cyble’s 2025 Executive Threat Monitoring data, and Gartner surveys indicate 62 percent of organizations encountered a deepfake attempt in the last year.
IRONSCALES promotes a closed-loop architecture: reconnaissance informs detection, which informs training, and training enhances recognition. CEO Eyal Benishti describes this approach as distinct from competitors who use OSINT-driven attack generation solely for training. IRONSCALES, he claims, aims to improve detection first.
Whether this approach proves effective in practice will depend on how the agents perform at scale across varied customer environments. The email security landscape is competitive, with several vendors pursuing the same claim of preemptive protection. However, their architectural approach, deploying purpose-built agents unified by an adaptive model trained on data from 17,000 organizations, is at least a testable hypothesis.
RSAC 2026 attendees can witness the platform live at Booth #4600 in the North Expo