Why an Effective Detection and Response Strategy Must Focus on Very Attacked People (VAPs)

When a business assesses its vulnerabilities and asks which of its people pose the most risk, its first thought is likely to be the C-Suite or the Head of IT. But it’s not always the boardroom that ranks as VIP status in the world of cyber-targeting.

Gaining unauthorised access to files and data is all about easy access and value. Threat actors are becoming more intelligent and creative in finding the right people to target.

This is where the concept of Very Attacked People (VAPs) comes in. Beyond those with the top titles, it’s about the people who are in fact regularly targeted. Organisations often give very high levels of access to entry-level employees, who can be the most extensive users of applications, and attackers know it. It might even be the office manager with access to credit cards and financial information. Attackers know that these people hold the keys to the kingdom and are spreading their efforts across a variety of targets.

The days of indiscriminate phishing blasts are over and we have entered a new, more sophisticated, era in human cyber targeting. The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that almost three quarters of breaches (74%) involve a human element, including social engineering, phishing, and errors.

Attackers are focusing their efforts on specific individuals, tailoring their tactics and succeeding. In today’s attack environment, not knowing your VAPs is a risk no business can afford to take.

Those organisations that don’t know who their VAPs are will be perpetually behind. According to a recent Gartner report, 88% of boards see cybersecurity as a business risk, not just an IT issue. If cybersecurity is a business risk, then your people—the ones who can open doors to your business—need to be central to any security strategy.

Identifying and monitoring VAPs isn’t just helpful, it’s information that’s critical to act upon. There are three key reasons for this:

  • Attacker Precision is Growing: Spear-phishing attacks, where the attacker crafts a message for a specific person, are 60% more effective than generic phishing attempts. This is no different to a burglar knowing which window has been left unlocked.
  • Low-Level Alerts Can Mask High-Risk Threats: Not every alert is created equal. A “low” alert tied to a VAP isn’t low, it’s a ticking time bomb. If an attacker targets the CFO, just a single phishing email warrants immediate attention. Without that view, the tech team is reacting to alerts in a vacuum, with no context about who is being attacked.
  • A Business’ Risk Model Is Incomplete Without the Human Factor: Most risk scoring models are based on endpoints, not people. They indicate if a device is vulnerable or if a system is outdated. But if the same person has been phished three times in a month, or if their credentials have been leaked on the dark web, those models won’t be able to tell you. And that’s a problem, because attackers aren’t looking for your “crown jewels”; they’re looking for the people who can give them access.

Spotting VAPs isn’t a guessing game. It’s about leveraging your data (the logs, the alerts, the threat intelligence) and spotting the trends and patterns that give insight. Security teams must take the following strategic actions to keep their biggest assets, their people and their data, safe:

  • Correlate attack data across sources: It’s not about job titles; it’s about looking at real attack patterns. Who is receiving the phishing emails and the malware, and are they clicking on those links? It’s also important to check whether they are being flagged by your endpoint tools.
  • Tie alert priority to user risk: An attempted login from a suspicious location might not matter for some employees, but for the CFO or HR manager, it’s a different story. The alert priority must be elevated depending on the person’s role and risk profile.
  • Build dashboards that focus on people: Most dashboards monitor endpoints rather than people. But without having visibility of who’s getting targeted, how often, and by what kinds of attacks, a business’ leaders are unable to fully understand their true risk. It’s essential to build a view that shows attack activity by individuals, over time.
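
The first two actions above, correlating attack data per person and tying alert priority to user risk, sketched as an added example that is not part of the original article. The event records, weights, access tiers and threshold are all constructed assumptions; real values would come from your own email, identity and endpoint telemetry.

```python
from collections import defaultdict

# Constructed sample events from three telemetry sources (not real data).
EVENTS = [
    {"source": "email",    "user": "office.manager", "type": "phish_delivered"},
    {"source": "email",    "user": "office.manager", "type": "phish_delivered"},
    {"source": "email",    "user": "office.manager", "type": "phish_clicked"},
    {"source": "endpoint", "user": "office.manager", "type": "malware_blocked"},
    {"source": "identity", "user": "office.manager", "type": "suspicious_login"},
    {"source": "email",    "user": "cfo",            "type": "phish_delivered"},
    {"source": "email",    "user": "intern",         "type": "phish_delivered"},
    {"source": "identity", "user": "intern",         "type": "suspicious_login"},
]
# Assumed weights: interaction with a lure counts for more than delivery.
WEIGHTS = {"phish_delivered": 1, "malware_blocked": 3,
           "suspicious_login": 4, "phish_clicked": 5}
# Assumed access tiers (1 = limited, 3 = payments or sensitive data).
ACCESS_TIER = {"office.manager": 3, "cfo": 3, "intern": 1}
SEVERITIES = ["low", "medium", "high", "critical"]
VAP_THRESHOLD = 20  # assumed cut-off for "very attacked"

def vap_scores(events):
    """Sum weighted events per user, scaled by how many sources saw them."""
    total, sources = defaultdict(int), defaultdict(set)
    for e in events:
        total[e["user"]] += WEIGHTS.get(e["type"], 1)
        sources[e["user"]].add(e["source"])
    return {u: total[u] * len(sources[u]) for u in total}

def rank_vaps(events):
    """Users ordered from most to least attacked (ties broken by name)."""
    scores = vap_scores(events)
    return sorted(scores, key=lambda u: (-scores[u], u))

def effective_priority(base, user, scores):
    """Raise an alert's base severity by observed targeting and access tier."""
    level = SEVERITIES.index(base)
    if scores.get(user, 0) >= VAP_THRESHOLD:
        level += 1                          # user is under sustained attack
    level += ACCESS_TIER.get(user, 1) - 1   # what the account can reach
    return SEVERITIES[min(level, len(SEVERITIES) - 1)]

if __name__ == "__main__":
    scores = vap_scores(EVENTS)
    for user in rank_vaps(EVENTS):
        print(user, scores[user], effective_priority("low", user, scores))
```

With this sample data the office manager, not the CFO, tops the ranking, while a single "low" alert for the CFO is still raised because of what the account can reach.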

Using an advanced platform is the best approach to operationalise the concept of VAPs and ensure that vigilance is embedded into the daily detection and response workflow to turn data into action. A VAP dashboard built into your SIEM provides a people-first view of attacks and connects the dots between a company’s data, its alerts, and its people.

One real-life threat a business might face is a phishing email targeting the CEO. This would be immediately flagged as a high-priority threat, whether it’s one email or 100.

Alternatively, repeated login attempts on an HR admin’s account highlight a high-risk threat for a potential account takeover. With the right tools, that pattern would be identified before any sensitive payroll data can be exposed.

Businesses that don’t know their VAPs are not in touch with their threat levels. By harnessing threat intelligence, anomaly detection, and asset data enrichment, organisations have a real-time, contextual view of their VAPs in today’s complex attack environment—without noisy alerts or guesswork.

