A new report from AI training company Hoxhunt reveals that AI agents can successfully create more effective simulated mass phishing campaigns than elite human red teams can.
Hoxhunt has been tracking the effectiveness of AI phishing since 2023 when AI was 31 percent less effective than humans. By November 2024, AI was 10 percent less effective than humans via development of Hoxhunt’s AI spear phishing agent. As of March 2025 though AI is now 24 percent more effective than human red teams.
“For the first time, AI has outperformed our elite human red teams in phishing simulations. The big bad AI wolf is knocking at the door and he’s irrefutably better at getting in. He’s huffing and puffing, but too many organizations are still building their human defenses out of straw. We need to immediately adopt the right AI platforms to build houses out of brick,” says Pyry Åvist, CTO and co-founder of Hoxhunt.
In 2023, human red teams outperformed AI with a failure rate of 4.2 percent for humans compared to 2.9 percent for AI. However, it seems that large language models have tipped the balance in AI’s favor and between 2023 and 2025 AI’s phishing performance relative to elite human red teams has improved by 55 percent.
The research used Hoxhunt’s own AI spear phishing agent, codenamed JKR — short for joker. This was designed to perform two tasks, firstly it was given user-specific context (role, country, etc.) and was asked to create a novel phishing attack that maximized the likelihood of the user clicking the phishing link. In the second the AI was also tasked with improving an existing human-created phishing attack, making it more effective.
Mika Aalto, co-founder and CEO of Hoxhunt stresses the need for proactive defenses, “When the first computer viruses emerged and rapidly spread in the 1980s, they shocked many people because no one had imagined the computer could be a weapon. But that moment gave rise to early cybersecurity — firewalls, antivirus, intrusion detection, and so on. Today, we’re at a similar crossroads with AI. Just like we built the immune system for computers back then, now we need to build one for people and the digital environment — powered by AI, rooted in behavior, and ready for what comes next.”
You can see the full report on the Hoxhunt site.
Image credit: dampoint/depositphotos.com
