
How AI Identified a Malicious North Korean Insider at Exabeam

In the summer of 2025, a young tech professional calling himself Trevor Roth* accepted a remote position with the cybersecurity vendor Exabeam. On paper his credentials were strong: he passed the technical interview and the practical tests, though his video interview raised some eyebrows among the hiring team, who suspected his answers might have been assisted by generative AI. The company extended an offer anyway, and after the usual pre-employment screening, including a background check and validation of his I-9 form, Roth was cleared to start.

Unbeknownst to Exabeam, “Trevor Roth” was a persona built by a North Korean operative on a stolen identity and forged documents. Once he had an account on Exabeam’s corporate network, he was an insider threat.

The Democratic People’s Republic of Korea (DPRK) poses a growing threat to Fortune 500 firms worldwide. According to U.S. Department of the Treasury estimates, numerous DPRK-linked individuals are on the payrolls of American companies, with access to their corporate networks. The motive is twofold: the salaries fund the regime, and the access provides a foothold for cyber intrusions. North Korean operatives have been tied to cryptocurrency theft, theft of sensitive data and extortion, leaving the American businesses that employ them exposed.

Detecting these operatives is difficult because most of them want to keep their jobs for as long as possible and behave accordingly, favouring “low-and-slow” activity that goes unnoticed for long stretches. Steve Povolny, vice president of AI and security research at Exabeam, described the pattern at the RSAC 2026 conference: “Typically, these behaviors are subtle, flying under the radar until they eventually draw scrutiny.”

In Roth’s case, his first day at Exabeam was also his last, thanks largely to oversight backed by agentic AI.

On Roth’s first login to his Exabeam corporate account, the Security Operations Center (SOC) saw that his username had been flagged as high risk by threat intelligence tying it to previous North Korean threat-actor activity. The incident response team isolated Roth’s laptop from the corporate network as a precaution. Kevin Kirkwood, Exabeam’s Chief Information Security Officer (CISO), said the team initially allowed for the possibility that the intelligence was wrong. “We ascribed positive intent at first,” he said of the new hire.

At the same time, the Security Information and Event Management (SIEM) system began raising alerts on Roth’s activity: downloading files from a dubious Zoom site, attempting to connect to unauthorized third-party VPNs, installing the Jump Desktop remote access software, and accessing a streaming service.

Taken in isolation, each alert could pass for the ordinary noise of a new employee setting up a machine. Combined with the threat-intelligence flag on Roth’s username, they called for a coordinated investigation. Exabeam Nova, the investigative AI agent running in the company’s SOC, collated Roth’s user and entity behavior analytics (UEBA) and weighed them against his role and his status as a new hire. Having concluded that the activity warranted a deeper investigation, Nova mapped it to a “Malicious Software” threat vector, consistent with a compromised insider.
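To make the correlation step concrete, the following Python script is an added example written for this page; it is not Exabeam’s or Nova’s code. It scores constructed alert events against two pieces of context, a new-hire list and a threat-intel username watchlist. Each alert type carries a severity below the triage threshold, so a tenured, unflagged user who raises the same four alerts is merely triaged, while the same alerts from a day-one hire whose username is on the watchlist escalate. The usernames, events, severities, thresholds and the eight-hour correlation window are all assumptions made for the example.

```python
"""Correlate low-severity SIEM alerts with new-hire and threat-intel context.

Added illustration for this article; it is not Exabeam's or Nova's code.
Users, events, severities and thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    kind: str
    detail: str


# Base severity per alert type. Each is below the triage threshold on purpose:
# any one of these alerts is routine noise from a new machine being set up.
BASE_SEVERITY = {
    "download_unapproved_site": 20,
    "third_party_vpn_attempt": 25,
    "remote_access_tool_install": 30,
    "streaming_service_access": 5,
}
TRIAGE_AT, ESCALATE_AT = 50, 100
NEW_HIRE_DAYS = 30           # no behavioural baseline yet, so weight activity up
NEW_HIRE_MULTIPLIER = 1.5
THREAT_INTEL_BONUS = 40      # username matched a threat-intel watchlist


def correlate(alerts, new_hires, ti_flagged, window=timedelta(hours=8)):
    """Score each user's alerts that fall within `window` of their latest alert.

    new_hires maps username -> start date; ti_flagged is a set of usernames
    that threat intelligence has associated with a known threat actor.
    Returns {user: {"score", "verdict", "reasons", "alerts"}}.
    """
    by_user = defaultdict(list)
    for alert in alerts:
        by_user[alert.user].append(alert)

    results = {}
    for user, items in by_user.items():
        items.sort(key=lambda a: a.ts)
        latest = items[-1].ts
        recent = [a for a in items if latest - a.ts <= window]
        score = float(sum(BASE_SEVERITY.get(a.kind, 10) for a in recent))
        reasons = []

        start = new_hires.get(user)
        if start is not None and latest - start <= timedelta(days=NEW_HIRE_DAYS):
            score *= NEW_HIRE_MULTIPLIER
            reasons.append(f"new hire (started {start:%Y-%m-%d})")
        if user in ti_flagged:
            score += THREAT_INTEL_BONUS
            reasons.append("username on threat-intel watchlist")

        if score >= ESCALATE_AT:
            verdict = "escalate"
        elif score >= TRIAGE_AT:
            verdict = "triage"
        else:
            verdict = "monitor"
        results[user] = {
            "score": score,
            "verdict": verdict,
            "reasons": reasons,
            "alerts": [a.kind for a in recent],
        }
    return results


# Constructed sample data (not real logs). "troth" is a day-one hire whose
# username is on the threat-intel watchlist; "asmith" raises the same four
# alerts but is a long-tenured, unflagged user; "jdoe" has one VPN attempt
# plus an older alert that falls outside the correlation window.
T0 = datetime(2025, 7, 14, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0 + timedelta(minutes=12), "troth", "download_unapproved_site", "files fetched from an unapproved Zoom-branded site"),
    Alert(T0 + timedelta(minutes=40), "troth", "third_party_vpn_attempt", "outbound to unsanctioned VPN endpoint"),
    Alert(T0 + timedelta(minutes=55), "troth", "remote_access_tool_install", "Jump Desktop installer executed"),
    Alert(T0 + timedelta(hours=1, minutes=30), "troth", "streaming_service_access", "media streaming domain"),
    Alert(T0 + timedelta(minutes=15), "asmith", "download_unapproved_site", "same site as above"),
    Alert(T0 + timedelta(minutes=45), "asmith", "third_party_vpn_attempt", "outbound to unsanctioned VPN endpoint"),
    Alert(T0 + timedelta(hours=1), "asmith", "remote_access_tool_install", "Jump Desktop installer executed"),
    Alert(T0 + timedelta(hours=2), "asmith", "streaming_service_access", "media streaming domain"),
    Alert(T0 - timedelta(days=3), "jdoe", "download_unapproved_site", "outside the 8-hour window"),
    Alert(T0 + timedelta(minutes=20), "jdoe", "third_party_vpn_attempt", "outbound to unsanctioned VPN endpoint"),
]
NEW_HIRES = {"troth": datetime(2025, 7, 14)}   # constructed start date
TI_FLAGGED = {"troth"}                           # constructed watchlist hit


if __name__ == "__main__":
    for user, result in correlate(SAMPLE_ALERTS, NEW_HIRES, TI_FLAGGED).items():
        print(f"{user:7} score={result['score']:6.1f} verdict={result['verdict']:8} "
              f"alerts={len(result['alerts'])} reasons={result['reasons']}")
```

The new-hire multiplier stands in for the absence of a behavioural baseline in UEBA, which is the practical reason a new employee’s activity deserves more weight. The threat-intel bonus is additive and sits below the triage threshold, so a watchlist match raises the priority of whatever activity exists rather than escalating a user on its own.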

Nova then recommended next steps for the SOC analysts: isolate Roth’s device to limit further risk, launch a forensic examination of the compromised host, and review his activity history for signs of phishing or unauthorized access. Triage that would have taken analysts hours was completed in seconds.

Kirkwood and his team then watched Roth for several hours as he attempted to install command-and-control software and exfiltrate sensitive company data. Kirkwood compared the experience to a prize fight: “It was kind of like sitting back and watching the prize fights, drinking beer and eating peanuts.”

When Roth realized he was being watched, he began hastily deleting temporary files. Kirkwood intervened, and the device was bricked immediately. The laptop, along with the indicators of compromise collected during the incident, was handed to the FBI, which acted on the intelligence and took down a laptop farm in Austin.

The infiltration of North Korean IT operatives into American companies surged with the shift to remote work during the COVID-19 pandemic, from 2020 onward. In 2025 alone, the DPRK-affiliated group Famous Chollima infiltrated more than 320 organizations, a 220% increase over the previous year. Experts attribute part of that rise to generative AI, which lets operatives forge documents and pass technical assessments with real-time help from AI tools.

Kirkwood and Povolny recommend that CISOs tighten candidate vetting. Their suggestions include deliberately under-specifying interview problems to see whether a candidate asks clarifying questions, asking candidates to describe their own past decisions, changing a technical problem mid-answer, and requiring an external webcam so the interviewer can see more of the candidate’s environment.

They also advocate placing new hires on SOC watchlists for heightened oversight, and using agentic AI to prioritize potential threats among the steady flow of new employees.

As North Korean and other foreign operatives keep adapting their tactics, organizations such as Exabeam are left to weigh the implications of AI-driven employee monitoring, for their workforces and for the security landscape as a whole.

*Editor’s note: The name “Trevor Roth” has been altered to protect the identity of a potential victim of identity theft.

Alissa Irei serves as the senior site editor for Informa TechTarget Security.
