Are you human?

It’s an increasingly important question, and one that’s getting harder to answer.

With its squiggly letters, the old CAPTCHA, the Completely Automated Public Turing Test To distinguish Computers from Humans, was developed in the early 2000s to stop malicious bots from creating new email accounts and was later used, somewhat ironically, to train machines to “read” garbled text. But given recent advancements in machine learning, the test and its various successors can’t keep the bots at bay the way they used to.

This isn’t just a problem if you’re trying to buy concert tickets. Automatic CAPTCHA solving fuels a fusillade of online attacks, including phishing, password spraying, malware, and propaganda campaigns. Last December, Microsoft and a startup called Arkose Labs took down Storm-1152, a Vietnam-based operation that sold CAPTCHA-cracking services—powered by machine learning—to hacker groups like Octo Tempest that perpetrated ransomware attacks that eventually inflicted hundreds of millions of dollars in damages.

Which is why, if you sign in to some of the world’s biggest online platforms these days, you’re more likely to see something else: Instead of a text or image CAPTCHA, there might be a puzzle asking you to rotate a toy pickup in the direction of a pointing hand, or listen to three tunes and indicate which has a second instrument. The tests were developed by Arkose, which makes AI-enabled tools that help companies like LinkedIn, Roblox, X, and OpenAI stay ahead of the bots. Thanks to the explosion of generative AI and cybercrime vendors like Storm-1152, malicious bot activity is booming, now estimated to account for more than half of the web’s traffic.

A new AI-fueled arms race is erupting across the internet and everything connected to it. Machine learning has become “this incredible acceleration mechanism” for attacks, says Sherrod DeGrippo, director of threat intelligence at Microsoft. And if miscreants are using AI to break in, she says, “we should use machine learning, data science, and AI to improve our security tools and make it harder.” (To see how companies are making important strides in these areas today, read the full list of the Most Innovative Companies in the Security category.)

As AI supercharges ransomware attacks, by making it easier to construct convincing phishing campaigns, for instance, Texas-based Halcyon is using machine learning to block infections prior to execution, and in some cases, it says, even decrypt devices without the need for ransoms. The company is also armed with a deep fund of human intelligence about how attackers get in: the founders’ previous Thiel-backed venture Boldend got its start building cyberweapons for the U.S. government.

Before the hackers arrive, defenders are using AI to help organizations keep their posture from slouching. Cyera, founded by veterans of the Israeli military’s Unit 8200, uses AI to automatically and continuously identify an organization’s sensitive data and lets security teams literally interrogate their systems for vulnerabilities, generate and enforce new policies, or ask why a defense was triggered. DataGrail and Vanta are also leveraging AI and LLMs to help businesses map their data landscape, allowing customers to manage security and privacy workflows and comply with a growing raft of industry and regulatory frameworks like HIPAA and GDPR.

Being human is one thing—but are you who you say you are? Security mainstay Yubico is focused on a simple but growing vulnerability: the password-based login, which thanks to infostealers and other crimeware, is still a popular entry point for the bad guys. The YubiKey security key lets you log in using numerous multifactor authentication protocols, including biometric identification—without the need to quickly copy a code off your phone.

“We cannot depend on people” to be a security tool, says DeGrippo, but we can depend “on technology configured properly.” She thinks it’s pointless to blame us humans for getting duped by a hacker’s email—especially as AI gets ever better at tricking us.

You’re only human after all.

Right?