📝 Episode Summary
We took a detour this month. No thrunting, no hunt repos, just a long honest look at social engineering in the age of AI, with the person who scares Lauren the most in the entire SE community: Matt Bangert (aka @bngrsec), DEF CON 30 black badge winner and the guy whose AI bots now do his social engineering for him. If you have spent a decade training users to spot bad grammar, robotic voices, and the Nigerian prince in your inbox, this is the episode that tells you those red flags are already gone.
The throughline is uncomfortable and simple: the cost of a convincing lure has cratered. Matt walks through the actual math, roughly 500 vishing calls for a hundred bucks, no doomer hand-waving required, and you only need one person to pick up. The old tells are dead, the perfect phish is here, and the gut check (“am I actually expecting this, and what is being asked of me right now?”) is most of what users have left. We get into device code phishing as an initial access path, why the help desk is the single highest-value vector going (ask Scattered Spider), and the part that genuinely kept Lauren up that night: attackers turning your own AI against you. Matt’s go-to move after initial access is opening Copilot and asking it to find the passwords in SharePoint. It works. One of his engagements turned up a password hidden as white text in a spreadsheet, invisible to a human eye, trivially readable to a machine.
But this is THOR Collective, so the answer is not “we are all going to die” (even if Matt says it twice). The defenses that actually hold are boring and process-driven: callback and manager verification, out-of-band notification for any sensitive help desk event, and real defense in depth that does not put the entire load on a tired human at 2 AM. Sydney brings the defensive read throughout, Lauren brings the CISO-adjacent reality of user fatigue and finite resources, and we close with a lightning round and a running joke about the War of 1812 that may or may not become your team’s new safe word. Stick around for the credits. There is a surprise.
⏱️ Episode Breakdown
00:23 – Intro and the May detour into social engineering
02:39 – Guest intro: Matt Bangert, and the Plenty of Fish AI bot research
07:21 – What AI is doing to social engineering, and the new economics of a lure
13:08 – Battle of the Bots, and how defenders actually respond
15:49 – Phishing at scale, device code abuse, and the help desk problem
24:57 – Turning their own AI against them: Copilot abuse and the persistent insider
33:56 – ⚡ Lightning Round
40:14 – Closing, DEF CON plans, and a credits Easter egg
🎤 Hosts & Guest
Lauren Proehl (Host) — Manager of the group, cautious AI optimist, and the one steering this conversation toward the parts that should actually scare you.
Sydney Marrone (Host) — Now officially a manager too (the elder thrunter holds the belt). Co-founder, builder of ATHF and HEARTH, and the defensive voice keeping this episode grounded in what teams can actually do.
Matt Bangert / @bngrsec (Guest) — DEF CON 30 black badge winner as part of team Spilt Beans in the Social Engineering CTF, nine-ish years deep in offensive security since his OSCP, and now hands his social engineering off to AI agents. Took first in the Social Engineering Community’s Battle of the Bots vishing competition. Currently between affiliations. Catch him at DEF CON this year running the GIFs during the live vishing calls at the Social Engineering Community Village (yes, he is taking your not-safe-for-work suggestions).
X: @bngrsec
LinkedIn: mattbangert1
🔗 Resources & Mentions
On the Dispatch
Ask-a-Thrunt3r: April 2026 — Signal vs Myth — last month’s episode, cutting through the Mythos hype with Trent Lo. Catch up if you missed it.
Featured in This Episode
Matt’s SecKC Talk on AI Bots and Dating App Honeypots — Matt and Snow’s research using AI agents to detect bots and scammers on Plenty of Fish, presented at SecKC in March
Social Engineering Community Village — the DEF CON village where Matt volunteers, led by Snow. Home of the vishing competition and Battle of the Bots.
Battle of the Bots (Vishing Edition) — the autonomous AI vishing competition that debuted at DEF CON 33. Five teams build agents that call companies and extract flags, fully hands-off. Returning this year.
📢 Call to Action
Audit your help desk — map your own verification flow before an attacker does it for you, and add out-of-band manager notification for MFA, phone, and password changes
Stop training users on grammar and spelling — the perfect phish is here; shift to “am I expecting this, and what is being asked of me right now?”
Look at what your own AI can reach — if a Copilot or assistant has a license in your environment, find out what it will hand over before someone else does
Pick a safe word — yes, really, ask people about the War of 1812
Come find Matt at DEF CON — Social Engineering Community Village, running the GIFs during the live vishing calls
Catch us at the Antisyphon Threat Hunting Summit — virtual and free, June 17, 2026, the day after this drops:
Sydney: Avoiding Hunt Amnesia: Building a Memory Your AI Can Use — 12:00 PM ET
Lauren: Fast-track Reports into Ready-Made Hypotheses with AI — 3:00 PM ET
Write for THOR Collective — first-time publishers, up-and-coming voices, builders with something to share: come find us
📬 Connect with THOR Collective
🗣️ Social Media
Twitter/X: @THOR_Collective
LinkedIn: THOR Collective
BlueSky: @thorcollective
📧 Contact
Reach out through any social channel for guest post opportunities, collaborations, or to tell us what you’re building.