If your security priorities still center on CVSS scores and device vulnerabilities, you’re missing a significant piece of the risk puzzle. People. Attackers aren’t following your org chart. They’re targeting whoever gives them access.
Enter the concept of Very Attacked People (VAPs): individuals in your environment who attract the most persistent, targeted attacks. And they’re not always the CEO or the CISO.
Attackers Follow Access, Not Titles
According to the 2025 Verizon Data Breach Investigations Report, 74% of breaches involve the human element, including phishing, credential theft, and accidental errors. The days of generic phishing blasts are long gone. Today’s attackers are smart, precise, and persistent.
While your executives might still be in the crosshairs, the riskiest users often sit quietly in other roles:
- A marketing manager approving third-party contracts
- An HR admin with access to payroll systems
- A facilities lead managing badge entry systems
These users rarely rank as high-value assets in traditional models, but they often hold credentials and access that attackers want.
Traditional Risk Scoring Misses the Mark
Most risk models still evaluate device posture, not user behavior. They tell you if a system is out of date, but not whether its user has been phished multiple times or flagged by endpoint detection tools.
Without tying alerts to the person behind the screen, “low-severity” events can fly under the radar. A login anomaly for a guest account might not be a big deal. That same anomaly on your head of finance? That is an entirely different story.
Why Your Detection Strategy Needs a Human Layer
Security teams are buried in alerts. Prioritizing based on technical severity alone leads to noise, burnout, and missed threats. Detection becomes more effective when it accounts for who is being attacked, not just how.
At Graylog, we help teams operationalize VAP awareness through practical, people-focused workflows:
- Correlate attack data across sources like phishing, EDR, anomaly detection, and threat intel
- Tag users as VAPs in your SIEM’s asset database to give alerts human context
- Prioritize alerts based on the risk level of the user, not just the event
- Visualize human-centric attack trends to identify repeat targeting or emerging threats
This turns your detection playbook into a risk-based response strategy.
Cut Alert Fatigue by Focusing on VAPs
Security teams don’t need more alerts. They need better context.
Graylog reduces noise by highlighting activity tied to your most attacked users. A single phishing email targeting a known VAP triggers a high-priority alert. Repeated login attempts on a VAP’s account get flagged before they become a breach.
VAP-aware dashboards shift your view from disconnected logs to a cohesive story about who is under fire, how often, and why.
You Can’t Defend What You Don’t See
Most organizations think they’re protecting their highest-value users. But without clearly identifying your VAPs, you are playing defense with one eye closed. Attackers have already adjusted their tactics. It’s time your detection strategy caught up.
Want to start protecting the people attackers are really targeting? Learn how to identify and respond to Very Attacked People
