The phishing email used to give itself away: bad grammar, a misspelled domain, a logo that looked off, a tone that did not match the sender. Those tells are gone. The attacker writing into your inbox today has flawless English, the right signature block, and a domain that mirrors a real bank, a real hospital, or a real federal agency. The old defenses (the blocklists, signatures, and keyword rules that worked for two decades) were tuned for the attacker that used to exist. That attacker is gone, and the volume of what replaced them is staggering. Roughly 376 billion emails moved through global inboxes every day in 2025, and between September 2024 and February 2025, 82.6% of phishing emails were assembled with the help of AI, a 53.5% increase over the prior year. Filtering still matters. What you filter on is the part that has changed.
Jeng-Ru Wu is a senior software development engineer working on threat detection at one of the major cloud email platforms, where his team handles inbound and outbound traffic at industrial scale. With a background in computer science and several years building production-grade email security infrastructure, he has spent the last two years moving the platform's defenses away from static rule sets and toward continuous, model-driven analysis. Wu led the infrastructure work behind a new advanced email security capability that brought heuristic, behavioral, and machine-learning analysis from a third-party threat research vendor into the platform, expanding the kinds of attacks the system can recognize before they reach a customer's inbox.
We spoke with Jeng-Ru about why traditional defenses are running out of road, what AI-driven detection actually looks like in practice, and why the future of cybersecurity may belong less to any single platform and more to the alliances that form between them.
What has fundamentally changed about email-based attacks in the past two years?
The single biggest change is that the message itself stopped being the evidence. For two decades, the way you caught phishing was by looking at the email: bad grammar, a mismatched link, a domain that almost looked like your bank's domain. Generative AI took every one of those tells and erased it. Now an attacker can produce a message that reads like it came from your CFO, references the right project, and sounds exactly like the person they are pretending to be. The 1,265% surge in AI-linked phishing reported across the industry since 2023 captures the volume of the shift. The harder change to quantify is quality. The lures simply read better.
What that does to a defender is force you to stop trusting any single signal. We used to be able to look at a message and say it looked safe. Now we have to assume the message looks fine and ask what the rest of the picture says. Where did it come from? Who is the sender's account talking to? How does this pattern compare to what we saw an hour ago, a day ago, a week ago? The question shifted from "is this email malicious" to "is this behavior malicious." That shift is what is moving the entire industry off rules and onto models.
A lot of the most damaging attacks now imitate banks, government agencies, and healthcare providers. Why is that combination so effective?
Those three categories share a common quality: people open the email. Nobody ignores a message from their bank about a suspicious charge, from their hospital about a test result, or from a government agency about a tax matter. Attackers know that, and AI lets them imitate the look and tone of those institutions almost perfectly. The FBI tracked $2.77 billion in business email compromise losses in 2024, and a lot of that volume sits in this exact category, perfectly crafted messages that pretend to be someone you trust.
What makes these cases hard is that the surface evidence supports the lie. The logo is right. The tone is right. The signature is right. The hard cases are the messages where ninety-five percent of the surface features match a real sender, and the only difference is something subtle, like a small inconsistency in the email's headers or a sending pattern that does not match the institution's normal rhythm. You catch those cases by stepping back and looking at hundreds of messages together, not by inspecting any one of them harder.
If rules and filters cannot keep up with that, what does?
Rule-based security made sense when threats were stable. You wrote a rule for a known bad pattern, and the rule kept working until the attacker found a new pattern, which usually took weeks. Today an attacker can change a campaign's signature in hours. So a rule you write Monday morning may already be irrelevant by Tuesday afternoon. The only sustainable answer is detection that learns continuously, and that means models that retrain on fresh data, behavioral baselines that update as senders' habits change, and decision logic that gets smarter the longer it runs.
In practice this means very little of the work is one big model making one big decision. It is many smaller models reading smaller signals, and a layer above them weighing the evidence in real time. A single message might be checked for sender reputation, content cues, authentication, and how the sending account has behaved across recent traffic. None of those signals alone is enough. Together, they produce a verdict in the fraction of a second between an email arriving and either reaching an inbox or being stopped.
Your team handles phishing, spoofing, and malware detection at significant scale. What is the trickiest part of getting that right?
The trickiest part is calibration. Anyone can build something that blocks every email. The hard work is blocking the bad ones without bouncing the good ones, and the good ones include things you cannot afford to break. Hospitals send appointment reminders. The CDC sent COVID-19 guidance during the pandemic. Schools send tuition notices. If you tune detection too aggressively, you bounce a message that someone needed, and the cost of that miss is sometimes worse than the cost of letting a phishing email slip through. So a huge amount of the engineering goes into calibration, not classification.
The other piece is that attackers are watching what works. They probe, they adjust, they retry, often within hours of being caught. So you cannot ship a model and walk away. You have to keep learning, keep retraining, and keep adjusting your thresholds, while also keeping the lights on for the legitimate traffic flowing through the same pipes. That tension between adaptation and stability is the engineering problem most people outside the field do not see.
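The calibration problem above, choosing a blocking threshold that catches phish without bouncing the hospital reminder, can be worked through on a labeled sample. This is an added example, not the platform's own tooling; the ten scored messages and their labels are constructed, and the overlap is deliberate (one genuine bulk notice scores above one real phish) so that no threshold is both perfectly clean and perfectly complete. It sweeps every candidate threshold, reports recall and false-positive rate at each, lists the legitimate mail each would bounce, and picks the most aggressive threshold that stays inside a false-positive budget.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    score: float      # detector score in [0, 1]; higher means more likely malicious
    malicious: bool   # ground-truth label from analyst review
    note: str         # what the message was (constructed)


# Constructed evaluation set for the calibration exercise.
SAMPLES = [
    Sample(0.05, False, "hospital appointment reminder"),
    Sample(0.12, False, "school tuition notice"),
    Sample(0.22, False, "public-health guidance bulletin"),
    Sample(0.35, False, "password-reset confirmation"),
    Sample(0.44, True,  "fake invoice with off-domain link"),
    Sample(0.52, False, "bank statement-ready notice from a bulk sender"),
    Sample(0.57, True,  "lookalike bank login lure"),
    Sample(0.66, True,  "spoofed tax-agency notice"),
    Sample(0.79, True,  "credential harvest page, failed DMARC"),
    Sample(0.93, True,  "malware attachment"),
]


def confusion(samples, threshold):
    """Counts (tp, fp, fn, tn) when everything scoring >= threshold is blocked."""
    tp = fp = fn = tn = 0
    for s in samples:
        blocked = s.score >= threshold
        if s.malicious:
            tp += blocked
            fn += not blocked
        else:
            fp += blocked
            tn += not blocked
    return tp, fp, fn, tn


def rates(samples, threshold):
    """(recall, false-positive rate): share of phish caught, share of good mail bounced."""
    tp, fp, fn, tn = confusion(samples, threshold)
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return recall, fpr


def bounced_legitimate(samples, threshold):
    """The good mail a threshold would bounce: the cost the calibration has to weigh."""
    return [s.note for s in samples if not s.malicious and s.score >= threshold]


def pick_threshold(samples, max_fpr):
    """Lowest candidate threshold (most phish caught) whose FPR stays within budget.
    Candidates are the observed scores; returns None if no candidate meets the budget."""
    for t in sorted({s.score for s in samples}):
        if rates(samples, t)[1] <= max_fpr:
            return t
    return None


def sweep(samples):
    """Threshold-by-threshold table for a calibration review."""
    rows = []
    for t in sorted({s.score for s in samples}):
        recall, fpr = rates(samples, t)
        rows.append((t, recall, fpr, bounced_legitimate(samples, t)))
    return rows


if __name__ == "__main__":
    for t, recall, fpr, bounced in sweep(SAMPLES):
        print(f"threshold {t:.2f}: recall {recall:.0%}, FPR {fpr:.0%}, bounces {bounced}")
    for budget in (0.0, 0.2):
        t = pick_threshold(SAMPLES, budget)
        print(f"FPR budget {budget:.0%} -> threshold {t}, recall {rates(SAMPLES, t)[0]:.0%}")
```

On this sample a zero-false-positive budget forces the threshold up to 0.57 and lets the 0.44 invoice phish through, while a 20% budget drops the threshold to 0.44, catches everything, and bounces the bank's statement notice. Neither answer is free; the retraining loop described above is what keeps the chosen threshold honest as the score distribution drifts.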
Earlier this year, you led the integration of an advanced AI-based detection capability built with an external cybersecurity vendor. What was the thinking behind bringing in an outside partner?
No single team has full visibility into every threat surface. We see what flows through our platform, which is a lot, but the threat landscape is bigger than any one provider's traffic. A vendor that has spent years on dedicated threat research has signals we will never see, and we have signals they will never see.
The smart play is to combine views, not to pretend we have a complete one. The integration we rolled out this March puts heuristic, behavioral, and machine-learning analysis from a partner inline with our own infrastructure, and the customer gets the union of both views without managing a separate pipeline. 87% of organizations say they were targeted by AI-powered cyberattacks in the past year, and at that volume, no one is building defenses alone anymore.
What I think gets undersold in that kind of integration is how much of the work is plumbing rather than modeling. The models are the headline. The infrastructure that lets external classifiers run inside a live email stream without slowing it down or breaking deliverability is where most of the engineering went. That is the part that took us almost a year to build, and it is the part that future partnerships will be able to plug into much faster.
Beyond vendor partnerships, your team coordinates directly with abuse and anti-spam teams at Gmail, Outlook, and Yahoo. How does that ecosystem actually function?
It is far more cooperative than people realize. From the outside it looks like the major email providers are competitors, but on the abuse side we share intelligence almost daily. If a phishing campaign is hitting one provider, it is usually hitting all of us within hours. So the teams have informal channels and formal ones, and the goal is to coordinate enforcement, so that when a bad actor gets shut down on one platform they cannot just rotate to another and keep going.
The reason this matters more now is that attacks have gone fully cross-platform. A modern phishing operation might send the lure from one provider, host the credential capture page on a different cloud, and use a third platform for the payout. If each of us only sees our slice, we lose. The shared view is what makes enforcement actually stick. When our vendor integration shipped in March, industry press read it as evidence that email defense is moving in this collaborative direction, and they were right to read it that way. The global AI cybersecurity market is on track to grow from about $25 billion in 2024 to roughly $94 billion by 2030, and a lot of that spend is going toward platforms that can ingest and act on shared intelligence at machine speed.
Looking forward, where does cybersecurity go from here?
The thing I would push people to think about is that cybersecurity is not going to stay an email problem. The same logic that pushed us toward behavioral and AI-based detection in the inbox is now showing up in identity, in cloud workloads, and in the connections between services. An attacker who pivots from a phishing email to a compromised login to a misused cloud account is harder to catch than they should be, because each of those layers usually only sees its own slice. The next phase of this work is figuring out how to share context across those layers without trading it for privacy or performance. That is where I want to spend the next few years.
What I am more certain of than any prediction is the shape of the model. No single team, vendor, or platform is going to solve this alone. The collaboration that started on the abuse desks of the big email providers is moving into cloud security, identity, and supply-chain defense. The future of cybersecurity will be powered by AI, run across shared platforms, and built on cooperation that used to live behind closed doors. Defense is becoming a team sport, and the teams that share early are the ones that catch attacks first. That is the change worth tracking.