.png)
The 73.5% Most Executive Protection Programs Are Missing
You can tell where adversaries are spending their time by where the impersonation volume lands.
One platform now absorbs 73.5 percent of all executive threat alerts we monitor. Not all social platforms combined. One. X alone generates more alerts than every other platform combined.
That number is one of the headlines in the 2026 Executive Attack Surface Report from Outtake Labs. We measured the executive attack surface across 877 monitored entities and 16 million threat alerts over twelve months. The data is striking, but the bigger story is what it tells you about how the role of the modern executive has changed, and what their security teams have not yet caught up to.
Executive alerts by platform, 2025. X / Twitter alone absorbed more attack volume than every other platform combined. Source: 2026 Executive Attack Surface Report, Outtake Labs.
The perimeter expanded
Executive protection used to be a physical security problem. A close-protection team, a residential officer, a travel risk plan. Then digital executive protection arrived as an addendum: monitor social media, take down impersonations, scan the dark web.
That model is broken.
The CFO on a Zoom call with executives who are not real. The board member receiving a WhatsApp message from someone who looks like the founder. The CEO whose face was lifted from an earnings call and rebuilt as a deepfake. None of these are edge cases anymore. They are the dominant attack patterns of 2026.
Outtake Labs' 2026 Digital Risk Report, an independent survey of 1,100+ cybersecurity and risk leaders, found that 53 percent of organizations had an executive or employee impersonated online in the past twelve months. Twenty-seven percent saw both executives and employees impersonated. Seventeen percent did not monitor it at all.
The pattern is no longer rare. It is endemic.
Volume, vector, variation
The Executive Attack Surface Report findings sharpen the picture.
Social text attacks dominate. 83.5 percent of executive alerts are social text impersonations, 11.7 percent are visual impersonations, and 4.8 percent are lookalike domains. Every category requires a different defense. Most programs are built for only one of the three.
Volume is accelerating. Threat alerts held steady through the first half of 2025 before spiking sharply from September onward, peaking above 3.3 million alerts in February 2026. The curve is not linear. Adversaries are scaling.
Monthly threat alert volume, March 2025 to March 2026. Social impersonation drove the surge, but lookalike domain activity and visual impersonation grew in parallel. The acceleration began in September. Source: 2026 Executive Attack Surface Report, Outtake Labs.
No two organizations share the same threat profile. When the threat mix is broken down across the enterprises in the dataset, the variation is extreme. Some face threats that are over 90 percent social impersonation. Others face threats that are 99 percent lookalike domains. The implication for CISOs and executive protection leads is the part most programs are missing: the industry average is not your threat profile. A program built for the average defends against no one specifically.
Threat vector mix across 25 enterprises. The variation is extreme. Generic protection programs assume a generic threat. The data says generic does not exist. Source: 2026 Executive Attack Surface Report, Outtake Labs.
What the role of CEO became while the playbook stayed the same
The reason the data looks the way it does is not technical. It is cultural.
A decade ago, the average Fortune 500 CEO was anonymous outside their industry. Today they speak on podcasts, post on social, headline conference stages, and operate as public figures with celebrity-grade reach. Every earnings call is voice training data. Every conference talk is deepfake source material. Every announced investor event is a location signal.
The consequences are showing up in proxy filings.
These line items did not exist five years ago. The role expanded. The protection model did not. And the gap is where adversaries operate.
What this means for the digital executive protection team
The teams running executive protection today inherit a structure built for a different threat. Three problems show up in every conversation.
The physical and digital perimeters are still managed by different teams, often in different reporting chains. The data says they are the same problem.
The protection scope is limited to the executive. The data says adversaries pivot through family, staff, and the executive's adjacent identities to get to the same target.
The takedown workflow is run by hand. The data says adversaries are scaling faster than any human-driven response cycle can match.
None of these problems are solved by another tool. Legacy digital risk protection was built to scan, flag, and route impersonations to an analyst queue, a labor model that an automated attack outruns by morning. The fix is architectural: treat the executive as a person entity operating on an external perimeter that now extends across every platform an adversary can reach.
The data on its own is not the work
Reading the data is the easy part. Translating it into the eight specific attack patterns adversaries are using right now, mapping each one to the indicators your team should be watching for, and getting an operational action you can take this week is the work.
We catalogued that operational layer in the Executive Protection Field Guide. Eight named patterns, anchored to public incidents and government data. A five-stage maturity model to score your program. One concrete action per pattern your team can take this week.
DOWNLOAD
The Executive Protection Field Guide
Eight attack patterns. One maturity model. Eight operational actions your team can run this week.
Frequently asked questions
What is executive impersonation?
Executive impersonation is a form of social engineering where an attacker poses as a company leader, a CEO, CFO, or board member, to deceive employees, partners, or the public. It shows up as fake social profiles, spoofed emails, lookalike domains, and AI-generated voice and video deepfakes, and it is used to commit fraud, steal data, or damage reputation.
How does executive impersonation happen?
Attackers harvest public material to build convincing fakes: earnings calls, conference talks, podcast appearances, social posts. Because today's executives operate as public figures, nearly every public appearance becomes source material an adversary can weaponize.
How can I detect executive impersonation threats?
Detection requires continuous monitoring across the full external attack surface: social platforms, domains, and visual media. Impersonation spans social text, lookalike domains, and deepfakes, and each demands a different detection method. Watch for newly created accounts mimicking your executives, domains that resemble your brand, and unexpected video or voice messages. Pair automated monitoring with human review to keep pace with the volume.
How can organizations protect themselves against impersonation attacks?
Unify physical and digital protection under one program. Extend monitoring beyond the executive to the family, staff, and adjacent identities attackers pivot through. Automate takedown so response matches the speed at which adversaries scale. Treating each executive as a person entity across every platform an adversary can reach, rather than buying one more tool, is what closes the gap most programs miss.