AI Threat Modeling: Securing Identities with Zero Trust in 2025

Financial services firms are fighting off increasingly sophisticated identity-based attacks intent on stealing billions and disrupting transactions, ultimately destroying trust that took years to build.

Cybercriminals continue to sharpen their tradecraft, targeting the industry’s gaps in identity security. From attempting to weaponize LLMs to using the latest adversarial AI techniques to steal identities and commit synthetic fraud, cybercriminals, crime syndicates and nation-state actors are all taking aim at financial services.

Here’s how Rate Companies (formerly Guaranteed Rate) is battling back against these increasingly complex identity-based attacks — and what other industries and enterprise leaders can learn from their strategy.

How Rate Companies is defending against AI-driven threats

Financial institutions face more than $3.1 billion in exposure from synthetic identity fraud, which grew 14.2% in the past year, while deepfakes jumped by 3,000% and are projected to rise another 50 to 60% in 2024. Not to mention that smishing texts, MFA fatigue and deepfake impersonations have become alarmingly common.

As the second-largest retail mortgage lender in the U.S., Rate has billions of sensitive transactions flowing through its systems daily, making the company a prime target for cybercriminals.

VentureBeat recently sat down (virtually) with Katherine Mowen, the financial institution’s SVP of information security, to get insights into how she is orchestrating AI across Rate’s infrastructure, with a strong focus on protecting customer, employee and partner identities.

“Because of the nature of our business, we face some of the most advanced and persistent cyber threats out there,” Mowen told VentureBeat. “We saw others in the mortgage industry getting breached, so we needed to ensure it didn’t happen to us. I think that what we’re doing right now is fighting AI with AI.”

Mowen explained that AI threat modeling is crucial to protecting customers’ identities and the billions of dollars in transactions the company makes every year. She also emphasized that “even the best endpoint protections don’t matter if an attacker simply steals user credentials.”

This realization pushed Rate to enhance identity-based anomaly detection and integrate real-time threat response mechanisms. The company has adopted a zero-trust framework and mindset, anchoring every decision around identity and continuous verification.

Today, Rate operates with a “never trust, always verify” approach to validating identities, which is a core concept of zero trust. Using AI threat modeling, Rate can define least privileged access and monitor every transaction and workflow in real time, two additional cornerstones of a solid zero trust framework.

The company recognized the importance of addressing the increasingly short window for detection and response — the average eCrime breakout time is now just 62 minutes. To meet this challenge, the organization adopted the “1-10-60” SOC model: 1 minute to detect, 10 minutes to triage and 60 minutes to contain threats.

Lessons learned from Rate on building an AI threat modeling defense

To scale and address the mortgage industry’s cyclical nature — staff can surge from 6,000 to 15,000 dpending on demand — Rate needed a cybersecurity solution that could easily scale licensing and unify multiple security layers. Every AI threat modeling vendor has special pricing offers for bundling modules or apps together to achieve this. The solution that made the most sense for Rate is CrowdStrike’s adaptable licensing model, Falcon Flex, which allowed Rate to standardize on the Falcon platform.

Mowen explained that Rate also faced the challenge of securing every regional and satellite office with least privileged access, monitoring identities and their relative privileges and setting time limits on resource access while continuously monitoring every transaction. Rate relies on AI threat modeling to precisely define least privileged access, monitoring every transaction and workflow in real time, which are two cornerstones needed to build a scalable zero trust framework.

Here’s a breakdown of Rate’s lessons learned from using AI to thwart sophisticated identity attacks: 

Identity and credential monitoring are table stakes and are where security teams need a quick win

Rate’s information security team began tracking a growing number of complex, unique identity-based attacks targeting loan officers working remotely. Mowen and her team evaluated several platforms before selecting CrowdStrike’s Falcon Identity Protection based on its ability to identify often nuanced identity-based attacks. “Falcon Identity Protection gave us visibility and control to defend against these threats,” said Mowen.

Using AI to reduce noise-to-signal ratio in the (SOC) and on endpoints must be high-priority

Rate’s previous vendor was generating more noise than actionable alerts, Mowen noted. “Now, if we get paged at 3 a.m., it’s nearly always a legitimate threat,” she said. Rate settled on CrowdStrike’s Falcon Complete Next-Gen managed detection and response (MDR) and integrated Falcon LogScale and Falcon Next-Gen security information and event management (SIEM) to centralize and analyze log data in real time. “Falcon LogScale lowered our total cost of ownership compared to the clunky SIEM we had before, and it’s far simpler to integrate,” said Mowen.

Define a clear, measurable strategy and roadmap to gain cloud security at scale

Because the business is continuing to grow organically and through acquisitions, Rate required cloud security that could expand, contract and flex with market conditions. Real-time visibility and automated detection of misconfigurations across cloud assets were must-haves. Rate also required integration across a diverse base of cloud environments, including real-time visibility across its entire information security tech stack. “We manage a workforce that can grow or shrink quickly,” said Mowen.

Look for every opportunity to consolidate tools to improve end-to-end visibility

For AI threat modeling to succeed in identifying attacks, endpoint detection and response (EDR), identity protection, cloud security and additional modules all had to be under one console, Mowen pointed out. “Consolidating our cybersecurity tools into a cohesive system makes everything — from management to incident response — far more efficient,” she said. CISOs and their information security teams need tools to deliver a clear, real-time view of all assets through a single monitoring system, one capable of automatically flagging misconfigurations, vulnerabilities and unauthorized access.

“The way I think about it is, your attack surface isn’t just your infrastructure — it’s also time. How long do you have to respond?”, said Mowen, emphasizing that accuracy, precision and speed are critical.

Redefining resilience: Identity-centric zero trust and AI defense strategies for 2025

Here are some key insights from VentureBeat’s interview with Mowen: 

• Identities are under siege, and if your industry isn’t seeing it yet, they will in 2025: Identities are considered a weak point in many tech stacks, and attackers are constantly fine-tuning tradecraft to exploit them. AI threat modeling can protect credentials through continuous authentication and anomaly detection. This is essential to keep customers, employees and partners safe from increasingly lethal attacks.

• Fight AI with AI: Using AI-driven defenses to combat adversarial AI techniques, including phishing, deepfakes and synthetic fraud, works. Automating detection and response reduces the time needed to identify and defeat attacks.

• Always prioritize real-time responses: Follow Mowen’s lead and adopt the “1-10-60” SOC model. Speed is critical as attackers set new records based on how quickly they can access a corporate network and install ransomware, search for identity management systems and redirect transactions.

• Make zero trust core to identity security, enforcing least privileged access, continuous identity verification and monitoring every activity like a breach already happened: Every organization needs to define its own unique approach to zero trust. The core concepts keep proving themselves, especially in highly-targeted industries including financial services and manufacturing. Core to zero trust is assuming a breach has already occurred, making monitoring a must-have in any zero trust framework.

• When possible, automate SOC workflows to reduce alert fatigue and free up analysts for level two and three intrusion analysis: A key takeaway from Rate is how effective AI threat monitoring is when combined with process improvements across a SOC. Consider how AI can be used to integrate AI and human expertise to continuously monitor and contain evolving threats. Always consider how a human-in-the-middle workflow design improves AI accuracy while also giving SOC analysts a chance to learn on the job.