What Robo8 covers — and where the honest edges are.
Robo8 is a detection, triage and response layer over your existing telemetry — not an email gateway or a brand-protection service. So it covers a threat only to the degree that the threat produces a technical signal it can ingest and correlate. Here's the straight answer, mapped to MITRE ATT&CK, including phishing, impersonation, social engineering, and AI-era attacks.
Coverage matrix
| Threat | Coverage | How / where the line is |
|---|---|---|
| Phishing T1566 | Partial | Doesn't inspect mail/URLs/attachments at the door. Catches the consequences — payload execution, stolen-credential use, impossible travel, C2 — fused into one incident. Feed your email-gateway alerts (Proofpoint / Mimecast / M365 Defender) and the delivered email itself is correlated too. |
| Account-takeover / identity impersonation T1078 · T1528 | Covered | Core strength: impossible travel, MFA/token replay, OAuth-consent abuse and inbox-rule persistence correlate into one identity incident with an explainable verdict. |
| Business email compromise / email impersonation T1656 | Partial | Ingest email-security detections and Robo8 maps them to Impersonation and chains them to the downstream account activity. Sender-spoofing prevention itself (DMARC/SPF/DKIM) is your mail layer. |
| Lookalike-domain / brand impersonation | Out of scope | That's domain-monitoring / brand-protection — a different control class. Robo8 doesn't register or hunt lookalike domains. |
| Social engineering T1656 · T1204 | Indirect | It can't see a phone call or a chat message. It detects the technical aftermath when the target acts — runs a payload, hands over credentials — and correlates it. |
| Attacks on Robo8's own AI (prompt injection, data poisoning, autonomous misuse) | Covered | Untrusted telemetry is treated as data, not instructions; training is consensus-gated against poisoning; actions are dry-run + human-approved and the model can escalate but never silently suppress. See capabilities. |
| AI-powered attacks by adversaries (AI-written phishing, polymorphic malware) | Behavioural | Detection is content-agnostic, so an AI-generated attack that lands as an endpoint/identity anomaly is caught the same way. It does not attribute "this was AI-generated." |
| Deepfake voice / video | Out of scope | Media authenticity is a separate problem; Robo8 works on security telemetry, not audio/video. |
| Network intrusion, lateral movement, exfiltration T1046 · T1021 · T1041 | Covered | Flow/behaviour anomalies and cross-source correlation are the original core. |
| Endpoint: brute force, credential dumping, malicious execution T1110 · T1003 · T1204 | Covered | Endpoint detection plus the ML threat classifier and graduated response. |
| Robot / OT & Physical AI ATT&CK for ICS | Emerging | Reference slice: robot/OT telemetry maps to ATT&CK-for-ICS and correlates like any other source, and a fail-safe action governor gates actuation against an operating envelope (block + safe-stop on human-proximity, geofence, lost telemetry). A software/AI-governance guardrail — not a certified functional-safety system. |
| Known-exploited vulnerabilities KEV · NVD | Covered | Exploitability-ranked scanning — see the scanner. |
ATT&CK technique IDs are indicative. "Partial" in the matrix means Robo8 covers the threat via your stack: it needs the relevant tool's alerts fed in, consistent with its on-top-of-your-stack design.
The one-line version
See the phishing kill-chain
The dashboard ships a one-click "Email security (phish→ATO)" sample on the Operations tab: a delivered phishing email, an impossible-travel sign-in, an OAuth-consent grant and a hidden inbox-forwarding rule — all about one mailbox — fused into a single, explainable account-takeover incident.