I’ve been obsessing over the intersection of AI and offensive cyber operations for a long time now (I grew up on WarGames and even created an ebook on the topic when I joined BlastWave!). That obsession is actually what birthed the Hackopedia project, because I wanted to catalog not just what attacks were happening, but how the underlying mechanics were shifting from human-driven scripts to automated, intelligent swarms.
The conclusion I reached is terrifyingly simple: The era of "hacking in" is over. The era of "logging in" is here.
Until about a year ago, essentially none of the attacks on record were AI-powered. But the recent report from Anthropic should set off alarm bells for anyone trying to figure out how to solve this problem going forward.
AI is getting frighteningly good at impersonation. It can draft phishing emails (or vishing scripts, as with JLR) that sound exactly like your boss. It can clone voices. It can run MFA fatigue attacks with a patience no human attacker possesses. If your security relies on a password (something you know) or even a simple push notification (something you have), an AI agent can eventually mimic, intercept, or bypass it.
This is why I believe the only way to defeat an artificial intelligence is with a human intelligence. We need a "Human in the Loop" (HITL).
At BlastWave, we talk a lot about HITL, but I want to get specific about how we do it, because the mechanics matter. We don't just ask for a thumbprint; we require the user to scan a QR code displayed by the BlastWave client, using the BlastWave Authenticator app on their phone.
Why does this matter?
Because it creates a physical, temporal bridge that an AI cannot cross.
Think about a standard "MFA Push" attack. An AI agent compromises your credentials and spams your phone with "Approve Login?" notifications at 3:00 AM. Eventually, groggy and annoyed, you might hit "Yes" just to make it stop. That’s a passive failure.
Now, consider the QR code requirement. The BlastWave client never “calls you”. To log in with BlastWave, you have to physically lift your phone, aim the camera at your laptop screen, and scan a unique, ephemeral image.
That simple act of scanning forces a deliberate, physical human interaction. It verifies that the person holding the enrolled phone is physically in front of the screen that displayed the code, and because the code is unique and short-lived, a copy of it is worthless once it has been used or has expired. It turns authentication from a passive digital check into an active physical ritual. Software alone, no matter how intelligent, cannot perform that scan; the one discipline the user still owes the system is to scan only the code on their own screen, never one that someone else sends them.
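To make the "unique, ephemeral" property concrete, here is an added example of how a QR-scan login can bind a one-time challenge to the requesting session and reject replays and stale codes. This is illustrative code written for this article, not BlastWave's protocol or the Authenticator app's code; the use of an HMAC over a per-device secret enrolled out of band, the 60-second lifetime, and every class and field name are assumptions made for the example. Compare it with a push prompt, which carries no challenge at all: "Approve?" can be answered by a tired thumb for any session, whereas a signed response here is only valid for the exact code that was on the screen.

```python
"""Illustrative model of a QR-scan, human-in-the-loop login (added example,
not BlastWave's implementation). The phone can only answer a challenge whose
image it actually saw, and each challenge is single-use and short-lived."""
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 60  # seconds a displayed code stays valid (assumed value)


def sign_challenge(device_key, cid, user, session, nonce):
    """HMAC tag over every field of the challenge, so none can be swapped."""
    msg = "|".join((cid, user, session, nonce)).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class LoginServer:
    """Issues one-time challenges the client renders as a QR code and
    verifies the authenticator's signed response."""

    def __init__(self):
        self.device_keys = {}   # user -> per-device secret, enrolled out of band
        self.pending = {}       # challenge id -> live challenge record
        self.consumed = set()   # challenge ids that have already been used

    def enroll(self, user, device_key):
        self.device_keys[user] = device_key

    def start_login(self, user, session_id, now=None):
        """Return the JSON payload the client encodes into the on-screen QR code."""
        now = time.time() if now is None else now
        record = {
            "cid": secrets.token_hex(8),
            "user": user,
            "session": session_id,
            "nonce": secrets.token_hex(16),
            "expires": now + CHALLENGE_TTL,
        }
        self.pending[record["cid"]] = record
        # Only what the phone needs goes into the QR image; expiry stays server-side.
        return json.dumps({k: record[k] for k in ("cid", "user", "session", "nonce")})

    def finish_login(self, response, now=None):
        """Accept the phone's response only for a live, unused, correctly signed challenge."""
        now = time.time() if now is None else now
        cid = response.get("cid")
        record = self.pending.get(cid)
        if record is None or cid in self.consumed:
            return False                      # unknown or replayed challenge
        if now > record["expires"]:
            del self.pending[cid]
            return False                      # code expired before it was scanned
        key = self.device_keys.get(record["user"])
        if key is None:
            return False                      # no enrolled device for this user
        expected = sign_challenge(key, record["cid"], record["user"],
                                  record["session"], record["nonce"])
        if not hmac.compare_digest(expected, str(response.get("tag", ""))):
            return False                      # wrong device or tampered fields
        self.consumed.add(cid)                # single use: the same scan never works twice
        del self.pending[cid]
        return True


class PhoneAuthenticator:
    """The scan step: signs exactly the fields read out of the QR image."""

    def __init__(self, device_key):
        self.device_key = device_key

    def scan(self, qr_payload):
        f = json.loads(qr_payload)
        tag = sign_challenge(self.device_key, f["cid"], f["user"], f["session"], f["nonce"])
        return {"cid": f["cid"], "tag": tag}


def demo():
    """Happy path plus the replay and expiry cases a practitioner should check."""
    key = secrets.token_bytes(32)
    server = LoginServer()
    server.enroll("alice", key)
    phone = PhoneAuthenticator(key)
    t0 = 1_000_000.0
    qr = server.start_login("alice", "sess-1", now=t0)
    response = phone.scan(qr)
    first = server.finish_login(response, now=t0 + 5)       # True: fresh, signed, unused
    replay = server.finish_login(response, now=t0 + 6)      # False: already consumed
    stale_qr = server.start_login("alice", "sess-2", now=t0)
    stale = server.finish_login(phone.scan(stale_qr), now=t0 + CHALLENGE_TTL + 1)  # False
    return first, replay, stale
```

The session id is inside the signed payload and the server takes it from its own record rather than from the response, so a tag produced for one login attempt cannot be redirected to approve a different one; a phone without the enrolled secret cannot produce a valid tag at all.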
Now, I know what some of you are thinking. "Great, more steps."
I spent time at the NSA, and I vividly remember the old days of high-assurance security. I carried around one of those clunky "calculator" tokens. You had to read a challenge code off the screen, type it into the calculator, get a response code, and type that back into the terminal. It was secure, sure. But it was also a massive pain. It was friction that made you hate the security process.
We cannot do that to OT engineers. If we try to bring "NSA-style" friction to a factory floor or a remote substation, people will revolt. They will find workarounds.
That is the needle we are trying to thread with BlastWave. We are injecting that critical Human-in-the-Loop verification (the physical step that software cannot perform on its own), but we’re doing it with the device you already love (your phone) and a gesture you already know (scanning a QR code).
It’s about finding the balance. We need security that stops a supercomputer, but usability that doesn’t stop a human. Scanning a QR code is much easier than creating new passwords every day (ok, it's not daily, but it feels like it some days).
Need proof that hackers are just logging in? Check out the Hackopedia, and then ask for a demo of how BlastWave’s secure remote access is simple and easy to use.
— Cam Cullen, CMO, Blastwave
Ten years ago in Ukraine, 225,000 people lost power when hackers used stolen credentials to exploit OT networks built on implicit trust. Today, the same flaw persists. BlastWave removes visibility, passwords, and lateral movement, denying attackers all access.