UK’s trusted IT infrastructure partner since 2003
Servnet
Cyber Security · Human Risk · Culture

Your employees are your biggest attack surface.

95% of successful cyber attacks involve human error — a clicked link, a reused password, a phone call from a convincing impostor. No firewall blocks a deceived employee.

Managed security awareness training with continuous phishing simulations, measurable risk scoring, and automated remedial training turns your workforce from the weakest link into an active layer of defence.

Phishing Simulation — Live Campaign (IN PROGRESS)
📧 Simulated: "IT Department — Password Reset Required"
Spear-phish · Credential harvest lure · 47 users targeted

Department | Sent | Clicked | Reported | Click rate
Finance | 12 | 4 | 7 | 33%
HR | 8 | 2 | 5 | 25%
Engineering | 15 | 1 | 13 | 7%
Sales | 9 | 5 | 3 | 56%
Executive | 3 | 0 | 3 | 0%

⚡ Auto-enrolled: Finance (4) and Sales (5) into remedial training

  • 95% of breaches involve human error (IBM)
  • 82% phishing click-rate reduction after 12 months training
  • 1,000+ training modules across 30+ languages
  • < 5 min average module length — no productivity loss
  • 2.9bn USD lost to BEC attacks in 2023 (FBI IC3)
  • 6 months half-life of awareness without reinforcement

Programme Capabilities

A Complete Human Risk Management Programme

Six pillars that together address every dimension of human-layer risk — from technical phishing resilience to cultural security ownership.

🎣 AI-Powered Phishing Simulations

Realistic phishing, smishing, and vishing simulations built on the same techniques used by real threat actors — including spear-phishing that uses employees' names, job titles, and publicly available social media data. Campaigns are automatically randomised across send times, subjects, and lure types to prevent employees from tipping each other off. Every click, credential entry, and report is tracked per user.

🎓 Engaging Training Content Library

Over 1,000 interactive training modules, videos, games, and newsletters covering phishing, ransomware, password hygiene, social engineering, safe browsing, USB drops, and physical security. Content is continuously updated as new threats emerge. Modules are typically 2–5 minutes — short enough to hold attention without disrupting productivity. Available in 30+ languages for global workforces.

📊 Measurable Risk Scoring & Reporting

Every employee is assigned a risk score based on their phishing click rate, training completion, and historical behaviour. Aggregate scores roll up into team, department, and organisation-level dashboards. Executive reports show month-on-month risk reduction, compliance training completion rates, and benchmark comparisons against organisations in your sector. Risk scores can feed directly into your GRC platform.

🤖 Automated Training Enrolment

Employees who click phishing links or fail to complete required training are automatically enrolled in remedial micro-training — a 2-minute module that explains exactly what they missed and why it matters. This closes the behaviour loop immediately, at the moment of greatest learning impact, without requiring manual IT intervention. Repeat offenders receive progressively more intensive training pathways.

📱 Simulated Social Engineering Attacks

Beyond email — simulated vishing (voice phishing) tests, SMS phishing (smishing) campaigns, and physical pretexting exercises test the full attack surface that adversaries use in the real world. QR code phishing (quishing) simulations address the fastest-growing attack vector of 2024. Results are benchmarked against industry averages so you understand your standing versus peers.

🏆 Security Culture Change Programme

Sustainable security requires culture, not just compliance. Gamification elements — leaderboards, badges, and team challenges — drive voluntary engagement beyond mandatory training. Monthly security newsletters keep security top of mind between formal training cycles. Phishing report buttons (one-click in Outlook/Gmail) turn employees into an active threat intelligence layer, reporting real phishing emails to your SOC.

[Figure: Security awareness training journey — baseline, role-based modules, phishing simulation, just-in-time coaching, security culture]

Real-World Scenarios

The Human Attacks Your Technical Controls Cannot Stop

🎯 Spear-Phishing & BEC Attacks

  • Business Email Compromise (BEC) cost global organisations $2.9 billion in 2023 — it relies entirely on employees being deceived, not technical exploits
  • Spear-phishing simulations use employees' actual names, roles, and LinkedIn data to replicate the personalised attacks that bypass technical email filters
  • CEO/CFO impersonation simulations train finance and PA staff — the most frequently targeted roles in wire transfer fraud
  • Post-click training immediately explains the red flags the employee missed in that specific email

📋 Compliance & Regulatory Training

  • GDPR, ISO 27001, Cyber Essentials, PCI DSS, and NIS2 all require demonstrable security awareness training for staff
  • Pre-built compliance training modules for GDPR data handling, PCI DSS cardholder data, HIPAA, and sector-specific regulations
  • Automatic completion certificates and audit-ready reports produced for every training module and phishing campaign
  • Training completion rates and phishing click rates are documented evidence of your security culture for auditors and cyber insurance underwriters

🏠 New Starters & Remote Workforce

  • Automated onboarding training ensures every new employee completes security awareness training in their first week — before they access sensitive systems
  • Remote workers are statistically 3x more likely to click phishing links than office-based staff, due to reduced oversight and fewer informal security reminders
  • BYOD and home network guidance addresses the shadow IT and insecure Wi-Fi risks that remote work introduces
  • Scheduled refresher campaigns ensure awareness doesn't decay — the half-life of security training without reinforcement is approximately 6 months

🔍 Insider Threat & Data Handling

  • Accidental data loss — emailing sensitive files to the wrong recipient, misconfigured SharePoint sharing — is responsible for more GDPR breach notifications than malicious attacks
  • Training modules on safe data handling, correct use of cloud storage, and identifying the classification of sensitive data reduce accidental breach risk
  • USB drop simulations test physical security policies — a found USB device being plugged in is one of the oldest and most effective social engineering attacks
  • Reporting culture training encourages employees to report suspected incidents immediately, drastically reducing dwell time when breaches do occur

KnowBe4 vs Proofpoint Security Awareness

Both are Gartner-recognised leaders. We match the right platform to your environment and training objectives.

Platform: KnowBe4
  • World's largest security awareness training library
  • AI-driven phishing simulation engine (AIDA)
  • PhishER inbox management and triage
  • Vishing, smishing, and USB simulation
  • SecurityCoach real-time coaching
  • Automated training enrolment on failure

Platform: Proofpoint Security Awareness
  • Threat intelligence-driven simulations (real lures from live campaigns)
  • CyberStrength knowledge assessments
  • Highly personalised attack simulations
  • ThreatSim phishing templates from actual threats
  • Nexus People Risk Explorer risk scoring
  • Integration with Proofpoint email gateway

How We Deliver Your Programme

01 📊 Baseline Phishing Assessment

We run a baseline phishing simulation across your entire user base — before any training — to establish your current click rate, credential submission rate, and reporting rate. This gives you an honest, measured starting point and identifies the highest-risk user populations.

02 🏗️ Platform Configuration & Integration

KnowBe4 or Proofpoint is configured to your domain, integrated with your Azure AD / Active Directory for automated user sync, and connected to Outlook or Google Workspace with one-click phishing report buttons deployed to all mailboxes.

03 📅 Campaign Design & Scheduling

We design a 12-month training calendar with escalating phishing difficulty, mandatory compliance modules, optional culture-building content, and automated remedial enrolment. Campaigns are tuned to avoid simulation fatigue while maintaining behavioural change.

04 📈 Ongoing Reporting & Programme Review

Monthly executive dashboards, quarterly programme reviews, and annual risk score analysis track your ROI. We benchmark your click rates against your sector and recommend programme adjustments based on emerging threat intelligence.

What is your organisation's current phishing click rate?

A free baseline phishing simulation across your organisation takes 24 hours to set up, requires no user disruption, and gives you an honest picture of your human risk exposure before you invest in training.
