Blog

AI Data Leakage

AI data leakage illustration - employee pasting confidential code into a chatbot window with data flowing to external servers

Samsung’s semiconductor division banned ChatGPT in May 2023 after three employees leaked confidential data in under a month. One engineer pasted proprietary source code to debug an error. Another submitted internal meeting notes to generate a summary. A third uploaded chip manufacturing measurements to get yield calculations. Each person was trying to do their job faster. Each left a copy of Samsung’s trade secrets on an OpenAI server.

Within weeks, Apple, JPMorgan, Bank of America, Verizon, Amazon, Goldman Sachs, and Deutsche Bank had followed with their own restrictions. The calculus was the same at every company. The productivity gains were real, but so was the risk of employees turning consumer AI tools into a data exfiltration channel nobody had authorized.

Two years later, the bans have softened into policies, and the policies have softened into training gaps. Most employees still don’t understand what happens to the text they paste into an AI chat window. This is the core of OWASP LLM02, the sensitive information disclosure risk that sits second on the OWASP Top 10 for LLM Applications.

10 Free Agentic AI Security Exercises

OWASP Top 10 for Agentic Applications training course - terminal showing all 10 exercises live with checkmarks

Every risk category in the OWASP Top 10 for Agentic AI Applications now has a dedicated training exercise on RansomLeak. Ten exercises covering ten attack scenarios where AI agents act on their own and things go wrong. All free, no account required.

The OWASP Top 10 for Agentic AI Applications is the industry framework for categorizing security risks specific to autonomous AI agents. This course turns each category into a hands-on simulation where employees experience these attacks in realistic workplace scenarios.

10 Free OWASP LLM Top 10 AI Exercises

OWASP Top 10 for LLM Applications training course - terminal showing all 10 exercises live with checkmarks

Every risk category in the OWASP Top 10 for LLM Applications now has a dedicated training exercise on RansomLeak. Ten exercises covering ten attack scenarios, from prompt injection to denial-of-wallet. All free, no account required.

The OWASP Top 10 for LLM Applications is the industry standard for categorizing AI security risks. This course turns each category into a hands-on simulation where employees experience these attacks firsthand in realistic workplace scenarios.

Quishing (QR Code Phishing): How to Stop It

Quishing attack flow showing a malicious QR code being scanned by a phone and redirecting to a fake login page for credential harvesting

Quishing is phishing delivered through a QR code. The attacker encodes a malicious URL inside a square of pixels, drops it into a corporate email or prints it over a legitimate sign, and lets the target’s phone do the rest. Email filters see an image, not a link. The victim scans on a personal device that sits outside every corporate security control. That mismatch is what makes quishing work.

RansomLeak vs Hoxhunt Comparison

Side-by-side comparison of RansomLeak interactive 3D simulations versus Hoxhunt AI-adaptive phishing platform

Hoxhunt and RansomLeak both reject the idea that security training should be a passive, video-heavy compliance exercise. Both platforms bet on engagement over lecture slides. But they solve the engagement problem in fundamentally different ways.

Hoxhunt builds AI-adaptive phishing simulations that adjust difficulty based on each employee’s performance. The system learns who falls for what and sends progressively harder attacks to keep people challenged. It is a sophisticated approach to the phishing simulation problem specifically.

RansomLeak builds interactive 3D simulations where employees practice handling full attack scenarios. Not just phishing, but ransomware, social engineering, vishing, deepfakes, AI security threats, and GDPR compliance. The focus is hands-on practice across the full spectrum of security risks.

Both approaches work. The question is which one matches what your organization actually needs.