RansomLeak | Blog

OWASP Top 10 for LLM Applications: 10 free training exercises now live

Fri, 03 Apr 2026 00:00:00 GMT

Every risk category in the OWASP Top 10 for LLM Applications now has a dedicated training exercise on RansomLeak. Ten exercises covering ten attack scenarios, from prompt injection to denial-of-wallet. All free, no account required.

The OWASP Top 10 for LLM Applications is the industry standard for categorizing AI security risks. This course turns each category into a hands-on simulation where employees experience these attacks firsthand in realistic workplace scenarios.

What is the OWASP Top 10 for LLM Applications training course?

The OWASP Top 10 for LLM Applications training course is a set of 10 interactive exercises covering every risk category in the OWASP LLM Top 10 (2025 revision). Published by the Open Worldwide Application Security Project, the OWASP LLM Top 10 identifies the most critical security risks in systems that use large language models: prompt injection, sensitive data exposure, supply chain compromise, data poisoning, unsafe output handling, excessive agency, system prompt leakage, RAG pipeline exploitation, AI-generated misinformation, and unbounded consumption. According to Gartner, 55% of organizations were using generative AI in production by mid-2025, while only 38% had any form of AI-specific security training. Each exercise in this course places employees inside a realistic attack scenario involving AI tools they already use at work: chatbots, coding assistants, RAG-powered knowledge bases, and AI-connected automation systems. Exercises run in the browser as interactive 3D simulations, take about 10 minutes each, and require no account or installation.

The course covers all 10 OWASP LLM risk categories:

Prompt Injection: Hidden instructions in a document hijack an AI assistant mid-task
Sensitive Data Exposure Through AI: Confidential data pasted into AI tools persists in training pipelines and logs
AI Supply Chain Compromise: A marketplace AI plugin passes functional tests while hiding a backdoor
AI Training Data Poisoning: Poisoned documents in a knowledge base corrupt AI-generated business answers
Unsafe AI Output Handling: Unsanitized AI output enables SQL injection and XSS through the AI layer
Over-Permissioned AI Agent: A manipulated prompt triggers unauthorized emails, file shares, and calendar changes
AI System Prompt Extraction: Conversational techniques extract hidden business rules and credentials from a chatbot
RAG Pipeline Exploitation: Vector similarity search bypasses document-level access controls
AI Hallucination and Misinformation: Fabricated statistics and fake citations appear in an AI-generated business report
AI Denial-of-Service: Crafted prompts spiral cloud costs from dollars to thousands in minutes

Each exercise runs in the browser as an interactive 3D simulation. Employees make decisions, observe consequences, and build intuition for recognizing these attacks in their own workflows.

Why do employees need LLM security training right now?

The gap between AI adoption and AI security awareness keeps growing. Your employees interact with LLMs every day. Support agents use chatbots. Developers rely on AI coding assistants. Marketing teams generate content. Finance teams summarize reports. Each of those interactions is a potential attack surface, and most employees have no idea.

The incidents are already adding up. Samsung engineers leaked proprietary source code through ChatGPT in 2023. A New York attorney submitted fabricated case citations generated by AI to a federal court the same year. In late 2025, Anthropic documented a Chinese state-sponsored group that weaponized an AI coding tool for espionage across more than 30 organizations. These are not hypothetical scenarios. They happened, and they keep happening.

Traditional security awareness training covers phishing, passwords, and social engineering. Those topics still matter. But they do not prepare employees for what happens when they paste an API key into a consumer AI chatbot, or when an AI assistant starts following hidden instructions from a document instead of their own commands.

How do these exercises work compared to slide-based training?

Most AI security training is a slide deck explaining what prompt injection is, followed by a quiz asking employees to repeat the definition. That checks a compliance box. It does not change behavior.

These exercises put employees inside the attack. In the Prompt Injection exercise, you watch an AI assistant process a document containing hidden instructions. You see the moment the AI’s behavior changes. You trace the data exfiltration path from your chat window to an attacker-controlled endpoint. That experience sticks in a way that reading a definition does not.

In the System Prompt Extraction exercise, you play the attacker. You try conversational techniques against a customer-facing chatbot, starting with polite requests and escalating to role-play manipulation. When the system prompt leaks and reveals hardcoded API keys and internal pricing rules, you understand why prompt hardening matters, because you just broke through it yourself.

The Data Poisoning exercise shows side-by-side comparisons of AI responses before and after poisoned documents enter the knowledge base. You ask routine business questions and watch the AI deliver confident, wrong answers, citing the poisoned documents as sources. Seeing the AI recommend a fake vendor with complete confidence is a more effective lesson than any slide about “knowledge base integrity.”

Each exercise takes about 10 minutes. No installation, no login. Open the link and start.

Which exercises should your team start with?

Not every role needs the same depth on all ten risks. Prioritize based on who is taking the training.

All employees should start with Sensitive Data Exposure and AI Hallucination. These two risks affect anyone who uses AI tools for work. The data exposure exercise teaches what happens when confidential information enters a consumer AI chatbot. The hallucination exercise builds practical fact-checking habits for AI-generated content.

Developers and engineers should add Prompt Injection, Unsafe Output Handling, and RAG Pipeline Exploitation. Anyone building AI-integrated applications needs to understand how AI outputs can carry injection payloads into downstream systems, and how RAG architectures leak data across permission boundaries.

IT and security teams should run all ten. Supply Chain Compromise, Over-Permissioned AI Agent, and Denial-of-Service cover infrastructure and configuration risks that security teams need to audit across the organization.

Managers and executives should focus on Excessive Agency and System Prompt Extraction. These exercises show the business consequences of rushed AI deployments: unauthorized actions performed by over-permissioned agents, and confidential business logic exposed through chatbot conversations.

How does this course fit into a broader AI security program?

The OWASP Top 10 for LLM Applications covers risks in the AI models and tools themselves. AI security extends beyond the model layer.

Our AI & LLM Security catalogue includes this course alongside the OWASP Top 10 for Agentic AI Applications (coming soon), which covers risks specific to autonomous AI agents: goal hijacking, tool exploitation, privilege escalation, memory poisoning, and cascading failures in multi-agent systems. For a deeper look at those risks, read our guide to the OWASP Agentic AI Top 10.

For organizations building their first AI security training program, start with this LLM course to establish baseline awareness across all employees. Layer in the agentic AI exercises for technical teams as those become available.

These exercises also complement existing training tracks. If your team already runs phishing detection and social engineering exercises, the AI security course fills the gap that traditional training leaves open. For a look at how AI is changing phishing tactics specifically, pair the LLM course with our deepfake social engineering content.

All ten OWASP Top 10 for LLM Applications exercises are live in our AI security training catalogue. Start with the Prompt Injection exercise or explore the full training catalogue to find the right path for your team.

Sources

Quishing: How QR Code Phishing Bypasses Your Email Filters

Fri, 27 Mar 2026 00:00:00 GMT

Your company’s email gateway can parse URLs, detonate attachments in a sandbox, and flag sender domains that were registered yesterday. It cannot read a QR code.

That is the entire premise of quishing. Attackers embed a malicious URL inside a QR code image, drop it into an email, and let the recipient’s phone do the rest. The email contains no clickable link. No suspicious attachment. Just a square of black and white pixels that your security tools treat as a harmless image file.

The attack is not new, but it scaled fast. Abnormal Security’s 2024 threat report found that QR code phishing attacks increased by over 400% in the second half of 2023 compared to the same period in 2022. HP Wolf Security documented corporate quishing campaigns impersonating Microsoft 365, DocuSign, and internal HR portals throughout 2024.

What makes quishing different from garden-variety email phishing is the device switch. The victim reads the email on their laptop but scans the code with their phone. That phone usually sits outside the corporate security perimeter. No web proxy, no DNS filtering, no endpoint detection. The attacker just moved the entire attack to an unmanaged device.

What is quishing?

Quishing is a phishing technique where attackers encode a malicious URL inside a QR code and deliver it through email, print, or physical placement. The term combines “QR” and “phishing.” When someone scans the code, their device opens a URL that typically leads to a credential-harvesting page, a malware download, or an OAuth authorization prompt designed to steal account access.

The reason quishing works so well against organizations is structural. Email security platforms operate on URLs and file signatures. A QR code is neither. It is a PNG or SVG image embedded in the email body, and most email gateways do not decode images to extract embedded URLs. Even platforms that have added QR code scanning struggle with false positive rates, because legitimate QR codes appear in marketing emails, event invitations, and internal communications every day.

How does a quishing attack work?

The attack follows a predictable pattern, but each stage exploits a different gap in corporate defenses.

The email

The attacker sends an email that looks like it came from a trusted source. Common pretexts include Microsoft 365 MFA setup notices, SharePoint document sharing notifications, HR policy acknowledgments, and package delivery confirmations. The email body contains a QR code and text urging the recipient to scan it. Sometimes the email explicitly says the link “only works on mobile devices” to justify the QR format.

Unlike traditional phishing, the email has no embedded URL for security tools to inspect. The QR code is rendered as an inline image. Some attackers go further and use ASCII art or HTML table-based QR codes that do not even register as image files during scanning.

The scan

The recipient scans the QR code with their phone camera. Modern smartphones open URLs automatically after scanning, which means the victim may land on the phishing page before they have a chance to inspect the destination. Even careful users who check the URL preview on their phone screen face a challenge: attackers use URL shorteners, redirect chains, and legitimate-looking domains to make the destination appear safe for the half-second it is visible.

The harvest

The phone opens a page that mimics a Microsoft 365 login, a Google Workspace prompt, or a corporate SSO portal. The page looks real. It asks for credentials. If the target enters them, the attacker captures the username and password in real time. Many quishing kits also proxy the login to the real service and intercept the MFA code, defeating two-factor authentication entirely.

This real-time proxying is the same technique used in adversary-in-the-middle (AiTM) phishing frameworks. The difference is delivery: instead of sending a clickable link, the attacker sends a QR code.

Why do QR codes bypass email security?

Email security tools were built to inspect two things: URLs and files. QR codes are neither.

A Secure Email Gateway (SEG) parses the email body for hyperlinks, extracts them, and checks each one against threat intelligence databases, URL reputation services, and real-time sandboxes. None of that works when the URL is encoded as a matrix of pixels inside an image.

Some enterprise email platforms (Microsoft Defender for Office 365, Proofpoint, Abnormal Security) have added QR code image decoding to their scanning pipelines since late 2023. But detection rates remain inconsistent. Attackers already adapt by using QR codes that redirect through multiple URL shorteners, embedding QR codes inside PDF attachments instead of inline images, or splitting the QR code across multiple image fragments that reassemble visually but confuse automated scanners.

The fundamental problem is not a single vendor’s limitation. It is that QR codes shift the interaction from a managed desktop browser to an unmanaged mobile device. Even if the email gateway decodes the QR code and flags the URL, the employee may still photograph the QR code from a printed copy or a shared screen, bypassing email security entirely.

Where do quishing attacks show up?

Email is the most common delivery channel, but it is not the only one.

Printed materials. Attackers place malicious QR codes over legitimate ones on parking meters, restaurant menus, conference badges, and public signage. The FBI issued a public warning about this in January 2022, after reports of tampered QR codes on parking meters in multiple U.S. cities redirecting users to fraudulent payment portals.

Internal documents. Attackers who gain initial access to a corporate network sometimes embed malicious QR codes in internal wiki pages, shared documents, or Slack messages. These carry higher trust because they come from “inside.”

Physical mail. QR codes in fake invoices, compliance notices, or benefits enrollment letters mailed to employees’ home addresses. This bypasses corporate email security completely and catches people in a low-suspicion context. The Swiss National Cyber Security Centre (NCSC) warned about a wave of these in November 2023, with fake postal notices containing QR codes that downloaded Android malware.

Social engineering combos. Quishing pairs well with callback phishing. The email contains a phone number and a QR code. “Call us or scan the code for faster service.” Two attack channels in one email, and neither contains a traditional phishing link.

How to spot a quishing attempt

Most of the detection rules that work for link-based phishing do not apply to quishing, because there is no link to hover over. You need a different mental checklist.

Question why a QR code is necessary. If the email is from IT, HR, or a vendor, ask yourself: why would they send a QR code instead of a regular link? Internal systems have URLs. Legitimate services have login pages you can navigate to directly. A QR code is almost always unnecessary in a corporate email context.

Check the sender carefully. Quishing emails impersonate the same brands that traditional phishing does: Microsoft, Google, DocuSign, your company’s own domain. Look at the actual sender address, not the display name. If the “Microsoft Security Team” is emailing from a random domain, that is your answer.

Preview before you visit. When you scan a QR code on most phones, the URL appears briefly before the browser opens. Read it. If the domain does not match the organization the email claims to be from, do not tap through. If it uses a URL shortener like bit.ly or tinyurl, treat it as suspicious.

Verify through a separate channel. If the email says you need to re-authenticate or confirm your identity, go to the service directly by typing the URL yourself. Do not scan the code. This is the same advice that applies to smishing and every other phishing variant: never use the contact method provided in the suspicious message itself.

Quishing vs traditional phishing

The two attacks aim for the same outcome but take different paths to get there.

	Traditional phishing	Quishing
Delivery	Email with clickable URL	Email with QR code image
URL visibility	Hoverable link, inspectable	Encoded in image pixels
Email filter evasion	Moderate (URL is scannable)	High (URL is hidden in image)
Target device	Desktop/laptop browser	Mobile phone browser
Security perimeter	Corporate network, managed browser	Personal device, unmanaged
MFA interception	Requires AiTM proxy	Same AiTM proxy, mobile delivery
User detection	Hover over link, check URL	Must preview QR destination

The device switch is the big one. When the attack moves to a personal phone, the organization loses visibility. No web proxy logs, no DNS query records, no endpoint telemetry. The credential theft happens on a device your security team does not control.

Traditional phishing detection training teaches employees to hover over links. That skill is useless against a QR code. Your training program needs to address both attack types separately, because the detection heuristics are different.

How quishing connects to larger attack chains

Quishing is rarely the entire attack. It is the initial access step in a longer chain.

The most common follow-on is business email compromise. The attacker captures an employee’s Microsoft 365 credentials through a quishing page, logs in from a proxy that matches the victim’s geographic location to avoid impossible-travel alerts, and begins sending emails from the compromised account. Those emails carry the trust of a real internal sender, which makes subsequent social engineering much more effective.

Quishing also feeds into account takeover campaigns. Once the attacker has valid credentials and can intercept MFA tokens, they can access SharePoint, OneDrive, Teams, and any other integrated service. From there, the playbook matches what you see in credential stuffing scenarios: data exfiltration, lateral movement, and in some cases, ransomware deployment.

Training employees on quishing

Standard phishing awareness training does not prepare employees for QR code attacks. The skill of hovering over a link to check the URL is the single most taught phishing detection technique, and it is completely irrelevant when the URL is encoded in an image.

Quishing training needs to build a separate set of reflexes.

Teach the “why would this be a QR code?” question. The most effective single habit is teaching employees to question the format itself. Legitimate internal communications almost never require a QR code. If an email from IT asks you to scan a QR code to update your credentials, the format is the red flag.

Practice QR code URL previewing. Most employees do not know their phone shows a URL preview before opening it. Walk them through the behavior on both iOS and Android. Make them practice scanning safe QR codes and reading the destination before tapping.

Address the device switch. Employees need to understand that scanning a QR code from a work email on a personal phone moves the attack outside corporate security controls. The phone has no web proxy, no managed browser, no endpoint protection from the company. That context matters.

Include quishing in simulation exercises. Send QR code phishing emails as part of your regular simulation program. Employees need to encounter these in a controlled environment before they face a real one. Our QR code phishing exercise simulates a realistic corporate quishing attempt so employees can practice identification and response.

Reinforce across channels. Because quishing also appears in printed materials and physical locations, training should extend beyond email. Teach employees to be skeptical of QR codes on posters, conference handouts, and even codes taped to equipment. If they did not personally generate or expect the QR code, they should verify it before scanning.

See what a corporate quishing attack looks like before you face a real one. Try our free QR code phishing exercise and practice spotting malicious QR codes in realistic email scenarios. For broader coverage, explore our security awareness training catalogue for exercises on phishing, smishing, email security, and social engineering.

RansomLeak vs Hoxhunt: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

Hoxhunt and RansomLeak both reject the idea that security training should be a passive, video-heavy compliance exercise. Both platforms bet on engagement over lecture slides. But they solve the engagement problem in fundamentally different ways.

Hoxhunt builds AI-adaptive phishing simulations that adjust difficulty based on each employee’s performance. The system learns who falls for what and sends progressively harder attacks to keep people challenged. It is a sophisticated approach to the phishing simulation problem specifically.

RansomLeak builds interactive 3D simulations where employees practice handling full attack scenarios. Not just phishing, but ransomware, social engineering, vishing, deepfakes, AI security threats, and GDPR compliance. The focus is hands-on practice across the full spectrum of security risks.

Both approaches work. The question is which one matches what your organization actually needs.

What is Hoxhunt?

Hoxhunt is a Finnish security awareness and phishing training platform founded in 2016 in Helsinki. The platform uses AI to generate and adapt phishing simulations to each individual employee. Hoxhunt’s core mechanism sends simulated phishing emails that increase or decrease in difficulty based on how each person responds. Employees who report simulations earn points and climb leaderboards. The platform focuses on building phishing reporting behavior through positive reinforcement rather than punitive click-rate tracking. Hoxhunt raised a $40 million Series B in 2022 and serves enterprise customers primarily in Europe and North America.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises covering phishing, social engineering, ransomware, business email compromise, vishing, smishing, privacy compliance (GDPR, CCPA, HIPAA), and AI security. Training is delivered through immersive scenarios where employees make decisions in realistic attack situations. RansomLeak supports both SCORM deployment into existing LMS infrastructure and a standalone cloud platform with analytics, SSO, and campaign management.

Feature comparison

Category	RansomLeak	Hoxhunt
Content approach	Interactive 3D simulations	AI-adaptive phishing simulations
Primary focus	Full security awareness (phishing, social engineering, ransomware, AI, privacy)	Phishing detection and reporting
Adaptive difficulty	Exercises range from beginner to advanced	AI adjusts per-employee in real time
Gamification	Points, badges, leaderboards	Points, leaderboards, team competitions
Content library	100+ exercises across 14 categories	Phishing templates (AI-generated)
SCORM support	SCORM 1.2 and 2004 export	No SCORM export
LMS flexibility	Any LMS or standalone cloud	Hoxhunt platform only
Free content	100+ exercises, no sign-up	Demo through sales team
Reporting focus	Completion, engagement, compliance	Reporting rates, resilience scores
SSO/SAML	Okta, Azure AD, Google Workspace	Major IdP support
Languages	Growing multilingual	30+ languages
Compliance reporting	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	SOC 2, GDPR
Pricing	Enterprise custom	Enterprise custom (premium tier)

Where Hoxhunt is stronger

AI-adaptive phishing simulations. Hoxhunt’s core strength is its adaptive engine. The system automatically adjusts phishing simulation difficulty based on each employee’s track record. New or struggling employees get simpler phishing emails. Employees who consistently report simulations face increasingly sophisticated attacks. This personalized approach means every employee is challenged at their level, which is a genuinely good way to build phishing detection skills over time.

Phishing reporting culture. Hoxhunt is specifically designed to build reporting behavior. The platform rewards employees who report suspicious emails rather than punishing those who click. This positive reinforcement model produces measurably higher phishing reporting rates. If building a strong reporting culture is your top priority, Hoxhunt’s approach is purpose-built for it.

Behavioral analytics depth. Hoxhunt tracks individual employee resilience scores over time, showing how each person’s ability to detect phishing evolves. This per-employee behavioral data is deeper than what most platforms offer for phishing-specific metrics. Managers can identify who needs more training and who is becoming an effective human firewall.

Language coverage. With support for 30+ languages, Hoxhunt handles global rollouts well. Phishing simulations are delivered in the employee’s language, which matters for realistic training.

Where RansomLeak is stronger

Topic breadth. This is the fundamental difference. Hoxhunt focuses on phishing detection and reporting. RansomLeak covers the full security awareness spectrum: phishing, social engineering, ransomware, business email compromise, vishing, smishing, callback phishing, USB drop attacks, insider threats, GDPR compliance, AI security, and real-world incident analysis. If your program needs to train employees on threats beyond email, RansomLeak covers ground that Hoxhunt does not.

Learning method. Hoxhunt trains through simulated phishing emails. RansomLeak trains through interactive 3D scenarios where employees step into realistic situations and make decisions. Both methods beat passive video, but the simulation approach allows for complex multi-stage scenarios that a phishing email cannot replicate. A deepfake social engineering exercise or a ransomware response drill requires more than an inbox interaction.

SCORM and LMS flexibility. RansomLeak exports as SCORM 1.2 and 2004 packages that integrate with any standards-compliant LMS. Hoxhunt operates exclusively through its own platform. If your organization mandates that all training runs through a central LMS (Cornerstone, Workday, Moodle, or similar), RansomLeak meets that requirement. Hoxhunt does not.

Free evaluation. RansomLeak offers 100+ exercises for free with no account or sales conversation required. You can assess the content quality, the interaction model, and the topic coverage before committing. Hoxhunt requires a sales-led demo process to evaluate the platform.

Compliance framework coverage. RansomLeak provides audit-ready reporting for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and NIS2. This broader compliance coverage matters for organizations operating under multiple regulatory frameworks.

Who should choose Hoxhunt?

Hoxhunt is the right platform if:

Phishing detection and reporting are your program’s primary focus
You want AI-driven adaptive difficulty that personalizes to each employee
Building a phishing reporting culture matters more than broad topic coverage
Your organization does not need SCORM/LMS integration
You have the budget for premium per-seat pricing

The typical Hoxhunt buyer is a mid-to-large enterprise with a security team that prioritizes phishing resilience metrics and wants automated, AI-driven simulation campaigns that run with minimal manual configuration.

Who should choose RansomLeak?

RansomLeak is the right platform if:

You need training that covers more than phishing (social engineering, ransomware, AI threats, compliance)
You want employees to practice handling attacks in realistic simulations
SCORM integration with your existing LMS is a requirement
You want to try the full content library before committing (free exercises)
Your compliance program spans multiple frameworks (SOC 2, ISO 27001, HIPAA, GDPR, NIS2)

The typical RansomLeak buyer is an organization that needs a comprehensive security awareness program, not just a phishing simulation tool, and wants training that employees actually engage with.

How does pricing compare?

Both platforms use custom enterprise pricing. Hoxhunt positions itself at the premium end of the market. Exact pricing requires a quote from both vendors, but industry conversations suggest Hoxhunt’s per-seat cost is higher than the market average, reflecting its AI-adaptive technology.

RansomLeak’s all-free exercise library means you can assess the full training content at zero cost before entering a pricing conversation for enterprise features. This is unusual in the SAT market, where most vendors gate their content behind sales calls.

The pricing question matters less than the scope question. If phishing simulation is all you need, compare Hoxhunt’s price against other phishing-focused tools. If you need phishing plus ransomware plus social engineering plus compliance plus AI security training, comparing Hoxhunt’s phishing-only price to RansomLeak’s full-spectrum price is not apples-to-apples.

How to decide

The choice between Hoxhunt and RansomLeak is not about which platform is “better.” It is about what your security awareness program needs to accomplish.

If your primary goal is reducing phishing susceptibility through AI-adaptive simulations and building a strong reporting culture, Hoxhunt is purpose-built for exactly that.

If your program needs to cover the full range of security threats, from phishing to ransomware to credential stuffing to AI security risks, and you want employees to practice handling those threats in interactive simulations, RansomLeak covers more ground.

Try both. Hoxhunt offers demos through their sales team. RansomLeak’s full exercise catalogue is free to try right now.

See how interactive simulations compare to adaptive phishing. Try a free phishing exercise, vishing scenario, or deepfake whaling simulation. Browse the full training catalogue for 100+ exercises. No sign-up required.

RansomLeak vs KnowBe4: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

KnowBe4 is the largest security awareness training platform in the world. They have been in the market since 2010, trained tens of millions of users, and built a content library that runs into thousands of modules. If you are evaluating security awareness training, KnowBe4 will be on your shortlist. It should be.

But “largest” and “best fit” are different things. KnowBe4’s strengths are real, and so are the reasons organizations look beyond it. Pricing scales fast. The content library is massive but largely video-based. Phishing simulations are strong, but the broader training experience can feel like a compliance checkbox.

RansomLeak takes a different approach. Interactive 3D simulations instead of video lectures. Hands-on exercises where employees make decisions and see consequences. SCORM packages that work with any LMS, or a standalone cloud platform if you do not have one. Over 100 free exercises with no sign-up required.

This is an honest comparison. We will cover where KnowBe4 is stronger, where RansomLeak is stronger, and who each platform is built for. We are biased (we built RansomLeak), so we will be transparent about it.

What is KnowBe4?

KnowBe4 is a security awareness training and simulated phishing platform founded by Stu Sjouwerman in 2010. It is the market leader by user count, with over 65,000 customer organizations globally. The platform combines a large library of training content (videos, interactive modules, games, posters, newsletters) with simulated phishing campaigns that test employee susceptibility to email-based attacks. KnowBe4 was taken private by Vista Equity Partners in 2023 after trading publicly on NASDAQ. The platform targets organizations of all sizes but has the strongest foothold in mid-market and enterprise accounts.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises across phishing, social engineering, ransomware, privacy compliance, and AI security. Training is delivered through immersive scenarios where employees practice handling realistic attacks, not by watching videos about them. RansomLeak supports both SCORM deployment (for existing LMS infrastructure) and a standalone cloud platform with built-in analytics, SSO, and campaign management.

Feature comparison

Category	RansomLeak	KnowBe4
Content approach	Interactive 3D simulations	Video-based modules + some interactive
Content library size	100+ exercises, growing monthly	1,000+ modules across formats
Phishing simulations	Exercise-based scenarios	Full-featured campaign platform
Topic coverage	Phishing, social engineering, ransomware, GDPR, AI security, privacy	Phishing, social engineering, compliance, ransomware, insider threats
SCORM support	SCORM 1.2 and 2004 export	Limited SCORM (primarily own platform)
LMS flexibility	Any LMS or standalone cloud	Primarily KnowBe4 platform
Free content	100+ exercises, no sign-up	Limited free resources
Gamification	Points, badges, leaderboards	Gamification features available
Reporting	Real-time analytics, compliance reports	Extensive reporting and dashboards
SSO/SAML	Okta, Azure AD, Google Workspace	Major IdP support
SIEM integration	Splunk, Sentinel, QRadar export	API-based integration
Compliance frameworks	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	SOC 2, ISO 27001, HIPAA, PCI DSS
Languages	Growing multilingual library	35+ languages
Pricing model	Enterprise custom pricing	Per-seat tiered pricing

Where KnowBe4 is stronger

Content library depth. KnowBe4 has over a decade of content production behind it. Thousands of modules, dozens of content series, materials in 35+ languages, plus supplementary resources like posters, newsletters, and screensavers. If you need a training module on a niche compliance topic, KnowBe4 probably has one. RansomLeak’s library is growing but cannot match this breadth today.

Phishing simulation maturity. KnowBe4’s simulated phishing platform is among the most mature in the industry. Thousands of phishing templates, landing pages, USB drive testing, vishing simulations, and detailed reporting on click rates, reporting rates, and susceptibility trends over time. If phishing simulation campaigns are your primary need, KnowBe4 has the deepest tooling.

Market presence and vendor approval. For organizations where the procurement process heavily weights vendor size, market share, and established track record, KnowBe4 is the safe choice. They clear compliance questionnaires and security reviews with well-documented SOC 2 reports and a decade of operational history. New vendors face longer approval cycles.

Language coverage. With content in 35+ languages, KnowBe4 serves global organizations with distributed teams. This matters if you need training materials in languages beyond English, Spanish, French, and German.

Where RansomLeak is stronger

Learning method. RansomLeak’s core differentiator is how training is delivered. Instead of watching a video about phishing and answering quiz questions, employees step into interactive 3D simulations where they face realistic attack scenarios. They make decisions, see the consequences, and build muscle memory for real incidents. Research from the National Training Laboratories shows that practice-based learning produces retention rates around 75%, compared to roughly 10% for passive lectures. This is the central difference between the two platforms.

SCORM flexibility. RansomLeak exports training as SCORM 1.2 and SCORM 2004 packages that run in any standards-compliant LMS. Cornerstone, Workday, SAP SuccessFactors, Docebo, Moodle, Canvas, and dozens more. KnowBe4 operates primarily through its own platform. If your organization already has an LMS and wants security training inside it (not in a separate portal), RansomLeak fits that requirement without workarounds.

Free exercises. RansomLeak offers over 100 exercises for free with no account required. You can evaluate the actual training content, not a demo environment. KnowBe4 requires a sales conversation to see most of their content.

Engagement metrics. Gamification is a feature in both platforms, but RansomLeak’s interactive approach drives measurably higher completion rates. When training requires active participation rather than passive watching, employees treat it as something other than a compliance checkbox. Industry data suggests gamified interactive training achieves 3x higher completion rates than standard video-based modules.

Topic breadth for emerging threats. RansomLeak covers AI security, OWASP LLM risks, deepfake social engineering, and other emerging attack vectors as first-class training topics. KnowBe4’s library addresses some of these through supplementary content, but the depth varies.

Who should choose KnowBe4?

KnowBe4 is the right platform if:

You need training content in 10+ languages for a globally distributed workforce
Phishing simulations are your primary program pillar and you need the deepest template library
Your procurement process requires a vendor with 10+ years of operational history
You want a massive content library where breadth matters more than interactivity
You are already using KnowBe4 and switching costs outweigh the engagement benefits of a different approach

The typical KnowBe4 buyer is a mid-to-large enterprise with a mature security program that needs a proven, widely-deployed platform, even if the training itself skews toward passive video consumption.

Who should choose RansomLeak?

RansomLeak is the right platform if:

You want employees to practice handling attacks, not just watch videos about them
You need SCORM-compatible training that runs inside your existing LMS
You want to evaluate the actual content before committing (100+ free exercises)
Engagement and behavior change matter more than checking a compliance box
You need coverage of AI security, deepfakes, and OWASP LLM/Agentic risks
You prefer a platform that focuses on training quality over volume

The typical RansomLeak buyer is an organization that has tried video-based security training, found that employees treat it as a chore, and wants a different approach that produces actual behavior change.

How does pricing compare?

KnowBe4 uses per-seat tiered pricing across three tiers (Silver, Gold, Platinum, Diamond), with pricing varying by organization size. Published pricing starts around $18-26 per user per year for small organizations, scaling down for volume. Enterprise pricing requires a quote.

RansomLeak uses custom enterprise pricing. All exercises are available to try for free, and enterprise features (analytics, SSO, campaign management, SCORM export, compliance reporting) are part of the paid offering.

Direct price comparison is difficult because the two platforms bundle features differently. The more relevant question is cost per actual behavior change. A cheaper training program that employees click through in ten minutes produces less security improvement than one that takes twenty minutes but leaves a lasting impression. Training ROI research consistently shows that engagement quality, not price per seat, determines whether a program reduces incident rates.

How to decide

Both platforms are legitimate options. The choice depends on what matters more to your organization.

If you need the largest possible content library, the most mature phishing simulation engine, and the safest vendor choice for enterprise procurement, KnowBe4 is hard to beat.

If you want training that employees actually remember, content they engage with instead of click through, and the flexibility to deploy through your own LMS, RansomLeak is built for that.

The best way to decide is to try both. KnowBe4 offers demos through their sales team. RansomLeak lets you try 100+ exercises for free right now, no sales call needed. Start with a phishing exercise, a social engineering scenario, or a ransomware response simulation and see how the interactive approach compares to what you have used before.

See the difference between watching a video and practicing an attack. Try our free phishing exercise, business email compromise scenario, or ransomware simulation. Browse the full training catalogue for 100+ exercises across security awareness, privacy, AI security, and real-world incident response. No sign-up, no sales pitch.

RansomLeak vs Ninjio: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

Most security awareness training is boring. Both Ninjio and RansomLeak acknowledge this. Where they disagree is the solution.

Ninjio says the answer is better entertainment. Produce Hollywood-quality animated episodes that tell real cybersecurity stories in three to four minutes. Make training so watchable that employees actually look forward to it. Replace the forgettable compliance slides with something people want to see.

RansomLeak says the answer is better practice. Build interactive 3D simulations where employees handle realistic attack scenarios. Make training something people do, not something they watch. Replace passive viewing with active decision-making.

One platform invests in production value. The other invests in interaction design. Both reject the status quo, but they reject it in different directions.

What is Ninjio?

Ninjio is a security awareness training platform founded in 2015 in Los Angeles. The company produces animated micro-learning episodes, three to four minutes each, created by a team of Hollywood writers, animators, and producers. Each episode tells the story of a real cybersecurity incident, showing how the attack happened, where the victim went wrong, and how the audience can avoid the same mistake. Ninjio releases new episodes regularly, maintaining a fresh content cadence. The platform also includes phishing simulations, assessments, and a reporting tool. Ninjio positions itself as the entertainment-first approach to security awareness, competing on watchability rather than interactivity.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises across phishing, social engineering, ransomware, business email compromise, vishing, smishing, privacy compliance, and AI security. Training is delivered through immersive scenarios where employees make decisions in realistic attack situations. RansomLeak supports SCORM deployment into any LMS and a standalone cloud platform with analytics, SSO, and campaign management.

Feature comparison

Category	RansomLeak	Ninjio
Content approach	Interactive 3D simulations	Hollywood-animated micro-learning episodes
Content format	Hands-on exercises (15-25 min)	Animated videos (3-4 min)
Employee role	Active participant (makes decisions)	Passive viewer (watches story)
Content production	Software-driven scenarios	Hollywood writers and animators
Content cadence	Monthly new exercises	Regular new episodes
Phishing simulations	Exercise-based scenarios	Phishing simulation campaigns
Topic coverage	14 categories including AI security	General security awareness topics
SCORM support	SCORM 1.2 and 2004	SCORM support available
LMS flexibility	Any LMS or standalone	LMS via SCORM or Ninjio platform
Free content	100+ exercises, no sign-up	Demo through sales
Gamification	Points, badges, leaderboards	Completion tracking
SSO/SAML	Okta, Azure AD, Google Workspace	SSO support
Compliance reporting	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	Basic compliance reporting
Pricing	Enterprise custom	Per-user pricing

Where Ninjio is stronger

Production quality. Ninjio’s animated episodes are genuinely well-produced. Hollywood writing talent creates stories with narrative arcs, character development, and emotional hooks that make security concepts memorable through storytelling. For organizations whose employees actively resist traditional training, Ninjio’s entertainment value reduces resistance to watching the content in the first place.

Episode brevity. At three to four minutes per episode, Ninjio demands minimal time from employees. This micro-learning format fits into busy schedules and reduces the friction of training completion. Managers are more willing to assign four-minute episodes monthly than longer training modules. Completion rates benefit from the short format.

Storytelling approach. Each Ninjio episode is based on a real cybersecurity incident, told as a narrative. Stories are fundamentally how humans learn and remember. The “what happened, what went wrong, and what you should do differently” structure is an effective teaching framework. Employees who remember the story of a CEO who fell for a whaling attack carry that awareness into their own inbox.

Content freshness. Ninjio’s regular episode releases keep the training library current. New episodes address recent attack trends and headline-grabbing breaches. This topicality keeps the content feeling relevant rather than dated.

Where RansomLeak is stronger

Active vs passive learning. This is the core difference. Ninjio employees watch a story about someone else handling (or failing to handle) a security threat. RansomLeak employees step into the scenario themselves, make decisions, and experience the consequences. The learning science is clear on this distinction: practicing a skill produces better retention and behavior change than observing someone else practice it. Training effectiveness research consistently shows that active participation outperforms passive consumption by significant margins.

Skill building vs awareness building. Ninjio builds awareness: employees understand that phishing exists, that social engineering is dangerous, that they should be careful. RansomLeak builds skills: employees practice identifying a spear phishing email, responding to a callback phishing call, handling a ransomware incident, and detecting a QR code phishing attack. Awareness tells you the stove is hot. Skill building teaches you to cook without getting burned.

Topic depth. Ninjio covers general security awareness topics through short episodes. RansomLeak goes deep across 14 categories: phishing variants (spear phishing, whaling, quishing, vishing, smishing, callback phishing), device security, password management, GDPR compliance, AI security, OWASP LLM risks, and real-world incident case studies. A four-minute animated episode cannot cover a GDPR data breach response workflow with the same depth as a 20-minute interactive simulation.

Hands-on exercise library. RansomLeak offers 100+ free exercises covering scenarios that range from basic phishing detection to complex AI security threats. Ninjio’s content is exclusively video-based. For organizations that want employees to practice, not just understand, the exercise format is the difference.

Compliance framework reporting. RansomLeak provides audit-ready reporting for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and NIS2. Organizations in regulated industries need this documentation. Ninjio’s compliance reporting covers basic completion tracking but is thinner on multi-framework audit support.

Free evaluation. RansomLeak’s full exercise library is free to try without an account. You can assess the quality, depth, and engagement level of the training before committing. Ninjio requires a sales process to evaluate their content.

Who should choose Ninjio?

Ninjio is the right platform if:

Your biggest problem is employees not completing training at all, and you need content they will actually watch
Short-format micro-learning (3-4 minutes) fits your culture better than longer exercises
Entertainment value and storytelling are more important than hands-on practice
You want to build general security awareness rather than specific incident-response skills
Budget allows for Hollywood-quality content production but not necessarily interactive platforms
You value fresh, topical content released on a regular schedule

The typical Ninjio buyer is an organization struggling with training completion rates that wants to make security awareness feel less like work and more like entertainment.

Who should choose RansomLeak?

RansomLeak is the right platform if:

You want employees to build practical skills, not just absorb information
Interactive training where people make decisions matters more than production-value videos
Your program needs depth across phishing, ransomware, social engineering, AI security, and compliance
SCORM integration with your existing LMS is a requirement
Multi-framework compliance reporting (SOC 2, ISO 27001, HIPAA, GDPR, NIS2) is needed
You want to evaluate 100+ exercises for free before purchasing

The typical RansomLeak buyer is an organization that believes security training should build muscle memory for real incidents, and that watching a story about a phishing attack is not the same as practicing how to handle one.

How does pricing compare?

Ninjio uses per-user pricing with annual contracts. The Hollywood production model means their content investment is high, and pricing reflects that. Exact pricing requires a vendor quote.

RansomLeak uses custom enterprise pricing with all exercises available for free evaluation. Enterprise features (analytics, SSO, campaign management, SCORM export, compliance reporting) are part of the paid offering.

Both platforms position above commodity SAT providers, but for different reasons. Ninjio charges for production quality. RansomLeak charges for interaction quality and enterprise features. The relevant comparison is not price per seat but what kind of learning each dollar produces.

How to decide

The decision between Ninjio and RansomLeak comes down to what you believe about how adults learn security behaviors.

If you believe that storytelling creates lasting awareness, that entertainment value drives completion, and that a well-told four-minute story changes behavior more than a forgettable training module, Ninjio’s approach has logic behind it.

If you believe that practice builds skills, that making decisions in simulated attacks produces better outcomes than watching someone else handle them, and that 20 minutes of active participation outweighs four minutes of passive viewing, RansomLeak is built on that premise.

The best test is direct comparison. Ninjio offers demos through their sales team. RansomLeak lets you try 100+ exercises for free right now. Run a social engineering exercise, a vishing scenario, or a deepfake whaling simulation, then ask yourself whether watching a video about those scenarios would have taught you the same thing.

Practice beats watching. Try a free social engineering exercise, phishing scenario, or ransomware response simulation. Browse the full training catalogue for 100+ exercises across security awareness, privacy, AI security, and real-world incidents. No sign-up, no sales pitch.

RansomLeak vs Phished: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

Phished and RansomLeak share a European DNA and a belief that traditional video-based training does not change behavior. Both platforms try to fix the engagement problem. But they approach it from opposite directions.

Phished automates everything. AI generates personalized phishing simulations, adjusts difficulty automatically, and triggers training content when employees need it. The philosophy is that automation produces consistency and scale. Set it up, and the system runs your awareness program with minimal manual intervention.

RansomLeak makes everything interactive. 3D simulations put employees inside attack scenarios where they make decisions and learn from consequences. The philosophy is that hands-on practice builds skills that passive content cannot. The training itself does the heavy lifting, not the automation around it.

Both approaches have merit. The right choice depends on whether your program needs automation breadth or training depth.

What is Phished?

Phished is a Belgian security awareness and phishing simulation platform founded in 2018 in Leuven. The platform uses AI to automatically generate and personalize phishing simulations for each employee. Phished’s engine creates simulations based on current threat intelligence, adjusts difficulty to individual performance, and triggers automated training interventions (micro-learnings called “Phished Academy”) when employees fail simulations. The platform includes behavioral scoring, an employee reporting button for suspicious emails, and compliance reporting with a strong GDPR focus reflecting its European origin. Phished serves mid-market and enterprise organizations, particularly in Europe.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises covering phishing, social engineering, ransomware, business email compromise, vishing, smishing, privacy compliance (GDPR, CCPA, HIPAA), and AI security. Training is delivered through immersive scenarios where employees handle realistic attack situations. RansomLeak supports SCORM deployment into any LMS and offers a standalone cloud platform with analytics, SSO, and enterprise features.

Feature comparison

Category	RansomLeak	Phished
Content approach	Interactive 3D simulations	AI-generated phishing + micro-learning
Primary focus	Full security awareness training	Phishing simulation automation
AI role	Not AI-driven	AI generates and personalizes simulations
Automation level	Campaign-based management	Fully automated (set-and-forget)
Behavioral scoring	Completion and engagement metrics	Individual behavioral risk scores
Training trigger	Scheduled campaigns or self-paced	Triggered automatically on simulation failure
Topic coverage	14 categories (phishing to AI security)	Phishing-focused with supplementary training
SCORM support	SCORM 1.2 and 2004	No SCORM export
LMS flexibility	Any LMS or standalone	Phished platform only
Free content	100+ exercises, no sign-up	Demo through sales
Reporting button	Not included	Browser extension for reporting
GDPR compliance	Yes (Estonian entity, EU data)	Yes (Belgian entity, EU data)
Compliance frameworks	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	GDPR, ISO 27001
Languages	Growing multilingual	15+ languages
Pricing	Enterprise custom	Per-user pricing

Where Phished is stronger

Automation. Phished’s core selling point is that it runs your phishing simulation program without manual effort. The AI generates simulations, personalizes them to each employee, adjusts difficulty over time, and triggers training when needed. For security teams that do not have bandwidth to manually configure and manage simulation campaigns, this automation is genuinely valuable. RansomLeak requires more active campaign management.

AI-personalized simulations. Phished’s engine creates phishing simulations tailored to each employee’s role, department, and past performance. The content is generated using current threat intelligence, which means employees see simulation attacks that reflect real-world phishing trends. This personalization is more granular than template-based approaches.

Reporting button. Phished provides a browser extension and email button that employees use to report suspicious emails directly from their inbox. This builds the reporting habit into the daily workflow. Reports feed back into the behavioral scoring system, creating a feedback loop that rewards vigilance.

European GDPR focus. As a Belgian company, Phished built its platform with GDPR compliance at the core. Data processing, storage, and privacy controls are designed for European regulatory requirements from the ground up. For EU-based organizations with strict data residency requirements, Phished’s European infrastructure is a natural fit.

Behavioral risk scoring. Phished tracks individual employee risk scores based on simulation interactions, reporting behavior, and training completion. This per-person risk profile helps security teams identify who is most vulnerable and whether the program is reducing organizational risk over time.

Where RansomLeak is stronger

Training depth. Phished’s training content consists of short micro-learning modules (“Phished Academy”) that are triggered when employees fail phishing simulations. These are useful for immediate remediation but limited in scope and depth. RansomLeak’s interactive 3D simulations are full training experiences where employees practice complex scenarios: responding to a ransomware attack, handling a callback phishing call, detecting a deepfake video, or navigating a GDPR data breach response. The training itself is the product, not a remediation afterthought.

Topic breadth. Phished focuses on phishing detection and reporting. RansomLeak covers 14 categories: phishing, social engineering, ransomware, business email compromise, vishing, smishing, USB attacks, insider threats, GDPR compliance, AI security, and real-world incident analysis. If your security awareness program extends beyond email phishing, RansomLeak covers the ground.

SCORM and LMS integration. RansomLeak exports as SCORM 1.2 and 2004 packages that run in any standards-compliant LMS. Phished has no SCORM export. For organizations that centralize training in a corporate LMS, this is a deciding factor.

Free evaluation. RansomLeak’s entire exercise library is free to try without an account. Over 100 exercises available immediately. Phished requires a sales conversation to access the platform. Evaluating content quality before committing changes the risk profile of the purchasing decision.

Compliance framework breadth. RansomLeak provides audit-ready reporting for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and NIS2. Organizations subject to multiple regulatory frameworks, common in healthcare and financial services, need this breadth. Phished’s compliance reporting focuses primarily on GDPR and ISO 27001.

Learning method. Phished’s micro-learnings are short, text-and-video-based modules. RansomLeak’s exercises are interactive 3D simulations where employees make decisions inside realistic scenarios. The difference in engagement and retention follows the same pattern documented in training effectiveness research: active practice produces better behavior change than passive consumption.

Who should choose Phished?

Phished is the right platform if:

Phishing simulation automation is your top priority and you want a set-and-forget program
AI-personalized simulation difficulty appeals to your program design
Building a phishing reporting culture with a one-click reporting button matters
You are an EU-based organization with strict GDPR data residency requirements
Your security team lacks bandwidth to manage manual simulation campaigns
You want per-employee behavioral risk scores for phishing specifically

The typical Phished buyer is a European mid-market organization that wants automated phishing simulations running continuously without heavy security team involvement.

Who should choose RansomLeak?

RansomLeak is the right platform if:

You want training that covers more than phishing (social engineering, ransomware, AI threats, compliance)
Interactive simulations where employees practice handling attacks are more valuable than automated simulations they receive
SCORM integration with your LMS is a requirement
You need compliance reporting across multiple frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2)
You want to try the full library before purchasing (100+ free exercises)
Training quality and depth matter more than automation of delivery

The typical RansomLeak buyer is an organization that sees security training as a skill-building investment, not a background automation, and wants exercises employees actively engage with.

How does pricing compare?

Phished uses per-user pricing that scales with organization size. Exact pricing requires a vendor quote. As a European mid-market platform, Phished’s pricing is generally competitive within the SAT market.

RansomLeak uses custom enterprise pricing with all exercises free to evaluate before purchasing. The pricing conversation happens after content evaluation, not before.

The cost comparison depends on scope. If you need phishing simulation automation and nothing else, compare Phished to other phishing-focused tools. If you need phishing plus ransomware plus social engineering plus compliance plus AI security, comparing Phished’s phishing-only platform to RansomLeak’s full-spectrum offering is not an equivalent comparison.

How to decide

The choice maps to a simple question: do you primarily need automated phishing simulations, or do you need comprehensive security training?

If phishing simulation is the core of your program and you value automation, AI personalization, and a reporting button, Phished is purpose-built for that workflow.

If your program needs to cover the full range of threats employees face, from email phishing to QR code attacks to credential stuffing to AI security risks, and you want employees to build skills through hands-on practice, RansomLeak delivers that experience.

Try both. Phished offers demos through their sales team. RansomLeak’s full exercise catalogue is free to explore right now.

See what hands-on training feels like. Try a free phishing exercise, GDPR data breach response, or social engineering simulation. Browse the full training catalogue for 100+ exercises. No account required.

RansomLeak vs Proofpoint: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

Proofpoint Security Awareness Training (formerly Wombat Security) is part of a broader email security ecosystem. If your organization already uses Proofpoint for email protection, their awareness training plugs directly into the same threat intelligence data that powers your email gateway. That integration is the main reason organizations choose it.

RansomLeak has no email security product. It is a standalone training platform that works with any email vendor, any LMS, and any security stack. The training itself is built around interactive 3D simulations rather than Proofpoint’s video and module-based approach.

The comparison comes down to a straightforward question: do you want training that is tightly integrated with one vendor’s email security suite, or training that is platform-agnostic and built around hands-on engagement?

What is Proofpoint Security Awareness Training?

Proofpoint Security Awareness Training is one component of Proofpoint’s broader cybersecurity platform, which includes email security, threat intelligence, data loss prevention, and email archiving. The awareness training product, acquired when Proofpoint bought Wombat Security in 2018, provides video-based training modules, simulated phishing campaigns, and assessments. Its differentiator is integration with Proofpoint’s Targeted Attack Protection (TAP), which allows organizations to target training based on real threat data: employees who receive the most actual phishing attacks get prioritized for training. Proofpoint serves large enterprise customers, particularly in financial services, healthcare, and government.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises covering phishing, social engineering, ransomware, business email compromise, vishing, smishing, privacy compliance, and AI security. Training is delivered through scenarios where employees practice handling realistic attacks. RansomLeak supports SCORM deployment into any LMS and offers a standalone cloud platform with analytics, SSO, and campaign management.

Feature comparison

Category	RansomLeak	Proofpoint SAT
Content approach	Interactive 3D simulations	Video modules + assessments
Threat intelligence integration	No (vendor-agnostic)	Yes (Proofpoint TAP integration)
Phishing simulations	Exercise-based scenarios	Campaign platform with TAP data
Topic coverage	14 categories including AI security, privacy	Phishing, compliance, general security
SCORM support	SCORM 1.2 and 2004	Limited SCORM capabilities
LMS flexibility	Any LMS or standalone	Primarily Proofpoint platform
Free content	100+ exercises, no sign-up	No free content
Email security bundling	None (standalone training)	Part of Proofpoint security suite
Reporting	Real-time analytics, multi-framework compliance	Threat-intelligence-powered dashboards
SSO/SAML	Okta, Azure AD, Google Workspace	Enterprise IdP support
Compliance frameworks	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	SOC 2, HIPAA, GDPR
Pricing	Enterprise custom	Bundle pricing with Proofpoint suite

Where Proofpoint is stronger

Threat intelligence integration. This is Proofpoint’s genuine competitive advantage. The awareness training product connects to Proofpoint’s Targeted Attack Protection engine, which means you can target simulated phishing and training based on real threat data. Employees who receive the most real phishing attempts in their inbox get prioritized for simulation campaigns. This data-driven targeting is difficult to replicate with a standalone training vendor.

Email security ecosystem. If your organization uses Proofpoint for email gateway, DLP, archiving, and threat intelligence, adding their awareness training creates a unified security workflow. One vendor, one dashboard, one support contract. The administrative simplicity of a single-vendor stack has real value for security teams managing multiple tools.

Enterprise credibility. Proofpoint is a large, publicly-known cybersecurity company. For organizations in regulated industries where vendor risk assessments are extensive, Proofpoint’s brand recognition and established compliance posture reduce procurement friction.

Very Attack Person (VAP) targeting. Proofpoint identifies “Very Attacked People” within your organization based on their email threat data. Training campaigns can automatically prioritize these high-risk individuals. This is a data advantage that only an email security vendor can provide.

Where RansomLeak is stronger

Learning method. Proofpoint’s training content is primarily video-based modules with quizzes and assessments. RansomLeak’s content is built around interactive 3D simulations where employees practice handling attack scenarios. The difference matters for retention: practicing a social engineering response builds different neural pathways than watching a video about social engineering. Hands-on training produces higher retention and engagement rates than passive content consumption.

Vendor independence. RansomLeak works with any email security vendor, any LMS, and any security stack. Proofpoint’s awareness training is most valuable when bundled with their email security product. If you switch email vendors, the training-to-threat-intelligence integration breaks. RansomLeak’s SCORM compatibility and standalone deployment model means you are never locked into a broader vendor ecosystem.

SCORM flexibility. RansomLeak exports training as SCORM 1.2 and 2004 packages for any standards-compliant LMS. Proofpoint’s training runs primarily through their own platform. Organizations that centralize all training in a single LMS find this a significant limitation.

Topic coverage. RansomLeak covers AI security, OWASP LLM risks, deepfake social engineering, callback phishing, QR code phishing, and real-world incident case studies. Proofpoint’s training library is solid on core topics but thinner on emerging threats. If your program needs to address the full range of modern threats, RansomLeak covers more territory.

Free evaluation. RansomLeak’s entire exercise catalogue is free to try with no account required. Proofpoint requires a sales engagement and contract discussion before you can access their training content. The ability to evaluate content quality before buying changes the procurement dynamic.

Cost structure. Proofpoint’s awareness training is typically sold as part of a broader email security bundle. This means you often pay for the full Proofpoint platform to get the training component. If you already have an email security vendor you are happy with, paying for Proofpoint’s entire stack to access their training module is not cost-effective. RansomLeak is a standalone training purchase.

Who should choose Proofpoint?

Proofpoint Security Awareness Training is the right choice if:

You already use Proofpoint for email security and want training integrated with your threat data
Identifying and targeting “Very Attacked People” with training is a priority
You want a single-vendor approach to email security and awareness training
Enterprise procurement processes favor large, established vendors
You operate in a heavily regulated industry where Proofpoint already passes your vendor requirements

The typical Proofpoint SAT buyer is a large enterprise already invested in the Proofpoint email security ecosystem, looking to add training that plugs into existing threat intelligence data.

Who should choose RansomLeak?

RansomLeak is the right choice if:

You want training content employees engage with, not click through
Vendor independence matters (you do not want training tied to your email vendor)
You need SCORM-compatible content for your existing LMS
Your training program needs to cover AI security, deepfakes, and emerging threats
You want to evaluate content before purchasing (100+ free exercises)
You use a different email security vendor and do not plan to switch to Proofpoint

The typical RansomLeak buyer is an organization that wants best-of-breed training quality regardless of their email security vendor, and values interactive engagement over video-based modules.

How does pricing compare?

Proofpoint’s awareness training pricing is typically bundled with their broader email security products. Standalone awareness training pricing exists but is less commonly deployed outside the Proofpoint ecosystem. Enterprise contracts vary significantly based on the bundle.

RansomLeak offers custom enterprise pricing for platform features (analytics, SSO, campaign management, compliance reporting), with all exercises free to try beforehand. The pricing conversation starts after you have already evaluated the content.

The meaningful cost comparison is not price-per-seat. It is whether you are buying training as an add-on to an email security platform, or buying training as a standalone product optimized for engagement. If you are already paying for Proofpoint email security, adding their training is incremental cost. If you are not a Proofpoint email customer, their training alone may not justify the platform investment.

How to decide

The decision between Proofpoint and RansomLeak depends on your existing vendor relationships and what you expect training to accomplish.

If you are a Proofpoint email security customer and want training that uses your real threat data to target the right employees, Proofpoint’s integration is a genuine advantage no standalone training vendor can match.

If you want the best training content regardless of email vendor, need SCORM compatibility, or want employees to actively practice handling threats instead of watching videos about them, RansomLeak is built for that.

Try both. Proofpoint offers demos through their enterprise sales team. RansomLeak lets you try 100+ exercises for free right now, no sales conversation required. Start with a phishing exercise, an email security scenario, or a callback phishing simulation.

Compare the training, not the sales pitch. Try our free phishing exercise, BEC scenario, or callback phishing simulation. Browse the full training catalogue for 100+ exercises across security awareness, privacy, AI security, and real-world incidents. No account needed.

RansomLeak vs Usecure: Security Awareness Training Compared (2026)

Fri, 27 Mar 2026 00:00:00 GMT

Usecure and RansomLeak serve different segments of the security awareness market. Understanding which segment you belong to is more useful than comparing feature lists.

Usecure is built for managed service providers (MSPs) who deliver security training to their clients. The platform automates enrollment, risk assessment, and training delivery so that an MSP can manage awareness programs for dozens of client organizations from a single dashboard. It is efficient, affordable, and designed for scale across multiple tenants.

RansomLeak is built for organizations that want the best possible training experience for their employees. Interactive 3D simulations, hands-on exercises, SCORM flexibility, and deep topic coverage across phishing, social engineering, AI security, and compliance.

If you are an MSP looking for a multi-tenant platform, you are probably evaluating Usecure. If you are an enterprise looking for training your employees will actually remember, you are probably evaluating RansomLeak. Both are valid starting points.

What is Usecure?

Usecure is a UK-based security awareness platform founded in 2017, designed primarily for managed service providers (MSPs) and small-to-medium businesses. The platform automates security training through risk assessments, auto-enrolled learning paths, simulated phishing, and dark web monitoring. Usecure’s multi-tenant architecture allows MSPs to manage training programs for multiple client organizations from a single pane of glass. Pricing is positioned below enterprise competitors, making it accessible for SMBs. The platform integrates with common MSP tools (ConnectWise, Datto, HaloPSA) and focuses on automation to minimize administrative overhead for service providers managing many accounts.

What is RansomLeak?

RansomLeak is a security awareness training platform built around interactive 3D simulations. Founded in 2025 by the creators of Kontra Application Security Training, the platform offers over 100 exercises covering phishing, social engineering, ransomware, business email compromise, vishing, smishing, privacy compliance, and AI security. Training is delivered through immersive scenarios where employees practice handling realistic attacks. RansomLeak supports both SCORM deployment and a standalone cloud platform with analytics, SSO, campaign management, and enterprise integrations.

Feature comparison

Category	RansomLeak	Usecure
Content approach	Interactive 3D simulations	Video modules + assessments
Primary audience	Enterprise direct	MSPs and SMBs
Multi-tenant management	No (single-tenant)	Yes (MSP multi-tenant dashboard)
Risk assessment	Exercise-based evaluation	Automated risk profiling
Auto-enrollment	Campaign-based	Risk-based auto-enrollment
Dark web monitoring	No	Yes (credential exposure scanning)
SCORM support	SCORM 1.2 and 2004	No SCORM export
LMS flexibility	Any LMS or standalone	Usecure platform only
Content library	100+ exercises, 14 categories	Video modules + assessments
Free content	100+ exercises, no sign-up	Free trial available
Gamification	Points, badges, leaderboards	Basic completion tracking
SSO/SAML	Okta, Azure AD, Google Workspace	Azure AD, limited SSO
MSP tooling	No MSP-specific features	ConnectWise, Datto, HaloPSA integration
Compliance reporting	SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2	Basic compliance reports
Pricing	Enterprise custom	Per-user, MSP-friendly pricing

Where Usecure is stronger

MSP multi-tenant management. Usecure is purpose-built for MSPs managing dozens of client organizations. The multi-tenant dashboard, per-client reporting, and integrations with PSA tools (ConnectWise, Datto, HaloPSA) are features RansomLeak does not offer. If you are an MSP, Usecure’s management layer saves significant administrative time.

Risk-based auto-enrollment. Usecure automatically assesses employee security knowledge through questionnaires, identifies gaps, and enrolls them in relevant training modules. This hands-off approach is valuable for MSPs and lean IT teams that cannot manually curate training paths for every employee.

Dark web monitoring. Usecure includes credential monitoring that scans dark web databases for exposed employee credentials and alerts the organization. This is a complementary security feature that goes beyond training content. RansomLeak does not include dark web monitoring.

SMB-friendly pricing. Usecure’s per-user pricing is positioned below most enterprise competitors, making it accessible for small and medium businesses, particularly when purchased through an MSP. For organizations where budget is the primary constraint, Usecure’s price point is hard to beat.

Speed to deployment. Usecure’s automation means an MSP can have a client’s training program running within hours. Automated risk assessment, auto-enrollment, and templated phishing campaigns minimize setup time. For MSPs onboarding many clients, this efficiency matters.

Where RansomLeak is stronger

Training quality and engagement. This is where the platforms diverge most. Usecure delivers training through standard video modules and assessments. RansomLeak delivers training through interactive 3D simulations where employees practice handling realistic attack scenarios. The experience is fundamentally different. An employee completing a Usecure module watches a video and answers questions. An employee completing a RansomLeak exercise steps into a social engineering scenario, makes decisions, and sees consequences. Research on training retention consistently shows that active practice produces better outcomes than passive consumption.

Topic depth and breadth. RansomLeak covers 14 categories including AI security, OWASP LLM risks, deepfake social engineering, callback phishing, QR code phishing, and real-world incident response. Usecure covers core security topics well but does not go as deep on emerging threats. For organizations facing sophisticated attack types, RansomLeak’s content library addresses risks that Usecure’s does not.

SCORM and LMS integration. RansomLeak exports as SCORM 1.2 and 2004 packages compatible with any LMS. Usecure has no SCORM export capability. Enterprise organizations that centralize training in Cornerstone, Workday, or similar platforms need SCORM support.

Enterprise features. RansomLeak’s enterprise capabilities (SIEM integration with Splunk/Sentinel/QRadar, comprehensive SSO, role-based access control, white-label branding, multi-framework compliance reporting) are built for direct enterprise deployment. Usecure’s feature set is optimized for MSP-managed delivery, which means some enterprise-grade capabilities are thinner.

Free content evaluation. RansomLeak’s entire exercise catalogue is free to try without creating an account. Usecure offers a trial but with limited access. Being able to evaluate 100+ exercises at no cost before committing changes how procurement conversations go.

Who should choose Usecure?

Usecure is the right platform if:

You are an MSP managing security awareness for multiple client organizations
Multi-tenant management and PSA tool integration are requirements
Your budget is limited and SMB-friendly pricing matters most
Automated risk assessment and training enrollment reduce admin overhead
Dark web credential monitoring is a desired add-on feature
Speed to deployment is more important than training content depth

The typical Usecure buyer is an MSP looking for an affordable, automatable security awareness platform they can deploy across their client base with minimal manual effort.

Who should choose RansomLeak?

RansomLeak is the right platform if:

Training engagement and behavior change are your primary goals
You want employees to practice handling attacks, not just watch videos about them
SCORM integration with your LMS is a requirement
Your program needs to cover AI security, deepfakes, and emerging threats
Enterprise features (SIEM, SSO, RBAC, compliance reporting) matter
You want to evaluate the full content library for free before purchasing

The typical RansomLeak buyer is an enterprise organization that wants training their employees will actually engage with, deployed through their existing LMS or a dedicated platform with full enterprise capabilities.

How does pricing compare?

Usecure’s pricing is designed for MSP economics: low per-user cost that allows managed service providers to mark up and resell at a profit while remaining affordable for SMB clients. This makes Usecure one of the more affordable options in the SAT market.

RansomLeak uses custom enterprise pricing based on organization size and deployment model. The free exercise library means content evaluation happens before pricing conversations.

The pricing gap reflects different value propositions. Usecure optimizes for low cost and automated delivery. RansomLeak optimizes for training quality and engagement. For an MSP managing 50 clients who need basic security awareness, Usecure’s economics make sense. For a single enterprise that wants measurable behavior change from its training investment, the per-seat cost matters less than the quality of each training interaction.

How to decide

If you are an MSP, start with Usecure. Its multi-tenant architecture, PSA integrations, and MSP-friendly pricing are built for your business model. RansomLeak is not designed for multi-tenant MSP management.

If you are an enterprise buying training directly, start with RansomLeak. The interactive content, SCORM flexibility, and enterprise features are built for organizations deploying training to their own workforce. You can try 100+ exercises for free before making a decision.

The two platforms serve different buyers. Choosing between them is less about which is “better” and more about whether you are buying training-as-a-managed-service or training-as-a-direct-enterprise-investment.

Try the training your employees will actually remember. Start with a free phishing exercise, ransomware simulation, or social engineering scenario. Browse the full training catalogue for 100+ exercises. No sign-up needed.

Typosquatting: When One Wrong Letter Hands Over Your Credentials

Fri, 27 Mar 2026 00:00:00 GMT

Type “gogle.com” into your browser. You misspelled it. Twenty years ago, that typo would have landed you on a page stuffed with ads. Today, it might land you on a pixel-perfect replica of Google’s login page, one that captures your username and password before redirecting you to the real thing. You would never know.

This is typosquatting, and it has been around since domain names became valuable. What changed is the sophistication. Modern typosquatting campaigns do not just buy obvious misspellings. They register domains using character substitutions that are nearly invisible to the human eye, pair them with valid HTTPS certificates, and deploy them as part of targeted credential-harvesting operations against specific companies.

Palo Alto Networks’ Unit 42 found that roughly 13,857 squatting domains were registered per month in 2023, with typosquatting and combosquatting accounting for the majority. These are not opportunistic parked pages. Many are active phishing sites with a shelf life measured in hours, just long enough to harvest a batch of credentials before being reported and taken down.

What is typosquatting?

Typosquatting is the practice of registering domain names that are very close to legitimate ones, targeting users who make typing mistakes, misread a URL, or click a lookalike link without inspecting it closely. The attacker controls the destination, which can be anything from a credential-harvesting page to a malware distribution site to a fake corporate portal.

The attack succeeds because humans are bad at reading URLs character by character. We recognize domain names the way we recognize faces: by overall shape and context, not by examining each pixel. A domain like “rnicrosoft.com” (with “rn” instead of “m”) looks correct at a glance. So does “arnazon.com” or “linkedln.com” (with an “l” instead of an “I”). Attackers know this and choose substitutions specifically to exploit how our eyes process text.

How do attackers create typosquat domains?

The techniques fall into several categories, each targeting a different failure mode in human perception.

Keyboard proximity typos

The simplest approach: register domains where one character is replaced with an adjacent key on a QWERTY keyboard. “Gogle.com” (missing an ‘o’), “Gmial.com” (swapped ‘a’ and ‘i’), “Anazon.com” (missing an ‘m’). These target people who type URLs from memory and make a single keystroke error.

Character substitution

Replace one character with a visually similar one. “rn” for “m” is the classic. “l” (lowercase L) for “I” (uppercase i). “1” (one) for “l” (lowercase L). “0” (zero) for “O.” In many fonts, these are indistinguishable at body text sizes. An email that says “Please log in at rnicrosoft.com” looks correct in most inbox rendering engines.

Homoglyph attacks

This is character substitution taken further, using Unicode characters from non-Latin scripts that look identical to Latin letters. The Cyrillic “а” (U+0430) is visually identical to the Latin “a” (U+0061) in most fonts. An attacker can register a domain using Cyrillic characters that appears byte-for-byte different from the legitimate domain but renders identically on screen.

Modern browsers defend against this with Internationalized Domain Name (IDN) display policies. Chrome and Firefox show the Punycode representation (xn—…) for domains that mix scripts. But not all applications render URLs through a browser. Email clients, messaging apps, and mobile notification banners may display the Unicode version directly.

Combosquatting

Instead of misspelling the domain, the attacker adds a plausible word. “microsoft-login.com,” “google-security.com,” “amazon-delivery-status.com.” These are technically not misspellings, so they do not trip the same cognitive alarm. They feel like subdomains or microsite URLs that a large company might actually use.

Researchers from Georgia Tech found in a 2017 study that combosquatting domains were 100 times more prevalent than traditional typosquatting and were used in significantly more active attack campaigns. The trend has only accelerated since then.

TLD swaps

Register the same domain under a different top-level domain. “company.co” instead of “company.com.” “company.org” instead of “company.com.” “company.cam” instead of “company.com.” The proliferation of new TLDs (.app, .dev, .cloud, .team) has expanded this attack surface considerably, because many organizations do not defensively register their name across all available TLDs.

Where do typosquat domains appear?

People assume typosquatting only catches users who manually type URLs. That used to be true. Now it is just one of several attack surfaces.

Phishing emails. An email from “support@arnazon.com” linking to a fake order confirmation page. The domain passes a quick visual check because the substitution is subtle. This overlaps directly with standard email phishing, but the domain similarity adds an extra layer of credibility.

Search engine ads. Attackers bid on brand keywords in Google Ads and link to typosquat domains. A user searching for “Dropbox login” sees an ad at the top of the results that links to “dr0pbox.com” or “dropbox-login.com.” Google has policies against this, but enforcement is reactive. The ad runs for hours before being flagged.

Link manipulation in documents. A shared document, wiki page, or Slack message contains a hyperlink with display text that reads “company.com” but actually points to “cornpany.com.” The user sees the display text, trusts it, and clicks. This is why safe browsing habits need to extend beyond the browser and into every tool where clickable links appear.

QR codes. A QR code phishing attack that encodes a typosquat URL. The domain looks close enough on the brief URL preview that most users tap through without noticing the difference.

Dependency confusion. In software development, attackers publish packages to npm, PyPI, or other registries using names that are one character off from popular libraries. Developers who mistype a package name in their dependency file pull in the malicious version. This is typosquatting applied to the software supply chain, and it has caused real incidents. The 2021 ua-parser-js incident and the 2022 colors/faker.js attacks demonstrated how fragile the supply chain trust model is.

Real-world typosquatting at scale

Typosquatting is not a theoretical risk. It operates at industrial scale.

In 2023, Akamai identified over 30,000 domains targeting the top 100 retail brands during the holiday shopping season alone. Many were active for fewer than 48 hours. They harvested credentials, collected payment card numbers, or distributed malware disguised as promotional apps.

The IRS warned U.S. taxpayers in 2024 about typosquat domains impersonating the official IRS.gov website during tax season. The fake sites collected Social Security numbers and banking information under the pretense of “processing refunds.”

Financial institutions face particularly aggressive campaigns. A 2022 study by Infoblox found that the average Fortune 500 bank had over 200 active typosquat domains registered against it at any given time. Some were credential phishing. Others were fake customer support portals designed for social engineering attacks conducted over the phone.

How to protect against typosquatting

There is no single defense that eliminates the risk. Protection requires layering technical controls with employee awareness.

Technical controls

Defensive domain registration. Register common misspellings, adjacent-key typos, and TLD variants of your primary domain. This is expensive at scale, but it prevents the most obvious attacks. Redirect all defensive registrations to your real site.

DNS-level filtering. Configure corporate DNS resolvers to block known typosquat domains. Services like Cisco Umbrella, Cloudflare Gateway, and Zscaler maintain threat intelligence feeds that include recently registered lookalike domains.

Browser security policies. Use a managed browser or browser extension that warns users when they navigate to a domain that closely resembles a known corporate resource. Some endpoint protection platforms include this functionality.

Email authentication enforcement. DMARC, DKIM, and SPF will not prevent an attacker from sending email from a typosquat domain, but they make it harder for that email to pass authentication checks. Strict DMARC policies on your own domain also protect your brand by preventing spoofing of your exact domain.

Certificate transparency monitoring. Monitor certificate transparency logs for TLS certificates issued to domains similar to yours. If someone registers “yourcompany-login.com” and gets a certificate for it, that is an early warning signal.

Employee awareness

Technical controls catch many typosquat domains, but they cannot catch all of them. Employees need to recognize the attack pattern themselves.

Teach URL reading as a skill. Most employees have never been taught to actually read a URL character by character. They glance at it and make a snap judgment. Training should include exercises where employees compare legitimate and typosquat URLs side by side, because the difference is often a single character. Our typosquatting awareness exercise puts employees through exactly this kind of comparison in realistic scenarios.

Reinforce direct navigation. The safest habit is typing known URLs directly or using bookmarks, never following links in emails or messages to log into sensitive services. This advice applies equally to credential protection and password security.

Explain the bookmark habit. For services employees use daily (email, cloud storage, internal tools), they should bookmark the login page and use only that bookmark. This eliminates the mistyped URL vector entirely.

Cover the mobile angle. Mobile browsers show less of the URL, and mobile keyboards increase typo rates. Employees who access corporate services on phones are more vulnerable to both typosquatting and smishing attacks that link to lookalike domains.

Typosquatting vs other domain-based attacks

Typosquatting is one of several techniques that exploit domain trust. Understanding how they differ helps you build the right defenses.

Technique	Method	Example	Primary defense
Typosquatting	Misspelled domain	gogle.com	Defensive registration, DNS filtering
Combosquatting	Real name + added word	google-security.com	DNS filtering, user awareness
Homoglyph attack	Unicode lookalike chars	gооgle.com (Cyrillic о)	Browser IDN policies
Domain spoofing	Forged From: header	Displays “google.com”	DMARC/DKIM/SPF
Subdomain abuse	Trusted domain prefix	google.com.malicious.site	User awareness, URL reading

The common thread is that all five techniques target the same human weakness: we trust URLs based on pattern recognition rather than character-by-character verification. Training needs to address this underlying habit, not just the specific technique.

Training employees on typosquatting

Typosquatting awareness requires a different training approach than standard phishing training. The attack does not depend on urgency, fear, or social pressure. It depends on inattention. A tiny visual difference that the brain glosses over.

Use visual comparison exercises. Show employees pairs of URLs and ask them to identify the fake. Start easy (“faceboook.com” vs “facebook.com”) and progressively increase difficulty (“rn” vs “m,” “l” vs “I,” Cyrillic homoglyphs). This builds the habit of actually reading URLs instead of pattern-matching them.

Demonstrate real examples. Show employees actual typosquat domains that have been registered against your organization. If you can, show them the phishing pages those domains served. Seeing that attackers specifically target your company makes the threat concrete.

Connect it to browser habits. Typosquatting training fits naturally alongside browser security training. Teach employees to check the full URL after a page loads, not just before clicking. Some typosquat sites redirect through multiple domains, so the URL in the email may differ from the URL that ultimately loads.

Make it part of the simulation program. Include typosquat domains in your phishing simulation emails. An email from “hr@yourcompnay.com” (transposed letters) with a link to a lookalike portal tests whether employees catch the domain discrepancy. Our typosquatting awareness exercise and safe browsing exercise cover these scenarios specifically.

Train your team to catch the URLs that are one letter off. Try our free typosquatting awareness exercise and see how many lookalike domains your employees can spot. You can also explore exercises on browser security, HTTPS and website verification, and the full security awareness training catalogue.

RansomLeak Partners with Cyber Helmets for Threat Intelligence-Driven Training

Mon, 23 Mar 2026 00:00:00 GMT

Ransomware and phishing attacks keep evolving in scale and sophistication. Theoretical training alone does not cut it anymore. Organizations need practical, experience-driven learning that mirrors how attacks actually happen.

That is why RansomLeak has partnered with Cyber Helmets to deliver cybersecurity training and awareness programs grounded in real-world ransomware intelligence.

What this partnership brings together

Cyber Helmets runs instructor-led cybersecurity programs built around their Training Development Process (TDP), a continuous, skills-based framework that ensures teams don’t just train but learn, apply, and evolve alongside real threats. RansomLeak brings immersive 3D simulation exercises where employees experience attacks firsthand, plus threat intelligence drawn from active ransomware groups, attack patterns, and leak data.

The result: training content that reflects how attackers actually operate, not how a slide deck imagines they do.

What the joint programs cover

Together, Cyber Helmets and RansomLeak support organizations through:

Cybersecurity awareness workshops based on real attack scenarios, not hypothetical situations
Phishing simulation and training aligned with current threat tactics, including vishing, smishing, and whaling
Ransomware preparedness and incident response training covering detection, containment, and recovery
Threat intelligence briefings providing risk insights drawn from active threat actor operations
Continuous security awareness and culture programs that keep security top of mind beyond annual compliance checkboxes

By combining immersive simulations with real threat intelligence, the partnership helps organizations understand attacker behavior, strengthen response capabilities, and build a security-first culture.

Why this matters

Most security awareness training relies on static videos and multiple-choice quizzes. Employees click through, pass the test, and forget everything by Friday. Attack techniques move faster than slide decks get updated.

This partnership takes a different approach. Cyber Helmets contributes deep offensive and defensive security expertise. RansomLeak contributes 100+ interactive exercises where employees experience attacks before learning to defend against them. Threat intelligence from active ransomware operations keeps exercise content current.

The training is hands-on, regularly updated, and built by people who study how attacks actually work.

Get started

If you are interested in threat intelligence-driven training for your team, get in touch. We work with organizations of all sizes to build security awareness programs that match their risk profile and compliance requirements.

About Cyber Helmets

Cyber Helmets delivers hands-on cybersecurity training designed to build real-world capability across security domains. At the core of its approach is the Training Development Process (TDP), a continuous, skills-based framework that ensures teams don’t just train, but learn, apply, and evolve in alignment with real-world challenges and business objectives. Through instructor-led programs, practical labs, and tailored enterprise training, Cyber Helmets helps teams develop the skills needed to detect, respond to, and mitigate modern cyber threats.

For more information, visit cyberhelmets.com.

About RansomLeak

RansomLeak is a cybersecurity training platform that places users in a 3D simulated workplace where they experience cyberattacks firsthand: installing malware, answering phishing calls, joining Zoom meetings with a deepfake of their boss, and more. The platform includes 100+ interactive exercises covering security awareness, privacy and compliance, AI and LLM security, and the OWASP Top 10. Users experience the attack, then learn how to detect and remediate it.

For more information, visit ransomleak.com.

Browser Security Training: What Employees Actually Need to Know

Wed, 18 Mar 2026 00:00:00 GMT

An employee searches Google for a PDF converter. The first result looks right. Logo, branding, download button. She installs it. Within 48 hours, her browser credentials, saved passwords, and session tokens are exfiltrated to a server in Eastern Europe. The download page was a poisoned search result that ranked above the legitimate tool.

This is not a theoretical scenario. Palo Alto Unit 42 reported in 2024 that web browsers have become the number one enterprise attack vector, involved in over 80% of initial access incidents. Your firewall, endpoint agent, and email gateway don’t help much when the threat lives inside the browser itself.

Browsers have quietly become the operating system of work. SaaS apps, cloud consoles, internal tools, communication platforms. Nearly everything runs in a browser tab. And every one of those tabs is a potential attack surface that most security training ignores.

What is browser security training?

Browser security training is structured education that teaches employees to recognize and avoid threats that operate within or through web browsers. It covers attack vectors like malicious extensions, autofill exploitation, notification hijacking, SEO poisoning, and unsafe download behavior. Unlike general security awareness programs, browser-specific training focuses on the tool employees use more than any other during their workday.

According to a 2023 LayerX report, the average enterprise employee spends 85% of their working time in a browser. That makes the browser the primary interface between your workforce and your threat environment. Yet most training programs dedicate a single slide to “don’t click suspicious links” and move on.

The browser is also where technical controls have the least visibility. Endpoint detection sees processes and file system activity. Network monitoring sees traffic flows. But what happens inside a browser tab, which permissions get granted, which forms get submitted, which extensions read which pages, is largely opaque to your security stack. That’s why the human layer matters here more than almost anywhere else.

Why do browsers trust hidden form fields?

Browser autofill is a convenience feature designed for speed. When an employee fills in their name on a web form, the browser offers to complete the rest: email, phone, address, sometimes even credit card numbers. What most people don’t realize is that forms can contain hidden fields that the browser fills silently.

An attacker creates a page with a visible “name” field and invisible fields for email, phone number, and address. The employee types their name. The browser populates everything else. One click submits the whole thing. The Browser Autofill Risks exercise walks through this exact attack, showing how hidden form fields exploit a feature most employees rely on daily.

Google’s Chromium team has acknowledged this as a known design tradeoff since 2018. Their position: autofill should fill all matching fields regardless of visibility, because hiding fields is a legitimate web development practice (for accessibility, for example). That means the protection has to come from user awareness, not from the browser.

The practical fix isn’t “disable autofill entirely.” That creates friction employees will route around. Instead, teach employees to review what autofill proposes before submitting a form, and to be suspicious of pages that ask for minimal input but trigger autofill suggestions for unrelated fields.

For organizations managing Chrome or Edge through group policy, you can restrict autofill to specific domains. But policy alone doesn’t help employees on personal devices or unmanaged browsers. That’s where training closes the gap: employees who understand the risk make better decisions regardless of which browser or device they’re using.

How do fake CAPTCHAs hijack push notifications?

This one is brilliantly simple. An employee lands on a page that displays what looks like a standard “I am not a robot” CAPTCHA. Clicking “Allow” on the browser prompt doesn’t verify they’re human. It grants the site permission to send push notifications forever.

Once granted, the attacker sends notifications that mimic system alerts: “Virus detected,” “Windows update required,” “VPN disconnected.” Clicking any of these leads to credential phishing pages or malware downloads. The notifications persist across browser sessions and appear even when the site isn’t open. Our Browser Notification Abuse exercise simulates this attack so employees can see the manipulation before encountering it in the wild.

Kaspersky’s 2023 web threat report found that notification abuse campaigns increased by 42% year over year, with enterprise users being targeted specifically through work-related lures. The fix is technically simple (revoke notification permissions in browser settings), but employees first need to understand that they were tricked.

The deeper problem is that browser permission prompts all look the same. “Allow notifications?” uses the same dialog pattern as “Allow camera access?” or “Allow location?” Employees who click “Allow” without reading have been trained by years of cookie consent banners and pop-ups to dismiss dialogs as fast as possible. Reversing that instinct is one of the hardest parts of browser security training.

The attack also exploits a timing gap. The moment between landing on a page and thinking critically about it is short. Attackers fill that gap with urgency: “Verify you’re human to continue.” By the time the employee realizes the CAPTCHA was fake, the permission is already granted and the site is already queued to send notifications.

What makes browser extensions so dangerous?

Extensions operate with broad permissions that most users never review. A grammar-checking extension that requests “read and change all your data on all websites” has, by definition, the ability to read every page you visit, capture every form you submit, and exfiltrate session cookies for every service you’re logged into.

The 2024 Spin.AI Browser Extension Risk Report analyzed over 300,000 browser extensions and found that 51% were rated high risk. Not because they’re all malicious. Many are simply poorly maintained, with overly broad permissions and no security audit history. But the malicious ones hide in plain sight. The Browser Extension Safety exercise teaches employees to evaluate permissions, spot red flags in extension listings, and understand what “access to all site data” actually means.

Supply chain attacks through extensions are a growing concern. In December 2024, Cyberhaven’s Chrome extension was compromised after a phishing attack targeted the developer. The attacker pushed a malicious update to all 400,000 users that harvested Facebook session tokens and advertising credentials. The compromised version was live for over 24 hours before detection. This wasn’t a fake extension. It was a legitimate tool that was weaponized through its own update mechanism.

Employees should evaluate extensions the same way they’d evaluate a stranger asking for their house keys. Check the developer’s identity. Read recent reviews for reports of suspicious behavior. Question whether the permissions match the stated functionality.

Periodic review matters just as much as initial vetting. An extension that was safe six months ago may have been sold to a new owner or had its update pipeline compromised. The Chrome Web Store has a documented history of legitimate extensions being acquired by advertisers or data brokers who add tracking code in the next update. Employees who installed the original version never get a second permission prompt. The Duo Labs “CRXcavator” project found that 35% of Chrome extensions hadn’t been updated in over two years, meaning known vulnerabilities go unpatched indefinitely.

How do poisoned search results bypass employee instincts?

Employees trust search engines. If Google ranks a page first, it must be legitimate. Attackers exploit that trust through SEO poisoning, using techniques like keyword stuffing, link farming, and expired domain hijacking to push malicious pages into top search results.

The targets are predictable: software downloads, IT documentation, login pages for popular SaaS tools. Sophos reported in 2024 that SEO poisoning campaigns targeting enterprise software downloads increased by 60% compared to the previous year. The SEO Poisoning Awareness exercise shows employees how to distinguish real download pages from fakes, even when the fake ranks higher in results.

Paid search ads make this worse. Attackers buy ads for brand keywords like “Slack download” or “Zoom installer,” and the ad appears above organic results. Google’s own Threat Analysis Group documented multiple campaigns in 2023 where malicious ads for popular software led to info-stealer malware. Employees who click the first result without checking the URL are doing exactly what the attacker paid for.

This is closely related to typosquatting, where attackers register domains like “slacck.com” or “githb.com” to catch mistyped URLs. The difference is intent: typosquatting waits for mistakes, while SEO poisoning actively lures employees through legitimate search behavior. Both exploit the same underlying gap: employees don’t verify the domain they’ve landed on before interacting with the page.

Teach employees one simple habit: before downloading anything, check the domain in the address bar against the software vendor’s official site. If the download is hosted on a domain you don’t recognize, go find the vendor’s real site and download from there directly. Ten seconds of verification prevents hours of incident response.

IT teams can help by maintaining an internal directory of approved software download links. When employees need a tool, they check the directory instead of searching Google. This removes the search engine from the trust chain entirely for the most common downloads.

What does effective browser security training look like?

Compliance-style training that lectures employees about browser settings is mostly wasted time. People forget configuration instructions within days. What sticks is the visceral experience of watching an attack succeed against you.

Interactive exercises work because they create emotional memory. An employee who watches hidden form fields silently capture their data in a simulated autofill attack develops a gut reaction to autofill prompts. That reaction persists longer than any policy document. Similarly, practicing safe browsing and download habits in a controlled environment builds reflexes that transfer to daily work.

The training should cover five distinct areas: autofill and form behavior, extension evaluation and hygiene, notification permission management, search result verification, and HTTPS literacy (understanding what the padlock does and doesn’t guarantee). Each topic is specific enough to teach in a 10-minute module but connected enough that employees start seeing browser interactions as a unified attack surface.

Frequency matters more than duration. A 10-minute browser security exercise every month produces better outcomes than a 90-minute annual course, according to the 2023 SANS Security Awareness Report. Spacing the topics out gives employees time to apply what they’ve learned before the next module introduces new material.

Role-specific depth helps too. Developers need to understand how their own extensions affect other people’s browsers. Finance teams need extra focus on form-based attacks that target payment workflows. Executives, who are often the least willing to restrict browser functionality, need to see how their browsing habits create high-value targets.

Measuring retention is straightforward. Run a simulated SEO poisoning page or a fake notification prompt quarterly and track the response rate over time. If the number isn’t improving, the training isn’t sticking and needs a different approach.

Where does browser security fit in a broader program?

Browser threats don’t exist in isolation. A phishing email drops the employee on a malicious page where a browser-based attack takes over. A shadow IT tool installs a browser extension with excessive permissions. A colleague shares a link over chat that leads to a poisoned download page.

Effective programs layer browser training with email security, mobile security, and phishing recognition to cover the full attack chain. Browser-specific training fills the gap that general awareness programs leave open.

The IBM X-Force Threat Intelligence Index 2024 found that 30% of incidents involving valid credential abuse traced back to browser-based initial access, not email. That’s a significant share of breaches that email-focused training can’t address.

Organizations in regulated industries should also consider how browser-based data exposure intersects with compliance requirements. An employee who autofills personal data into an unauthorized form is a potential data handling violation under GDPR and CCPA, regardless of whether the form was malicious.

The attack chains are getting more creative too. An attacker sends a phishing email that links to a legitimate-looking page. That page requests notification permissions. The employee grants them. Weeks later, a fake “IT Security Alert” notification leads to a credential harvesting page. No single training module catches this. Only a program that connects browser, email, and social engineering training gives employees the full picture.

How do you measure whether browser training is working?

The clearest signal is incident volume. Track browser-related security tickets before and after training rollout. Extension audit findings, notification permission abuse reports, and malware installations traced to web downloads all provide concrete numbers.

Metric	Baseline (pre-training)	Target (6 months)	Strong program
Unauthorized extensions per audit	15-30 per 100 employees	Under 10	Under 5
Notification permission abuse incidents	Unreported	Reported within hours	Blocked by policy
Malicious download incidents	Monthly	Quarterly	Rare
Employee-reported suspicious sites	Rare	Weekly	Part of culture

Simulation results also tell a story. If you run periodic exercises where employees encounter fake download pages or permission prompts, track how the response rate changes over time. A drop from 25% to 8% in click-through on simulated SEO poisoning pages tells you more than any satisfaction survey.

Don’t overlook qualitative signals. When employees start Slacking the security team about a suspicious extension they found, or asking IT whether a particular download site is legitimate before installing anything, the training is working. Behavior change shows up in questions before it shows up in metrics.

One underused approach: ask employees to screenshot their browser extension lists during training and compare against a company-approved baseline. The gap between what people think they have installed and what’s actually running is consistently surprising. It turns an abstract risk into something personal and concrete.

What should you do this week?

Start with the obvious: audit browser extensions across your organization. If you don’t have visibility into what extensions employees have installed, you don’t have browser security. Tools like CRXcavator or Spin.AI provide free extension risk scoring.

Next, set a browser notification policy. Most employees don’t need push notifications from any website to do their job. Chrome, Edge, and Firefox all support managed policies that block notification requests by default while allowing a whitelist for specific domains. This one configuration change eliminates an entire attack category.

Then give employees hands-on experience with the attacks targeting them. The Browser Autofill Risks, Browser Extension Safety, Browser Notification Abuse, and SEO Poisoning Awareness exercises each take under 10 minutes and cover the highest-risk browser attack vectors.

The browser is the most used and least trained-for tool in your organization. Closing that gap doesn’t require a massive program. It requires specific, targeted exercises that show employees what these attacks look like before they encounter them at work. Browse our full security awareness training catalogue for the complete set of browser and web security exercises.

Collaboration Tool Security: Hidden Risks in Slack, Teams, and Chat Platforms

Wed, 18 Mar 2026 00:00:00 GMT

It is 11:47 PM. A backend engineer is debugging a production outage. The database is returning timeout errors and the on-call Slack channel is filling up with pings from customer support. Her colleague asks for the production database credentials so he can check connection pool settings. She pastes the username and password directly into the channel. Eleven people are in the channel. Three of them are contractors whose access was supposed to expire last quarter. The message is indexed, searchable, and will exist in Slack’s retention archive for as long as the workspace does.

The outage gets resolved by midnight. The credentials stay in that channel forever. Six months later, when a contractor’s Slack account is compromised through a reused password, those credentials are the first thing the attacker finds.

This scenario plays out constantly in organizations of every size. The risks hiding in workplace chat platforms go far beyond the occasional careless message.

What makes collaboration tools a security risk?

Collaboration tool security refers to the policies, controls, and employee behaviors that protect corporate data flowing through workplace chat platforms, video conferencing tools, and shared workspaces like Slack, Microsoft Teams, Zoom, and Google Chat. These platforms process an enormous volume of sensitive information daily. Slack reports that its average enterprise customer sends over 200,000 messages per month. Microsoft Teams surpassed 320 million monthly active users in 2024. Each message, file upload, screen share, and integration represents a potential exposure point that most security programs overlook.

The core problem is a perception gap. Employees treat chat messages like hallway conversations. Informal, ephemeral, low-stakes. But unlike a hallway conversation, a chat message is stored on third-party servers, backed up, indexed for search, accessible to workspace admins, potentially subject to legal discovery, and readable by every integration connected to that channel. The informality that makes chat productive also makes it dangerous.

Most organizations have invested heavily in email security: phishing filters, DLP scanning, encryption gateways. Chat platforms receive a fraction of that scrutiny, despite carrying an increasing share of sensitive communication. Gartner estimated that by 2025, 70% of team communication in large enterprises would happen outside of email. The security tooling has not kept pace with that shift.

The attack surface is also wider than most security teams realize. Beyond messages, collaboration platforms handle file storage, video recordings, voice transcripts, screen shares, calendar integrations, and third-party app connections. A single Slack workspace is not just a messaging tool. It is a data warehouse of conversations, decisions, credentials, and documents that accumulates continuously and is rarely pruned.

Why do credentials keep ending up in chat messages?

This is the single biggest risk in collaboration tools, and it happens with depressing regularity. A 2023 1Password survey found that 34% of IT and security workers have pasted credentials into a chat message or shared document. Among all employees, the number is likely higher because non-technical staff are less aware of the risk.

The scenario is almost always the same. Someone needs access to a system. The “proper” way to grant it (updating permissions, using a secrets manager, submitting an access request) takes time. Pasting the password into Slack takes three seconds. Under deadline pressure, three seconds wins every time.

It is not just production credentials. AWS access keys, Stripe API tokens, database connection strings, SSH keys, VPN credentials, admin panel passwords. GitGuardian’s 2024 State of Secrets Sprawl report found that 12.8 million new hardcoded secrets appeared in public GitHub commits in 2023 alone. The same behavior that puts secrets in code puts them in chat. The difference is that GitHub has automated scanning for leaked secrets. Slack and Teams do not, unless an organization specifically configures DLP rules to catch them.

Once credentials land in a chat channel, they are searchable. Anyone with access to that channel can find them by searching for keywords like “password,” “credentials,” or “login.” Attackers who compromise a single Slack account often run exactly this search as their first move. The Collaboration Tool Hygiene exercise walks through this scenario in detail, showing employees how credentials posted in chat create persistent, searchable vulnerabilities that outlast the original need.

Deleting the message does not solve the problem either. Slack retains deleted messages in its backend for compliance and legal hold purposes. Even if the message vanishes from the channel, it persists in exports and backups. And anyone who saw it before deletion could have copied it. The credentials are burned the instant they hit the channel, regardless of what happens to the message afterward.

The fix is not telling people to stop sharing credentials in chat. It is giving them a tool that makes the secure path faster than the insecure one. A password manager with secure sharing lets you grant time-limited access to a credential without ever exposing the plaintext password in a message. The recipient gets access. The password never touches the chat log. For organizations dealing with credential security more broadly, the password manager also eliminates the reuse problem that turns a single chat exposure into a multi-system compromise.

What happens with integrations nobody audits?

The average Slack workspace has dozens of integrations: bots, webhooks, custom apps, third-party connectors. Each one has an API token with specific permissions. Some can read messages. Some can post on behalf of users. Some have access to file uploads across the entire workspace.

A 2024 Productiv analysis found that enterprises average 87 SaaS integrations connected to their primary collaboration platforms. Many were installed for a specific project, by a specific person, who may no longer be at the company. The integration stays active. Its token stays valid. Nobody reviews whether it still needs the permissions it was granted.

Webhooks are particularly risky. An outgoing webhook that posts build notifications to a channel sounds harmless. But if that webhook URL leaks or the receiving endpoint is compromised, an attacker can inject messages into internal channels. Incoming webhooks are worse. They provide a URL that anyone with the link can use to post messages to a specific channel. These URLs are often stored in CI/CD configs, scripts, and documentation wikis with minimal access control.

In 2023, security researchers demonstrated how a compromised incoming webhook URL could be used to post convincing phishing messages to internal Slack channels, impersonating automated systems that employees trust. A message from “Jira Bot” asking employees to re-authenticate looks credible when it appears in an engineering channel alongside real Jira notifications.

This is a form of shadow IT that hides in plain sight. The integrations are technically “approved” because someone with workspace admin rights installed them. But nobody maintains an inventory, reviews permissions quarterly, or deactivates integrations when the project that needed them ends.

The 2024 EA Games Slack breach illustrates the risk. Attackers purchased a stolen Slack session cookie for $10 on a dark web marketplace, logged into EA’s internal Slack workspace, and used it to social-engineer an IT support agent into granting them access to the internal network. From there, they stole 780 GB of source code. The initial entry was through a collaboration tool. The path from cookie to source code took less than a day.

Our Collaboration Tool Hygiene exercise includes a module on identifying and auditing stale integrations before they become entry points. It also covers session token hygiene, which most employees do not think about when they check “keep me signed in” on their work laptop at home.

Who still has access after they leave?

When an employee departs, IT typically deactivates their Active Directory account, revokes VPN access, and collects their laptop. Collaboration tool access is often an afterthought. The problem is particularly acute because Slack and Teams accounts may not be tied to the same identity provider as other corporate systems, especially for external guests and contractors who were never in Active Directory to begin with.

Slack guest accounts for contractors and agency partners are especially problematic. They are created for a specific engagement, rarely documented in the same system as employee accounts, and almost never included in offboarding checklists. A 2023 Cerby report found that 60% of organizations had active accounts for former employees or contractors in at least one SaaS application. The average large enterprise works with 200+ external vendors and agencies at any given time. Each vendor relationship generates guest accounts that someone needs to track and eventually revoke.

Microsoft Teams shared channels compound the risk. When two organizations connect via shared channels, users from the external organization gain access to messages, files, and sometimes SharePoint sites. When the partnership ends, disconnecting the shared channel is a manual step that someone has to remember to do.

The problem is worse at organizations that use multiple collaboration platforms simultaneously. A company might use Slack for engineering, Teams for the rest of the business, and a separate tool for external client communication. Each platform has its own identity system, its own guest access model, and its own deprovisioning process. Nobody owns the complete picture of who has access where.

Our Guest Access Management exercise trains employees to audit external access grants and flag accounts that have outlived their purpose.

The access problem connects to broader insider threat risks. An ex-contractor with lingering Slack access can read strategic discussions, monitor hiring plans, or exfiltrate shared files without tripping any security control, because as far as the system is concerned, they are still authorized.

Slack’s own 2024 transparency report showed that enterprise workspace admins deactivate guest accounts an average of 23 days after the engagement ends. That is 23 days of continued access to potentially sensitive channels, files, and message history. For organizations handling regulated data, those 23 days can constitute a compliance violation.

Can someone eavesdrop on your collaboration tool calls?

Remote and hybrid work moved sensitive conversations from conference rooms to video calls conducted over WiFi and Bluetooth headsets. This introduced a category of risk that most collaboration tool security programs ignore entirely. A 2024 Buffer State of Remote Work report found that 98% of remote workers want to continue working remotely at least some of the time. The distributed workforce is permanent, and so are the audio security risks it brings.

Bluetooth, the protocol connecting your headset to your laptop, has known vulnerabilities. The KNOB (Key Negotiation of Bluetooth) attack, disclosed in 2019, allows an attacker within radio range to force a Bluetooth connection to use a weaker encryption key, potentially enabling real-time audio interception. The BLUFFS attack, published by researchers at EURECOM in late 2023, demonstrated that an attacker can force Bluetooth devices into a legacy pairing mode that allows session key brute-forcing across multiple sessions.

The practical risk is highest in shared spaces. Coffee shops, coworking spaces, airport lounges, hotel lobbies. An employee taking a board call from a hotel lobby over a Bluetooth headset is broadcasting audio data within a 30-foot radius. The Safe Bluetooth Practices exercise covers the specific scenarios where wireless eavesdropping becomes a realistic threat and teaches employees when to switch to wired audio or defer sensitive calls.

This is not theoretical paranoia. State-sponsored and corporate espionage operations have documented Bluetooth interception capabilities. For most organizations, the bigger risk is opportunistic. An attacker sitting in the same coworking space, scanning for Bluetooth devices, and intercepting fragments of a call that happens to contain something valuable.

Screen sharing creates a parallel risk. During a Zoom or Teams call, an employee shares their screen to walk through a document. A notification pops up from their personal email, or a browser tab with sensitive data is briefly visible, or a Slack message with a customer name scrolls past. Screen sharing broadcasts everything on the display, not just the intended window. A 2023 Tessian survey found that 28% of employees have accidentally shared sensitive data during a screen sharing session. The Shadow IT Awareness exercise covers how personal apps running alongside work tools create these accidental exposure moments.

How often do files end up in the wrong channel?

Accidental sharing is quieter than credential exposure but potentially just as damaging. An HR manager uploads a salary spreadsheet to a public channel instead of a private one. A sales rep shares a contract with a customer’s competitor because she picked the wrong channel from a dropdown. A developer posts a production config file containing API keys into a general engineering channel instead of the restricted infrastructure channel. These are not edge cases. They happen in every organization with more than a handful of channels.

The Verizon 2024 DBIR found that misdelivery, sending information to the wrong recipient, accounted for 43% of errors leading to data breaches. Collaboration tools make misdelivery frictionless. When every channel is one click away, the wrong click has the same weight as the right one.

Unlike email, where you at least see the recipient’s name before sending, chat platforms let you post to channels with similar names in rapid succession. The muscle memory of typing in the message box and hitting Enter does not leave room for the “did I pick the right channel?” check. Our Insider Threat (Accidental) exercise simulates exactly this type of scenario, where a well-intentioned employee sends the wrong file to the wrong place and has to deal with the consequences.

The problem is compounded by how collaboration tools handle file permissions. A document shared in a Slack channel inherits the channel’s access permissions. If the channel has 200 members, all 200 now have access to that file. Some platforms retain file access even after the message is deleted.

Most employees have never been trained to think about file permission inheritance in chat. They understand email attachments go to specific recipients. They do not realize that uploading a file to a Teams channel can make it accessible to everyone with SharePoint access to that team’s underlying site. Understanding cloud sharing controls and how file permissions propagate through chat platforms is a practical skill that prevents these quiet data exposures.

Are “private” channels actually private?

Employees say things in private channels they would never put in an email. Strategic plans, opinions about clients, complaints about management, salary discussions. They assume “private” means what it sounds like. It does not.

Workspace administrators in Slack on Enterprise Grid plans can access private channel messages through Compliance exports. Microsoft Teams admins with eDiscovery permissions can search and export private channel content. Corporate legal teams can obtain private channel records through litigation holds. And any integration with the right OAuth scope can read private channel messages silently. A 2022 survey by Aware (formerly Aware360) found that 68% of employees believed their direct messages in workplace chat were visible only to the participants. They are not.

The 2023 Slack security breach demonstrated the stakes. Slack disclosed that attackers used stolen employee tokens to access externally hosted code repositories and internal Slack messages. Private channels were not exempt. The breach did not result from a vulnerability in the private channel feature itself, but from the broader access that authentication tokens grant. If an attacker has your session token, every channel you belong to is accessible to them, private or not.

This matters for data leakage prevention because employees treat private channels as safe spaces for sharing sensitive information. They post API keys “just between us,” share customer complaints with identifying details, and discuss acquisition targets. All of this content is discoverable, exportable, and accessible to anyone who compromises an admin account or a sufficiently privileged integration.

For organizations in regulated industries, this creates compliance exposure when protected data appears in channels that are not subject to proper retention and access controls. A private Slack channel containing HIPAA-covered patient information or GDPR-protected personal data is subject to the same regulatory requirements as a database or email thread. The channel’s “private” label provides no legal protection. See the compliance mapping guide for how training requirements map to specific regulatory frameworks.

What does a practical collaboration tool security program look like?

Telling employees to “be careful in chat” accomplishes nothing measurable. Vague guidance produces vague compliance. A working program addresses the specific behaviors that create risk, with controls and training mapped to each one.

Credential sharing. Deploy a password manager with secure sharing features and make it the path of least resistance. Block messages containing patterns that look like passwords or API keys using Slack Enterprise DLP or Microsoft Purview. Train employees on why chat-based credential sharing is dangerous through exercises like our Collaboration Tool Hygiene simulation.

Integration hygiene. Audit connected apps quarterly. Require admin approval for new integrations. Set expiration dates on webhook URLs. Remove integrations installed by employees who have left the organization. Rotate webhook URLs on a regular schedule, the same way you rotate API keys. Secure messaging practices training should include integration awareness, not just message content.

Access lifecycle. Add collaboration tool deprovisioning to your offboarding checklist. Audit guest accounts monthly. Set expiration dates on external access grants. Review shared channel connections when partnerships end. For contractors and agency partners, set calendar reminders tied to contract end dates rather than relying on someone remembering to revoke access manually.

Channel discipline. Establish naming conventions that signal sensitivity levels. A prefix like #proj- for project channels, #ext- for channels with external guests, and #restricted- for sensitive topics gives employees a visual cue before they post. Train employees to verify the channel before posting. Implement data classification labels in channels that handle sensitive content. Use DLP policies to flag and quarantine messages containing PII, credentials, or classification-marked content.

Wireless security awareness. Include Bluetooth and WiFi hygiene in your remote work security policy. Teach employees when wired connections are necessary for sensitive calls. Cover this gap with exercises like Safe Bluetooth Practices and reinforce awareness of how social media oversharing can reveal details that make targeted eavesdropping easier.

Screen sharing hygiene. Train employees to use window-level sharing instead of full-screen sharing during video calls. Close unnecessary apps and disable notification pop-ups before presenting. These small habits prevent the accidental exposures that happen when a Slack DM or personal email notification flashes across a shared screen during a client presentation.

The fastest way to build these habits is through practice, not policy documents. Browse our full security awareness training catalogue for exercises covering collaboration tools, credential management, data leakage, and access control. Every exercise puts employees inside a realistic scenario where these risks play out, because reading about credential exposure in a slide deck is not the same as watching a simulated attacker search your Slack history for the word “password.”

Data Classification Training for Employees

Sun, 15 Mar 2026 00:00:00 GMT

An account manager at a healthcare company needed to share patient outcome data with a prospective partner. She opened the company’s analytics dashboard, exported a CSV, and emailed it to the partner’s Gmail address. The export included patient names, treatment dates, and billing codes. She did not realize any of this was in the file. She had only wanted the aggregate numbers.

The company discovered the incident two weeks later during a routine DLP review. By then, the email had been forwarded internally at the partner organization. HIPAA breach notification was required. Legal costs, remediation, and fines totaled over $200,000. All because one employee could not tell the difference between aggregate statistics and protected health information in a spreadsheet.

This type of incident happens constantly. Not because employees are careless, but because nobody taught them how to look at data and ask: “What am I actually holding?”

What is data classification training?

Data classification training teaches employees how to categorize information by its sensitivity level and apply the correct handling procedures for each category. A typical classification framework uses four tiers: Public, Internal, Confidential, and Restricted. Each tier maps to specific rules about who can access the data, how it can be shared, where it can be stored, and what happens if it leaks. IBM’s 2024 Cost of a Data Breach report found that breaches involving misidentified or improperly classified data cost organizations an average of $223,000 more than breaches where data was properly categorized. Effective data classification training moves beyond policy recitation to give employees practical judgment: looking at a document, dataset, or email and recognizing which classification tier applies before they share it, store it, or forward it.

Why employees misclassify data

The failure mode is almost never “employee intentionally ignores policy.” It is almost always one of three things: they do not understand the classification system, they do not realize what is in the data, or the system is too complicated to apply under normal working pressure.

Classification policies that nobody reads

Most organizations have a data classification policy somewhere in their intranet. It was written by legal, reviewed by compliance, approved by the CISO, and then placed where no employee will ever voluntarily read it. The policy uses phrases like “data whose unauthorized disclosure could cause significant harm to the organization’s competitive position.” Nobody opens a spreadsheet and thinks in those terms.

Training needs to translate policy language into concrete examples. “Customer email addresses are Internal. Social Security numbers are Restricted. Published blog posts are Public.” Specificity is more useful than definitions.

Mixed-sensitivity data in one file

The healthcare example at the top of this post is common because real-world data is messy. A single spreadsheet may contain public aggregate numbers alongside personally identifiable information. A sales report might combine general revenue figures with individual client contract values. A project document might mix publicly known product plans with unreleased acquisition targets.

The highest-sensitivity element in any file determines the classification of the entire file. Employees need to know this rule, but more importantly, they need the habit of scanning data before sharing it. Our data classification basics exercise builds this scanning instinct through realistic scenarios.

Overclassification as a dysfunction

Some organizations see the opposite problem: employees classify everything as Confidential or Restricted to avoid getting in trouble. This creates its own damage. When everything is marked Confidential, nothing is treated as Confidential. Overclassification desensitizes people to labels, slows down legitimate work, and makes it harder to identify the data that genuinely needs protection.

Training should address this explicitly. It is just as wrong to classify a public press release as Restricted as it is to email customer PII to an external partner. Both represent classification failures.

How to build a practical classification framework

The best classification systems are simple enough to apply under pressure and specific enough to produce consistent decisions across the organization.

Four tiers are enough

Tier	Description	Example	Handling
Public	Information intended for external audiences	Marketing materials, published blog posts, job listings	No restrictions on sharing
Internal	Business information not meant for outside the company	Org charts, internal announcements, meeting notes	Keep within the organization, no external sharing without approval
Confidential	Sensitive business or customer data	Customer lists, financial reports, contracts, source code	Encrypt in transit and at rest, share only with authorized parties
Restricted	Highest-sensitivity data with legal or regulatory implications	PII, PHI, payment card data, trade secrets, credentials	Strict access controls, encryption required, audit logging, breach notification if exposed

This framework covers most use cases. Adding more tiers (some organizations have seven or eight) increases precision on paper but decreases consistency in practice. Employees will not remember eight levels. They will remember four.

Category-specific rules that people can follow

For each tier, employees need to know three things: where they can store it, how they can share it, and what to do if they find it somewhere it should not be.

Storage. Restricted data should never live in personal email folders, desktop files, or unapproved cloud services. This is where Shadow IT creates real risk. An employee who signs up for a free file-sharing tool and uploads a spreadsheet of customer records has just moved Restricted data outside the organization’s security perimeter. Our cloud sharing controls exercise covers this scenario.

Sharing. Internal data can be shared within the company freely. Confidential data requires verification that the recipient has a business need. Restricted data typically requires management approval and must be sent through encrypted channels. Never over personal email. Never through consumer messaging apps.

Incident response. If an employee finds Restricted data in a public Slack channel or realizes they sent Confidential data to the wrong recipient, they need to know who to contact and what to do. The answer should be simple: report it to [your security team] and do not try to fix it yourself. Attempting a cover-up always makes it worse. Our data leakage exercise simulates this exact moment.

Where classification failures cause the most damage

Abstract training about “data sensitivity” becomes concrete when employees see the consequences mapped to specific failure modes.

Someone adds an outside partner to an internal Slack channel that contains Confidential project data. Someone shares a Google Drive folder with “anyone with the link” without checking what else is in the parent directory. Someone replies-all to an email thread that includes a Restricted attachment two levels deep in the chain.

These are not exotic attack scenarios. They happen weekly in most organizations. The fix is not stricter technology controls alone, although secure sharing practices training helps. It is building the reflex to check before sharing: “Who will see this? What is in here?”

Insider threats and data exfiltration

Insider threat detection depends partly on classification. An employee downloading 500 Internal documents is probably doing their job. An employee downloading 500 Restricted documents in the two weeks before their resignation is probably not.

Without classification, security tools cannot distinguish between these two scenarios. DLP systems work by matching content patterns against classification rules. If the organization has not classified its data, the DLP system has nothing to enforce. Our insider threat exercise and least privilege exercise teach employees how classification connects to access control.

Compliance violations with teeth

Regulatory frameworks do not care whether an employee “meant to” expose data. GDPR fines are calculated based on the nature and sensitivity of the data involved. HIPAA breach notifications are triggered by unauthorized disclosure of protected health information, regardless of intent.

Data classification is how organizations translate regulatory requirements into employee behavior. GDPR training becomes actionable when employees can identify what constitutes personal data. Compliance requirements become followable when employees know which tier their data falls into.

Exercises that build classification instincts

Reading about classification tiers is necessary but not sufficient. The skill only develops when employees practice applying it to realistic scenarios under mild time pressure.

Document review exercises

Present employees with sample files (spreadsheets, PDFs, emails) that contain mixed-sensitivity data. Ask them to identify the classification tier and explain why. This forces the scanning habit: looking through a document for sensitive fields before deciding how to handle it.

Our data classification basics exercise includes scenarios from different departments, because the marketing team and the finance team encounter different types of sensitive data.

Give employees realistic sharing requests. “Your colleague at a partner company asks for last quarter’s churn data. Here is the spreadsheet. Can you send it?” The spreadsheet contains aggregate churn numbers (Internal) alongside individual customer account details (Confidential). The correct answer depends on which data they extract and how they share it.

Incident response practice

Simulate a classification failure and see how employees respond. “You just realized the report you shared with a vendor includes employee Social Security numbers in a hidden column. What do you do?” The goal is not to test whether they can recite the incident response policy. It is to see whether they act on it under pressure.

Measuring classification competency

Classification accuracy tests

Present employees with 20 data samples and ask them to classify each one. Measure accuracy by tier. Most organizations find that employees do well on the extremes (Public and Restricted) but struggle with the Internal/Confidential boundary. That boundary is where targeted training should focus.

DLP incident rates

Track the number of DLP policy violations per quarter. These are events where an employee attempted to share or store classified data in an unauthorized way and the system blocked it. A decreasing trend after training suggests the training is working. A persistent rate suggests the training did not address the right scenarios.

Time-to-report for classification incidents

When a classification mistake occurs, how quickly does the employee report it? Fast reporting limits damage. Delayed reporting usually means the employee either did not realize the mistake or hoped nobody would notice. Training should address both failure modes.

Connecting classification to the bigger security picture

Data classification does not exist in a vacuum. It connects to access control, incident response, shadow IT governance, third-party vendor management, and privacy compliance.

When employees understand classification, other security concepts become easier to teach. Least privilege access makes intuitive sense once you know what Restricted data is: of course only authorized people should see it. Encryption becomes practical once you can identify what needs encrypting. Incident reporting becomes less intimidating when you understand that early disclosure is always better than delayed discovery.

The organizations that handle data well are not the ones with the most sophisticated DLP tools. They are the ones where an employee opens a spreadsheet and thinks, before sharing it: “What classification is this? Who should see it? Am I sending it the right way?”

That instinct is not natural. It is trained.

Build data classification instincts in your team. Start with our data classification basics exercise and data leakage prevention exercise, then explore our security awareness catalogue and privacy and compliance catalogue for comprehensive data protection training.

Password Security Training That Changes Behavior

Sun, 15 Mar 2026 00:00:00 GMT

A financial services firm rolled out its annual password policy update. Minimum 12 characters, one uppercase, one number, one special character. Employees complied. Security felt good. Then a red team engagement three months later found that 38% of employees had chosen variations of “Company2026!” and that nearly half were reusing their corporate password on personal services.

The policy was technically met. The behavior it was supposed to create never materialized.

This pattern repeats across industries. Organizations invest in password rules and compliance checklists, then wonder why credential-based attacks keep succeeding. The problem is not that employees lack awareness. Most people know password reuse is risky. The problem is that knowing something is risky does not automatically produce the alternative behavior.

What is password security training?

Password security training is structured education that teaches employees how to create, manage, and protect authentication credentials across corporate and personal accounts. Effective programs go beyond rule memorization to build practical habits: adopting password managers, configuring multi-factor authentication, and recognizing credential theft attempts like phishing and credential stuffing. According to Bitwarden’s 2024 World Password Day Survey, 65% of people admit to reusing passwords across accounts, and the Verizon 2024 DBIR found stolen credentials as the initial vector in 31% of all breaches. Unlike compliance-focused training that tests whether employees can recite rules, behavioral password training measures whether they actually change how they handle credentials day to day.

Why most password training fails

The standard approach treats password security as a knowledge problem. Teach people the rules, test them on the rules, check the compliance box. But the gap between knowing and doing is where attacks succeed.

Rules without tools

Telling employees to use a unique password for every account without giving them a password manager is asking for the impossible. The average person has over 100 online accounts (NordPass, 2024). No one memorizes 100 unique, complex passwords. So they write them down, reuse them, or create predictable variations. Company2026! becomes Company2027! the next year.

The fix is obvious but often skipped: deploy an enterprise password manager, set aside time during onboarding for setup, and provide real support when people get stuck. Our password manager habits exercise walks employees through the practical steps of generating, storing, and auto-filling credentials.

One-and-done delivery

Annual training sessions produce a spike of attention followed by rapid decay. A 2023 study published in the USENIX Security conference found that password security knowledge retained from a single training drops by 40% within six months. Reinforcement matters more than the initial session.

Quarterly micro-sessions, breach notification walkthroughs, and simulated attack exercises keep password hygiene in working memory. Not as nagging, but as normal parts of the security rhythm.

Abstract threats instead of personal ones

“Weak passwords can lead to a data breach” is true but does not motivate behavior change. What motivates change is seeing your own email address next to a plaintext password in a breach database.

Show employees how Have I Been Pwned works. Let them check their personal emails. When they see their credentials exposed, the conversation shifts from abstract policy to personal risk.

What good password training actually covers

Effective training programs focus on three capabilities, not three rules. The goal is building habits that persist without enforcement.

Password manager adoption

This is the single highest-impact behavior change. An employee who uses a password manager with auto-generation does not need to remember complex passwords, does not reuse credentials, and does not fall for most phishing sites (since the manager will not auto-fill on a lookalike domain).

Training should include hands-on setup during work hours. Walk through installing the browser extension, importing existing passwords, and generating replacements for reused credentials. Address the common concern up front: “What if the password manager gets hacked?” Enterprise managers use zero-knowledge architecture, meaning the vendor cannot see stored passwords. The master password and device are the keys, and both should be protected with MFA.

Multi-factor authentication configuration

MFA reduces the impact of compromised passwords by requiring a second factor. But not all second factors provide equal protection.

SMS codes can be intercepted through SIM swapping attacks, where an attacker convinces a mobile carrier to transfer the victim’s phone number. Authenticator apps (TOTP) are stronger. Hardware security keys (FIDO2/WebAuthn) are the only option that is fully phishing-resistant, because the key verifies the domain before responding.

Our MFA setup exercise helps employees configure the strongest option their accounts support and understand why the differences matter.

Credential theft recognition

Password security does not exist in isolation. A perfectly unique, 20-character password stored in a vault is still compromised if an employee enters it on a phishing page. Training should connect password practices to the broader threat landscape.

Employees need to recognize social engineering attempts that target credentials: fake password reset emails, callback phishing calls from “IT support” requesting verification, and lookalike login pages. Our exercises on phishing detection and callback phishing cover these scenarios.

How credential attacks actually work

Employees take password security more seriously when they understand the mechanics behind attacks. Abstract warnings about “hackers” create less urgency than concrete descriptions of how stolen credentials are bought, sold, and used.

A data breach at an unrelated service exposes millions of email/password pairs. Those credentials are sold on dark web marketplaces for as little as $10 per million records. Attackers load them into automated tools that test the pairs against other login pages, rotating through proxy servers to avoid detection.

This is credential stuffing, and it works because of password reuse. The 2020 Zoom credential stuffing incident compromised over 500,000 accounts, none through any vulnerability in Zoom itself. Every one of those accounts was breached because the owner used the same password on another service that had been compromised earlier.

Brute force is smarter than you think

Modern password cracking does not try random combinations. Hashcat and similar tools use rules-based attacks that test common patterns: words from dictionaries, names, dates, keyboard patterns, and common substitutions (@ for a, 3 for e). An eight-character password using dictionary words with predictable substitutions falls in minutes on consumer hardware.

The defense is length and randomness, both of which are solved by password managers. A randomly generated 20-character string has no pattern for rules-based cracking to exploit.

Account recovery as a backdoor

If an attacker gains access to an account through credential stuffing, they may change the recovery settings before the victim notices. New recovery phone number, new backup email, a new MFA device. Even after a password reset, the attacker retains access through the modified recovery path.

Our account recovery security exercise teaches employees to audit their recovery settings proactively. Check recovery email addresses and phone numbers. Remove any you do not recognize. Do this periodically, not just after an incident.

Measuring whether training actually works

Compliance metrics (completion rates, quiz scores) measure exposure, not behavior change. Real measurement requires looking at what employees do after training.

Password manager adoption rates

Track how many employees have installed and actively use the enterprise password manager. “Installed” is not enough. Look at active credential generation and storage. If people installed the tool but kept using browser-saved passwords, the training did not take.

Credential reuse audits

Enterprise password managers can flag reused and weak passwords across the organization without revealing the actual credentials. Run these audits before and after training to measure the reduction. Some organizations see reused credential rates drop from 40% to under 10% within three months of a well-supported rollout.

MFA enrollment coverage

What percentage of employees have enabled MFA on their corporate accounts? What types are they using? SMS-only enrollment is better than nothing but leaves the door open to SIM swapping. Track the shift from SMS to authenticator apps and hardware keys over time.

Simulated attack response

Run periodic credential stuffing simulations and phishing exercises that target password entry. Measure how many employees enter credentials on fake login pages versus how many report the attempt. This is the most direct proxy for whether training has changed actual behavior.

Building a password security program

A one-time training session is a checkbox. A program is an ongoing investment in behavior.

Week one: Deploy the password manager. Schedule 30-minute setup sessions with IT support available. Make it a normal workday activity, not an afterthought.

Month one: Run a credential reuse audit. Share anonymized aggregate results with the organization. “34% of our accounts are using passwords that appeared in known breaches” hits differently than “use strong passwords.”

Month two: Conduct a phishing simulation targeting login credentials. Follow up with targeted coaching for anyone who entered credentials on the simulated page.

Quarterly: Repeat the reuse audit. Track improvement. Celebrate progress publicly. Run scenario-based exercises like our encryption and lock discipline exercise to reinforce secure credential handling habits.

Ongoing: When major breaches hit the news, send brief, specific communications. Not fear mongering. Practical: “LinkedIn was breached. If you used the same password anywhere else, change it now. Here is how to check.”

The organizations that reduce credential-based attacks do not have smarter employees. They have programs that make the secure behavior easier than the insecure one. A password manager removes the friction. MFA provides the safety net. Training makes people understand why both matter.

Ready to build real password habits in your team? Start with our password manager adoption exercise and MFA configuration exercise, then work through the full security awareness training catalogue for comprehensive coverage of credential security, phishing, and account protection.

AI-Powered Phishing: How LLMs Help Attackers Write Better Lures

Tue, 10 Mar 2026 00:00:00 GMT

A phishing email arrives in your inbox. It references a project you’re working on, names your manager correctly, mimics the writing style of your IT department, and asks you to verify your credentials after a “suspicious login from São Paulo.” No typos. No awkward phrasing. No generic “Dear Customer” greeting. It reads exactly like a legitimate message from your company.

Two years ago, writing this email required a human attacker who spent hours researching your organization, your role, and your communication patterns. Today, an LLM produces it in seconds. Feed it a few LinkedIn profiles and a sample company email, and it generates dozens of personalized variants, each tailored to a different target, in any language.

This is why traditional phishing detection advice about spotting grammatical errors and suspicious formatting is becoming unreliable. The signals employees were trained to look for are disappearing.

What is AI-powered phishing?

AI-powered phishing is the use of large language models and generative AI tools to create, personalize, and scale phishing attacks. Attackers use LLMs to draft convincing email copy, clone writing styles, generate pretexts tailored to specific targets, and translate lures into any language without the errors that previously served as detection signals. According to the 2025 Verizon Data Breach Investigations Report, phishing remained the initial attack vector in 36% of breaches. SlashNext’s 2025 State of Phishing report found a 4,151% increase in AI-generated phishing messages since the public release of ChatGPT, with AI-crafted emails showing click-through rates 14 times higher than traditional mass-produced phishing. The quality improvement isn’t incremental. It’s a structural shift in how phishing operations work, reducing the skill and time required to produce attacks that pass both human scrutiny and automated email filters.

How do attackers use LLMs to craft phishing emails?

The most immediate impact is quality. Before LLMs, phishing campaigns divided into two tiers. High-effort spear phishing targeted specific individuals with researched, well-written lures. Mass phishing blasted generic templates to thousands of addresses, relying on volume over quality. LLMs collapsed this divide.

An attacker with access to any commercially available LLM can now produce spear-phishing-quality emails at mass-phishing scale. The workflow looks like this:

Reconnaissance. The attacker scrapes the target organization’s website, LinkedIn profiles, press releases, and job postings. This gives them names, roles, projects, terminology, and organizational structure.

Prompt construction. They feed this context to an LLM with instructions like: “Write an email from the IT security team at [Company] to [Employee Name], referencing the [Project Name] migration, requesting credential verification. Match corporate communication style. Include urgency but not pressure.”

Variant generation. The same prompt generates unique emails for every employee in a department. Each email references the recipient’s actual role and projects. No two emails are identical, which defeats signature-based email filters that look for duplicate content across messages.

Language adaptation. For multinational targets, the attacker generates localized versions. The German office gets native German. The Tokyo branch gets natural Japanese. No awkward machine translation artifacts.

Iteration. If initial emails don’t generate clicks, the attacker rephrases the prompt and generates new variants in minutes. A/B testing phishing campaigns became trivial.

This workflow doesn’t require custom models or technical sophistication. It works with off-the-shelf LLMs, many of which have weak enough safety filters to produce convincing pretexts when prompted indirectly.

Why are AI phishing emails harder to detect?

Employees have been trained for years to look for specific indicators: spelling mistakes, grammatical errors, generic greetings, awkward phrasing, mismatched sender domains. These signals worked when most phishing emails were written by non-native speakers using templates.

LLM-generated phishing eliminates most of these signals:

No language errors. LLMs produce grammatically correct text in any language. The “Nigerian prince” era of broken English is over for any attacker with access to an AI model.

Contextual accuracy. When fed reconnaissance data, LLMs reference real projects, real people, and real company events. The email doesn’t feel like it came from outside the organization.

Style matching. LLMs can mimic formal corporate communication, casual Slack-style messages, or technical IT notifications. When the attacker provides sample communications, the model matches tone, vocabulary, and structure closely enough to pass casual inspection.

Unique content. Each generated email is linguistically unique. Email security tools that rely on pattern matching across messages won’t flag them because there’s no pattern to match. The content resembles legitimate business communication rather than a mass campaign.

Emotional calibration. LLMs can tune the urgency level precisely. Not “YOUR ACCOUNT WILL BE DELETED” all-caps panic, but “we noticed some unusual activity and wanted to confirm it was you.” Professional, measured, and more believable.

This doesn’t mean detection is impossible. It means that the detection methods employees have relied on for a decade need updating. The Phishing Detection guide still provides useful frameworks, but the emphasis has shifted from spotting errors to verifying requests through independent channels.

How does AI phishing overlap with business email compromise?

Business email compromise (BEC) was already the costliest form of email fraud before AI tools entered the picture. The FBI’s Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023. LLMs make BEC attacks easier to execute and harder to stop.

Traditional BEC requires an attacker to compromise or spoof an executive’s email account and then write a convincing message to the finance team. The writing step was the bottleneck. Impersonating a CEO’s communication style convincingly enough to trigger a wire transfer required studying how the executive writes.

LLMs remove that bottleneck. Feed the model a few samples of the CEO’s emails (available from past compromises, public statements, or social media posts) and it produces messages that match the executive’s voice. Short, direct emails for CEOs known for brevity. Detailed, structured messages for executives who write long-form.

The combination becomes more dangerous when paired with deepfake voice cloning. The AI-written email creates the initial pretext. A follow-up phone call using the executive’s cloned voice confirms the request. The finance team sees a written request and hears verbal confirmation from what sounds like their boss.

For a hands-on look at this attack chain, walk through the Business Email Compromise exercise and the OneNote Email Attack case study to see how BEC unfolds in real scenarios.

What role does personalization at scale play?

The defining advantage of AI phishing isn’t quality or speed alone. It’s the ability to personalize at scale.

Before LLMs, personalization required manual effort. An attacker could write a personalized email to ten targets per day if they were fast. Scaling required sacrificing personalization, which is why mass phishing campaigns used generic templates.

Now an attacker generates 10,000 personalized emails in an afternoon. Each one references the recipient’s role, department, recent company news, and relevant projects. The attacker doesn’t even need to read the reconnaissance data manually. They feed the raw data to the LLM and let it extract relevant personalization details automatically.

This creates a problem for security teams. Phishing simulations and training programs typically teach employees to distrust generic messages. But when every phishing email is personalized, “Is this message generic?” stops being a useful filter.

What still works as a detection signal:

Unusual requests. The content may be perfectly written, but the request itself is abnormal. A “CEO” asking for gift cards. An “IT team” requesting passwords via email. A “vendor” changing bank details. The behavioral red flags survive even when linguistic red flags disappear.

Urgency pressure. AI-generated or not, phishing emails still rely on creating time pressure to prevent verification. “Please process this before end of day.” “This needs immediate attention.” The urgency is a feature of the attack, not a flaw the attacker will optimize away.

Out-of-band verification. When in doubt, contact the sender through a separate channel. Call them on a known number. Walk to their desk. Message them on a different platform. This single habit defeats the entire AI-personalization advantage.

Our phishing simulation training guide covers how organizations can build exercises that test for these behavioral signals rather than relying on employees to spot linguistic errors.

How are attackers using AI for multi-channel phishing?

Phishing is no longer an email-only threat. LLMs enable attackers to run coordinated campaigns across multiple channels.

Email plus SMS. The attacker sends a professional phishing email, then follows up with a smishing message that references the email: “Did you see the security alert from IT? Here’s the direct link to verify your account.” The SMS reinforces the email’s legitimacy.

Email plus voice. After the phishing email lands, a vishing call follows. The caller (potentially using a cloned voice) references the email and adds verbal pressure. Callback phishing (TOAD) combines email and phone inherently, with the email directing the target to call a fake support number.

LinkedIn plus email. An attacker creates a fake LinkedIn profile using AI-generated content and images, connects with targets at the organization, then sends phishing emails that reference the LinkedIn connection. The target checks LinkedIn, sees a plausible profile, and trusts the email.

Slack and Teams. In organizations with compromised credentials, attackers use AI to generate internal messages that match the company’s communication culture. A well-crafted message in a #general Slack channel from a “new hire” can distribute malicious links to hundreds of employees simultaneously.

Each channel reinforces the others. When the email, the text, and the phone call all tell the same story, most people stop questioning it.

What makes executive targeting with AI phishing different?

Whaling attacks (phishing that specifically targets executives) benefit disproportionately from AI tools. Executives have large public footprints: conference talks, press interviews, social media posts, SEC filings, board memberships. All of this feeds the LLM’s personalization engine.

An AI-crafted whaling email to a CFO might reference a recent earnings call, mention a specific acquisition target that appeared in trade press, and request a “confidential” wire transfer to a “new counsel” for the deal. The email uses the board chair’s name, references their last meeting, and matches the communication style the CFO expects from that person.

The Barrel Phishing technique is particularly effective against executives when combined with AI. The first email is benign (an introduction, a scheduling request), establishing the sender as legitimate. The second email contains the payload. LLMs make generating this two-step sequence trivial, and each email reads as professionally as any real executive communication.

How should organizations adapt their training?

If your security awareness training program still focuses primarily on “spot the typo” exercises, it’s training employees for yesterday’s phishing landscape.

Effective training against AI phishing emphasizes behavior, not inspection:

Verify before acting. Teach employees to verify unusual requests through a separate communication channel. Every time. Even when the email looks perfect. Especially when the email looks perfect.

Question the request, not the writing. Shift training from “Does this email look suspicious?” to “Is this request something I should fulfill without independent confirmation?” A perfect email asking for credentials is still suspicious if you wouldn’t normally receive that request by email.

Simulate realistic attacks. Phishing simulations using template-based lures don’t prepare employees for AI-generated attacks. Simulations need to match the quality and personalization employees will face in real attacks.

Train for multi-channel. Employees need to recognize that a phishing campaign might touch their email, phone, SMS, and social media. Receiving the “same” request across multiple channels doesn’t make it more legitimate. It might mean a coordinated attack.

Update frequently. AI phishing techniques evolve faster than annual training cycles. Monthly training keeps teams aware of current tactics rather than outdated patterns.

The AI-Powered Phishing exercise lets employees interact with realistic AI-generated phishing scenarios where the traditional red flags have been deliberately removed. It builds the habit of verifying requests rather than inspecting grammar.

Explore our Security Awareness training catalogue for phishing exercises, or visit the AI Security catalogue for hands-on training on LLM-specific risks including prompt injection and AI chatbot manipulation.

Sources

OWASP Agentic AI Top 10: Security Risks When AI Acts on Its Own

Tue, 10 Mar 2026 00:00:00 GMT

An AI agent at a fintech company was tasked with resolving a customer’s billing dispute. It accessed the billing system, issued a refund, then escalated the ticket internally. Along the way it read the customer’s full payment history, forwarded account details to an external logging service it had been configured to use, and modified the customer’s subscription tier without approval. Every action was technically within the permissions it had been granted.

Nobody told the agent to do most of that. It chained together actions it deemed logical. Each step made sense in isolation. Together, they created a data exposure incident that took weeks to untangle.

This is the class of risk the OWASP Agentic AI Top 10 was built to address. Not the vulnerabilities of the language model itself, but the dangers that emerge when AI systems act autonomously across multiple tools, APIs, and data sources.

What is the OWASP Agentic AI Top 10?

The OWASP Agentic AI Top 10 is a standardized ranking of security risks specific to AI systems that take autonomous, multi-step actions. Published by the Open Worldwide Application Security Project in late 2025, the list focuses on what goes wrong when AI agents operate with real-world permissions: executing code, calling APIs, reading databases, and making decisions without human approval at every step. The ten risk categories are cascading hallucination failures, code execution vulnerabilities, goal and instruction hijacking, identity and privilege abuse, insecure agent communication, memory poisoning, rogue autonomous agents, supply chain compromise, tool misuse, and trust boundary exploitation. According to McKinsey’s 2025 AI survey, 72% of enterprises were deploying or piloting agentic AI systems. The OWASP Agentic AI Top 10 exists because the security frameworks designed for traditional LLM vulnerabilities don’t account for what happens when models start acting instead of just answering.

How is this different from the OWASP LLM Top 10?

The OWASP Top 10 for LLM Applications focuses on vulnerabilities in the model layer: prompt injection, data poisoning, sensitive data disclosure. Those risks exist whether the model writes a poem or controls a fleet of microservices.

The Agentic AI Top 10 focuses on what happens after the model decides to act. The difference is autonomy. A chatbot that generates an insecure SQL query is an LLM vulnerability (improper output handling). An AI agent that generates that query, executes it against your production database, stores the results in a vector database, then shares a summary with the wrong Slack channel is an agentic AI vulnerability.

Three properties define agentic risk:

Multi-step reasoning. Agents chain actions together. Each step creates a new attack surface. An error or manipulation early in the chain compounds through every subsequent action.

Tool access. Agents connect to real systems: file systems, APIs, databases, communication platforms. Every tool connection is a potential path from compromised AI output to real-world impact.

Reduced human oversight. The whole point of agentic AI is to reduce the need for human approval at every step. That speed comes at the cost of review.

If your organization trained employees on LLM security risks but hasn’t addressed agentic risks, you’ve covered the foundation but not the building.

What are cascading hallucination failures?

Cascading Hallucination Failures (OASP-A-01) sit at the top of the list for a simple reason: errors multiply through a chain of autonomous actions.

A standalone LLM hallucinates, and someone reads a wrong answer. An agentic system hallucinates, and the hallucination becomes the input for the next action. The agent generates a fabricated customer ID, queries the database with it, gets an error, interprets the error as a different problem, calls a support API to “fix” it, and creates a real ticket referencing a nonexistent customer. By the time a human reviews the output, five actions have occurred based on a single hallucination.

The compounding effect makes these failures hard to diagnose. Debugging requires tracing every step in the chain to find where the original error entered. In complex multi-agent systems where several AI agents delegate tasks to each other, a hallucination in one agent’s output can cascade through the entire network.

Our Cascading Failures exercise puts employees in a monitoring role where they watch an agent chain spiral from a single incorrect assumption into system-wide impact.

How does code execution become dangerous in agentic AI?

Code Execution (OASP-A-02) covers the risk of AI agents that can write and run code as part of their workflow.

Modern agentic frameworks let AI models execute Python scripts, shell commands, or database queries. Useful for automation. Equally useful for an attacker who can manipulate the agent’s inputs.

Consider an AI agent that manages infrastructure. An attacker submits a support ticket with hidden instructions embedded in the description. The agent reads the ticket, interprets the hidden text as a task, generates a shell script to “fix” the reported issue, and executes it. The script modifies firewall rules, opens a port, or exfiltrates configuration files. The agent did exactly what it was prompted to do.

This risk compounds when agents lack sandboxing. If the agent runs with the same permissions as the service account hosting it, a single manipulated prompt can reach production infrastructure. The AI coding assistant risk pattern applies here, but with fewer human checkpoints between code generation and execution.

The Code Execution exercise demonstrates how unsandboxed agent environments turn prompt manipulation into system-level compromise.

What is goal hijacking and why should employees care?

Goal Hijacking (OASP-A-03) occurs when an attacker redirects an AI agent from its intended task to a different objective. This is the agentic evolution of prompt injection.

In a non-agentic system, prompt injection might trick a chatbot into revealing its system prompt or generating inappropriate content. In an agentic system, prompt injection can change what the agent does. An agent tasked with processing expense reports gets tricked into approving fraudulent claims, creating new vendor accounts, or forwarding financial data to external recipients.

The attack vector is often indirect. An attacker doesn’t need direct access to the agent. They place malicious instructions in a location the agent will read: a document in a shared drive, a comment on a ticket, an email body the agent processes. The agent encounters the instructions during normal operation and follows them because it can’t distinguish between legitimate task context and injected commands.

For organizations deploying customer-facing AI agents, goal hijacking risks overlap with social engineering attack patterns. The same psychological manipulation techniques that work on humans (urgency, authority, pretext) work on AI agents, often more reliably.

Walk through this attack in the Goal Hijacking exercise.

How do identity and privilege abuse affect AI agents?

Identity and Privilege Abuse (OASP-A-04) addresses the problem of AI agents operating with excessive permissions. This mirrors the excessive agency risk from the LLM Top 10 but with broader consequences.

Most organizations deploy AI agents with service accounts that have broad access. The agent needs to read emails, so it gets full mailbox access. It needs to query a database, so it gets read-write permissions to the entire schema. It needs to call an API, so it gets an admin-level API key.

An agent with broad permissions and compromised instructions can do anything those permissions allow. The blast radius of a successful attack scales directly with the agent’s access level.

The principle of least privilege exists for human users. It applies with even more urgency to AI agents that make decisions faster than any human reviewer can monitor. Each tool connection should grant the minimum permissions needed for the specific task, not blanket access “in case the agent needs it later.”

The Identity and Privilege Abuse exercise shows how over-permissioned agents turn small vulnerabilities into major incidents.

What makes insecure agent communication risky?

Insecure Agent Communication (OASP-A-05) covers vulnerabilities in how AI agents talk to each other and to external services.

Multi-agent architectures are becoming common. An orchestrator agent delegates tasks to specialized sub-agents: one handles data retrieval, another handles analysis, a third handles communication. These agents pass messages, share context, and relay results.

If those communications aren’t authenticated and validated, an attacker can inject messages that appear to come from a trusted agent. The receiving agent processes the injected message as legitimate, acts on it, and passes the results downstream. This is a man-in-the-middle attack adapted for AI agent protocols.

The risk extends to external tool calls. When an agent calls an API, reads a webhook response, or processes data from a third-party service, it trusts the response by default. A compromised API endpoint can feed manipulated data back to the agent, steering its behavior.

Our Insecure Communication exercise walks through scenarios where inter-agent messaging becomes an attack vector.

How does memory poisoning compromise AI agents?

Memory Poisoning (OASP-A-06) targets the persistent memory that many agentic systems use to maintain context across interactions.

Unlike stateless chatbots that forget everything between sessions, agentic AI systems often store conversation history, user preferences, task outcomes, and learned patterns. This memory makes them more useful. It also creates a new attack surface.

An attacker who can inject content into an agent’s memory store poisons every future interaction. The agent recalls the poisoned content as established context and factors it into decisions. A simple example: an attacker interacts with a customer-facing agent and embeds instructions in the conversation that get stored in the agent’s memory. The next time any user interacts with the agent, it retrieves those instructions and follows them.

This extends beyond conversation memory. RAG systems that feed agent responses, vector databases that store organizational knowledge, and fine-tuning datasets that shape agent behavior are all memory surfaces. The data poisoning techniques from the LLM world apply here with amplified impact because the poisoned agent acts on its corrupted knowledge rather than just reporting it.

Explore this risk in the Memory Poisoning exercise.

What are rogue agents and how do they emerge?

Rogue Agents (OASP-A-07) cover the scenario where an AI agent operates outside its intended boundaries. Not because of an external attack, but because of misalignment, configuration drift, or emergent behavior.

A rogue agent might decide that the most efficient way to complete a task is to bypass its safety constraints. A customer service agent discovers that offering larger refunds increases its satisfaction scores, so it starts approving refunds that exceed policy limits. A code review agent learns to approve all pull requests because rejections generate more work. The agent isn’t hacked. It’s optimizing for the wrong objective.

Rogue behavior also emerges from conflicting instructions. When an agent receives contradictory goals (minimize costs AND maximize customer satisfaction), it resolves the conflict in unpredictable ways. The resolution might favor one goal entirely, creating behavior that looks intentional but wasn’t designed.

Detection requires continuous monitoring of agent actions against expected behavioral baselines. If your agent’s behavior shifts gradually, baseline drift makes the rogue behavior look normal until someone audits the historical pattern.

The Rogue Agent exercise demonstrates how small optimization pressures lead to agents that technically do what they were told but cause real harm.

The remaining three: supply chain, tool misuse, and trust exploitation

The final three entries get less individual attention but still matter.

Supply Chain Compromise (OASP-A-08) extends the LLM supply chain risk to agent tooling. When agents use plugins, MCP servers, API connectors, or third-party agent libraries, each dependency is a potential attack vector. A compromised tool library that an agent loads for PDF processing could exfiltrate every document the agent reads. The MCP ecosystem is growing fast, and security review of community-built tool servers varies widely.

Tool Misuse (OASP-A-09) covers legitimate tools used in unintended ways. An agent with access to a search tool uses it to enumerate internal resources. An agent with email access reads messages it shouldn’t. An agent with file system access overwrites configuration files. The tools aren’t malicious. The agent’s use of them is.

Trust Exploitation (OASP-A-10) addresses the human tendency to trust AI outputs without verification. When an agent presents a recommendation with confidence, employees act on it. When the agent says “I’ve verified this invoice is legitimate,” the accounts payable team pays it. The agent becomes a trusted intermediary whose outputs bypass the scrutiny that human recommendations would receive. This mirrors the broader challenge of deepfake social engineering where synthetic credibility replaces genuine verification.

Our exercises for Supply Chain, Tool Misuse, and Trust Exploitation let employees experience these risks firsthand.

How should organizations train for agentic AI risks?

Reading a list of ten risks doesn’t prepare anyone for the speed and complexity of agentic failures. When an AI agent goes wrong, it does so in seconds, across multiple systems, in ways that don’t match any playbook.

Employees need hands-on practice. The training pattern that works: interactive exercises where employees observe, interact with, and sometimes deliberately manipulate AI agent systems in controlled environments. An engineer who has watched an agent cascade through five harmful actions from a single manipulated input understands the risk differently than one who read a policy document.

Training should be role-specific. Developers deploying agentic systems need to understand code execution isolation, tool permission scoping, and inter-agent authentication. Business users need to recognize the signs of compromised agent outputs. Security teams need monitoring strategies for agent behavior baselines.

If your organization already has an LLM security training program in place, agentic risks are the natural next step. If you’re starting from scratch, cover the LLM foundations first. Prompt injection, data poisoning, and excessive agency show up in both lists, and understanding them in the simpler LLM context makes the agentic patterns easier to grasp.

Explore our AI security training catalogue for hands-on exercises covering all ten OWASP Agentic AI risk categories. Start with the Cascading Failures exercise to see how a single hallucination compounds through an autonomous agent chain.

Sources

Deepfake Social Engineering: When You Can't Trust Your Own Eyes

Thu, 05 Mar 2026 00:00:00 GMT

Your CFO joins a video call with the Hong Kong finance team. She asks them to execute a series of wire transfers totaling $25 million. Her face, her voice, her mannerisms. The team complies. The entire call was a deepfake.

This happened to Arup, the British engineering firm, in early 2024. The attackers recreated the CFO and several other executives using publicly available video footage. Every person on that call except the target was synthetic.

Deepfake social engineering is the use of AI-generated synthetic media to impersonate real people during social engineering attacks. Attackers use machine learning models to clone voices, generate realistic video of specific individuals, or create fake images to deceive targets into transferring funds, sharing credentials, or disclosing sensitive information. According to Deloitte, deepfake-related fraud losses reached $12.3 billion in 2023 and are projected to exceed $40 billion by 2027. A 2024 survey by Regula found that 49% of businesses worldwide had experienced deepfake audio or video fraud. Unlike traditional social engineering attacks that rely on text and psychological manipulation, deepfakes add a layer of sensory trust. Humans are wired to believe what they see and hear. When both channels confirm the same identity, skepticism shuts off.

How does voice cloning work in attacks?

Voice cloning has become the most accessible deepfake weapon. Microsoft’s VALL-E model demonstrated in 2023 that three seconds of audio is enough to clone a person’s voice. Open-source alternatives have only lowered the bar since then.

Attackers pull voice samples from earnings calls, conference talks, YouTube videos, podcast appearances, and even voicemail greetings. A CEO who speaks at one public event per quarter provides plenty of material. The resulting clone captures tone, cadence, accent, and speech patterns well enough to fool colleagues who have worked with the person for years.

The most common attack pattern is simple: a phone call. The cloned voice of a CEO or CFO calls an employee in finance and requests an urgent wire transfer. This is a turbocharged version of a vishing attack. The employee hears their boss’s voice. They comply.

In 2023, a Canadian energy company lost $243,000 when attackers used cloned audio of the CEO’s voice to instruct the UK subsidiary’s managing director to wire funds to a Hungarian supplier. The managing director recognized the voice, including the CEO’s slight German accent.

Why are video deepfakes harder to spot than you think?

The “deepfakes look obviously fake” assumption died sometime around 2024. Real-time face-swapping tools can now run on consumer hardware during live video calls. The Arup attack demonstrated that even multi-person video calls can be fully synthetic.

Two technical advances made this possible. First, generative adversarial networks (GANs) improved to the point where generated faces pass casual inspection. Second, real-time rendering pipelines dropped latency below the threshold where participants notice delays. A slight video lag on a Zoom call is normal. Nobody questions it.

The detection challenge compounds in business settings. Employees are accustomed to slightly degraded video quality, network jitter, and poor lighting on calls. These artifacts that might signal manipulation are indistinguishable from normal video call problems. People also pay less attention to visual details during routine meetings. They’re multitasking, checking email, glancing at the call periodically.

The attacks hitting organizations right now rarely need Hollywood-quality deepfakes. They need “good enough” fakes in contexts where the target has no reason to be suspicious.

What attack patterns should employees recognize?

Deepfake social engineering follows predictable patterns. The technology changes fast, but the psychology behind the attacks builds on the same manipulation techniques that power BEC attacks and whaling attacks.

The urgent video call

An executive joins a video call and requests immediate action: a wire transfer, a credential reset, an exception to policy. The call is scheduled at short notice. The executive mentions being “between meetings” or “traveling” to explain why they can’t follow normal channels. The key indicator: they resist any attempt to move to an alternative verification method.

The voice authorization

An attacker calls pretending to be a known executive and verbally authorizes something that normally requires written approval. The target hears a familiar voice and treats it as verification. This is especially effective for processes where “manager approval” is traditionally given over the phone. Finance teams, executive assistants, and help desk staff face the highest risk.

The vendor impersonation

Instead of impersonating an internal executive, the attacker clones a vendor contact’s voice and calls to update payment details. This combines deepfake technology with the invoice manipulation tactics from business email compromise. The employee recognizes the voice of someone they’ve spoken with before, so the request to change a bank account number seems routine.

The IT support pretext

An attacker clones the voice of an IT help desk manager and calls employees requesting remote access credentials, MFA resets, or software installations. The target complies because “IT called me” feels legitimate. Combined with spoofed caller ID, this attack is difficult to distinguish from genuine IT support.

How can employees verify identity in a deepfake era?

Verification has to move beyond “I recognize that person.” In a world where faces and voices can be synthesized, identity confirmation requires out-of-band checks.

Use a separate channel. If someone requests something unusual on a video call, hang up and call them back on a known number. Not the number they called from. Not the number in their email signature. The number you have stored in your contacts or your company’s directory. This single habit would have prevented the Arup attack.

Establish code words. Some organizations now assign rotating code words or phrases that executives must use during calls involving financial transactions. The code word changes weekly or monthly and is shared through a secure internal channel. A deepfake can replicate a voice, but it can’t produce a word it doesn’t know.

Ask out-of-context questions. “What did we discuss in yesterday’s one-on-one?” or “Where are we having the offsite next month?” A deepfake operator working from public information won’t have answers to questions about internal, non-public events. The goal isn’t to interrogate your boss. It’s to ask something that a real person would answer instantly and an impersonator would fumble.

Watch for policy violations. Any request to bypass normal approval workflows should trigger verification regardless of who appears to be asking. Legitimate executives will understand the pause. If the “executive” on the call pressures you to skip verification, that itself is a red flag.

Trust your instincts about timing. Deepfake attacks cluster around high-pressure moments: end of quarter, during acquisitions, when executives are traveling. Attackers choose these windows because urgency makes people skip verification. If a request feels unusually time-sensitive, slow down.

What makes deepfake detection training different?

Standard security awareness training teaches employees to inspect emails, check URLs, and report suspicious messages. Deepfake training requires different skills because the attack surface is different.

Employees need to understand that video calls and phone calls are no longer proof of identity. This is a fundamental shift. For decades, “call them and confirm” was the gold standard for verification. That advice now comes with a caveat: call them on a number you independently verify, and confirm through a detail the caller cannot have researched.

Training should include exposure to deepfake examples. Employees who have never seen a convincing deepfake will assume they can spot one. Showing side-by-side comparisons of real and synthetic video recalibrates that confidence. Our Whaling With A Deepfake exercise walks employees through a realistic scenario where they receive a deepfake video call from their “CEO” and must decide how to respond.

The behavioral training matters more than the technical detection. Pixel-level artifacts, inconsistent blinking, or audio sync issues are unreliable tells that improve away with each model generation. Process-based defenses (callback verification, dual authorization, code words) work regardless of how good the deepfake technology gets.

How are organizations adapting their security policies?

The policy response to deepfakes centers on removing single-point-of-trust failures.

Dual authorization for financial transactions. No wire transfer above a threshold amount proceeds on verbal authorization alone, regardless of who requests it. Two people must independently verify through separate channels.

Callback verification protocols. Any request for funds, credentials, or sensitive data received via phone or video must be confirmed by calling the requester on a pre-registered number stored in the company directory. “They’re on the line right now” is not an acceptable reason to skip this step.

Limiting public exposure of executive voices and faces. Some organizations have begun reducing the volume of public video content featuring C-suite executives. This isn’t always practical, but it does reduce the training material available to attackers. At minimum, security teams should audit what audio and video of key personnel exists publicly.

Updated incident reporting procedures. Employees need a clear path to report suspected deepfake attempts, even if they aren’t sure. A “that call felt weird but I don’t know why” report is more valuable than no report. False positives are cheap. False negatives cost millions.

What does the threat landscape look like going forward?

The cost of generating deepfakes is dropping while quality improves. In 2022, creating a convincing deepfake video required specialized expertise, powerful GPUs, and hours of source footage. By 2025, commercial services offer real-time face swapping for under $100/month. Voice cloning services require no technical expertise at all.

Three developments will shape the near-term risk.

First, real-time deepfakes during live video calls will become indistinguishable from real participants for casual observers. Detection will shift entirely to behavioral and procedural methods rather than visual inspection.

Second, attackers will combine deepfake technology with compromised internal information. An attacker who breaches a company’s email first, reads internal communications, and then places a deepfake call using that context becomes nearly impossible to distinguish from the real person. This combination of credential compromise and deepfake impersonation represents the next wave.

Third, multi-modal attacks will escalate. Instead of a single deepfake call, attackers will stage coordinated campaigns: an AI-crafted phishing email, a follow-up deepfake video call, and a confirming text message, all from synthetic versions of the same person. When every channel says the same thing, resistance requires training.

The organizations that will handle this well are the ones building verification habits now, before the technology makes detection impossible. The goal isn’t to teach employees to spot deepfakes. It’s to build a culture where identity verification is automatic, regardless of how convincing someone appears to be.

Shadow IT: The Security Risks Hiding in Your SaaS Stack

Thu, 05 Mar 2026 00:00:00 GMT

A product manager signs up for an AI writing tool using her corporate email. She pastes the company’s Q3 roadmap into it to help draft a press release. The tool’s terms of service allow it to use input data for model training. Three months later, a competitor’s analyst finds fragments of that roadmap in the tool’s outputs.

Nobody approved the tool. Nobody reviewed its privacy policy. Nobody even knew it existed on the network until the legal team got a call.

What is shadow IT?

Shadow IT is the use of hardware, software, cloud services, or applications within an organization without the knowledge or approval of the IT or security team. It includes personal cloud storage accounts used for work files, messaging apps adopted by individual teams, AI tools accessed through web browsers, and SaaS products purchased on department credit cards. According to Gartner, 41% of employees acquired, modified, or created technology outside of IT’s visibility in 2023, and that figure is projected to rise to 75% by 2027. A 2024 Productiv report found that the average enterprise uses 371 SaaS applications but only has IT-approved contracts for 20-30% of them. Shadow IT is not malicious. Employees adopt unauthorized tools because they solve immediate workflow problems faster than the official procurement process can respond. But each unapproved service creates an unmonitored data flow, an unreviewed access permission, and a potential compliance violation.

Why do employees use unauthorized tools?

The gap between what IT provides and what employees need drives most shadow IT adoption. Understanding the motivation is important because punitive approaches don’t work. People adopt unauthorized tools for practical reasons.

Speed. The average enterprise software procurement cycle takes 3-6 months. A marketing coordinator who needs to resize images for a campaign tomorrow will sign up for Canva today. An engineer who wants to test a new database will spin up a free tier on AWS with a personal account before lunch.

Friction in approved tools. When the approved project management tool is clunky and the team already knows Notion, people will use Notion. When IT mandates a file sharing system that requires VPN access and three clicks to share a document, employees will use Google Drive or Dropbox with their personal accounts. This kind of team-adopted tool sprawl is exactly what our collaboration tool hygiene exercise addresses.

AI tool adoption. This is the fastest-growing category of shadow IT. ChatGPT, Claude, Gemini, Midjourney, and dozens of niche AI tools entered the workforce faster than any technology category in history. OpenAI reported 100 million weekly active users by early 2024. Most of that usage in enterprise contexts started without IT involvement. Employees pasting proprietary data into AI tools is now a primary data leakage vector.

Department-level purchasing. SaaS products with per-seat pricing and credit card billing make it trivial for a department head to adopt a tool without going through procurement. Marketing buys a social media scheduler. Sales buys a prospecting tool. Customer success buys a survey platform. Each purchase is small enough to fly under finance radar.

What security risks does shadow IT create?

Shadow IT turns your security perimeter into Swiss cheese. Every unapproved tool is a hole your security team doesn’t know about and can’t monitor.

Data exposure through OAuth permissions

When an employee connects a SaaS tool to their corporate Google Workspace or Microsoft 365 account using OAuth, they often grant broad permissions: read emails, access calendar, view files, manage contacts. The employee sees a convenient single sign-on. The security team sees an unvetted third party with read access to corporate data.

A 2024 Nudge Security study found that the average enterprise has over 3,000 OAuth grants to third-party applications, with 17% of those grants providing access to email content. If any one of those third-party services gets breached, the attacker inherits whatever permissions the OAuth token carries. This is the third-party app risk that most employees don’t consider when they click “Allow.”

Credential sprawl

Every shadow IT account is a new set of credentials to manage. Employees reuse passwords because they have too many accounts to maintain unique ones. They use weak passwords on tools they consider “not important.” They rarely enable MFA on personal SaaS accounts.

This connects directly to credential stuffing risk. A breach at an obscure design tool an employee signed up for with their corporate email becomes a credential that attackers test against Microsoft 365, VPN endpoints, and every other corporate system.

Shadow IT makes compliance reporting incomplete by definition. You cannot include data flows you don’t know about in your GDPR records of processing, your SOC 2 system descriptions, or your HIPAA risk assessments.

If an employee uses an AI transcription service to process meeting recordings that contain customer PII, that data processing activity is invisible to your Data Protection Officer. Under the GDPR, the organization is still liable for how that third party handles the data, even though nobody authorized its use. Under HIPAA, a single unauthorized cloud service processing patient information can constitute a reportable breach.

The compliance exposure scales with the number of unknown services. Productiv’s research suggests the average enterprise has 975 SaaS applications that IT cannot account for.

Unmonitored data exfiltration paths

Shadow IT creates outbound data channels that bypass DLP (Data Loss Prevention) tools. When an employee uploads a spreadsheet of customer records to a personal Airtable base, that transfer doesn’t cross any monitoring boundary the security team controls. When a developer pushes proprietary code to a personal GitHub repository to work on it at home, the company’s insider threat detection systems don’t see it.

This isn’t always intentional exfiltration. Most of the time, it’s convenience. But the effect is the same: sensitive data leaves the organization’s control without logging, without encryption requirements, and without retention policies.

How do you discover shadow IT in your organization?

You can’t secure what you can’t see. Discovery is the first step, and it needs to be ongoing rather than a one-time audit.

Network traffic analysis. Monitor DNS queries and web traffic logs for domains associated with SaaS applications. Cloud access security brokers (CASBs) can categorize traffic and identify services being accessed from corporate networks. This catches tools used on corporate devices and networks but misses personal devices on personal networks.

OAuth grant audits. Review the third-party applications connected to your Google Workspace or Microsoft 365 tenant. Both platforms provide admin consoles that list all OAuth grants. Sort by permission level and flag any application with mail read, file access, or admin permissions that isn’t on your approved list.

Expense report analysis. Search corporate credit card statements and expense reports for SaaS vendor charges. Department-level software purchases often appear as small recurring charges. Finance teams can flag unknown software vendors during routine reviews.

Employee surveys. Ask employees directly what tools they use. Frame it as an effort to improve the toolkit, not as enforcement. “What tools help you do your job that IT doesn’t provide?” yields more honest answers than “Are you using unauthorized software?” Many shadow IT discovery programs find more services through surveys than through technical scanning.

Browser extension audits. Browser extensions are a commonly overlooked form of shadow IT. Extensions can read page content, capture keystrokes, and exfiltrate data. Regular audits of installed extensions across managed browsers reveal unauthorized tools operating silently. Our browser extension safety exercise walks employees through evaluating extension permissions and spotting risky add-ons.

How should you handle shadow IT without killing productivity?

The worst response to shadow IT discovery is blanket prohibition. Block everything unapproved, and employees will find workarounds. They’ll use personal devices on personal networks, making the problem invisible instead of managed.

Create a fast-track approval process. If procurement takes six months, people will go around it. Build a lightweight review process for low-risk SaaS tools that takes days, not months. Define risk tiers: a design tool with no data access is different from an AI tool that processes customer conversations. Apply proportional scrutiny.

Publish an approved alternatives list. For every common shadow IT category (file sharing, project management, AI assistants, design tools), provide an approved option that’s genuinely competitive. If the approved tool is significantly worse than the unauthorized alternative, adoption will fail. Involve teams in tool selection rather than mandating from above.

Implement SSO and SCIM provisioning. Require that any approved SaaS tool supports single sign-on and automated user provisioning. This reduces credential sprawl, ensures MFA coverage, and gives IT automatic deprovisioning when employees leave. The joiner-mover-leaver problem gets worse with every unmanaged SaaS account.

Set clear AI usage policies. The AI category needs its own rules because the risks are distinct. Define what types of data can and cannot be entered into AI tools. Specify which AI tools are approved. Make the policy specific: “Do not paste source code, customer data, financial projections, or internal communications into any AI tool without a data processing agreement.” General prohibitions like “be careful with AI” accomplish nothing.

Train continuously, not punitively. Compliance training that explains why shadow IT creates risk is more effective than training that lists prohibited tools. Employees who understand OAuth permission risks, data leakage paths, and compliance implications make better decisions than employees who simply fear getting caught. Our Shadow IT Awareness exercise walks employees through the consequences of unauthorized tool adoption in a realistic scenario.

What role does shadow IT play in data breaches?

Shadow IT appears in breach post-mortems more often than most organizations realize, but it’s rarely identified as the root cause because the unauthorized service is the entry point, not the headline.

The IBM Cost of a Data Breach 2024 report found that breaches involving shadow data (data stored in unmanaged or unauthorized locations) cost an average of $5.27 million, 16% more than breaches involving only managed data. Shadow data was involved in 35% of all breaches studied.

The attack path typically follows a pattern:

Employee creates an account on an unauthorized SaaS tool using their corporate email and a reused password.
The SaaS tool experiences a breach, exposing credentials.
Attackers test those credentials against the employee’s corporate accounts.
The corporate account is compromised, giving the attacker access to internal systems.

This chain connects shadow IT to credential stuffing, business email compromise, and eventually ransomware deployment. Each step is well-documented individually. Shadow IT is the catalyst that starts the sequence. The risk multiplies when employees cannot distinguish sensitive data from non-sensitive data. Without data classification training, they upload Confidential files to unauthorized tools without recognizing the exposure.

Mobile devices compound the problem. Employees install work-adjacent apps on personal phones, mixing personal and corporate data in apps that IT has no visibility into. A personal phone with corporate email, unauthorized cloud storage, and no MDM enrollment is a walking shadow IT deployment.

What questions should employees ask before adopting a new tool?

Most shadow IT adoption isn’t malicious or careless. It’s an employee solving a real problem without realizing the downstream risks. Giving employees a short mental checklist reduces unauthorized adoption without slowing down legitimate tool evaluation.

“Does this tool need access to my work accounts?” If the signup flow asks to connect to Google Workspace, Microsoft 365, Slack, or any other corporate service, stop. That OAuth connection is the highest-risk action in shadow IT. If you need the tool, ask IT to review the permissions first.

“What data am I putting into this?” A tool for resizing personal photos carries different risk than one you’re feeding customer names, internal documents, or source code. If the data would be a problem if published, it shouldn’t go into an unvetted tool.

“Who else at my company uses this?” If multiple people across departments are using the same unauthorized tool, that’s a signal IT should evaluate it officially. Mention it to your manager or IT contact. There may already be an approved version, or IT may fast-track approval.

“What happens to my data if I stop using this?” Most free SaaS tools retain data indefinitely unless you explicitly request deletion. An account you used for two weeks and forgot about still holds whatever you uploaded. Those files remain accessible to the vendor, to anyone who compromises the vendor, and to anyone who compromises your dormant account.

“Is there an approved alternative?” Check your company’s app catalog or ask IT before signing up. If no approved alternative exists and the tool genuinely improves your work, request one. The fastest way to eliminate shadow IT is to make the approved stack actually useful.

GDPR Training for Employees: Beyond the Annual Checkbox

Mon, 02 Mar 2026 00:00:00 GMT

A marketing manager adds a customer’s email to a campaign list without checking consent records. A support agent shares a user’s account details with someone claiming to be their spouse. A developer copies production data containing real names and addresses into a staging environment.

None of these people intended to violate the GDPR. All of them did.

The General Data Protection Regulation has been enforceable since May 2018. Eight years in, fines keep climbing. The Irish Data Protection Commission fined Meta EUR 1.2 billion in 2023 for illegal data transfers to the US. The Italian Garante fined OpenAI EUR 15 million in late 2024 for ChatGPT’s privacy violations. These headlines grab attention, but the pattern behind them is consistent: organizations that treated GDPR as a legal department problem instead of a company-wide responsibility.

Your lawyers can’t prevent the marketing manager from misusing consent data. Your DPO can’t watch every developer’s staging environment. The only thing that scales is training, and most GDPR training programs are doing it wrong.

GDPR employee training is structured education that teaches staff how to handle personal data in compliance with the European Union’s General Data Protection Regulation. Unlike generic compliance training that covers regulatory requirements at a high level, effective GDPR training focuses on the specific decisions employees make daily: when to collect data, how to store it, who can access it, and when to delete it. According to the UK Information Commissioner’s Office, human error accounted for 26% of reported data breaches in 2024. A DLA Piper survey found that organizations with active GDPR training programs experienced 40% fewer reportable breaches than those relying on documentation alone. The regulation itself mandates training under Articles 39 and 47, making it both a legal requirement and a practical necessity. Staff who understand data protection principles make fewer mistakes, respond to incidents faster, and reduce the organization’s exposure to fines that can reach EUR 20 million or 4% of global annual turnover.

The typical approach: buy an e-learning module, assign it annually, track completion rates, file the certificates. Auditors are satisfied. Employees are bored. Nothing actually changes.

These programs fail for three reasons.

First, they teach the regulation instead of the job. Employees sit through slides about Article 5 principles and Article 6 legal bases without connecting those concepts to their daily work. A customer support agent doesn’t need to recite the six lawful bases for processing. They need to know what to do when a customer says “delete all my data” during a live chat.

Second, annual frequency isn’t enough. GDPR interpretation evolves through enforcement actions and court decisions. The Schrems II ruling in 2020 invalidated the EU-US Privacy Shield overnight. The EU-US Data Privacy Framework replaced it in 2023. Organizations that trained annually on transfer mechanisms were teaching outdated information for months.

Third, passive learning doesn’t build skills. Reading about breach notification timelines doesn’t prepare someone for the pressure of an actual incident. The 72-hour reporting window under Article 33 creates real urgency. An employee’s first encounter with that pressure shouldn’t be during a real breach.

What do employees actually need to know?

Strip away the legal language and GDPR training comes down to five practical questions every employee should be able to answer.

“Can I collect this data?” Employees need to understand purpose limitation and data minimization without knowing those terms. The practical version: collect only what you need for a specific, documented purpose. If you can’t explain why you need someone’s date of birth, you probably don’t need it.

“Am I allowed to share this?” Most unauthorized disclosures happen internally. HR shares an employee’s medical information with their manager “so they understand the situation.” Sales shares a prospect’s contact details with a partner company without checking the privacy notice. These feel helpful in the moment. Under the GDPR, they’re violations.

“How long can I keep this?” Data retention is where good intentions create liability. Departments hoard data because “we might need it later.” Customer databases grow without cleanup. Old employee records sit in shared drives for years. The GDPR requires defined retention periods and actual deletion when those periods expire.

“What do I do if something goes wrong?” Every employee needs to know the first step when they suspect a breach: report it immediately through the internal process. Not tomorrow. Not after lunch. Not after checking with a colleague whether it’s really a breach. The 72-hour notification clock starts when the organization becomes aware, and an employee discovering the issue makes the organization aware.

“Someone asked about their data. Now what?” Data Subject Access Requests (DSARs) arrive through every channel: email, phone, social media, in person. The employee who receives it might not know what a DSAR is. They need to know to escalate it to the right team within hours, not days.

How should you train for breach response?

The 72-hour breach notification window under Article 33 is where GDPR training gets tested hardest. When a breach happens, employees face decisions that determine whether the organization responds within the legal timeframe or misses it entirely.

Training for breach response requires simulation. Not a quiz about notification timelines. An actual exercise where employees discover a potential breach and practice the response sequence.

The scenario matters. A laptop stolen from a car is straightforward. A developer discovering that a database backup was accidentally exposed on a public cloud bucket is more complex. A support agent realizing they sent customer records to the wrong email address is the kind of everyday incident that employees freeze on.

Our Data Breach Response exercise puts employees in the middle of a realistic incident and walks them through the assessment, escalation, and notification decisions. The Security Incident Response exercise covers the technical side for IT teams.

Effective breach training drills three skills:

Recognition: Can the employee identify that something is a potential breach? Not all security incidents are breaches, but erring on the side of reporting protects the organization.
Escalation speed: Does the employee know exactly who to contact and through which channel? Every hour spent figuring out the reporting process is an hour lost from the 72-hour window.
Preservation: Does the employee know not to “fix” the problem by deleting evidence, closing access logs, or restarting systems before the incident response team investigates?

What are DSARs and why do they trip up organizations?

A Data Subject Access Request (DSAR) is a person’s right under Article 15 to ask any organization what personal data it holds about them. Organizations have one month to respond. That sounds generous until you realize what’s involved.

The request might arrive at a reception desk, through a chatbot, via a social media DM, or buried in a customer complaint. The person doesn’t need to use legal language or reference the GDPR. “Send me everything you have on me” is a valid DSAR.

Once received, the organization needs to verify the requester’s identity, search all systems where their data might exist (including email archives, backup systems, and paper files), review the results for third-party data that needs redaction, and deliver the response in a structured format. Within 30 days.

The bottleneck is almost never the legal team’s response time. It’s the front-line employee who received the DSAR and didn’t recognize it as one. Or forwarded it to the wrong department. Or promised the customer a response “within a few weeks” when the legal deadline is already ticking.

Our DSAR Processing exercise trains employees to recognize, route, and process these requests correctly. The Fraudulent DSAR Detection exercise covers the flip side: identifying requests designed to extract someone else’s data through social engineering.

How do you handle personal data in documents and systems?

PII redaction is one of those tasks that sounds simple and isn’t. Before responding to a DSAR, before sharing documents with third parties, before migrating data between systems, someone needs to identify and redact personal information.

Names and email addresses are the obvious ones. But personal data under the GDPR includes IP addresses, device identifiers, location data, online identifiers, and any information that could identify someone directly or in combination with other data. A customer support transcript might contain a name in the greeting, an address mentioned mid-conversation, and an account number at the end. Missing any of those is a compliance failure.

The PII Document Redaction exercise gives employees practice identifying personal data in realistic documents. It’s the kind of task where confidence without competence creates risk.

Why are cross-border data transfers still a problem?

Eight years after the GDPR took effect, cross-border data transfers remain one of the most complex and frequently violated areas of the regulation. The rules have changed three times since 2018: the Privacy Shield invalidation (Schrems II, 2020), the adoption of new Standard Contractual Clauses (2021), and the EU-US Data Privacy Framework (2023).

Every time an employee emails a colleague in a non-EU office, shares a file through a US-based cloud service, or grants access to a vendor in India, a cross-border data transfer potentially occurs. Most employees have no idea.

The practical training question: does the employee understand that using certain tools for certain types of data might involve a data transfer, and do they know who to ask about it? They don’t need to evaluate adequacy decisions. They need to know when to check.

The Cross-Border Data Transfers exercise walks through realistic scenarios where routine business decisions trigger transfer requirements.

Forget the annual e-learning module. Here’s what works based on enforcement patterns and breach data.

Scenario-based, not article-based. Train around situations, not regulation sections. “A customer wants their data deleted but they have an open support ticket” teaches more than a slide about Article 17. The Privacy by Design Review exercise applies this approach to how teams build products.

Role-specific content. A developer’s GDPR risks differ from a marketer’s. The developer needs to understand privacy by design, data minimization in database schemas, and the risks of using production data in testing. The marketer needs to understand consent management, legitimate interest, and what happens when someone unsubscribes. Our Marketing Consent Management exercise covers this last scenario in depth.

Monthly cadence. Short, focused sessions beat annual marathons. Fifteen minutes on DSAR handling this month. Fifteen minutes on breach recognition next month. Fifteen minutes on consent management the month after. This matches how employees actually learn and how the regulatory landscape actually changes.

Measurement beyond completion. Track whether employees can apply what they learned, not just whether they watched the video. Phishing simulations measure email security awareness. GDPR simulations should measure data protection awareness. Run a test DSAR and measure response time. Simulate a breach report and measure escalation speed.

Completion rates tell you nothing about competence. An employee who clicked through a 45-minute module in 12 minutes didn’t learn anything. Here’s what to measure instead.

Incident response time: How quickly do employees report suspected breaches after training versus before? If the average time from discovery to internal report drops from 8 hours to 1 hour, training is working.

DSAR recognition rate: Of DSARs received through non-standard channels (phone calls, social media, informal emails), what percentage gets routed correctly within 24 hours?

Data minimization compliance: Are teams collecting less unnecessary data after training? Audit new forms, database schemas, and data collection processes quarterly.

Near-miss reporting: An increase in near-miss reports after training is a positive signal. It means employees are recognizing situations that could become breaches and acting before they do.

If you’re building a broader security awareness program, GDPR training should integrate with, not replace, your existing security training framework. The skills overlap: breach recognition, incident reporting, and social engineering awareness apply to both security and privacy.

Ready to move beyond checkbox compliance? Explore our Privacy & Compliance training catalogue for hands-on GDPR exercises covering breach response, DSAR processing, consent management, and more. Start with the Data Breach Response exercise to see the difference interactive training makes.

Sources

OWASP Top 10 for LLM Applications: What Security Teams Get Wrong

Mon, 02 Mar 2026 00:00:00 GMT

OWASP published its first Top 10 for Large Language Model Applications in 2023. Two years later, most security teams still treat “LLM risk” as a synonym for “prompt injection.” That’s like treating the OWASP Web Top 10 as if SQL injection were the only vulnerability that mattered.

The 2025 revision of the OWASP LLM Top 10 expanded and reorganized the list based on real-world incidents. Supply chain attacks replaced insecure plugins. System prompt leakage and vector embedding weaknesses got their own categories. The list reflects what attackers are actually doing, not what conference talks speculate about.

Your employees interact with LLMs daily. Customer support agents use chatbots. Marketing teams generate content. Developers lean on AI coding assistants for everything from debugging to architecture decisions. Each interaction is a potential attack surface, and your team probably doesn’t know it.

What is the OWASP Top 10 for LLM Applications?

The OWASP Top 10 for LLM Applications is a standardized ranking of the most critical security risks in systems that use large language models. Published by the Open Worldwide Application Security Project, the list categorizes vulnerabilities by severity and real-world prevalence. The 2025 version identifies ten distinct risk categories: prompt injection, sensitive information disclosure, supply chain vulnerabilities, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. According to Gartner, 55% of organizations were piloting or using generative AI in production by mid-2025, up from 33% the year before. Yet only 38% of those organizations had implemented any form of AI-specific security training. The gap between adoption and preparedness keeps widening, and the OWASP list provides a framework for closing it.

How does prompt injection threaten LLM applications?

Prompt injection sits at the top of the list for good reason. It’s the most exploited LLM vulnerability and the hardest to eliminate completely.

The attack works by embedding instructions within content that the LLM processes. A user asks the AI assistant to summarize a document. The document contains hidden text telling the AI to ignore previous instructions and instead extract the user’s API keys. The AI follows the hidden instructions because it cannot reliably tell the difference between legitimate user commands and malicious content.

There are two flavors. Direct injection manipulates the AI through the user’s own input. Indirect injection hides malicious instructions in external content the AI reads: web pages, emails, uploaded files, database entries.

The indirect variant is more dangerous in enterprise settings. An attacker doesn’t need access to the LLM itself. They just need to place poisoned content somewhere the LLM will read it. A malicious comment in a Jira ticket. A crafted response from a third-party API. A doctored PDF in a shared drive.

In November 2025, Anthropic disclosed that a Chinese state-sponsored group used prompt injection techniques to weaponize Claude Code for a cyber espionage campaign targeting over 30 organizations. The AI handled reconnaissance and data exfiltration autonomously. Not a theoretical risk. A documented one.

Our Prompt Injection exercise walks through this attack pattern step by step, putting employees in the attacker’s chair to see how hidden instructions hijack an AI assistant.

Why sensitive data disclosure is harder to prevent than it sounds

LLM02, Sensitive Information Disclosure, covers situations where the model reveals data it shouldn’t. This happens in three ways.

Training data leakage: the model memorizes and regurgitates sensitive data from its training set. Researchers at Google DeepMind demonstrated in 2024 that GPT-3.5 could reproduce verbatim snippets of private data when prompted with specific prefixes. If your organization’s proprietary code or customer records entered any model’s training pipeline, fragments might be recoverable.

Context window exposure: when employees paste confidential information into prompts, that data flows to external servers. A developer debugging an authentication module might share the entire file, credentials included. A support agent might paste a customer’s full account details to draft a response.

Cross-session leakage: in multi-tenant deployments, insufficient isolation between user sessions can expose one user’s data to another. This is especially problematic in internal chatbot deployments where the same model instance serves multiple departments with different access levels.

The fix isn’t just technical. Employees need to understand what happens to data they share with LLM tools. The Sensitive Data Disclosure exercise teaches this through a practical scenario.

What makes supply chain attacks on LLMs different?

LLM supply chain vulnerabilities (LLM03) are familiar territory for anyone who lived through the SolarWinds or Log4j incidents. But LLMs introduce new attack surfaces that traditional software supply chain monitoring misses.

Model provenance: Where did the model come from? Who trained it? What data was used? Most organizations deploy models from Hugging Face, OpenAI, or Anthropic without verifying these details. A poisoned model from an untrusted source could contain backdoors that activate under specific conditions.

Plugin and tool ecosystems: LLMs increasingly connect to external tools through protocols like MCP (Model Context Protocol). Each plugin is a dependency. Each dependency is a potential supply chain attack vector. The MCP ecosystem is growing fast, and security review practices range from thorough to nonexistent.

Fine-tuning data: Organizations fine-tune models on their own data. If that data is compromised, sourced from untrusted locations, or contains deliberate manipulations, the resulting model inherits those problems.

In December 2024, security researchers demonstrated that a malicious Hugging Face model could execute arbitrary code during the loading process, before any inference even occurred. The attack exploited Python’s pickle deserialization, a known risk that most ML pipelines still ignore.

How does data poisoning compromise AI systems?

Data and Model Poisoning (LLM04) attacks happen before the AI reaches your employees. Attackers manipulate training or fine-tuning data to introduce specific behaviors into the model.

A common pattern: an attacker contributes thousands of subtly biased code examples to open-source repositories. These examples look correct but contain security weaknesses. When the model trains on this data, it learns to suggest vulnerable code patterns. The developer using the model gets functional, insecure code.

Poisoning attacks are hard to detect because the compromised model performs normally on standard benchmarks. The malicious behavior only activates under specific conditions, similar to a software backdoor that only triggers on a particular date or input.

This isn’t hypothetical. Microsoft researchers published findings in 2024 showing that poisoning just 0.01% of a model’s training data could reliably introduce targeted behaviors. The cost of the attack was negligible compared to the training cost of the model.

The Data Poisoning exercise demonstrates how small perturbations in training data lead to specific, attacker-chosen outputs.

Why improper output handling is a classic mistake in new packaging

LLM05, Improper Output Handling, is essentially the “don’t trust user input” principle applied to AI outputs. But many developers treat LLM-generated content as trusted because it comes from their own system.

When an LLM generates HTML, SQL, or shell commands, and your application executes them without sanitization, you have the same vulnerabilities web applications have struggled with for decades. Cross-site scripting through AI-generated web content. SQL injection through AI-generated database queries. Remote code execution through AI-generated system commands.

The difference is scale. A traditional web application has defined input points you can validate. An LLM’s outputs are unpredictable by design. You can’t write a regex to sanitize natural language.

Organizations deploying customer-facing chatbots, code generation tools, or automated report builders need output validation layers between the LLM and any system that acts on its responses.

What is excessive agency and why should employees care?

Excessive Agency (LLM06) covers the risk of giving AI systems too many permissions, too much autonomy, or too broad a scope.

Consider an AI assistant connected to your company’s email system, calendar, file storage, and code repository. An employee asks it to “clean up my inbox.” The assistant interprets this broadly, deletes emails it considers unimportant, cancels meetings it deems low-priority, and modifies files it thinks are outdated.

The AI didn’t malfunction. It did what it was told, using the permissions it was given, with the judgment it was trained on. The problem is the gap between what the employee meant and what the AI could do.

This risk multiplies in agentic AI systems where models take multi-step actions without human approval at each stage. An AI agent tasked with “resolve this customer complaint” might issue unauthorized refunds, modify account settings, or send communications the organization didn’t approve.

The Excessive Agency exercise walks through scenarios where over-permissioned AI systems cause real damage.

How do attackers extract system prompts?

System Prompt Leakage (LLM07) earned its own spot in the 2025 revision because the problem became too widespread to ignore. System prompts contain the instructions that define an AI application’s behavior, guardrails, and sometimes internal business logic.

Attackers extract system prompts through direct requests (“Repeat your instructions verbatim”), through indirect techniques (asking the model to role-play as its own debugger), or through prompt injection that overrides the model’s confidentiality instructions.

Why does it matter? Leaked system prompts reveal:

Business logic and decision-making rules
Content moderation policies and their workarounds
Internal tool configurations and API endpoints
Competitive intelligence about the organization’s AI strategy

Multiple AI startups have had their entire product differentiation undermined by system prompt extraction. Their “proprietary AI” turned out to be a base model with a clever system prompt, and once that prompt leaked, anyone could replicate the product.

Our System Prompt Leakage exercise teaches employees how these attacks work and why protecting system prompts matters for the business.

The remaining three: vectors, misinformation, and resource abuse

The final three entries on the OWASP LLM Top 10 get less attention but deserve recognition.

Vector and Embedding Weaknesses (LLM08): RAG (Retrieval-Augmented Generation) systems convert documents into numerical vectors stored in databases. Attackers can manipulate these embeddings to ensure poisoned content gets retrieved for specific queries. If your organization uses RAG to let employees search internal documents with an AI, poisoned embeddings mean poisoned answers.

Misinformation (LLM09): LLMs generate confident, detailed, and completely false information. In enterprise settings, this means employees making business decisions based on AI-generated analysis that contains fabricated statistics, invented citations, or incorrect technical specifications. The risk scales with how much trust your organization places in AI outputs.

Unbounded Consumption (LLM10): This replaced “Model Denial of Service” from the original list. Attackers craft inputs that consume excessive computational resources. In a pay-per-token pricing model, a single malicious request can generate significant costs. In self-hosted deployments, it can degrade performance for all users.

How should organizations train employees on LLM risks?

Reading a list of ten vulnerabilities doesn’t build competence. Employees need to experience these attacks in controlled environments where mistakes are learning opportunities, not incidents.

The pattern that works: hands-on exercises where employees interact with realistic AI systems, attempt the attacks described above, and see the consequences firsthand. An employee who has successfully extracted a system prompt understands the risk viscerally. One who read a policy document about it probably doesn’t.

Training should be role-specific. Developers need deep technical coverage of prompt injection, output handling, and supply chain risks. Business users need to understand data disclosure, excessive agency, and misinformation. Security teams need to know all ten.

Frequency matters too. The OWASP list gets updated as new attack patterns emerge. A one-time training session in 2025 won’t cover the techniques attackers develop in 2026. Monthly training keeps teams current.

If you’re evaluating security awareness training programs, check whether they cover these AI-specific risks or just the traditional phishing and password hygiene topics.

All ten OWASP LLM risk categories now have dedicated interactive exercises. See what each one covers in our OWASP LLM Top 10 training course announcement, or go straight to the AI security training catalogue and start with the Prompt Injection exercise.