Wire training into your security stack
Every training and phishing-simulation event can flow into the tools your security team already runs. Connect over a token-authenticated REST API, signed webhooks, Slack, Microsoft Teams, your SIEM, and compliance platforms like Vanta.
How RansomLeak connects to your stack
Four steps from a training event to your tools, with the wiring handled for you.
Choose a destination
Point training events at a webhook, a Slack or Teams channel, your SIEM, the REST API, or Vanta. Each destination is configured in the same integrations console, per tenant.
Pick the events
Subscribe to what you care about: exercise and course completions, badges, certificate renewals, learning-path milestones, and campaign deadlines. Eleven event types in all.
Secure the connection
Webhooks are signed with HMAC-SHA256 and a per-endpoint secret. The REST API uses per-tenant bearer tokens with scoped access, so a key only reaches what you grant it.
Watch it flow
Send a test event, read the response, and review a full delivery log. Failed deliveries retry on a backoff schedule, so a brief outage does not drop the event.
Build on a real API and signed webhooks
The same building blocks our own partners use, documented and available to your team.
Token-authenticated REST API
Manage users, teams, campaigns, and assignments, and pull analytics over a documented REST API. Per-tenant tokens carry scoped access, and the endpoint reference ships with OpenAPI docs.
Signed, reliable webhooks
Eleven events, from exercise and course completions to badge, certificate, learning-path, and campaign milestones, each signed with HMAC-SHA256 and retried with exponential backoff.
Delivery logs and test sends
Fire a test event, watch the response, and review every delivery with its status and body. A misconfigured endpoint is obvious before it matters.
Notify people where they already work
Training updates reach your team in the channels and calendars they check every day.
Slack and Microsoft Teams
Post completion alerts, overdue nudges, and campaign milestones into a Slack or Teams channel through an incoming webhook. Setup is pasting one URL, with a test message to confirm it.
Calendar deadlines
Each employee can subscribe to a personal calendar feed, so training deadlines appear in whatever app they already use, with a reminder the day before each one.
One console for every destination
Webhooks, Slack, Teams, and the API are all managed in the same place, per tenant, each with its own test button and on or off switch.
Feed your SIEM and prove compliance automatically
Awareness data belongs next to your other security signals, and your evidence should write itself.
Security-event export for your SIEM
Pull training and security events as JSON or CSV from a dedicated export endpoint, filtered by event type and date, so your SIEM can ingest awareness data alongside everything else it polls.
Live Vanta evidence
Connect Vanta over OAuth, and training completions and user-account status post automatically as evidence for SOC 2, ISO 27001, and HIPAA controls, on an hourly sync and on every completion.
More destinations on the way
Additional compliance and observability integrations, including Datadog, are in active development and will join the console as they ship.
Frequently Asked Questions
Does RansomLeak have an API?
Yes. RansomLeak exposes a REST API secured with per-tenant bearer tokens and scoped access. You can manage users, teams, campaigns, and assignments, and pull analytics, and the endpoint reference ships with OpenAPI documentation.
Tokens are generated in the admin console, and a key only reaches the scopes you grant it.
What events can trigger a webhook?
Eleven event types, including exercise and course completions, badge awards, certificate renewals and expirations, learning-path assignment and completion, and campaign assignment, deadline, and completion milestones.
Every webhook is signed with HMAC-SHA256 using a per-endpoint secret, retried with exponential backoff if your endpoint is briefly unavailable, and recorded in a delivery log you can inspect.
Can I get training notifications in Slack or Microsoft Teams?
Yes. Post completion alerts, overdue reminders, and campaign milestones into a Slack or Microsoft Teams channel. Setup is creating an incoming webhook in your workspace and pasting the URL, then sending a test message.
This is an incoming-webhook integration, not a Slack or Teams app you install, so there is nothing to approve in an app store.
Can I send training data to my SIEM?
Yes. A dedicated export endpoint returns training and security events as JSON or CSV, filterable by event type and date range, so your SIEM can poll it on a schedule and ingest awareness data alongside its other sources.
It is a pull-based export API rather than a CEF or syslog connector, which keeps the data on a path your team controls.
Does RansomLeak integrate with Vanta?
Yes, and it is live. Connect Vanta over OAuth, and training completions and user-account status flow in automatically as evidence for SOC 2, ISO 27001, and HIPAA controls, synced hourly and on every completion.
Additional compliance and observability integrations, including Datadog, are in active development.
How do single sign-on and user provisioning work?
RansomLeak supports SAML 2.0 single sign-on and SCIM 2.0 provisioning, which work with Okta, Microsoft Entra ID, and any standards-compliant identity provider.
Because they govern access to the platform itself, those live with the Cloud LMS rather than here.
See RansomLeak in Action
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.