Awareness that changes behavior. Not just completion rates.
Annual click-through training does not stop a phish at 4pm on a Friday. A program that trains, simulates, coaches, and measures every month does — and produces the number the auditor, the insurer, and the board all now ask for: phishing failure rate, trended over time. Because the same MSSP runs your SOC, every reported phish and every simulation click feeds the same analytics engine, and coaching happens before the behavior sets.
Four numbers that matter. All trending the right way.
Completion rate is a hygiene metric, not an outcome. The numbers that move behavior — and the ones insurers and auditors actually look at — are the ones a managed program reports monthly, not annually.
Twelve capabilities, three mandates.
Train builds the knowledge base. Simulate measures whether it sticks. Coach & Measure closes the loop — turning each click, report, and near-miss into a learning moment the program tracks over time.
Train
Content that actually teaches
Security Awareness Training
Annual baseline plus monthly micro-modules across phishing, passwords, MFA, mobile, remote work, data handling, and physical security. Short, engaging, accessible — not a 60-minute slide deck.
Role-Based Training
Dedicated tracks for executives, finance & AP, developers, IT administrators, privileged-access users, and customer-facing staff. Different risks, different content, different depth.
Compliance-Driven Training
Curricula aligned to SOC 2, ISO 27001, PCI-DSS, HIPAA, PIPEDA, and Law 25 awareness requirements. Evidence packaged for the audit, not reconstructed the week before.
New Hire Onboarding
Day-one security onboarding integrated with HRIS: required-within-N-days tracks, manager attestation workflow, and the acceptable-use sign-off auditors look for.
Privacy & Data Handling
Role-based privacy training on PIPEDA, Law 25, PHIPA, and sector-specific rules. PIA awareness for product teams, breach-reporting protocol for everyone who touches personal data.
Simulate
Measured against real attack patterns
Phishing Simulation Program
Monthly phishing simulations keyed to current attacker TTPs: credential harvesting, malicious attachments, fake Microsoft 365 pages, vendor impersonation, invoice fraud. Segmented by role and difficulty.
Vishing & Smishing Simulation
Voice-phishing and SMS-phishing campaigns against the channels attackers increasingly use to bypass email controls: help-desk impersonation, MFA-fatigue calls, smishing to mobile.
Physical & USB-Drop Testing
Physical social-engineering drills, tailgating assessments, and USB-drop campaigns for sites where physical access is a credible attack path — defense, controlled-goods facilities, critical infrastructure.
Executive & BEC Simulation
Targeted whaling and business-email-compromise simulations against executives, finance, and HR. Wire-fraud scenarios, spoofed-CEO requests, payroll-diversion attempts — where the real-money loss happens.
Coach & Measure
Close the loop
Just-in-Time Coaching
When a user clicks — real or simulated — an immediate, contextual coaching moment appears, not a queued module for next quarter. The teachable moment is the moment, not the next training window.
Program Analytics & Reporting
Monthly program dashboard: click rate, report rate, repeat-offender tracking, department benchmarks, and a quarterly executive briefing that boards and insurers will recognize. All attestation-grade.
Security Champions Program
Peer-led champions in each department — recognized, equipped, and supported — to amplify the program beyond mandatory training. Culture, not just compliance.
Click-through training builds awareness. A rehearsed program builds muscle memory.
The organizations with the best phishing numbers do not have smarter users — they have users who have seen the same patterns, simulated, every month, with immediate coaching and a report button that is wired to a SOC that acknowledges the submission. That loop is what converts awareness into reflex. Because the SOC, the IR team, the program analytics, and the content all live under one roof, every real phish reported and every simulation click feeds the same feedback loop.
- Report button in Outlook and Teams wired directly to the SOC — users get acknowledgment, SOC triages, IR escalates if needed
- Real-world phishing telemetry from the SOC feeds next month’s simulation templates — users see the actual attacks, not stock examples
- When a simulation catches someone, just-in-time coaching happens in-line, within 60 seconds — not queued to next quarter
- The same analytics dashboard reports the number to the board, to the insurer, and to the SOC 2 auditor — one source of truth
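The feedback loop and dashboard above are described only in outline, so here is an added example (not the provider's analytics engine, and not code from this page) of the metric arithmetic behind a monthly phishing dashboard: failure rate and report rate per campaign, the month-over-month trend, repeat-offender tracking, and per-department benchmarks. The event rows are constructed, and the metric definitions (a "failure" is a click or a credential submission; rates are divided by the number of users targeted) are assumptions made for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Outcomes that count as a phishing failure (assumed definition for this example).
FAIL = {"clicked", "credentials"}

# Constructed sample campaign results, one row per user per monthly simulation:
# (month, user, department, outcome). Not real program data.
EVENTS = [
    ("2024-01", "alice", "finance",     "reported"),
    ("2024-01", "bob",   "finance",     "clicked"),
    ("2024-01", "carol", "engineering", "credentials"),
    ("2024-01", "dave",  "engineering", "ignored"),
    ("2024-01", "erin",  "helpdesk",    "clicked"),
    ("2024-01", "frank", "helpdesk",    "ignored"),
    ("2024-02", "alice", "finance",     "reported"),
    ("2024-02", "bob",   "finance",     "clicked"),
    ("2024-02", "carol", "engineering", "reported"),
    ("2024-02", "dave",  "engineering", "ignored"),
    ("2024-02", "erin",  "helpdesk",    "reported"),
    ("2024-02", "frank", "helpdesk",    "clicked"),
    ("2024-03", "alice", "finance",     "reported"),
    ("2024-03", "bob",   "finance",     "clicked"),
    ("2024-03", "carol", "engineering", "reported"),
    ("2024-03", "dave",  "engineering", "reported"),
    ("2024-03", "erin",  "helpdesk",    "reported"),
    ("2024-03", "frank", "helpdesk",    "ignored"),
]


@dataclass(frozen=True)
class MonthStats:
    month: str
    targeted: int   # users who received the simulation
    failed: int     # clicked or submitted credentials
    reported: int   # used the report button

    @property
    def click_rate(self) -> float:
        return self.failed / self.targeted

    @property
    def report_rate(self) -> float:
        return self.reported / self.targeted


def monthly_stats(events) -> list[MonthStats]:
    """Aggregate one campaign's outcomes into a MonthStats row, oldest month first."""
    counts = defaultdict(lambda: [0, 0, 0])
    for month, _user, _dept, outcome in events:
        row = counts[month]
        row[0] += 1
        row[1] += outcome in FAIL
        row[2] += outcome == "reported"
    return [MonthStats(m, *counts[m]) for m in sorted(counts)]


def trend(stats: list[MonthStats]) -> tuple[float, float, bool]:
    """Baseline failure rate, latest failure rate, and whether the program is improving."""
    first, last = stats[0].click_rate, stats[-1].click_rate
    return first, last, last < first


def repeat_offenders(events, min_failures: int = 2) -> list[str]:
    """Users who failed in at least `min_failures` distinct campaigns (coaching priority list)."""
    failed_months = defaultdict(set)
    for month, user, _dept, outcome in events:
        if outcome in FAIL:
            failed_months[user].add(month)
    return sorted(u for u, months in failed_months.items() if len(months) >= min_failures)


def department_benchmarks(events, month: str) -> dict[str, float]:
    """Failure rate per department for one campaign month."""
    targeted, failed = defaultdict(int), defaultdict(int)
    for m, _user, dept, outcome in events:
        if m != month:
            continue
        targeted[dept] += 1
        failed[dept] += outcome in FAIL
    return {d: failed[d] / targeted[d] for d in targeted}


if __name__ == "__main__":
    stats = monthly_stats(EVENTS)
    for s in stats:
        print(f"{s.month}: failure {s.click_rate:.1%}, reported {s.report_rate:.1%}")
    print("trend (baseline, latest, improving):", trend(stats))
    print("repeat offenders:", repeat_offenders(EVENTS))
    print("department benchmarks, latest month:", department_benchmarks(EVENTS, stats[-1].month))
```

The two rates are deliberately kept separate: a falling failure rate with a flat report rate means users are ignoring simulations rather than reporting them, and only the report rate tells the SOC whether the report button is actually being used.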
One size does not fit. Four tracks do.
The CFO, the developer, the help-desk technician, and the board director each need different training. Every role gets content calibrated to the attacks it actually sees and the access it actually holds.
Baseline & Monthly
Annual foundation plus monthly micro-modules and phishing simulations. The default track every employee is enrolled in on day one.
Whaling & BEC
Targeted content on business email compromise, wire fraud, deepfake-voice, and travel-risk scenarios. Shorter, sharper, higher-signal.
Invoice & Payroll Fraud
BEC scenarios on invoice redirection, vendor-impersonation, payroll diversion, and urgent-CFO scams. Where dollars actually leave.
Dev, IT, & Admin
Secure coding, OWASP, supply-chain, help-desk social engineering, and MFA-fatigue scenarios. For the people whose credentials are worth the most.
The human layer wired to the rest of the program.
Awareness is more useful when the report button is connected to a SOC that triages, when the vCISO owns the program metric at the board table, when the IR team knows which user clicked what, and when the GRC program pulls completion evidence directly from the training platform. Same MSSP, same data, one continuous feedback loop.
MDR & SOC
Reported phishing emails triaged by a 24/7 SOC; real attacks feed next month’s simulation templates.
Incident Response
When a click becomes an incident, IR picks up the same user context the awareness program already tracks.
Virtual CISO
Human-layer metrics owned at the board table as a first-class KPI, not a compliance checkbox.
GRC Advisory
Training completion evidence, attestation records, and program analytics feed directly into SOC 2, ISO 27001, and PCI-DSS audits.
From baseline to behavior change in four phases.
Every program follows the same sequence. Baseline first so the improvement is defensible; launch with real content, not placeholders; reinforce monthly; then measure against the industry and against yourself, year over year.
- 01 (Weeks 1–4) Baseline: Unannounced baseline phishing simulation, maturity assessment, audience segmentation, HRIS integration, and a written program charter signed off by the exec sponsor. The starting number nobody can argue with later.
- 02 (Months 1–3) Launch: Annual baseline training roll-out, manager enablement, report-button deployment in Outlook and Teams, first role-based tracks activated, and the first reported-phish tickets flowing to the SOC.
- 03 (Months 3–12) Reinforce: Monthly simulations across all audiences, monthly micro-modules, just-in-time coaching, quarterly role-based deep-dives, monthly dashboard, and quarterly exec briefing. The loop running on its own cadence.
- 04 (Year 2+) Measure & Evolve: Benchmark against sector peers, refresh content for emerging attack patterns, add role-based tracks as the org grows, and evolve the program from compliance floor into cultural differentiator.
Every program is run by a named program manager — not a ticket queue — with monthly reporting, quarterly exec briefings, and content adjustments that reflect the attacks your industry actually sees this month, not last year.
Standard deliverables: annual baseline report, monthly dashboard, quarterly executive briefing, annual program review, training attestation records, and audit-ready completion evidence mapped to every in-scope framework.
Content is bilingual (English and French) by default — which matters for Law 25 compliance, federal procurement, and any Canadian operation with Quebec-based staff.
Three shapes, same measurement discipline.
Not every organization is ready to consume a full managed program on day one. Start with what moves the needle today and expand. All three models produce audit-grade evidence; the difference is coverage, cadence, and how much of the program is run for you.
Managed Awareness Program
End-to-end program: content library, role-based tracks, monthly phishing simulations, just-in-time coaching, program analytics, executive briefings, and named program manager. The default for mid-market.
Phishing Simulation Program
Monthly phishing, vishing, and smishing simulations with just-in-time coaching and program analytics. Companion to an existing training platform or LMS — we measure, you keep the content stack.
Compliance Training Bundle
Pre-built, framework-aligned training library: SOC 2, ISO 27001, PCI-DSS, HIPAA, PIPEDA, Law 25. Deployed into the LMS, delivered annually, with attestation records packaged for audit.
Where the human layer is the attack surface.
Sectors where phishing, BEC, and social engineering account for the majority of incidents — and where the phishing-failure rate is now a metric regulators, insurers, and clients all ask about by name.
Legal Firms
Law Society awareness obligations, client-panel questionnaires, professional-liability carrier scrutiny, and wire-fraud scenarios aimed squarely at trust-account staff.
Financial Services
OSFI oversight, FINTRAC supervisory attention, and BEC scenarios that directly target wire, payments, and client-onboarding workflows.
Aerospace & Defense
Controlled Goods Program training requirements, nation-state phishing targeting cleared staff, and insider-threat scenarios where awareness is the frontline control.
Move the human-layer metric. Monthly, measurably.
A 30-minute scoping call with a senior program manager — not a sales rep. We’ll walk through your audience, the compliance drivers, the insurer questionnaire, and which engagement model actually fits. A fixed-price proposal follows inside a week.