C · 05 / Security Awareness & Human-Layer

The human layer is the one attackers count on winning.

Firewalls, endpoints, and identity stacks have matured. The click has not. Every serious breach report for the last decade has put social engineering in the top-three initial-access vectors, and the Verizon DBIR still pegs the untrained industry-average phish-prone rate at roughly thirty-two percent. Our program drives that number under five percent — and hands you the quarterly evidence to prove it to your board, your carrier, and your auditor.

Baseline phish-prone: ~32% (DBIR untrained average)
Target post-program: <5% (12–18 month cadence)
Cadence options: Quarterly / Monthly / Continuous (scope-selected)
Vectors covered: Phish / Smish / Vish (rotated)
Platforms: KnowBe4 · Proofpoint · or custom
32% · Untrained click-rate
Verizon DBIR industry-average phish-prone rate before any formal program — about one employee in three falls for a realistic lure.

<5% · Mature-program target
Achievable within twelve to eighteen months under monthly or continuous cadence with role-based content and a working report button.

15 min · Day-one onboarding module
Phishing recognition, the report button, the password policy, and a short quiz — delivered inside the client's existing HRIS.

4 KPIs · Quarterly dashboard
Phish-prone %, report-rate %, completion % by track, and rolling ninety-day repeat-offender cohort — board-ready, carrier-ready.
01 / What We Train

Six deliverables under one program.

Awareness is not a course — it is an operating system. We run six parallel workstreams; your scope determines which run on which cadence, and the dashboard aggregates them into one story for the board.

01 · Phishing simulation · Monthly

Realistic, branded lures

Authored against your vendor list, your brand voice, and current attacker playbooks — never generic template traffic. Click, credential-capture, and attachment variants tracked separately. Every click triggers in-the-moment thirty-second micro-training before the employee moves on.

Click-rate · report-rate · repeat-offender
02 · Smishing + vishing · Quarterly

Beyond the inbox

SMS lures mimicking MFA prompts, shipping notices, and payroll alerts. Voice drills covering help-desk impersonation and executive-assistant impersonation — including voice-cloned variants on request. Alternated with email simulations so employees learn the pattern, not just the medium.

Separate dashboards by channel
03 · Awareness video · Annual + role

Required video curriculum

Annual all-hands module — under twenty minutes, with a tracked quiz — plus role-based tracks for finance, executives and assistants, IT administrators, and new hires. Content is refreshed each year so the annual module is never the same module your people tuned out last cycle.

Role-tagged · completion-tracked
04 · Tabletop exercises · Annual

Executive & IT TTX

Half-day facilitated exercises with scenario injects, timed decisions, and a written hotwash. IT tabletops drill the blue-team playbook. Executive tabletops drill ransom posture, disclosure, regulator notification, and board communication. Our combined physical-plus-cyber TTX is the unique differentiator.

Facilitator · injects · after-action
05 · Policy drafting · On request

Written, board-adoptable

Acceptable Use, BYOD, Incident Response Plan, Password and credential, Data Classification and handling, Onboarding-Offboarding checklist. Drafted in board-adoptable language, structured with defined terms, scope, enforcement, and revision history — built to survive your counsel's redline.

Six core · custom on request
06 · Onboarding security · Day one

Week-one to week-six

Fifteen-minute day-one module inside the client's HRIS. Role-track content layered across weeks two through six so training competes with — not on top of — other onboarding load. Simulation begins at week four, never in week one; we have seen first-week baiting erode trust and skew baseline numbers.

HRIS-delivered · role-staged
02 / Cadence Ladder

Quarterly, monthly, or continuous.

Cadence is the single largest driver of phish-prone rate improvement. Below the quarterly floor the data does not move; above the monthly tier it moves fast. Choose the tier that matches your risk posture and carrier warranty.

Tier 01 · Quarterly · Program floor

Compliance baseline

Four phishing campaigns per year, annual required video training, published policies, and a quarterly dashboard. Satisfies most audit frameworks and the minimum we will sign our name to.

  • 4 phishing simulations / year
  • Annual required video module
  • Two role-based tracks (all-hands + IT admin)
  • Quarterly metrics brief
Entry tier · Auditor-ready

Tier 02 · Monthly · Recommended

Standard program

Twelve phishing campaigns per year plus rotated smishing and vishing drills. Four role-based tracks with refreshed annual video. Annual IT tabletop plus an every-other-year executive TTX.

  • 12 phishing + 4 smish/vish / year
  • Annual refresh · four role tracks
  • Annual IT tabletop · exec TTX alt-year
  • Quarterly board-ready dashboard
Most clients · Carrier-ready

Tier 03 · Continuous · High-assurance

Mature program

Light simulation every two to three weeks — the cadence that produces the fastest drop in phish-prone rate and holds it there. Combined physical-plus-cyber tabletop every eighteen months. Repeat-offender coaching loop.

  • ~26 touches / year across vectors
  • All role tracks · annual refresh + ad-hoc
  • Combined P+C tabletop every 18 mo
  • Named instructor for repeat-offender loop
Regulated / post-incident · Top tier
03 / What We Measure

Evidence, not vibes — the dashboard.

A program you cannot measure is a program that quietly decays. Every quarter we deliver the same four numbers in the same format, so trend is readable at a glance — and the output is built to be dropped directly into a board packet or a carrier renewal submission without reformatting.

Quarterly KPI Dashboard · Sample Output
Board-ready · Carrier-ready
KPI 01 · Click
4.6%
Phish-prone rate — percentage of simulated-lure recipients who clicked, credential-filled, or opened an attachment this quarter. Trended against the prior four quarters on every delivery.
KPI 02 · Report
41%
Report-rate — percentage of lure recipients who used the report button rather than ignoring the email. A healthy program pushes this above the click-rate within the first twelve months.
KPI 03 · Completion
97%
Completion rate on required video training, broken down by role track — all-hands, finance, executive, IT administrator, and new-hire. Escalation triggers on any track under ninety percent.
KPI 04 · Repeat
2.1%
Rolling ninety-day repeat-offender cohort — percentage of the workforce with two or more clicks in the last quarter. Reported as a count, never by name, and handled through a coaching loop.
Reported quarterly · narrative commentary per KPI · Board-ready · Carrier-ready · Audit-exportable
04 / Tabletop Exercises

The one with physical and cyber.

Most cyber tabletops assume the attacker is remote and the physical environment is irrelevant. Real incidents do not respect that line. Because our leadership team owns both sides of the house, we facilitate the combined exercise without handing off between vendors — the only one of our engagements that genuinely has no competitor in our two-state footprint.

TTX 01 · IT
Half-day · blue-team
Audience · SecOps, IT, Help-desk, vendor leads

Blue-team playbook

Detection, containment, evidence handling, vendor escalation. Five to seven scenario injects — ransomware detonation, credential-stuffing on a public tenant, a stolen service-account token, a misconfigured S3 bucket, and a reportable-deadline notification.

  • Scenario authored to your stack
  • Facilitator + timer + injects
  • Hotwash + written after-action
Annual · baseline · IT-scoped
TTX 02 · Executive
Half-day · decision layer
Audience · CEO, CFO, COO, GC, Head of HR, Communications

Decision-layer drill

Ransom posture, disclosure obligations, regulator notification, board communication, media response, customer notification, employee messaging. The first time your executives see an incident should not be the day of an incident.

  • Counsel-friendly scenario design
  • Press / social / regulator injects
  • Decision log + written debrief
Annual / alt-year · Executive-scoped
TTX 03 · Physical + Cyber
Full-day · combined
Audience · Security, IT, Facilities, Executive sponsor, Legal

The combined exercise

A tailgated access-control bypass leading to a malicious device drop. A stolen executive laptop during a business-travel stop. An insider with badge access exfiltrating before termination. A vendor technician inserting a rogue device during an after-hours service call. Our single most-requested engagement.

  • Authored across both domains
  • Cross-team handoff tested explicitly
  • Unique to our dual-expertise footprint
Every 18–24 mo · Our differentiator
05 / Policy Drafting

The written layer underneath.

Training without policy is a talking point without a handle. We draft the documents your program has to stand on, in board-adoptable language, structured to survive your counsel's redline. Six core policies are standard; custom drafting is available on request.

Acceptable Use · AUP
What employees can and cannot do with company devices, networks, and credentials — covering personal use, prohibited activity, monitoring, and the clear-warning language most breach-response frameworks require.
Standard · 8–12 pg
BYOD · Bring-your-own-device
Mobile device enrollment, MDM minimums, on-device data handling, remote-wipe consent, stipend language, and offboarding device scrub — with carve-outs for contractor and executive-sensitive scenarios.
Standard · 6–10 pg
Incident Response · IR Plan
Named roles, escalation matrix, severity definitions, vendor-call playbook, regulator-notification checklist, evidence-preservation language, and an exercise schedule. Paired with the tabletop program, not standalone.
Standard · 16–24 pg
Password · Credential policy
Minimums mapped to current NIST guidance — passphrase length over mandatory rotation, MFA requirements by system class, shared-account prohibitions, and secure-vault requirements. Does not include the rotation-theatre rules insurers no longer accept.
Standard · 4–6 pg
Data Classification · Handling rules
Four-tier classification — public, internal, confidential, restricted — with clear handling, storage, transmission, and retention rules per tier. Mapped to the overlays most TN and MS clients face: HIPAA, GLBA, CMMC, PCI-DSS.
Standard · 10–14 pg
Onboarding & Offboarding · Checklist
Two checklists, not one. Day-zero enrollment, system-access provisioning, and training assignment on one side. Timely deprovisioning, device recovery, credential revocation, and exit interview on the other — the one most organizations skip.
Standard · 6–8 pg
06 / Annual Plans

Annual engagement, scope-priced per workforce.

Awareness is an annual program, not a one-off. Pricing signals below reflect typical engagements scoped to workforce size, cadence tier, and tabletop inclusion. Final scope comes out of the intake call — not a checkbox list on this page.

Plan A · Awareness Baseline

Auditor-ready floor

$$ · Annual · per workforce

Satisfies the frameworks your auditor reviews; not always enough for the carrier warranty your CFO signed. Appropriate for sub-regulated workforces under a hundred and fifty users with no active incident exposure.

  • Phishing · Quarterly: Four simulated campaigns per year, authored with attention to your brand and vendor list.
  • Video training · Annual: Required all-hands module under twenty minutes plus a short IT-admin track.
  • Policies · Published: Six core policies drafted or reviewed, hosted in your existing repository.
  • Dashboard · Quarterly: Four-KPI metrics brief with narrative commentary — audit-exportable.
Plan B · Mature Program + TTX

Carrier-ready default

$$$ · Annual · per workforce

The default recommendation for regulated workforces, post-incident clients, and any organization whose cyber-insurance warranty mentions 'security awareness program' rather than 'security awareness training.' Combined physical-plus-cyber TTX available every eighteen to twenty-four months.

  • Multi-vector · Monthly: Twelve phishing plus rotated smishing and vishing drills — alternated quarterly.
  • Role-based video · Refreshed: Four tracks refreshed annually — all-hands, finance, exec, IT admin, new-hire.
  • Tabletops · Annual + combined: Annual IT TTX, alt-year executive TTX, combined physical+cyber TTX every 18–24 mo.
  • Coaching loop · Named instructor: Repeat-offender cohort handled by a named instructor, not the line manager.
07 / FAQ

Questions we hear every week.

The ones below are the honest ones — the questions most vendors will not give you a straight answer on. If your question isn't here, the program lead who would run your engagement will take the call directly, not a sales rep.

Is security awareness training actually effective, or is it theatre?

Effective, when it is measured. The Verizon Data Breach Investigations Report puts the untrained industry-average phish-prone rate at roughly thirty-two percent — meaning about one in three employees clicks a realistic phishing lure on first exposure. Mature programs with monthly or continuous phishing simulation, role-based content, and a working report button move that number under five percent within twelve to eighteen months.

What does not work is once-a-year compliance-only video training with no simulation layer behind it. Auditors will accept it. Attackers will ignore it. The gap between those two outcomes is where nearly every breach tied to social engineering opens up.

What's a good phish-prone rate, and when should we worry?

Baseline testing for an untrained workforce typically lands between twenty-five and thirty-five percent — in line with the Verizon DBIR industry average. After six months of disciplined quarterly simulation the number should be under fifteen percent. After twelve to eighteen months of monthly cadence with role-based content, under five percent is achievable and is the number most cyber-insurance carriers now want to see.

A rate that refuses to move below ten percent after a year usually points to a content-quality or escalation-path problem rather than a workforce problem. It often means the simulations are too generic to train pattern recognition, or the report button does not work in the mobile client, or in-the-moment training is not firing on click.

How often should we train, and is quarterly really enough?

Quarterly is the minimum we will sign our name to for a baseline program. Monthly is the standard we recommend to any organization that has had an incident, handles sensitive data, or holds a cyber-insurance policy with a training warranty. Continuous — a light touch every two to three weeks — is our top-tier cadence and the one that produces the steepest drop in phish-prone rate.

Annual video training on its own does not change behavior. It only satisfies compliance checkboxes. If that is all you can do this year, do that; but do not call it a program and do not expect the phish-prone number to move.

Do tabletop exercises need to include executives, or can we keep them technical?

Both exist for good reason, and they cover different risks. An IT tabletop drills the blue-team playbook — detection, containment, evidence handling, vendor escalation. An executive tabletop drills the decision layer — ransom posture, disclosure obligations, regulator notification, board communication, media response.

If you only run one, the IT version is table-stakes. If you only ever run the IT version, the first time your executives see an incident will be the day of an incident — and our after-action reports from those incidents are consistently harder reading than the ones where the executive team had rehearsed. We recommend alternating annually with a combined physical-plus-cyber exercise every eighteen to twenty-four months.

What makes a combined physical-plus-cyber tabletop different from a normal cyber tabletop?

Most cyber tabletops assume the attacker is remote and the physical environment is irrelevant. Real incidents do not respect that line. A combined exercise layers on scenarios such as a tailgated access-control bypass that leads to a malicious device drop, a stolen executive laptop during a business-travel stop, an insider with badge access exfiltrating before termination, or a vendor technician inserting a rogue device during an after-hours service call.

Because our leadership team owns both the physical-security and cyber sides of the house, we facilitate that crossover exercise without handing off between vendors — we author injects across both domains and test the cross-team handoff explicitly. It is our single most-requested engagement from clients who take resilience seriously, and the one engagement where we have no direct competitor in our two-state footprint.

How do you handle repeat clickers without creating a punitive culture?

We separate the repeat-offender list from the discipline process entirely. A first click triggers in-the-moment micro-training — a thirty-second contextual lesson on what the lure used and why it worked. A second click within a rolling ninety-day window triggers a scheduled ten-minute coaching call with a named instructor, not the employee's manager.

A third click triggers a conversation with the reporting manager about whether role risk exceeds the individual's training level, with options to reassign to a lower-exposure track rather than to discipline. We report counts but never names in the quarterly dashboard, and we will not author a simulation designed to humiliate a known clicker — that pattern poisons report-rate, which is the more valuable number.

Is annual compliance training enough to satisfy our auditor?

For most frameworks — HIPAA, PCI-DSS, SOC 2, CMMC — yes, on paper. Auditors want to see that training was assigned, completed, and documented against a written policy. That is a floor, not a program.

Cyber insurance carriers, increasingly, want more: documented phishing simulation, a measurable phish-prone rate, and evidence of a report button with a tracked report-rate. If your policy warranty language mentions 'security awareness program' rather than 'security awareness training,' your carrier has already decided annual video alone is not enough. Read your warranty page before renewal — we have seen claims contested over exactly this distinction.

What platforms do you use — KnowBe4, Proofpoint, something custom?

We are platform-agnostic. For most mid-market engagements we deliver on KnowBe4 or Proofpoint Security Awareness because the content libraries are deep, the reporting is mature, and clients often already license one. For higher-regulation or higher-customization engagements we deliver on a custom-built simulation stack hosted under our tenancy, which lets us author lures against the client's own brand voice and vendor list.

The choice is yours. We will recommend based on workforce size, existing tooling, and budget — and we are comfortable running on whichever platform your security team already operates. We do not take referral fees from either vendor.

Do you cover smishing and vishing, or just email phishing?

Both, and they matter more each year. Smishing — SMS phishing — has overtaken email as the preferred vector for finance and executive targeting; a single Slack-MFA or DocuSign-MFA text sent during a board week is now a standard attacker play. Vishing — voice phishing, often with voice cloning — is the current favorite for help-desk and password-reset social engineering.

Our mature program cadence alternates email, SMS, and voice simulations quarterly so employees learn to recognize the pattern, not just the medium. Vectors are tracked on separate dashboards so a program that is strong on email and weak on SMS does not hide behind a single combined number.

What written policies do you draft, and do they hold up to counsel review?

Standard drafting covers Acceptable Use, BYOD and mobile, Incident Response Plan, Password and credential, Data Classification and handling, and an Onboarding-Offboarding security checklist. We have also drafted Remote Work, Vendor Management, and AI-Usage policies on request.

Every draft is written in board-adoptable language — structured with defined terms, scope, enforcement, and revision history. The authors are familiar with the overlays most TN and MS clients face: HIPAA, GLBA, CMMC Level 2, PCI-DSS, and state breach-notification law. We expect your counsel to redline. Our drafts are built to survive that redline.

How do you onboard a new hire without overwhelming week one?

Day-one onboarding runs a focused fifteen-minute module — phishing recognition, the report button, the password policy summary, and a short quiz — delivered inside whichever HRIS the client uses. The full role-based track is layered in across weeks two through six so training competes with other onboarding load rather than stacking on top of it.

Phishing simulation begins at week four, after the employee has had a real chance to see the program work. We do not bait brand-new hires in their first week. We have seen it erode trust and skew baseline numbers, and the data you get from a week-one click is noise rather than signal.

What exactly shows up on the quarterly dashboard?

Four headline numbers every quarter: phish-prone percent (trended across the last four quarters), report-rate percent, training-completion percent by role track, and the size of the rolling ninety-day repeat-offender cohort. Under each headline is a short narrative explaining what moved and why — a campaign launch, a new lure family, a change in cadence, a role reorg.

The dashboard is designed to be dropped directly into a board packet or a carrier renewal submission without reformatting. About a third of our clients do exactly that. On request we also include a benchmark line comparing your trend against a redacted cohort of similarly-sized TN and MS clients in the same industry.
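As an added illustration, not the program's own tooling or any platform's API, the following computes the four dashboard KPIs described above and the repeat-clicker coaching ladder from the FAQ over a constructed quarter of simulation events. The employee ids, dates, role tracks, and the per-lure counting convention are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data for illustration (not client data). One tuple per
# simulated lure delivered: (employee_id, send_date, outcome). Outcome is one of
# "ignored", "reported", "clicked", "credential", "attachment".
LURES = [
    ("e01", date(2024, 4, 3), "reported"),   ("e02", date(2024, 4, 3), "clicked"),
    ("e03", date(2024, 4, 3), "ignored"),    ("e04", date(2024, 4, 3), "credential"),
    ("e01", date(2024, 5, 8), "reported"),   ("e02", date(2024, 5, 8), "clicked"),
    ("e03", date(2024, 5, 8), "reported"),   ("e04", date(2024, 5, 8), "ignored"),
    ("e01", date(2024, 6, 12), "reported"),  ("e02", date(2024, 6, 12), "attachment"),
    ("e03", date(2024, 6, 12), "reported"),  ("e04", date(2024, 6, 12), "ignored"),
]
WORKFORCE = ["e01", "e02", "e03", "e04"]
# Required video training per role track: (track, assigned, completed).
TRAINING = [("all-hands", 4, 4), ("finance", 2, 1), ("it-admin", 1, 1)]
FAIL = {"clicked", "credential", "attachment"}   # the three tracked fail variants

def lure_rates(lures, start, end):
    """KPI 01 and KPI 02 for the quarter [start, end]: phish-prone % (lures
    clicked, credential-filled or attachment-opened) and report-button %.
    Assumption: each delivered lure counts once, not each employee."""
    delivered = [o for _, d, o in lures if start <= d <= end]
    if not delivered:
        return 0.0, 0.0
    failed = sum(o in FAIL for o in delivered)
    reported = delivered.count("reported")
    return round(100 * failed / len(delivered), 1), round(100 * reported / len(delivered), 1)

def completion_by_track(training, floor=90.0):
    """KPI 03: completion % per role track plus the tracks under the
    escalation floor (the trigger on the page is any track under ninety percent)."""
    pct = {t: round(100 * done / assigned, 1) for t, assigned, done in training}
    return pct, sorted(t for t, p in pct.items() if p < floor)

def fails_in_window(lures, employee, as_of, days=90):
    """Failed lures for one employee inside the rolling window ending as_of."""
    start = as_of - timedelta(days=days)
    return sum(1 for e, d, o in lures if e == employee and o in FAIL and start <= d <= as_of)

def repeat_offender_cohort(lures, workforce, as_of, days=90):
    """KPI 04: size of the rolling ninety-day cohort with two or more fails.
    Returns (count, % of workforce) only; names never leave this function."""
    count = sum(1 for e in workforce if fails_in_window(lures, e, as_of, days) >= 2)
    return count, round(100 * count / len(workforce), 1)

def coaching_step(lures, employee, as_of, days=90):
    """The non-punitive ladder from the FAQ: first fail -> thirty-second
    micro-training, second in the rolling window -> coaching call with a named
    instructor, third -> role-risk conversation with the reporting manager.
    Assumption: all three steps are counted inside the same rolling window."""
    n = fails_in_window(lures, employee, as_of, days)
    steps = ("none", "micro-training", "coaching-call")
    return steps[n] if n < len(steps) else "role-risk-review"

def quarterly_dashboard(lures, workforce, training, start, end):
    """Assemble the four headline numbers into one board-ready record."""
    phish_prone, report = lure_rates(lures, start, end)
    completion, flagged = completion_by_track(training)
    count, pct = repeat_offender_cohort(lures, workforce, end)
    return {"phish_prone_pct": phish_prone, "report_rate_pct": report,
            "completion_pct": completion, "tracks_under_floor": flagged,
            "repeat_offenders": {"count": count, "pct_of_workforce": pct}}

if __name__ == "__main__":
    print(quarterly_dashboard(LURES, WORKFORCE, TRAINING, date(2024, 4, 1), date(2024, 6, 30)))
```

The dashboard record carries the repeat-offender cohort as a count and percentage only, matching the rule that names never appear in the quarterly output.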

08 / Next Step

Train the layer attackers are counting on.

Tell us workforce size, regulatory overlays, and whether you are operating post-incident or building ahead of one. The program lead who would run your engagement will be on a scoping call within five business days — with a cadence recommendation and a written scope before any paperwork moves.