
Security Awareness Training

Segment at a Glance

Market Size: ~$5.2 billion (2025) | projected ~$14.7 billion by 2031 (Mordor Intelligence) | ~16.8% CAGR
Maturity: Mature (checkbox training) / Growth (human risk management)
Growth: High --- driven by regulatory mandates, AI-generated phishing, and the shift from compliance training to continuous human risk management
Key Trend: Evolution from annual checkbox training to integrated Human Risk Management (HRM) platforms that combine behavioral analytics, adaptive phishing simulations, and real-time intervention

What It Is

Security awareness training (SAT) encompasses the programs, platforms, and practices that educate employees to recognize and respond to cybersecurity threats --- primarily phishing, social engineering, business email compromise, and credential theft. The category has evolved through several distinct generations:

  • Checkbox Compliance Training: Annual slide decks or videos followed by a quiz, designed to satisfy regulatory requirements (HIPAA, PCI DSS, SOX). Measures completion rates, not behavior change. Still dominant by deployment volume.
  • Phishing Simulation Platforms: Automated campaigns that send simulated phishing emails to employees, measure click rates, and deliver "teachable moment" training when users fail. KnowBe4 popularized this model and built a $4.6B company on it.
  • Adaptive / Gamified Training: Platforms that personalize difficulty based on user performance, use gamification mechanics (leaderboards, points, streaks), and deliver microlearning instead of annual courses. Hoxhunt and Ninjio lead this approach.
  • Human Risk Management (HRM): The current frontier --- platforms that aggregate risk signals from multiple sources (phishing simulation results, email behavior, endpoint telemetry, identity anomalies) to produce a per-user risk score and deliver targeted interventions. KnowBe4 HRM+, Living Security, and Mimecast are positioning around this vision.

[Diagram: the four generations of SAT. Generation 1, Compliance: annual CBT course, knowledge quiz. Generation 2, Simulation: phishing simulation, teachable moment. Generation 3, Adaptive: microlearning, gamification, difficulty adaptation. Generation 4, HRM: human risk score, multi-source signals, real-time nudges.]

The fundamental tension in this segment is between compliance-driven buyers (who need to check a regulatory box) and security-driven buyers (who want to measurably reduce human risk). Most revenue still comes from the former, but innovation and competitive differentiation concentrate on the latter.

Buyer Profile

| Attribute | Detail |
| --- | --- |
| Primary Buyer | CISO, Security Awareness Manager, Director of Security Operations |
| Influencers | Compliance officers, HR leadership, IT directors, SOC analysts (who see the phishing reports) |
| Org Size | All --- from SMB (25 users) to enterprise (500K+); SMB often buys through MSPs |
| Buying Triggers | Successful phishing incident, compliance audit finding, cyber insurance requirement, annual contract renewal, new regulation (DORA, CMMC 2.0), PE/board mandate |
| Budget Range | $12--$60/user/year depending on tier, vendor, and contract length (Consilien) |
| Sales Cycle | 2--6 weeks (SMB/MSP); 2--6 months (enterprise RFP with procurement) |

Market Landscape

Vendor Positioning

[Chart: Security Awareness / HRM Vendor Positioning (2025). X axis: Pure SAT → Full HRM Platform (HRM breadth, 0--100%); Y axis: Emerging → Established (0--100%). Dashed lines at 50% on each axis divide the plot into four quadrants: Platform Players (upper left), HRM Leaders (upper right), Emerging Innovators (lower left), SAT Specialists (lower right). Plotted positions:]

| Vendor | HRM Breadth | Established |
| --- | --- | --- |
| KnowBe4 HRM+ | 75% | 95% |
| Proofpoint ZenGuide | 60% | 90% |
| Cofense PhishMe | 35% | 75% |
| SANS SecAware | 25% | 78% |
| Mimecast HRM | 70% | 72% |
| Hoxhunt | 55% | 60% |
| Living Security | 80% | 45% |
| Ninjio | 30% | 40% |
| CybSafe | 65% | 38% |
| Adaptive Security | 50% | 25% |

Key Vendors

| Vendor | Strengths | Weaknesses | Notable |
| --- | --- | --- | --- |
| KnowBe4 | Market leader by customer count (65K+ orgs); largest content library (1,600+ modules, 40+ languages); G2 leader for 21 consecutive quarters; HRM+ platform integrates SAT, phishing simulation, and cloud email security (Egress) | Content volume over content quality; UI can feel dated; PE ownership (Vista Equity, $4.6B) may prioritize margins; click-rate-centric metrics face criticism | Acquired Egress (July 2024) to add AI-powered cloud email security; TTM revenue ~$310M (CompaniesMarketCap); named Leader in 2025 Gartner MQ for Email Security (KnowBe4) |
| Proofpoint ZenGuide | Strong threat intelligence integration (real phishing data informs training content); ACE framework (Assess, Change, Evaluate); PhishAlarm + CLEAR automated response; CISO dashboard for executive reporting; Gartner SAT Leader 6 years running | Premium pricing; bolt-on feel within broader Proofpoint suite; less gamification than newer entrants; content can feel corporate/dry | Owned by Thoma Bravo ($12.3B, 2021); training content available in 40+ languages; thousands of phishing templates across 13 categories (G2) |
| Cofense PhishMe | Deep phishing simulation specialization; strong analytics and reporting; integrated phishing response ecosystem (Triage, Reporter, Intelligence); good enterprise penetration | Narrower content library than KnowBe4; less HRM vision; phishing-centric rather than full awareness platform | Pricing starts at ~$10/user/year (Cofense); strong in financial services and healthcare verticals |
| SANS Security Awareness | Highest content credibility (SANS brand); strong compliance mapping (HIPAA, PCI DSS, CMMC, GDPR); trusted in government and regulated industries | Less platform innovation; limited gamification; higher price point; less phishing simulation sophistication than dedicated platforms | Best-in-class for organizations where content authority and compliance documentation matter most |
| Hoxhunt | Best-in-class gamification; adaptive difficulty personalization; strong engagement metrics; employees report enjoying the training; continuous reinforcement model | Smaller content library; less brand recognition than KnowBe4/Proofpoint; limited compliance-focused content | Raised $40M Series B (2022); strong traction in Nordic and European markets; positions as "Duolingo for cybersecurity" |
| Living Security | Most advanced HRM vision; Livvy AI engine aggregates 200+ risk signals; behavioral science foundation; Unify platform for quantified human risk | Smaller customer base; newer platform with less track record; requires integration maturity to realize full HRM value | Founded by former CISO; positioned as the pure-play HRM platform rather than an SAT vendor that added HRM features |
| Mimecast | HRM narrative integrated with email security platform; March 2026 platform launch combining awareness training with email protection and AI-driven risk scoring | SAT capabilities historically weaker than pure-play vendors; transitioning brand identity from email security to HRM | Announced next-gen HRM platform launch March 2026 (Mimecast) |
| Ninjio | Engaging micro-learning episodes (3--4 minute animated stories); Hollywood-quality production; emotional engagement approach | Limited phishing simulation depth; smaller platform; less enterprise analytics | Uses behavioral science and storytelling to drive engagement over traditional CBT |

Competitive Dynamics

KnowBe4 dominates by volume but faces disruption from below. With 65,000+ customers and the largest content library, KnowBe4 is the default choice for organizations that need a proven, broad SAT platform. However, its click-rate-centric approach faces growing criticism, and newer vendors (Hoxhunt, Living Security, CybSafe) argue that measuring phishing simulation click rates is a vanity metric that does not correlate with actual risk reduction.

The "checkbox to HRM" transition defines competitive positioning. Every major vendor now claims an HRM story, but the depth varies dramatically. KnowBe4 HRM+ and Living Security have the most developed platforms; Proofpoint and Mimecast are leveraging their email security telemetry to add risk signals; Cofense and SANS remain primarily simulation/content-focused.

Email security vendors are absorbing SAT. KnowBe4's Egress acquisition (email security into SAT) and Mimecast's HRM platform launch (SAT into email security) represent convergence from opposite directions. Gartner's 2025 Email Security MQ now includes SAT vendors, signaling that awareness training is increasingly viewed as a feature of email security platforms rather than a standalone category.

PE ownership shapes the top of the market. KnowBe4 (Vista Equity, $4.6B), Proofpoint (Thoma Bravo, $12.3B), and Mimecast are all PE-backed, creating pressure for margin expansion that may constrain R&D investment and innovation.

Recent M&A and Funding

| Date | Deal | Details |
| --- | --- | --- |
| Feb 2023 | Vista Equity acquires KnowBe4 | $4.6B take-private; 44% premium to unaffected share price (BusinessWire) |
| Jul 2024 | KnowBe4 acquires Egress | AI-powered cloud email security; creates unified SAT + email security platform (KnowBe4) |
| 2021 | Thoma Bravo acquires Proofpoint | $12.3B take-private; includes Proofpoint SAT (formerly Wombat Security) |
| 2020 | Proofpoint acquires Wombat Security | Integrated SAT into Proofpoint's email security portfolio (rebranded as ZenGuide) |
| 2022 | Hoxhunt Series B | $40M raise to expand adaptive phishing simulation platform |

Knowledge Gap

Living Security and CybSafe funding details beyond early rounds are limited in public sources. Cofense's most recent valuation and ownership structure after its 2023 restructuring are not publicly confirmed.

Pricing Models

| Model | Typical Range | Used By |
| --- | --- | --- |
| Per-user/year (standard) | $12--$36/user/yr | KnowBe4 (Silver/Gold), Cofense, Ninjio |
| Per-user/year (premium) | $36--$60/user/yr | KnowBe4 (Platinum/Diamond), Proofpoint, SANS |
| Per-user/month | $1.50--$3.25/user/mo | KnowBe4 tiered (billed annually) |
| MSP/channel pricing | Volume discounts at scale | KnowBe4, Proofpoint Essentials, Infima |
| Bundled with email security | Included in email security license | Mimecast, KnowBe4 HRM+ |
| Free tier / freemium | $0 (limited features) | KnowBe4 (free phishing test), Hoxhunt (limited) |

TCO friction points:

  • Content fatigue cost: Organizations that deploy quarterly or monthly training report declining engagement over time. The cost is not just licensing --- it is the opportunity cost of employees disengaging from security culture.
  • Simulation infrastructure: Running phishing simulations at scale requires allowlisting simulation domains in email security tools, managing exceptions, and coordinating with IT teams --- hidden operational overhead.
  • Multi-tool sprawl: Organizations often run a SAT platform (KnowBe4) alongside a separate compliance training tool (HR-mandated) and a separate phishing response tool (Cofense Triage), tripling administrative burden.
  • Measurement overhead: Proving ROI to leadership requires analytics, dashboards, and executive reporting --- features often locked behind premium tiers.

Integration & Ecosystem

Security awareness training platforms connect to the broader security stack at several integration points:

  • Email security: Phishing simulation results inform email security tuning; user-reported phishing (PhishAlarm, Cofense Reporter) feeds email security triage; KnowBe4/Egress and Mimecast HRM represent full SAT + email security convergence.
  • Identity / IAM: HRM platforms correlate training performance with identity risk signals (MFA adoption, password hygiene, login anomalies from Entra ID or Okta).
  • SIEM / XDR: Training metrics and phishing simulation results feed SIEM for human risk correlation --- high-risk users identified by SAT become watchlist candidates in SOC workflows.
  • HR systems (HRIS): User provisioning from Workday, BambooHR, or Active Directory; training completion data flows back to HR for compliance records.
  • GRC platforms: Training completion evidence maps to compliance frameworks (HIPAA, PCI DSS, CMMC, DORA) in GRC tools like ServiceNow GRC, Archer, or Drata.

[Diagram: the SAT / HRM Platform at the centre, connected to Email Security, SIEM / XDR, GRC Platform, Identity / IAM and HRIS / HR Systems; the data flows are labelled Phish Reports, Risk Scores, Completion Data, User Sync, Training Records, Threat Intel, Risk Signals and Incident Context.]

Regulatory Drivers

Security awareness training is one of the few cybersecurity categories with explicit regulatory mandates across multiple frameworks:

| Regulation / Framework | Training Requirement | Effective |
| --- | --- | --- |
| HIPAA Security Rule | Mandatory security awareness training for all workforce members (§ 164.308(a)(5)) | Ongoing |
| PCI DSS 4.0.1 | Security awareness training for all personnel; annual developer training | Mar 2025 |
| CMMC 2.0 | Dedicated Awareness & Training domain; threat recognition training required | Q1 2025 (in DoD contracts) |
| DORA | ICT risk management training including phishing awareness for financial entities | Jan 2025 |
| GDPR | Article 39 requires DPO to provide awareness training; Article 47 requires training for BCR | Ongoing |
| SOX | Security awareness training implied through IT general controls | Ongoing |
| NIST CSF 2.0 | PR.AT (Awareness and Training) category with specific subcategories | Feb 2024 |
| ISO 27001:2022 | Clause 7.3 requires security awareness; Annex A.6.3 mandates training program | Ongoing |
| Cyber Insurance | Increasingly requiring evidence of SAT program for policy issuance or premium reduction | Trend |

Sources: KnowBe4 Compliance Guide; Keepnet Compliance Guide 2026.

SWOT Analysis

Strengths

  • Universal demand: every organization with employees needs security awareness training, making the total addressable market enormous
  • Strong regulatory tailwinds: HIPAA, PCI DSS 4.0, CMMC 2.0, DORA, GDPR, and cyber insurance requirements all mandate or incentivize employee training
  • Low barrier to initial adoption: SaaS delivery, per-user pricing, and free trials make SAT accessible even to small organizations
  • Measurable (if imperfect) outcomes: phishing simulation click rates provide at least a directional metric, unlike many security tools

Weaknesses

  • Measurement crisis: Click rates are widely criticized as a vanity metric that does not correlate with actual security outcomes (Mirage Security)
  • User fatigue: Repetitive, mandatory training breeds resentment and disengagement; 68% of IT managers cite employee motivation as the biggest challenge (Bitwarden 2025)
  • Checkbox culture: Organizations celebrate 99% completion rates while employees take just 21 seconds to click malicious links (Keepnet)
  • Limited evidence base: ETH Zurich research found that embedded phishing training can make employees MORE susceptible, with an 18.5% increased likelihood of failing future attempts per additional static training session

Opportunities

  • Human risk management platforms: Aggregating risk signals from email, identity, endpoint, and behavior to produce actionable per-user risk scores --- the next evolution beyond simulation
  • AI-powered adaptive training: LLM-generated personalized content, real-time coaching nudges, and AI-driven difficulty adjustment
  • Collaboration platform coverage: Extending phishing simulation and awareness to Teams, Slack, SMS (smishing), and voice (vishing) --- currently greenfield
  • MSP/SMB channel: The majority of SMBs have no formal SAT program; MSP-delivered awareness training is a significant growth opportunity
  • Behavioral science integration: Moving beyond knowledge transfer to actual behavior change using nudge theory, habit formation, and positive reinforcement

Threats

  • Bundling pressure: Email security vendors (Microsoft, Proofpoint, Mimecast) bundling SAT as a feature rather than a product compresses standalone SAT vendor margins
  • AI-generated phishing renders simulations less effective: When real phishing emails are indistinguishable from legitimate communication, training users to "spot the red flags" becomes less viable
  • Regulatory backlash: Some jurisdictions are scrutinizing punitive phishing simulations; the EU's focus on employee wellbeing may constrain aggressive simulation programs
  • Budget scrutiny: SAT is often the first line item questioned during budget cuts because ROI is difficult to prove definitively
  • "Security awareness doesn't work" narrative: High-profile critics (Google's Matt Linton, Bruce Schneier) argue that training humans is less effective than fixing systems, creating headwinds for buyer investment

Pain Points & Complaints

Common Complaints

Sourced from Gartner Peer Insights, G2 Reviews, practitioner forums, and industry research.

The measurement problem:

  • Click rates are the universal metric, but they are highly variable and influenced by uncontrollable factors (current events, time of day, organizational changes). Researchers argue that focusing on click rates "misses what happens after someone clicks, which matters even more" (Hoxhunt).
  • A 2025 IEEE S&P study found that training effectiveness is difficult to isolate from confounding variables, and long-term retention of awareness training is poor without continuous reinforcement (IEEE S&P 2025).
  • Organizations struggle to connect SAT metrics to business outcomes --- "our click rate dropped from 15% to 8%" does not translate to "we prevented X dollars in losses."

User fatigue and resentment:

  • Mandatory quarterly training is widely described as "death by PowerPoint" by employees, who treat it as a checkbox task to complete as quickly as possible.
  • Phishing simulations that use bonus incentives or fear-based tactics (fake layoff notices, fake HR communications) generate employee resentment and have drawn public criticism (CyberCoach).
  • NIST has documented "security fatigue" as a phenomenon where employees become overwhelmed and desensitized to constant warnings, leading them to ignore security best practices entirely.

Checkbox compliance culture:

  • Compliance officers care about completion rates; security teams care about behavior change. These goals often conflict, with compliance winning because it is auditable.
  • Organizations report running two parallel programs: one for compliance (annual CBT with quiz) and one for security (phishing simulations), doubling cost and administrative burden.
  • SAT vendors are complicit in perpetuating checkbox culture by highlighting completion metrics in marketing rather than demonstrating actual risk reduction.

Simulation operational overhead:

  • Allowlisting phishing simulation domains in email security tools, firewalls, and proxy servers is a recurring pain point that requires coordination across security and IT teams.
  • Phishing simulations can trigger real security incident responses when SOC teams are not informed, wasting analyst time and creating "boy who cried wolf" dynamics.
  • Multi-language simulation campaigns require significant content localization effort that many vendors handle poorly.

The Phishing Simulation Effectiveness Debate

A defining controversy in this segment

The effectiveness of phishing simulations is one of the most debated topics in cybersecurity. The evidence is mixed and the debate is heated:

Arguments that simulations work:

  • Organizations implementing behavior-based phishing training report 50% reduction in phishing-related incidents over 12 months (Brightside AI)
  • Continuous, adaptive programs (monthly+) show sustained improvement vs. annual-only programs
  • Hoxhunt data shows organizations can reduce phishing susceptibility from ~30% to under 5% with sustained gamified simulation programs (Hoxhunt)

Arguments that simulations are counterproductive:

  • ETH Zurich studies (2021, 2024) found embedded training can make employees MORE susceptible, with immediate feedback creating overconfidence effects
  • A meta-analysis found that each additional static training session increased failure likelihood by 18.5% (Mirage Security)
  • Google's Matt Linton and Bruce Schneier argue there is no evidence that simulation programs reduce real phishing success rates, and that engineering controls (FIDO2, passkeys, URL filtering) are more effective
  • Simulations using bonus incentives or fear tactics generated backlash and psychological manipulation complaints (CyberCoach)

The emerging consensus:

  • Annual, static, compliance-only training is demonstrably ineffective
  • Continuous, adaptive, gamified programs show better outcomes but are harder to implement
  • Simulations are most valuable as a measurement tool (identifying high-risk users) rather than a training tool
  • The combination of technical controls (MFA, email security) AND human awareness is more effective than either alone
  • The industry is shifting from "train everyone equally" to "identify high-risk individuals and intervene specifically"

Evolution of Security Awareness Training (timeline):

  • 2005: Annual CBT courses; compliance-driven; completion tracking
  • 2011: Phishing simulation; KnowBe4 founded; click-rate metrics
  • 2018: Adaptive training; gamification; microlearning
  • 2022: Human risk management; multi-signal risk scores; behavioral analytics
  • 2025: AI-native HRM; LLM-powered content; real-time nudges
  • 2027+: Autonomous risk management; predictive intervention; collaboration platform coverage

Key trends shaping 2025--2028:

  1. Human risk management replaces security awareness training. The category is being redefined from "training" (a periodic activity) to "human risk management" (a continuous program). KnowBe4 HRM+, Living Security Unify, and Mimecast's March 2026 platform launch reflect this shift. HRM platforms aggregate signals from phishing simulations, email behavior, endpoint telemetry, and identity systems to produce per-user risk scores and trigger targeted interventions (Living Security).

  2. AI-generated content and personalization. LLMs are enabling vendors to auto-generate training content tailored to specific industries, roles, and threat scenarios. KnowBe4 now offers AI-suggested training modules and automated scheduling. Adaptive Security and Brightside AI represent a new wave of AI-native training platforms that generate realistic, personalized phishing simulations using generative AI (Brightside AI).

  3. Beyond email: multi-channel simulation. Phishing simulations are expanding beyond email to cover SMS (smishing), voice (vishing), QR codes (quishing), and collaboration platforms (Teams, Slack). As attackers diversify channels, simulation programs that remain email-only become less relevant.

  4. Positive reinforcement over punishment. The industry is moving away from "gotcha" simulations and punitive approaches (naming and shaming clickers) toward positive reinforcement, gamification, and reward-based engagement. Hoxhunt's model --- where employees earn points for correctly reporting simulations --- represents this shift.

  5. Behavioral science integration. CybSafe and Living Security are explicitly grounding their platforms in behavioral science research, applying nudge theory, habit formation loops, and cognitive bias awareness to drive behavior change rather than mere knowledge transfer.

  6. Convergence with email security. KnowBe4's acquisition of Egress and Mimecast's HRM platform demonstrate that SAT and email security are merging. The logic is compelling: the same platform that trains users to recognize phishing should also protect their inbox from it, and user-reported phishing should feed the email security detection engine.
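To make the per-user scoring in trend 1 concrete, here is an added Python illustration of aggregating three signal sources (simulation behavior, identity, training status) into a score and an intervention list; it is not any vendor's algorithm, and the source names, weights, thresholds and sample users are all constructed for this example. It renormalises over the sources actually available, so a user with no identity feed is not scored artificially low, and it shows why two users with the same click rate can carry very different risk.

```python
"""Per-user human-risk score aggregated from several signal sources.

Added illustration of the HRM aggregation idea; not any vendor's algorithm.
Signal names, weights, thresholds and the sample users are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserSignals:
    user: str
    sims_received: int                      # simulated phish delivered, last 12 months
    sim_clicked: int                        # ...of which the link was clicked
    sim_reported: int                       # ...of which the user reported the mail
    phishing_resistant_mfa: Optional[bool]  # FIDO2/passkey enrolled; None = unknown
    login_anomalies_90d: Optional[int]      # IdP risk events; None = no IdP feed
    training_overdue_days: int              # days past the assigned due date


# Relative weight of each source when it is present (constructed values).
WEIGHTS = {"phish_behaviour": 0.40, "identity": 0.35, "training": 0.25}


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def phish_behaviour_risk(s: UserSignals) -> Optional[float]:
    """Click rate alone misses what happens next; reporting is protective."""
    if s.sims_received == 0:
        return None                         # no simulation data for this user yet
    click_rate = s.sim_clicked / s.sims_received
    report_rate = s.sim_reported / s.sims_received
    return _clamp(0.7 * click_rate + 0.3 * (1.0 - report_rate))


def identity_risk(s: UserSignals) -> Optional[float]:
    """Half the score from MFA strength, half from recent IdP risk events."""
    if s.phishing_resistant_mfa is None and s.login_anomalies_90d is None:
        return None                         # identity source not integrated
    mfa_part = 0.0 if s.phishing_resistant_mfa else 0.5   # unknown MFA treated as weak
    anomaly_part = 0.5 * min(s.login_anomalies_90d or 0, 5) / 5
    return _clamp(mfa_part + anomaly_part)


def training_risk(s: UserSignals) -> float:
    """Linear in days overdue, saturating at 180 days."""
    return _clamp(s.training_overdue_days / 180)


def score_user(s: UserSignals) -> dict:
    parts = {
        "phish_behaviour": phish_behaviour_risk(s),
        "identity": identity_risk(s),
        "training": training_risk(s),
    }
    present = {k: v for k, v in parts.items() if v is not None}
    # Renormalise over the sources that exist, so a missing feed does not
    # silently lower the score; expose the covered weight as a confidence hint.
    weight_sum = sum(WEIGHTS[k] for k in present)
    score = 100 * sum(WEIGHTS[k] * v for k, v in present.items()) / weight_sum
    tier = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {
        "user": s.user,
        "score": round(score, 1),
        "tier": tier,
        "driver": max(present, key=present.get),  # which source to act on first
        "coverage": round(weight_sum, 2),
    }


def rank_for_intervention(users):
    """Highest risk first: the 'intervene specifically' list rather than 'train everyone'."""
    return sorted((score_user(u) for u in users), key=lambda r: r["score"], reverse=True)


# Constructed sample population.
SAMPLE_USERS = [
    # Same 50% click rate as bob, but never reports, weak MFA, three IdP alerts.
    UserSignals("alice", 12, 6, 0, False, 3, 0),
    # Clicks as often as alice but reports every time and has a passkey.
    UserSignals("bob", 12, 6, 6, True, 0, 0),
    # New joiner: no simulations yet, no IdP alerts, training 120 days overdue.
    UserSignals("carol", 0, 0, 0, False, 0, 120),
]

if __name__ == "__main__":
    for row in rank_for_intervention(SAMPLE_USERS):
        print(row)
```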

Gaps & Underserved Areas

Market Gaps

  • Multi-channel simulation (SMS, voice, Teams/Slack, QR code) is offered by few vendors despite attackers actively exploiting these channels
  • SMB without MSP --- small businesses that do not use an MSP have very few accessible, affordable SAT options
  • Developer-specific security training that goes beyond phishing awareness to cover secure coding, secrets management, and supply chain risks
  • Board and executive training that addresses whale phishing, deepfake impersonation, and AI-generated social engineering targeting leadership

Underserved

  • Non-English content quality: Most vendors offer translated content, but quality and cultural relevance drop significantly outside English; CJK and Arabic content is particularly weak
  • Neurodiversity accommodation: Training content rarely accounts for neurodiverse employees who process information differently; accessibility compliance is minimal
  • Measuring actual behavior change: No vendor has solved the fundamental problem of proving that training causes behavior change vs. correlation
  • Contractor and third-party training: Extended workforce members (contractors, temps, partners) are often excluded from SAT programs despite representing significant risk
  • Integration with physical security awareness: Social engineering extends beyond digital channels to physical access (tailgating, badge cloning, dumpster diving), but SAT platforms rarely address physical security

Geographic Notes

| Region | Characteristics |
| --- | --- |
| North America | Largest market (~38% of revenue). KnowBe4 and Proofpoint dominate. CMMC 2.0 driving defense contractor adoption. Cyber insurance requirements increasingly mandate SAT. State-level privacy laws (CCPA, CPRA) add training requirements. |
| Europe | GDPR Article 39 and DORA (effective Jan 2025) mandate security awareness training for financial entities. Strong data protection culture. Hoxhunt has strong Nordic presence. Mimecast and Proofpoint compete for enterprise. EU employee wellbeing regulations may constrain aggressive phishing simulations. |
| APAC | Fastest-growing region (~18.6% CAGR, Mordor Intelligence). Japan, Australia, and Singapore are mature markets. India is a growth market with increasing regulatory requirements. Multi-language support is critical. |
| Middle East / Africa | Growing adoption driven by national cyber mandates (Saudi NCA, UAE NESA). Preference for managed SAT services. Limited local vendor presence; global vendors serve through regional partners. |

Open-Source Alternatives

| Tool | Description | Strengths | Limitations |
| --- | --- | --- | --- |
| GoPhish | The leading open-source phishing simulation framework written in Go. Simple installation, intuitive web UI, and REST API for automation. | Easiest open-source option to deploy; clean UI; active community; REST API for integration; Docker support; good documentation | No training content (simulation only); no LMS; limited reporting vs. commercial tools; no multi-channel (email only); requires infrastructure management at scale (GoPhish) |
| King Phisher | Python-based phishing campaign toolkit with real-time campaign monitoring, two-factor authentication, and flexible web server configurations. | Robust feature set; real-time monitoring; 2FA support; adaptable server configs; good for red team engagements | Linux-only server; steeper learning curve than GoPhish; less active development; requires Python expertise; no training content |
| Lucy Community Edition | Free (not open-source) community version of the Lucy Security (now ThriveDX) phishing simulation platform. | Full social engineering platform (not just phishing); awareness training content included; web-based UI | Not open source --- community edition has significant feature restrictions (no export, no scheduling, no attachment attacks); commercial upsell vehicle |
| Social-Engineer Toolkit (SET) | Part of TrustedSec suite; designed for penetration testing social engineering attacks including spear-phishing and credential harvesting. | Comprehensive social engineering framework; supports multiple attack vectors; well-maintained; strong pentesting community | Designed for red teaming, not ongoing awareness programs; no training content; no campaign management UI; requires security expertise |
| Evilginx2 | Advanced man-in-the-middle phishing framework for testing MFA bypass and session hijacking attacks. | Tests sophisticated MFA-bypass attacks; realistic simulation of advanced threats; good for security team training | Offensive tool, not designed for awareness programs; ethical and legal concerns if misused; no reporting/analytics; advanced setup required |

Open-Source Strategy

GoPhish is the clear starting point for organizations that want open-source phishing simulation. It provides campaign management, email delivery, open and click tracking, and optional capture of submitted form data in a clean web UI. It ships no training content, so you must pair it with internally developed or third-party training materials. For a complete open-source SAT program: deploy GoPhish for simulation, point users who click at custom landing pages that deliver the teachable moment, and pull campaign results via the REST API into your own reporting. Two operational caveats: leave password capture disabled (captured submissions sit unencrypted in the GoPhish database, and a store of real employee passwords is a liability the simulation does not need), and keep the admin interface on its default localhost binding or behind a VPN, since it holds the SMTP credentials of your sending profiles. Budget 0.5 to 1.0 FTE for ongoing management. This approach works for organizations with security engineering talent but lacks the analytics, adaptive difficulty, gamification, and HRM features of commercial platforms.
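To make the "track metrics via the REST API" step concrete, here is an added example script (not GoPhish's own code) that turns campaign results into the rates an awareness program reports, lists the users who submitted data for follow-up training, and finds repeat clickers across campaigns, the per-user signal an HRM platform would fold into a risk score. The fetch_campaign_results helper calls GoPhish's GET /api/campaigns/{id}/results endpoint with a Bearer API key; the admin URL is an assumption. The SAMPLE_CAMPAIGNS payloads are constructed in the shape of that endpoint's response so the script runs offline, and the addresses are invented.

```python
"""Summarize GoPhish campaign results into awareness-program metrics.

Added example for this page, not part of the GoPhish project. The payload
shape mirrors GoPhish's GET /api/campaigns/{id}/results response; the
sample data below is constructed, not captured from a real campaign.
"""
import json
import urllib.request
from collections import Counter

# Per-recipient statuses GoPhish assigns as a target progresses through a
# campaign. "Submitted Data" implies the link was also clicked. Reporting is
# tracked in the separate boolean "reported" field, not in the status.
FAIL_STATUSES = {"Clicked Link", "Submitted Data"}

# Constructed sample campaigns (invented addresses) in the results-endpoint shape.
SAMPLE_CAMPAIGNS = [
    {
        "id": 7,
        "name": "Q3 payroll lure",
        "status": "Completed",
        "results": [
            {"email": "a.nair@example.com", "status": "Email Sent", "reported": False},
            {"email": "b.okafor@example.com", "status": "Email Opened", "reported": False},
            {"email": "c.ruiz@example.com", "status": "Clicked Link", "reported": False},
            {"email": "d.chen@example.com", "status": "Submitted Data", "reported": False},
            {"email": "e.kowalski@example.com", "status": "Email Opened", "reported": True},
            {"email": "f.haddad@example.com", "status": "Clicked Link", "reported": True},
        ],
    },
    {
        "id": 9,
        "name": "Q4 MFA reset lure",
        "status": "Completed",
        "results": [
            {"email": "a.nair@example.com", "status": "Email Opened", "reported": True},
            {"email": "b.okafor@example.com", "status": "Email Sent", "reported": False},
            {"email": "c.ruiz@example.com", "status": "Clicked Link", "reported": False},
            {"email": "d.chen@example.com", "status": "Email Opened", "reported": True},
            {"email": "e.kowalski@example.com", "status": "Email Sent", "reported": False},
            {"email": "f.haddad@example.com", "status": "Submitted Data", "reported": False},
        ],
    },
]


def fetch_campaign_results(base_url, api_key, campaign_id, timeout=10):
    """Fetch live results from the GoPhish admin API.

    base_url is the admin server (assumed, e.g. https://gophish.internal:3333);
    GoPhish accepts the API key as a Bearer token. Not called by the offline demo.
    """
    req = urllib.request.Request(
        f"{base_url}/api/campaigns/{campaign_id}/results",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(campaign):
    """Return the rates a program reports plus the users owed a teachable moment.

    Open rates are deliberately not reported: tracking-pixel opens are inflated
    by mail-client image prefetching and proxies, so they are a poor signal.
    """
    results = campaign["results"]
    total = len(results)
    counts = Counter(r["status"] for r in results)
    clicked = counts["Clicked Link"] + counts["Submitted Data"]  # submitters clicked too
    submitted = counts["Submitted Data"]
    reported = sum(1 for r in results if r.get("reported"))

    def rate(n):
        return round(n / total, 3) if total else 0.0

    return {
        "campaign": campaign["name"],
        "targets": total,
        "click_rate": rate(clicked),
        "submit_rate": rate(submitted),
        "report_rate": rate(reported),
        "follow_up": sorted(r["email"] for r in results if r["status"] == "Submitted Data"),
    }


def repeat_failures(campaigns, min_fails=2):
    """Users who clicked or submitted in at least min_fails campaigns.

    With a commercial HRM platform this is part of the risk score; with GoPhish
    you compute it yourself across the campaign result payloads.
    """
    fails = Counter()
    for campaign in campaigns:
        for r in campaign["results"]:
            if r["status"] in FAIL_STATUSES:
                fails[r["email"]] += 1
    return sorted(email for email, n in fails.items() if n >= min_fails)


if __name__ == "__main__":
    for c in SAMPLE_CAMPAIGNS:
        print(json.dumps(summarize(c), indent=2))
    print("repeat failures:", repeat_failures(SAMPLE_CAMPAIGNS))
```

Run it as-is to see the constructed campaigns summarized; replace SAMPLE_CAMPAIGNS with the output of fetch_campaign_results for each campaign ID to report on a live instance. The GoPhish admin server uses a self-signed certificate by default, so a real deployment should install a trusted certificate rather than disable verification in the client.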

Sources & Further Reading

  1. Mordor Intelligence --- Security Awareness Training Market Size & Share (2026--2031)
  2. Zion Market Research --- Cybersecurity Awareness Training Market Size (2024--2032)
  3. Business Research Insights --- Security Awareness Training Platform Market (2025--2033)
  4. KnowBe4 --- Vista Equity Partners Completes Acquisition
  5. KnowBe4 --- Completes Acquisition of Egress
  6. KnowBe4 --- Named Leader in 2025 Gartner MQ for Email Security
  7. CompaniesMarketCap --- KnowBe4 Revenue
  8. 6sense --- KnowBe4 Market Share in Cyber Security
  9. G2 --- Proofpoint Security Awareness Training Reviews
  10. Gartner Peer Insights --- Security Awareness CBT Reviews
  11. Consilien --- Security Awareness Training Cost 2025
  12. Hoxhunt --- Why the WSJ Got It Wrong: Phishing Training Works
  13. Mirage Security --- The Dark Side of Phishing Simulations
  14. CyberCoach --- Phishing Training Makes Employees More Prone
  15. IEEE S&P 2025 --- Understanding the Efficacy of Phishing Training in Practice
  16. Brightside AI --- Security Awareness Training Statistics 2025
  17. Keepnet --- Security Awareness Training Statistics 2026
  18. Keepnet --- Security Awareness Compliance Guide 2026
  19. KnowBe4 --- Security Awareness Compliance Requirements
  20. Living Security --- Human Risk Management Platform
  21. Guardey --- 9 Best Human Risk Management Platforms 2026
  22. Expert Insights --- Top Security Awareness Training Solutions 2026
  23. GoPhish --- Open Source Phishing Framework
  24. CanIPhish --- Open-Source Phishing Simulation Tools 2026
  25. Brightside AI --- Why Most Cybersecurity Awareness Programs Fail 2025

Glossary

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A

Term Definition
ACL Access Control List — rules determining which users/systems can access resources
APT Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access
ASM Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's external-facing assets
ASPM Application Security Posture Management — unified visibility and risk management across the application lifecycle
AV Antivirus — software designed to detect, prevent, and remove malware

B

Term Definition
BAS Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls
BEC Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data

C

Term Definition
C2 Command and Control — infrastructure used by attackers to communicate with compromised systems
CASB Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers
CCPA California Consumer Privacy Act — California state law granting consumers rights over their personal data
CIAM Customer Identity and Access Management — managing and securing external customer identities and authentication
CIEM Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments
CNAPP Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle
CSPM Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks
CTEM Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures
CVE Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities
CWPP Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless)

D

Term Definition
DAST Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks
DCS Distributed Control System — an industrial control system whose controllers are distributed throughout a plant or process rather than centralized
DLP Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage
DORA Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities
DSPM Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments

E

Term Definition
EASM External Attack Surface Management — discovering and monitoring internet-facing assets for exposures
EDR Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities
EPP Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response

F/G

Term Definition
FAIR Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk
GDPR General Data Protection Regulation — EU regulation on data protection and privacy for individuals
GRC Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations

H

Term Definition
HIPAA Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information

I

Term Definition
IAB Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers
IAM Identity and Access Management — framework for managing digital identities and controlling access to resources
ICS Industrial Control System — control systems used in industrial production and critical infrastructure
IDS Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts
IoT Internet of Things — network of physical devices embedded with sensors, software, and connectivity
IPS Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic
ITDR Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises

L

Term Definition
LOTL Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection

M

Term Definition
MaaS Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals
MDR Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response
MFA Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource
MITRE ATT&CK MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques
MSSP Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices

N

Term Definition
NDR Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns
NERC CIP North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid
NGAV Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection
NIS2 Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities
NIST CSF National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk

O

Term Definition
OT Operational Technology — hardware and software that monitors and controls physical devices and processes
OWASP Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance

P

Term Definition
PAM Privileged Access Management — securing, managing, and monitoring privileged accounts and access
PCI DSS Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data
PII Personally Identifiable Information — any data that could identify a specific individual
PLC Programmable Logic Controller — an industrial computer used to control manufacturing processes

R

Term Definition
RaaS Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits
RGB Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations

S

Term Definition
SASE Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud
SAST Static Application Security Testing — analyzing source code for vulnerabilities without executing the application
SBOM Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product
SCA Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase
SCADA Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely
SD-WAN Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic
SEG Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies
SIEM Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance
SOAR Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows
SOC Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents
SOX Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies
SSE Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services
SWG Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats

T

Term Definition
TAM Total Addressable Market — the total revenue opportunity available for a product or service
TCO Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime
TIP Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data
TLS Transport Layer Security — a cryptographic protocol that provides secure communication over a network
TTP Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations

V

Term Definition
VM Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities

X

Term Definition
XDR Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email

Z

Term Definition
ZTNA Zero Trust Network Access — access technology that grants per-application access based on verified identity and device context rather than network location, enforcing least privilege