claude
A variant of Security Awareness Training.
View the interactive variant page →
Security Awareness Training
Part of the worlds-biggest-software-project initiative.
An AI-native, open-source security awareness platform that replaces static phishing template libraries with continuously generated, multimodal simulations and per-employee behavioural risk scoring.
Security Awareness Training is a candidate project for an open-source human risk management platform. It targets IT security managers, CISOs, and HR/L&D teams who need to run phishing simulations, deliver compliance-grade micro-trainings, and report measurable risk reduction across their workforce. The core problem it solves: incumbent platforms rely on static template libraries that employees quickly learn to recognise, and most cannot simulate the AI-generated, multi-channel attacks that now dominate the threat landscape.
Why Security Awareness Training?
- Tier-1 vendors (KnowBe4, Proofpoint) charge USD 24–60 per user per year under multi-year enterprise commitments, pricing many SMEs and mid-market organisations out of mature programmes.
- KnowBe4's 2024 Vista Equity take-private and subsequent Egress acquisition introduced integration complexity, while Proofpoint's standalone awareness product is "less compelling" outside its email-security bundle.
- Most platforms remain email-centric; only Adaptive Security explicitly targets AI-generated phishing, deepfakes, voice, and video impersonation, and it is early-stage with limited reference customers.
- Industry research (2025 data cited by Adaptive Security) reports 82.6% of phishing emails are now AI-generated, and Hoxhunt observed a 14x end-of-year surge in AI-generated phishing in 2026 — a threat profile static template libraries cannot match.
- The category is shifting from completion-rate metrics to Behavioural Risk Scores and threat-reporting rates (industry benchmark: >20% reporting rate for a mature culture), but no incumbent yet quantifies organisational security culture maturity as a composite metric.
Key Features
Phishing Simulation and Multimodal Attack Coverage
- Email phishing simulation with customisable templates, landing pages, and per-template failure benchmarking
- SMS phishing (SMiShing) simulations for multi-channel awareness
- Voice phishing (vishing) and video deepfake simulations for impersonation scenarios
- QR code phishing and other emerging attack vectors
- AI-generated phishing templates producing unlimited novel content per campaign instead of a fixed library
Risk Scoring and Behavioural Analytics
- Per-user risk scoring incorporating simulation performance, training completion, and behavioural signals
- Continuous risk scoring rather than point-in-time campaign snapshots
- Peer, departmental, and industry benchmarking for individual risk scores
- Behavior change metrics including real threat reporting rate, not just click rate
- Predictive risk scoring that forecasts which employees are most likely to fall for future attacks
Training Content and Remediation
- Training content library covering NIST SP 800-50, CIS Control 14, and NIST/CIS/ISO 27001/HIPAA/GDPR compliance frameworks
- Automated remedial training assignment that auto-enrols users who fail simulations
- Behavioural nudges that trigger training on risky actions such as link clicks or credential entries
- In-the-moment LLM-generated micro-training delivered at the point of click or near-miss
- Multi-language support targeting at least 10 languages
Compliance and Governance
- Compliance reporting for SOC 2, HIPAA, PCI-DSS, GDPR, and ISO 27001
- Role-based access control for admin, manager, analyst, and user personas
- Audit logging of all simulations, training events, and risk score changes
- LDAP / Active Directory integration for user management
- Dashboard showing programme performance, individual risk trends, and compliance progress
Engagement and Reporting
- Real threat reporting button integration for Outlook and Gmail
- Gamification elements such as points, badges, and leaderboards
- Real threat intelligence integration so simulations reflect campaigns the organisation or industry actually faces
- Cross-platform campaign orchestration across email, Slack, Teams, and Google Chat (backlog)
- Organisational security culture maturity score as a composite KPI (backlog)
AI-Native Advantage
Generative AI produces unlimited novel, hyper-realistic phishing simulations personalised to each employee's role, recent communications, and public profile, eliminating the template fatigue that dogs static libraries. LLMs deliver contextual micro-training in the moment of a click or near-miss, and AI risk models combine click rates, report rates, training patterns, and email habits into a dynamic individual risk score that drives adaptive simulation difficulty. Multimodal AI extends coverage to vishing, smishing, QR code, and deepfake video attacks within a single platform, and AI agents can automate the full campaign lifecycle — segmentation, scheduling, results analysis, and executive reporting — reducing programme management overhead from days to minutes.
Tech Stack & Deployment
The project is in the specification phase; concrete deployment modes are still to be defined. Expected directions, drawn from the incumbent landscape, include directory integration via LDAP / Active Directory, email reporting button integrations for Outlook and Gmail, threat intelligence feed ingestion, and compliance framework mappings to NIST CSF 2.0, NIST SP 800-50, NIST SP 800-53 (AT-1 through AT-4), ISO/IEC 27001:2022, CIS Controls v8 Control 14, CMMC Level 2, and HIPAA Security Rule § 164.308(a)(5).
Market Context
The global security awareness training market is estimated at USD 6.74 billion in 2026 and is forecast to reach USD 14.66 billion by 2031 at a 16.82% CAGR. Tier-1 incumbents (KnowBe4, Proofpoint) charge USD 24–60 per user per year, with Proofpoint dropping to USD 6–12 when bundled with email security; SME platforms such as PhishingBox start near USD 150 per month. Primary buyers are IT security managers seeking compliance evidence (HIPAA, PCI DSS, CMMC), CISOs targeting measurable phishing-click reduction, HR and L&D teams co-sponsoring mandatory training, and MSPs reselling awareness training inside managed security bundles.
Project Status
An implemented first release plus the wave-2 feature set lives under
target/: a TypeScript monorepo (Fastify API + Next.js dashboard, PostgreSQL + Redis) covering all eight user stories — phishing simulation, remedial training, behavioural risk scoring, compliance reporting, AI content generation, gamification, multi-channel/consent, and GDPR data rights — with SCIM/SAML, xAPI/SCORM interop, 103 automated tests, and browser end-to-end coverage. See specs/001-security-awareness-platform/ for the spec, plan, and tasks, and user-docs/ to get started. Contributions, feedback, and domain expertise are welcome.
Contributing
We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.
Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.
Licence
Licence to be determined. See discussion for context.