claude

A variant of Security Awareness Training.

View the interactive variant page →

Security Awareness Training

Part of the worlds-biggest-software-project initiative.

An AI-native, open-source security awareness platform that replaces static phishing template libraries with continuously generated, multimodal simulations and per-employee behavioural risk scoring.

Security Awareness Training is a candidate project for an open-source human risk management platform. It targets IT security managers, CISOs, and HR/L&D teams who need to run phishing simulations, deliver compliance-grade micro-trainings, and report measurable risk reduction across their workforce. The core problem it solves: incumbent platforms rely on static template libraries that employees quickly learn to recognise, and most cannot simulate the AI-generated, multi-channel attacks that now dominate the threat landscape.


Why Security Awareness Training?

  • Tier-1 vendors (KnowBe4, Proofpoint) charge USD 24–60 per user per year under multi-year enterprise commitments, pricing many SMEs and mid-market organisations out of mature programmes.
  • KnowBe4's 2024 Vista Equity take-private and subsequent Egress acquisition introduced integration complexity, while Proofpoint's standalone awareness product is "less compelling" outside its email-security bundle.
  • Most platforms remain email-centric; only Adaptive Security explicitly targets AI-generated phishing, deepfakes, voice, and video impersonation, and it is early-stage with limited reference customers.
  • Industry research (2025 data cited by Adaptive Security) reports 82.6% of phishing emails are now AI-generated, and Hoxhunt observed a 14x end-of-year surge in AI-generated phishing in 2026 — a threat profile static template libraries cannot match.
  • The category is shifting from completion-rate metrics to Behavioural Risk Scores and threat-reporting rates (industry benchmark: >20% reporting rate for a mature culture), but no incumbent yet quantifies organisational security culture maturity as a composite metric.

Key Features

Phishing Simulation and Multimodal Attack Coverage

  • Email phishing simulation with customisable templates, landing pages, and per-template failure benchmarking
  • SMS phishing (SMiShing) simulations for multi-channel awareness
  • Voice phishing (vishing) and video deepfake simulations for impersonation scenarios
  • QR code phishing and other emerging attack vectors
  • AI-generated phishing templates producing unlimited novel content per campaign instead of a fixed library

Risk Scoring and Behavioural Analytics

  • Per-user risk scoring incorporating simulation performance, training completion, and behavioural signals
  • Continuous risk scoring rather than point-in-time campaign snapshots
  • Peer, departmental, and industry benchmarking for individual risk scores
  • Behavior change metrics including real threat reporting rate, not just click rate
  • Predictive risk scoring that forecasts which employees are most likely to fall for future attacks

Training Content and Remediation

  • Training content library covering NIST SP 800-50, CIS Control 14, and NIST/CIS/ISO 27001/HIPAA/GDPR compliance frameworks
  • Automated remedial training assignment that auto-enrols users who fail simulations
  • Behavioural nudges that trigger training on risky actions such as link clicks or credential entries
  • In-the-moment LLM-generated micro-training delivered at the point of click or near-miss
  • Multi-language support targeting at least 10 languages

Compliance and Governance

  • Compliance reporting for SOC 2, HIPAA, PCI-DSS, GDPR, and ISO 27001
  • Role-based access control for admin, manager, analyst, and user personas
  • Audit logging of all simulations, training events, and risk score changes
  • LDAP / Active Directory integration for user management
  • Dashboard showing programme performance, individual risk trends, and compliance progress

Engagement and Reporting

  • Real threat reporting button integration for Outlook and Gmail
  • Gamification elements such as points, badges, and leaderboards
  • Real threat intelligence integration so simulations reflect campaigns the organisation or industry actually faces
  • Cross-platform campaign orchestration across email, Slack, Teams, and Google Chat (backlog)
  • Organisational security culture maturity score as a composite KPI (backlog)

AI-Native Advantage

Generative AI produces unlimited novel, hyper-realistic phishing simulations personalised to each employee's role, recent communications, and public profile, eliminating the template fatigue that dogs static libraries. LLMs deliver contextual micro-training in the moment of a click or near-miss, and AI risk models combine click rates, report rates, training patterns, and email habits into a dynamic individual risk score that drives adaptive simulation difficulty. Multimodal AI extends coverage to vishing, smishing, QR code, and deepfake video attacks within a single platform, and AI agents can automate the full campaign lifecycle — segmentation, scheduling, results analysis, and executive reporting — reducing programme management overhead from days to minutes.


Tech Stack & Deployment

The project is in the specification phase; concrete deployment modes are still to be defined. Expected directions, drawn from the incumbent landscape, include directory integration via LDAP / Active Directory, email reporting button integrations for Outlook and Gmail, threat intelligence feed ingestion, and compliance framework mappings to NIST CSF 2.0, NIST SP 800-50, NIST SP 800-53 (AT-1 through AT-4), ISO/IEC 27001:2022, CIS Controls v8 Control 14, CMMC Level 2, and HIPAA Security Rule § 164.308(a)(5).


Market Context

The global security awareness training market is estimated at USD 6.74 billion in 2026 and is forecast to reach USD 14.66 billion by 2031 at a 16.82% CAGR. Tier-1 incumbents (KnowBe4, Proofpoint) charge USD 24–60 per user per year, with Proofpoint dropping to USD 6–12 when bundled with email security; SME platforms such as PhishingBox start near USD 150 per month. Primary buyers are IT security managers seeking compliance evidence (HIPAA, PCI DSS, CMMC), CISOs targeting measurable phishing-click reduction, HR and L&D teams co-sponsoring mandatory training, and MSPs reselling awareness training inside managed security bundles.


Project Status

An implemented first release plus the wave-2 feature set lives under target/: a TypeScript monorepo (Fastify API + Next.js dashboard, PostgreSQL + Redis) covering all eight user stories — phishing simulation, remedial training, behavioural risk scoring, compliance reporting, AI content generation, gamification, multi-channel/consent, and GDPR data rights — with SCIM/SAML, xAPI/SCORM interop, 103 automated tests, and browser end-to-end coverage. See specs/001-security-awareness-platform/ for the spec, plan, and tasks, and user-docs/ to get started. Contributions, feedback, and domain expertise are welcome.


Contributing

We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.

Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.


Licence

Licence to be determined. See discussion for context.