AI Phishing Simulation & Security Awareness Training 2026 Deep Dive — KnowBe4, Hoxhunt, Cofense, Proofpoint Security Awareness, Infosec IQ, Mimecast Awareness, Sophos Phish Threat, NINJIO, CybSafe, Living Security

Kevin Mitnick, the social engineer whose 1995 arrest made the craft front-page news, wrote that "a single phone call always moved faster than any technical exploit." Three decades later the Verizon DBIR (Data Breach Investigations Report) still finds that roughly two thirds of breaches involve a human element (68 percent in the 2024 edition): social engineering, stolen credentials, simple mistakes.

What has changed is the cost of an attack.

  • 2018 — one phishing email — Written by a native English speaker at 30 to 100 USD an hour.
  • 2026 — auto-generated by GPT-4 or Claude — A single email costs about 0.001 USD. Ten thousand emails cost ten dollars.
  • Voice cloning — ElevenLabs clones a CEO voice from a three-minute sample at a 22 USD monthly subscription.
  • Deepfake video — HeyGen and Synthesia turn a static portrait into something that holds up on a video call.

In February 2024 an employee in the Hong Kong office of the British engineering firm Arup joined a video call with what appeared to be the UK-based CFO and several colleagues. Every other participant was a deepfake. About 25 million USD (HK$200 million) was wired out across a series of transfers. The industry recognised it as a turning point.

This guide takes that turn head-on. Across 22 chapters — from KnowBe4 to GoPhish, from the NIST Phish Scale to Korean and Japanese national exercises — we tie together real tools, real incidents, and real URLs.


1. Why AI Phishing Simulation Is the 2026 Headline

Before GenAI, phishing was usually easy to spot. Awkward English: "Dear customer, your account has been suspended." The Korean and Japanese equivalents were even more obvious — clumsy machine translation, off-rhythm honorifics, ill-fitting Kanji.

From 2024 onward the picture changed. Reports from security research groups (SoSafe, Egress, IRONSCALES, among others) published in 2024 and 2025 consistently point in the same direction.

  • Click-through rate of AI-generated phishing — 1.5 to 3 times higher than human-written lures.
  • Linguistic accuracy — Native-level English, Korean, and Japanese.
  • Personalisation — GPT summarises LinkedIn and Facebook public data into 1-to-1 bait.
  • Volume and speed — A solo attacker can comfortably write 1,000 emails a day.

This is the heart of it. The shift is not "AI now writes phishing as well as a human" but rather "one attacker can now target ten thousand people." That volumetric change pushed 2026 security awareness past a simple "watch your inbox" campaign and into a new paradigm built around behaviour change and human risk management.

[The 4 Layers of Security Awareness Training in 2026]
  1. Simulation         — Fake phishing emails, click-rate measurement (KnowBe4, Hoxhunt)
  2. Real-time learning  — Micro-learning modules at the moment of click (Hoxhunt, CybSafe)
  3. Behavioural analytics — High-risk user scoring (Living Security, Elevate)
  4. Threat intelligence  — Real campaign data feeding simulation updates (Cofense, Proofpoint)

Different tools fill different layers. KnowBe4 owns layers 1-2; Hoxhunt sits in 2-3; Cofense and Proofpoint dominate layer 4 alongside incident response.


2. KnowBe4 — Stu Sjouwerman and 40 Million Users

KnowBe4 (knowbe4.com) was founded in 2010 in Clearwater, Florida by Stu Sjouwerman. After selling Sunbelt Software, Stu built a company focused entirely on security awareness training. Kevin Mitnick joined as co-founder and Chief Hacking Officer in 2011 (he passed away in July 2023).

  • Users — Around 65,000 customers and over 40 million end users (2024 figures).
  • IPO — Listed on the Nasdaq in April 2021 (KNBE).
  • Take-private — Acquired by Vista Equity Partners in February 2023 for approximately 4.6 billion USD.
  • Core products — KSAT (security awareness training platform), PhishER (incident response), KCM (GRC), SecurityCoach (real-time coaching).

KnowBe4 wins on content library. "The Inside Man" is a self-produced drama series, and the volume of additional video and interactive modules is hard to believe coming from one company.

Pricing, as of May 2026.

  • Silver — 12 to 18 USD per user per year. Simulation plus basic training.
  • Platinum — 28 to 40 USD per user per year. Includes PhishER and advanced reporting.
  • Diamond — 60+ USD per user per year. AIDA (AI-based lure recommendations) and every module.

Pricing varies by headcount, contract length (typically one to three years), and region. After the Vista take-private there have been some reports of price increases outside the US, but a Korean enterprise of about 1,000 employees still typically lands between 12 and 35 million KRW per year.


3. Hoxhunt — A Behavioural-Science Approach From Finland

Hoxhunt (hoxhunt.com) was founded in Helsinki, Finland in 2016 by Mika Aalto and his co-founders. Six years younger than KnowBe4, it arrived with a different philosophy.

  • 40 million USD Series B in August 2024 — Led by Level Equity with participation from Icebreaker.vc.
  • Customers — Nokia, Telia, Kone, AirBaltic, Qualcomm, and over 18 million users across 50 countries.
  • Core idea — Adaptive learning grounded in behavioural science. Simulation difficulty, topic, and frequency are auto-adjusted to each user risk profile.

Hoxhunt differentiators.

  • No gotcha — A user who clicks a simulation is framed as a learning event, not a moment of shame. Gamification points handle the rest.
  • Adaptive difficulty — Duolingo-style. Strong performers get harder lures; weak performers get easier ones.
  • Real reporting flow — The Hoxhunt button lets users report any suspicious email; AI then auto-classifies it. Genuine threats go to the SOC, simulations become points.

Hoxhunt outcome data is impressive. The company reports that after roughly a year, suspicious-email reporting rates reach the 50 percent range. Where KnowBe4 celebrates a low click rate, Hoxhunt celebrates a high report rate — two different behaviours.

Pricing is not publicly listed. Sources suggest 15 to 30 USD per user per year. Quote-based.


4. Cofense — Strong Incident Response Heritage

Cofense (cofense.com) was founded as PhishMe in 2007 by Aaron Higbee and Rohyt Belani.

  • February 2018 — Acquired by a private-equity consortium led by BlackRock and Pamplona Capital for about 400 million USD, and renamed Cofense at the same time.
  • Customers — Approximately 350,000 users, with over half of the Fortune 500.

Cofense sits in a different seat from KnowBe4 and Hoxhunt. It combines simulation, real threat intelligence, and SOC integration.

  • Cofense PhishMe — The simulation platform.
  • Cofense Reporter — Outlook, O365, and Gmail plugin. One-click suspicious-email reporting.
  • Cofense Triage — Automatically classifies and prioritises reported emails for the SOC.
  • Cofense Intelligence — Real-world phishing campaign threat intel.
  • Cofense Vision — Mailbox search and quarantine across the estate.

Cofense distinguishes itself through integration into SOC workflow. When a user reports a suspicious email it flows into a single chain: Triage auto-classification, human SOC analyst review, then Vision search and quarantine across every other mailbox that received the same message. That is why it is popular at organisations with 10,000-plus employees.


5. Proofpoint Security Awareness Training (Formerly Wombat)

Proofpoint (proofpoint.com) was founded in 2002 by Eric Hahn and started life as an email security gateway. In 2018 Proofpoint acquired Wombat Security Technologies, the Carnegie Mellon spin-out behind the "ThreatSim" simulation product.

  • April 2021 take-private — Thoma Bravo acquired Proofpoint for approximately 12.4 billion USD.
  • November 2023 — Acquired Tessian, a UK firm specialised in BEC (Business Email Compromise) detection.
  • October 2024 — Announced the acquisition of Normalyze, a data security posture management (DSPM) provider.

Proofpoint Security Awareness Training is strong because of how it ties back into the email security backbone. TAP (Targeted Attack Protection) data on real threats flows into simulation content immediately. You can turn the actual campaigns that hit your company this week into the training simulations next week.

  • CLEAR (Closed-Loop Email Analysis and Response) — Auto-analyse, remove, or quarantine on user report.
  • Phish Alarm button — Outlook and Gmail plugin.
  • Targeted Attack Protection — The real email gateway.

Pricing is not publicly disclosed, but market quotes typically land at 25 to 50 USD per user per year. The bundle becomes more attractive when email gateway and awareness training are purchased together.


6. Infosec IQ — Under Cengage

Infosec IQ (infosecinstitute.com) was founded as Infosec Institute by Jack Koziol in 2004. In 2022 Cengage Group (the education publisher) acquired the company for approximately 190 million USD, splitting the brand into Infosec Skills and Infosec IQ.

  • Infosec IQ — Security awareness training and phishing simulation.
  • Infosec Skills — IT and security professional certification tracks.

Highlights.

  • PhishSim — Their own simulation engine with more than 1,000 templates.
  • AwareEd — Micro-learning modules, typically 3-5 minute videos.
  • NIST 800-50 / 800-16 mapping — Tight alignment for US federal and contractor use.

Infosec IQ has historically been strong with US federal and state government contracts. Explicit mapping to NIST 800-50 ("Building an Information Technology Security Awareness and Training Program") makes adoption easier inside FedRAMP and CMMC programmes.


7. Mimecast Awareness Training (Formerly Ataata)

Mimecast (mimecast.com) was founded in 2003 in the UK by Peter Bauer and Neil Murray, starting as an email security gateway. In October 2018 the company acquired the Boston-based security awareness startup Ataata, folding it in as Mimecast Awareness Training.

  • May 2022 — Permira took Mimecast private at approximately 5.8 billion USD.

Highlights.

  • Satirical comedy content — Short, funny videos that puncture the "security must be serious" tone.
  • Mimecast Awareness Risk Score — Per-user risk grading.
  • Email gateway integration — One platform with Mimecast Email Security.

The original Ataata voice survives. Its slapstick, "Tom & Jerry" style security videos are polarising, but completion and engagement rates tend to run higher than for conventional training content.


8. Sophos Phish Threat — One Package With EDR

Sophos (sophos.com) was founded in 1985 in Oxford, England by Jan Hruska and Peter Lammer. It evolved from antivirus into EDR and then MDR (Managed Detection and Response).

  • March 2020 — Thoma Bravo took Sophos private at approximately 3.9 billion USD.
  • October 2024 — Announced the acquisition of Secureworks (completed in February 2025), adding the Taegis XDR platform to the MDR business.

Sophos Phish Threat is a simulation module integrated into the Sophos Central console.

  • Easy setup — If you already run Sophos Central, no extra deployment is needed.
  • More than 500 templates — Some in German, French, Japanese, and partial Korean.
  • EDR integration — User clicks on simulations are logged in the Sophos EDR console.

Pricing sits at 5 to 12 USD per user per year, less than half of KnowBe4. The trade-off is a thinner content library and lighter analytics. It is a strong choice for mid-market organisations that already run Sophos EDR.


9. NINJIO — One-Man-Theatre Storytelling

NINJIO (ninjio.com) was founded in 2015 in California by Zack Schuler. While most of the industry produced "educational videos," NINJIO went for "Netflix-class mini-series."

  • Episode length — 3 to 4 minutes. One per week, 52 per year.
  • Real-incident based — Episodes dramatise real cases such as the Equifax leak, the Twitter Bitcoin hack of 2020, and Colonial Pipeline in 2021.
  • Hollywood writers — Scripts are written by working film and television writers.

NINJIO is the security training market's premium content brand. Pricing is higher than the alternatives but differentiates on quality. By 2022 it had landed ESPN, Pfizer, and Dollar Tree as large customers.

Interactive simulation, however, is thinner. The product centres on video, which is why it often appears bundled with KnowBe4 or Hoxhunt.


10. CybSafe, Living Security, and Elevate — Human Risk Management

CybSafe (cybsafe.com) was founded in 2015 in London by Oz Alashe (a former British Army officer). It takes a clear stance: turn security awareness into security behaviour.

  • SebDB (Security Behavior Database) — A public taxonomy of more than 70 security behaviours.
  • Data-driven — Measures more than click rate: password reuse, data classification, backup habits, and beyond.

Living Security (livingsecurity.com) was founded in 2017 in Texas. Its platform Unify is a human risk management (HRM) hub.

  • Risk consolidation — Simulation clicks, EDR alerts, IAM permissions, and DLP violations on one dashboard.
  • Customers — Mastercard, Verizon, AT&T, among others.

Elevate Security (elevatesecurity.com) was founded in 2017 by Robert Fly, formerly head of security at Salesforce. Mimecast acquired Elevate in January 2024.

The HRM category is new; it crystallised across 2023 and 2024, and analyst coverage followed, with Forrester publishing its first Wave on human risk management solutions in 2024.


11. AwareGO, MetaCompliance, Phriendly Phishing, Curricula

Smaller but meaningful players.

  • AwareGO (awarego.com) — Iceland. Short 60-90 second videos. Heavy on microlearning.
  • MetaCompliance (metacompliance.com) — Belfast, Northern Ireland. Strong on GDPR and ISO 27001 compliance modules. Marlin Equity Partners invested in 2024.
  • Phriendly Phishing (phriendlyphishing.com) — Australia. APAC market leader with a Hoxhunt-like adaptive approach.
  • Curricula (curricula.com) — US. Known for the comic-style "Joe the Hacker" series. Huntress acquired the company in 2022 and now sells it as its Security Awareness Training offering.
  • Inspired eLearning (inspiredelearning.com) — Austin, Texas. Once part of Trustwave, spun out in 2022.
  • Click Armor (clickarmor.ca) — Canada. Gamification-heavy.
  • Habitu8 (habitu8.com) — US. Short video series.
  • Terranova Security (terranovasecurity.com) — Quebec, Canada. Fortra (formerly HelpSystems) acquired it in 2022.

Each differentiates on geography, industry, or content tone. Large multinationals lean on KnowBe4 and Proofpoint; mid-market tends to land at Sophos or Mimecast; specific industries or regions pick NINJIO, MetaCompliance, or Phriendly Phishing.


12. GoPhish — The Open-Source Phishing Simulation Standard

GoPhish (getgophish.com) is an open-source phishing simulation framework created in 2015 by Jordan Wright. Written in Go, MIT licensed.

  • GitHub — github.com/gophish/gophish, over 10,000 stars.
  • Features — Campaign creation, email templates, landing pages, results dashboards.
  • Self-hosted — Single binary. Thirty minutes to install and run a first campaign.

GoPhish's value lies in red team engagements and self-driven training inside small organisations. A company below 100 employees, for which even a few thousand dollars a year of commercial licensing is hard to justify, can build a respectable programme on GoPhish plus self-authored content.

# Simplified GoPhish install (Linux x86-64 release zip)
mkdir gophish && cd gophish
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish
# Admin UI: https://127.0.0.1:3333/ (self-signed certificate; accept the browser warning)
# The initial admin password is printed in the log on first start; change it at first login.
# The phishing listener that serves landing pages binds to port 80; both addresses live in config.json.

Other open-source tools.

  • King Phisher (deprecated) — Built by Spencer McIntyre; development stopped in 2022 and the repository is archived.
  • Evilginx2 (github.com/kgretzky/evilginx2) — Kuba Gretzky. Advanced MITM phishing capable of 2FA bypass. Strictly a red team tool, not for general awareness training.
  • SET (Social-Engineer Toolkit) — David Kennedy. Shipped with Kali Linux by default.
  • Modlishka (github.com/drk1wi/Modlishka) — Piotr Duszyński, Poland. Similar approach to Evilginx.

Evilginx2 and Modlishka must only be used in authorised penetration testing or security research. They can capture real user credentials and bring serious legal exposure if misused.


13. NIST Phish Scale — An Objective Difficulty Measure

In 2020 the US NIST (National Institute of Standards and Technology) published the NIST Phish Scale, a framework for measuring the objective difficulty of a phishing email.

  • Cue count — Number and strength of suspicious cues in the email (awkward greeting, domain mismatch, URL manipulation, etc.).
  • Premise alignment — How well the email matches the recipient's real work context.
  • Difficulty rating — Least Difficult, Moderately Difficult, or Very Difficult.

The NIST Phish Scale makes click-rate comparisons meaningful. If KnowBe4 reports a 5 percent click rate but the email tested as Least Difficult, that is a poor result. If the same 5 percent came from a Very Difficult email, the result is excellent.

Across 2024 and 2025 many companies adopted the NIST Phish Scale into their KPIs. Beyond raw click rate, they measure a difficulty-adjusted click rate.
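Sections 12 and 13 meet in practice when the KPI is computed from raw campaign data. The block below is an added example written for this guide, not code from GoPhish or from NIST. It assumes the JSON shape of GoPhish's GET /api/campaigns/{id}/results response (a "results" array whose entries carry "status" and "reported"), and the cue-count bands and difficulty matrix are my reading of the 2020 Phish Scale paper by Steves, Greene and Theofanos; check both against the GoPhish API documentation and the paper before wiring them into a dashboard. The two sample campaigns are constructed.

```python
"""Difficulty-adjusted click and report rates from GoPhish campaign results.

Added example for this guide, not code from GoPhish or from NIST. Assumes the
JSON returned by GoPhish's GET /api/campaigns/{id}/results (a "results" list
whose entries carry "status" and "reported"). The Phish Scale bands and matrix
encode my reading of Steves, Greene and Theofanos (2020); verify them against
the paper before using them in a KPI.
"""
import json


# Cue-count bands as published with the Phish Scale (1-8 few, 9-14 some, 15+ many).
def cue_band(cue_count: int) -> str:
    if cue_count <= 8:
        return "few"
    if cue_count <= 14:
        return "some"
    return "many"


# Detection-difficulty matrix: (cue band, premise alignment) -> rating. Fewer cues
# and stronger alignment with the target's real work make an email harder to spot.
# The "some"/"low" cell is borderline in the paper ("moderately to least difficult");
# it is recorded here as moderately difficult.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}


def phish_scale_rating(cue_count: int, premise_alignment: str) -> str:
    return DIFFICULTY[(cue_band(cue_count), premise_alignment.lower())]


# GoPhish statuses that mean the recipient fell for the lure.
CLICKED = {"Clicked Link", "Submitted Data"}
# Statuses that mean the email never reached a mailbox; excluded from the denominator.
UNDELIVERED = {"Scheduled", "Sending", "Error"}


def summarise_results(results_json: str) -> dict:
    """Count delivered, clicked and reported recipients for one campaign."""
    delivered = clicked = reported = 0
    for r in json.loads(results_json)["results"]:
        if r["status"] in UNDELIVERED:
            continue
        delivered += 1
        if r["status"] in CLICKED:
            clicked += 1
        # A report shows up as the "reported" flag and/or an "Email Reported" status.
        if r.get("reported") or r["status"] == "Email Reported":
            reported += 1
    return {"delivered": delivered, "clicked": clicked, "reported": reported}


def difficulty_adjusted(campaigns: list) -> dict:
    """Aggregate campaigns by Phish Scale rating so click rates compare like with like.

    campaigns: list of (results_json, cue_count, premise_alignment).
    Returns {rating: {"delivered", "clicked", "reported", "click_rate", "report_rate"}}.
    """
    buckets = {}
    for results_json, cues, alignment in campaigns:
        rating = phish_scale_rating(cues, alignment)
        b = buckets.setdefault(rating, {"delivered": 0, "clicked": 0, "reported": 0})
        for key, value in summarise_results(results_json).items():
            b[key] += value
    for b in buckets.values():
        n = b["delivered"] or 1
        b["click_rate"] = round(b["clicked"] / n, 4)
        b["report_rate"] = round(b["reported"] / n, 4)
    return buckets


def constructed_results(n: int, clicked: int, reported: int) -> str:
    """Constructed sample in the shape of a GoPhish results export (not real data)."""
    results = []
    for i in range(n):
        status = "Clicked Link" if i < clicked else "Email Sent"
        results.append({"id": str(i), "email": f"user{i}@example.com",
                        "status": status, "reported": i >= n - reported})
    return json.dumps({"id": 1, "name": "sample", "status": "Completed", "results": results})


# Two constructed campaigns with the same 5 percent click rate. Only the Phish Scale
# grouping shows that the first result is poor and the second is good.
EASY = constructed_results(100, clicked=5, reported=30)   # 16 cues, low alignment
HARD = constructed_results(100, clicked=5, reported=12)   # 4 cues, high alignment
SAMPLE_CAMPAIGNS = [(EASY, 16, "low"), (HARD, 4, "high")]

if __name__ == "__main__":
    for rating, stats in difficulty_adjusted(SAMPLE_CAMPAIGNS).items():
        print(f"{rating:22s} click {stats['click_rate']:.1%}  report {stats['report_rate']:.1%}")
```

Run as-is, both campaigns print a 5 percent click rate but land in different Phish Scale buckets, which is the distinction the section draws. Counting report rate from the same export gives the Hoxhunt-style metric of section 3 without a second data source.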


14. Real Incidents — MGM, Caesars, Twilio, Lapsus

Practical cases make the case for training better than theory.

  • MGM Resorts (September 2023) — Scattered Spider (affiliate of ALPHV/BlackCat) called the IT help desk and convinced staff to reset employee credentials. Communications systems went dark, hotel and casino systems stopped. Estimated damage exceeded 100 million USD.
  • Caesars Entertainment (August 2023) — Same group. Reports indicated a roughly 15 million USD ransom was paid.
  • Twilio (August 2022) — Employees were hit by SMS phishing (smishing) pointing at a fake Okta login page. The same "0ktapus" campaign hit more than 130 organisations, including Mailchimp. Cloudflare was targeted by the identical lure but was not breached, because its staff authenticate with FIDO2 hardware keys.
  • Cisco (August 2022) — Personal Google credentials of an employee, then MFA fatigue plus voice vishing to bypass MFA. Internal network compromised.
  • Uber (September 2022) — An 18-year-old attacker linked to Lapsus$ bombarded a contractor with MFA push notifications until one was approved, then found hard-coded admin credentials on an internal share and gained wide access to internal systems, announcing it in Uber's Slack.
  • Lapsus Group (January-March 2022) — Microsoft, Nvidia, Samsung, Okta, Vodafone, T-Mobile, and more. Their methods centred on vishing, SIM swapping, and bribing insiders.
  • Arup (February 2024) — UK engineering firm. Deepfake video call featuring the CFO and several colleagues. A Hong Kong employee wired 25 million USD.
  • Coinbase (May 2025) — Compromise via insider employees and contractors plus social engineering. Some customer data was leaked. Estimated damages approached 400 million USD.
  • Change Healthcare (UnitedHealth) (February 2024) — ALPHV ransomware. The starting point was a Citrix credential pair with no MFA. Wide-area paralysis of the US healthcare system followed.
  • Marks & Spencer (April 2025) — Scattered Spider. UK retail systems were paralysed.

Common ground: humans were the first entry point, MFA was bypassed or simply absent, and help-desk and IT staff were prime targets. In response, 2026 awareness programmes increasingly run separate training tracks for IT and SOC operators and help-desk staff in addition to general employees.


15. Deepfake Voice and Video Simulation

After Arup the market for vishing plus deepfake video simulation moved quickly.

  • KnowBe4 Smishing and Vishing — SMS and voice simulations. AI voice generation creates CEO and CFO personas.
  • Cofense Voice — A vishing campaign module.
  • Hoxhunt — Vishing simulation entered beta in 2024.
  • Pindrop Security — Vishing detection inside contact centres (not simulation; real-time detection).
  • DeepMedia — Deepfake detection SaaS for government and enterprise.
  • Reality Defender — Deepfake detection across voice, image, and video.

Simulation ethics — Simulations that ask employees to wire money based on a fake CEO video call sit in an ethical grey zone. Some companies ban that type of simulation outright (employee trust, psychological impact). Others run them only with prior consent and a clear debrief plan.

Most security consultancies confine vishing and deepfake simulations to high-risk executives and finance functions.


16. MFA Fatigue and Push Notification Bombing

MFA fatigue (push notification fatigue) spiked from 2022 onward.

  • Attack flow — The attacker logs in with stolen credentials, triggering MFA push notifications. Dozens of notifications hit the user phone overnight. Eventually the user, exhausted or annoyed, taps "Approve."
  • Targets — Uber (2022), Cisco (2022), Microsoft (Lapsus, 2022), among others.
  • Defence — number matching — Adopted in 2022 and 2023 by Microsoft Authenticator, Okta Verify, and Duo. The user must enter a number shown on screen rather than tap to approve.
  • Defence — passkeys and FIDO2 hardware tokens — Yubico YubiKey, Google Titan Security Key. Phishing-resistant, with domain binding that prevents fake-site authentication.
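The push-bombing pattern in the attack flow above is straightforward to hunt for once the identity provider's sign-in logs are in the SIEM. The block below is an added example, not code from any product named in this guide. It reads a constructed line-delimited JSON log (fields ts, user, event, ip) and keeps a per-user sliding window; the field names in Entra ID, Okta or Duo logs differ, so the parser is the part to adapt, not the detection logic.

```python
"""Detect MFA push bombing from authentication logs.

Added example for this guide, not code from any IdP or vendor named here. The
log format is constructed: one JSON object per line with "ts" (ISO 8601, UTC),
"user", "event" and "ip". Entra ID, Okta and Duo sign-in logs carry the same
facts under different field names.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_SENT = "mfa_push_sent"
PUSH_REJECTED = {"mfa_push_denied", "mfa_push_timeout"}
PUSH_APPROVED = "mfa_push_approved"


def parse_log(lines):
    """Return records sorted by time; logs arrive out of order often enough to matter."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def detect_push_bombing(lines, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive `threshold` or more pushes inside `window`.

    Two alert kinds: "push_bombing" when the threshold is first crossed, and
    "approved_after_bombing" when an approval lands while the window is still hot.
    The second one is the incident: revoke sessions and reset the credential.
    """
    pushes = defaultdict(deque)    # user -> timestamps of pushes inside the window
    rejects = defaultdict(deque)   # user -> timestamps of denials/timeouts inside the window
    fired = set()
    alerts = []
    for rec in parse_log(lines):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        for q in (pushes[user], rejects[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == PUSH_SENT:
            pushes[user].append(ts)
            if len(pushes[user]) >= threshold and user not in fired:
                fired.add(user)
                alerts.append({"kind": "push_bombing", "user": user, "ip": rec["ip"],
                               "pushes": len(pushes[user]), "rejected": len(rejects[user]),
                               "ts": ts.isoformat()})
        elif event in PUSH_REJECTED:
            rejects[user].append(ts)
        elif event == PUSH_APPROVED and len(pushes[user]) >= threshold:
            alerts.append({"kind": "approved_after_bombing", "user": user, "ip": rec["ip"],
                           "pushes": len(pushes[user]), "rejected": len(rejects[user]),
                           "ts": ts.isoformat()})
    return alerts


# Constructed sample: alice is bombed overnight and finally taps Approve; bob's single
# morning push is normal. Two of bob's lines are deliberately out of order.
SAMPLE_LOG = """
{"ts": "2026-03-02T02:13:05Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:13:35Z", "user": "alice@example.com", "event": "mfa_push_denied", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:14:10Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:15:10Z", "user": "alice@example.com", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2026-03-02T09:02:00Z", "user": "bob@example.com", "event": "mfa_push_sent", "ip": "198.51.100.20"}
{"ts": "2026-03-02T09:02:08Z", "user": "bob@example.com", "event": "mfa_push_approved", "ip": "198.51.100.20"}
{"ts": "2026-03-02T02:15:40Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:16:45Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:17:45Z", "user": "alice@example.com", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:18:00Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:19:30Z", "user": "alice@example.com", "event": "mfa_push_sent", "ip": "203.0.113.9"}
{"ts": "2026-03-02T02:20:02Z", "user": "alice@example.com", "event": "mfa_push_approved", "ip": "203.0.113.9"}
"""

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(alert)
```

With number matching in place the same attack leaves a trail of mismatched or unanswered prompts rather than approvals, so the rule keeps its value as a detector of credential compromise even after the push-approve path is closed.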

The direction set by NIST SP 800-63 Revision 4 (drafts in 2024, finalised in 2025): move away from password plus push toward FIDO2 and passkeys. South Korea's KISA points the same way.

In awareness terms, employees need the message reinforced repeatedly: "If you did not initiate this login, never approve it." KnowBe4 and Hoxhunt both added MFA-fatigue simulation modules in 2023 and 2024.


17. Email Security Companions — Abnormal, IRONSCALES, Material, Tessian

The email security stack often ships alongside phishing simulation.

  • Abnormal Security (abnormalsecurity.com) — Founded in 2018 by Evan Reiser. BEC detection specialist. AI behavioural modelling is the core engine. Series D in August 2024 at roughly a 5.1 billion USD valuation.
  • IRONSCALES (ironscales.com) — Founded in 2014 in Israel. Heavy emphasis on auto-remediation to reduce SOC load.
  • Material Security (material.security) — Founded in 2017 in the US. Mailbox quarantine and data classification. Andreessen Horowitz is an investor.
  • Tessian (tessian.com) — Founded in 2013 in the UK. Acquired by Proofpoint in November 2023. BEC and insider threat detection.
  • Avanan (avanan.com) — Founded in 2014 in Israel. Acquired by Check Point Software in 2021. API-based on top of M365 and Google Workspace.
  • INKY (inky.com) — US. Uses computer vision to spot spoofed brand logos.
  • SlashNext (slashnext.com) — URL and message protection across email and mobile messaging.

These products are API-based complements to existing gateways such as Microsoft Defender for Office 365 or Proofpoint TAP. They re-inspect mail inside the mailbox after the gateway has passed it.


18. Phishing-Resistant Authentication — Passkey, FIDO2, WebAuthn

Training has limits. Technical controls have to ride alongside.

  • FIDO2 / WebAuthn — A W3C standard formalised in 2019. Domain binding guarantees that authentication cannot succeed against a phishing site.
  • Hardware keys — Yubico YubiKey, Google Titan Security Key, Feitian K9. USB-A, USB-C, NFC.
  • Passkeys — Announced jointly in 2022 by Apple, Google, and Microsoft. Device-synchronisable FIDO2 credentials stored in iCloud Keychain, Google Password Manager, and similar.
  • Platform authenticators — Windows Hello, macOS Touch ID, Android Biometric.
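The domain binding claimed above comes down to two concrete checks. The block below is an added example for this guide, not code from any vendor or from the WebAuthn specification. It simulates both the browser's and the relying party's side of an authentication ceremony against login.example.com (an assumed RP ID), uses a stand-in HMAC in place of the real ECDSA signature so it runs on the standard library, and plays through a legitimate login, an Evilginx-style reverse proxy on an assumed attacker domain, and a replay.

```python
"""Why a FIDO2/WebAuthn login cannot be completed through a phishing site.

Added example for this guide, not code from any vendor, browser or the WebAuthn
specification. It models the relying-party checks on the two structures the
authenticator signs: clientDataJSON, where the browser records the origin it is
actually connected to, and authenticatorData, whose first 32 bytes are SHA-256
of the RP ID. The signature is a stand-in HMAC over a constructed secret; a real
RP verifies ECDSA/EdDSA with the stored public key, but the origin and rpIdHash
checks are exactly the ones shown here.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "login.example.com"                       # assumed relying party
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed; one entry per RP origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, user-present bit set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + counter.to_bytes(4, "big")


def browser_sign(credential_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """What the browser and authenticator produce for navigator.credentials.get().

    The browser refuses an RP ID that is not the page's host or a parent domain of
    it, and writes the real origin into clientDataJSON; page script cannot override
    either value.
    """
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    auth_data = authenticator_data(rp_id)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(credential_key: bytes, assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party verification, in the order the WebAuthn spec lists the checks."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} is not an allowed origin"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not verify"
    return True, "ok"


# Constructed credential secret, challenge and attacker domain (not real values).
CREDENTIAL_KEY = b"constructed-per-credential-secret"
CHALLENGE = b"constructed-32-byte-rp-challenge"
PHISH_ORIGIN = "https://login.example-com.cloud"


def scenarios() -> dict:
    """Legitimate login, reverse-proxy phishing (two attacker choices) and a replay."""
    out = {}
    legit = browser_sign(CREDENTIAL_KEY, RP_ID, "https://login.example.com", CHALLENGE)
    out["legitimate"] = verify_assertion(CREDENTIAL_KEY, legit, CHALLENGE)
    # 1. The proxy relays the real RP's options unchanged: the victim's browser is on
    #    the attacker's host, so it refuses the foreign rpId before anything is signed.
    try:
        browser_sign(CREDENTIAL_KEY, RP_ID, PHISH_ORIGIN, CHALLENGE)
        out["proxy_relayed_rpid"] = (False, "unexpectedly signed")
    except ValueError as err:
        out["proxy_relayed_rpid"] = (False, str(err))
    # 2. The attacker rewrites rpId to its own domain: an assertion is produced (a real
    #    authenticator would not even hold a credential for it), but the RP rejects it
    #    on origin, and would reject rpIdHash next.
    forged = browser_sign(CREDENTIAL_KEY, "login.example-com.cloud", PHISH_ORIGIN, CHALLENGE)
    out["proxy_rewritten_rpid"] = verify_assertion(CREDENTIAL_KEY, forged, CHALLENGE)
    # 3. A captured legitimate assertion replayed against a fresh challenge.
    out["replay"] = verify_assertion(CREDENTIAL_KEY, legit, b"a-different-challenge-value")
    return out


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Note that the proxy never gets a usable artefact: in the first case nothing is signed, in the second the RP refuses, and a captured assertion dies on the challenge check. That is the property that makes FIDO2 phishing-resistant where TOTP and push are not.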

Major adoption moments across 2024 and 2025: Microsoft Authenticator passkeys, Apple passkeys, 1Password passkeys, Bitwarden passkeys. In Korea, KakaoTalk and Naver have begun partial passkey support.

The new awareness message is not "strengthen your password" but "stop using passwords." SMS and push-based MFA is being phased out in favour of FIDO2 and passkeys.

That said, the adoption curve has friction. Device-loss recovery, guest accounts, and legacy systems all need answers. The path forward is incremental migration, not a single cut-over.


19. Compliance — NIS2, PCI DSS 4.0, ISO 27001:2022

The compliance landscape shifted significantly across 2024 and 2026.

  • EU NIS2 Directive — Entered into force in January 2023, with member-state transposition due in October 2024. Operators of critical infrastructure must run regular security awareness training.
  • PCI DSS 4.0 — Mandatory from 31 March 2024. Companies processing card data must run a formal security awareness programme (Requirement 12.6), including training on phishing and social engineering.
  • ISO 27001:2022 — Strengthened Annex A.6.3 (awareness, education, and training).
  • HIPAA (US healthcare) — Risk assessment and awareness training are required. The Office for Civil Rights tightened its guidance in late 2024.
  • GDPR (EU personal data) — Awareness training is not explicitly required, but Article 32 (security of processing) effectively encompasses it.
  • K-PIPA + ISMS-P (Korean Personal Information Protection Act + Information Security Management System) — The KISA certification criteria call out awareness training explicitly.
  • APPI (Japan Act on the Protection of Personal Information) — The 2022 April amendments emphasised employee education.
  • CCPA / CPRA (California) — Recommends employee awareness training.

These regulations do not just demand "do training." They expect you to measure training and improve it. That makes the simulation, report, and continuous improvement loop intrinsically compliance-friendly.


20. Korean Security Awareness Training

Korean market players and institutions.

  • ESTsecurity — The Alyac antivirus vendor. Consulting and simulation services.
  • AhnLab — V3 and Safe Transaction. A separate enterprise awareness training module.
  • SecureI, Secube, NSHC — Domestic simulation and consulting firms.
  • KISA (Korea Internet & Security Agency) — Runs national cybersecurity exercises every year. Free or low-cost participation for SMEs.
  • FSI (Financial Security Institute) — Dedicated simulation programmes for financial firms. Held twice a year.
  • National Intelligence Service / Ministry of National Defense — Separate exercises for public agencies and military.

[Sample Korean Exercise Calendar]
  KISA Cyber Crisis Response Exercise   — July to August each year, voluntary for general firms
  FSI Exercise                           — Twice per year, mandatory for financial firms
  Ministry of Defense Cyber Safety       — Military and defense industry
  Public agency internal exercises       — One to two per year per agency

Market characteristics: heavily compliance-driven. A large share of training in Korea exists as documentation for ISMS-P certification, Financial Supervisory Service inspection, or Personal Information Protection Commission audits. Large enterprises adopt foreign tools such as KnowBe4 or Proofpoint, while mid-market companies often rely on home-grown systems delivered by domestic SI firms.


21. Japanese Security Awareness Training

The Japanese market resembles Korea but with distinct flavours.

  • NRI Secure (nri-secure.co.jp) — Part of Nomura Research Institute. Market leader in 標的型攻撃メール訓練 (targeted-attack email training).
  • TrendMicro Japan — The Tokyo headquarters of the global Trend Micro. Phish Insight is their simulation tool.
  • GMO Cybersecurity by IERAE (gmo-cybersecurity.com) — Built around the acquisition of IERAE Security. Combines penetration testing with simulation.
  • NTT Communications WideAngle — NTT Group MSS. Awareness training is included.
  • LRM (lrm.jp) — A homegrown Japanese SaaS for awareness training, leaning on comedic video content.
  • Hitachi Solutions targeted-attack email training service — Hitachi Group.
  • NEC targeted email training — NEC.
  • Fujitsu, SoftBank Technology — SI-bundled offerings.

Japan in particular uses the term 標的型攻撃メール訓練. The framing is APT (advanced persistent threat) preparedness — there is a strong sense that the Japanese government, defence-related companies, and critical infrastructure are routinely targeted by Chinese and North Korean APT groups.

On the regulatory side, the amended Act on the Protection of Personal Information (in force from April 2022) and the guidelines of NISC (the National center of Incident readiness and Strategy for Cybersecurity, under the Cabinet Secretariat) explicitly address awareness training.


22. What Comes Next — Behaviour Change Meets AI

Three trajectories define the future of security awareness training in 2026.

  • AI-generated lures — KnowBe4 AIDA, Hoxhunt AI Spear-Phishing Module. GPT-4 and Claude read corporate sites and LinkedIn, then produce personalised bait.
  • Real-time behavioural coaching — KnowBe4 SecurityCoach, Material Security Coach. When an employee performs a suspicious action (replying to an external email, clicking a questionable URL), a coaching nudge appears immediately.
  • Human risk scoring + IAM integration — Living Security, CybSafe. High-risk users face stricter MFA and tighter data access.

Academic research is also active.

  • Carnegie Mellon CyLab — Behavioural modelling for security.
  • Stanford SAIL — Social engineering with LLMs.
  • Oxford Cyber Defence — Government and defence cyber training.
  • KAIST and POSTECH cybersecurity centres — Korean academia.
  • University of Tokyo and NICT (National Institute of Information and Communications Technology) — Japan.

The fundamental limit — you cannot train humans to 100 percent. The answer is the combination of awareness training and technical controls (phishing-resistant MFA, mailbox quarantine, EDR). The goal is not to turn the weakest link into the strongest link, but to build systems that survive human error without catastrophic loss.


Epilogue — From Mitnick to GenAI, 30 Years of Lessons

In his 2002 book "The Art of Deception," Kevin Mitnick wrote:

"The weakest link in security is the human being. And the strongest line of defence is also the human being."

Nearly a quarter of a century on, in 2026, the thesis holds. The change is in the attacker's toolkit. GPT-4 writes native English BEC mail at 0.001 USD per piece, and ElevenLabs clones a CEO voice from three minutes of audio. Arup's 25-million-dollar incident was the inflection point.

The defender's answer is clear.

  • AI simulation — KnowBe4 AIDA, Hoxhunt adaptive, Cofense threat intel.
  • Behavioural measurement and HRM — Living Security, CybSafe.
  • Phishing-resistant authentication — Passkey and FIDO2.
  • Compliance and measurement — NIST Phish Scale, NIS2, PCI DSS 4.0.

And the most important piece — a no-blame culture. Shaming employees who clicked depresses reporting rates. That is exactly why Hoxhunt insists on its "no gotcha" framing and why NINJIO leans into cartoon-style characters.

Another Mitnick line worth keeping.

"However advanced technology becomes, a single phone call or email is still the fastest path."

It is still true in 2026. The only difference is that the phone call and the email are now generated by AI.

