Best phishing simulation tools
Posted by RadiantTheology@reddit | sysadmin | 68 comments
We’re reviewing our internal security stack and one of the things on the list is tightening up how we handle phishing awareness. I know everyone has different environments, user bases and tolerance levels for “gotcha” tests, so I’m curious what’s actually worked for you in the real world.
What phishing simulation tools have you had good (or terrible) experiences with?
Did any of them actually change user behavior long-term, or did they just annoy people?
How important are things like automation, reporting or integrations with M365/GSuite in your setup?
Would love to hear what you’ve run into before we commit to anything.
Fit-Hawk-421@reddit
We tried gophish and it is the best option if you want total autonomy, although it requires a lot of internal time.
Tools with templates don't usually work very well, since users adapt quickly and the templates don't have much to do with what you see in the real world.
We have now opted for a local provider (Spain) called HackBlock, which runs very complex spear-phishing-style simulations; we think it is better to run simulations like that than to use templates users have already gotten used to.
Likewise, if you have your own security department, it is worth having them do the spear phishing themselves.
PeachOk54@reddit
the M365 integration question is worth prioritizing early, some tools make that way harder than it should be. we used Hoxhunt for a while (decent adaptive simulations) then switched to Riot mostly because of the breach monitoring being built in. having that all in one place instead of separate dashboards made reporting to leadership a lot less painful.
CyberHoot@reddit
Couldn't agree more with avoiding “gotcha” sims. In the real world, the programs that actually change behavior are the ones that feel like coaching: realistic tests, consistent cadence, a simple report button, and quick feedback/training when someone slips.
Here at CyberHoot we noticed this "gotcha" problem, and found that not only did it leave them feeling tricked, but also feeling shamed. Associating negative feelings with a program that is supposed to protect you is the PROBLEM!
If you’re looking for a platform built around teaching and awareness instead of “gotcha” moments, feel free to take a look at us! We’re built to make phishing training feel constructive (and actually stick) instead of stressful. Either way, we are happy to answer any questions!
Humble_Seesaw_5076@reddit
can anyone make me a steam login page phishing simulation, and show me how to use it?
ECAN2@reddit
I'd recommend fyshr.com. Fyshr has affordable monthly tiers (lowest is $49/month), is easy to use, and has all the features like phishing templates, click tracking, reporting, auto-training enrollment, micro learning for users that click, security posture tracking, etc. Has a 15-day free trial too.
WillowNo6974@reddit
We're using CyberSentriq. Their training module integrates nicely with existing email and identity setups, sends realistic simulated phish emails and gives clear reporting on a per‑user basis. It’s easy to deploy, so you can start regularly testing and training staff without heavy admin overhead. In my experience, that kind of consistent, low‑friction testing helps build long‑term awareness rather than just irritating users
Sufficient-House1722@reddit
KnowBe4. We have used it since before I started working and it works nicely; even if it does annoy the users, it makes them careful not to click links, not to avoid viruses but to avoid having to do an hour of training.
xaeriee@reddit
Another vote for KnowBe4. Big fan and their training for end users is great.
Rakajj@reddit
I thought it was decent when we first started up with it but it really had a fast fall from grace.
KB4 will get you in the door with some nice promotional pricing but once you're a customer you're put out to pasture.
They had industry-specific training that was part of their 'Diamond' package, their highest tier at the time that included everything, which we locked into a 3-year agreement on.
One year into that agreement, they pulled all of the industry-specific compliance training out of what we had licensed and spun it off into its own 'Compliance' add-on that wasn't included in the 'Diamond' tier content that previously included everything.
So now this product we've licensed for 3 years is going to require that we pay another 30-40% to get what we'd originally licensed from them and there was zero recognition that they were screwing us on this and no grandfathering in or reduction in cost for us as an existing customer who'd just had the rug pulled on us.
We had, I think maybe 5-6 Customer Success Managers in the three years we were with them, and every single one seemed to come into our account entirely cold with zero information about anything we'd ever done, requested, issues we had, etc.
The first three we actually spent some time with, explaining how their changes were negatively impacting us, improvements we'd like to see, etc. No positive results ever came of any of that, and by the time we were handed off to the 4th, 5th and 6th CSMs we simply declined to spend the time with them.
Then the renewals came around and they wouldn't budge on a single thing. Costs were going to be 2-3x what we'd started with for less content.
We moved on and haven't looked back - there are way more good alternatives now in that space than there were ten years ago.
Sufficient-House1722@reddit
What's the new best alternative?
catherder9000@reddit
Somebody needs to ban these scientologist douchebag marketing accounts.
Sufficient-House1722@reddit
I'm not marketing, I'm just an IT guy that uses it. It's very popular; I've even seen the owner at cyber security conferences. It's a big player.
KnowBe4_Inc@reddit
KnowBe4 is a Vista Equity Partners company and not affiliated with any religious institution.
ConfusionFront8006@reddit
+1 for KB4.
blizardX@reddit
I think Ironscales is good.
DentistEmotional559@reddit
If you are on 365 and haven't looked at the defender attack simulation lately it's come a long way (e5/p2 licensing)
TwilightKeystroker@reddit
+1 for all of the above
Add E5, which also brings you Security Copilot, which you can further utilize to define your entire workflows, SOC direction, documentation, and more.
Salty_Move_4387@reddit
Agreed
armaghetto@reddit
Came for this. Don’t run out and buy a new tool if you have this.
turbokid@reddit
Knowbe4 is an industry standard because its fairly cheap per user and integrates well with other systems.
Happy_Kale888@reddit
KnowBe4 is a lot of things but inexpensive is not one of them... It is a good product but depending on tier it ranges from 10 to 50 bucks a month per user. Maybe in large orgs it scales better...
Practical-Alarm1763@reddit
What the fuck? What KnowBe4 package were you looking at? We pay like under $2.20 per user for gold.
J_de_Silentio@reddit
Either Diamond with PhishER or GTFO. Don't you care about protecting your users?
llDemonll@reddit
You're getting reamed if that's what you're paying. We pay ~$30/user/year for diamond. ~350 users, not a huge environment by any means.
corree@reddit
Holy shit
turbokid@reddit
We pay $3/user/month with 100 users. In my last job it was roughly the same price too. You are getting way overcharged.
RupertTomato@reddit
I think the costs you're stating are well inflated from their list MSRP let alone an amount you can negotiate to.
IFarmZombies@reddit
KnowBe4 is also the biggest money maker for those whackjobs in Scientology
KnowBe4_Inc@reddit
KnowBe4 is a Vista Equity Partners company and not affiliated with any religious institution.
RoboFalcon3x@reddit
What made the biggest difference for us wasn’t the tool itself but how it approached behavior change. We used to run really aggressive “gotcha” style campaigns and all it did was make people resent the process and ignore the training. When we shifted toward tools that focus more on repetition, realistic scenarios and positive reinforcement, the results were noticeably better. HoxHunt was one of the ones that helped with that because the simulations felt closer to the day to day weird emails people actually get, not those cartoonish fake HR blasts. It still takes time to shift user habits, but we saw fewer emotional reactions and more real reporting which IMO is the thing that matters long-term.
J_de_Silentio@reddit
Positive Reinforcement is critical.
I also found that punishing people with mandatory 5-minute refresher training if they failed didn't work. Now we have it set up so that if people click the phish simulator email, it goes to a page that shows them what to look for next time. That's it.
Ctrl_Alt_Defend@reddit
We take a similar approach focusing on the psychology behind why people make risky decisions rather than just testing them repeatedly.
Out_Of_Paper@reddit
We signed up for security training, but we got it for free for up to 50 people (we only have 37). It's from the CIRA and it's pretty good. We set up a phishing@ email and people send all their spam to it just in case. Everyone is trying to get the best score. There aren't even any incentives like prizes. People just don't want to be the one to click on the phishing email.
doctor_klopek@reddit
My company uses KnowBe4. It definitely prompted some behavioral changes for me.
For example, I now have an Outlook rule that looks for KnowBe4's "X-PHISHTEST" email header and automatically sends them to a dedicated folder. Every so often I go through and flag them all as suspected phish attempts so that IT feels warm and happy.
lo1337@reddit
this is pure gold. never thought of that :D
Ctrl_Alt_Defend@reddit
haha this cracked me up :P
Entegy@reddit
Well damn. Never even thought of this. Now I'm going to do an inbox rule search to find sneaky tricks like this.
ITSJOEY@reddit
Wellllll we can change that and I’ll be updating my rules having just read that lol, thank you!
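For admins who, like the reply above, want to search for inbox rules that quietly file away simulation mail, here is an added example (not from any poster or vendor on this thread). It scans rules exported with `Get-InboxRule | ConvertTo-Json` and flags any that divert messages matching simulation markers; the property names follow Exchange Online's Get-InboxRule output but are an assumption here, as are the sample mailboxes and the sim-vendor sender domain.

```python
import json

# Markers that identify a vendor's simulation mail. "X-PHISHTEST" is the header
# named in the thread; the sender domain is a constructed placeholder.
SIM_HEADER_MARKERS = ("x-phishtest",)
SIM_SENDER_MARKERS = ("phish-sim.example",)

# Constructed sample of what `Get-InboxRule | ConvertTo-Json` might export.
# Property names (HeaderContainsWords, MoveToFolder, ...) are assumed from Exchange Online.
EXPORTED_RULES = json.dumps([
    {"MailboxOwnerId": "alice@example.com", "Name": "Sort newsletters", "Enabled": True,
     "HeaderContainsWords": None, "FromAddressContainsWords": ["news@vendor.example"],
     "MoveToFolder": "Inbox\\Newsletters", "DeleteMessage": False},
    {"MailboxOwnerId": "bob@example.com", "Name": "Quiet", "Enabled": True,
     "HeaderContainsWords": ["X-PHISHTEST"], "FromAddressContainsWords": None,
     "MoveToFolder": "Inbox\\IT Stuff", "DeleteMessage": False},
    {"MailboxOwnerId": "carol@example.com", "Name": "Cleanup", "Enabled": False,
     "HeaderContainsWords": None, "FromAddressContainsWords": ["phish-sim.example"],
     "MoveToFolder": None, "DeleteMessage": True},
])

def _matches(values, markers):
    """Case-insensitive substring match of any rule condition against known markers."""
    for v in values or []:
        if any(m in v.lower() for m in markers):
            return True
    return False

def find_sim_filtering_rules(exported_json):
    """Return (mailbox, rule name, reason, enabled) for rules that divert simulation mail."""
    findings = []
    for rule in json.loads(exported_json):
        reasons = []
        if _matches(rule.get("HeaderContainsWords"), SIM_HEADER_MARKERS):
            reasons.append("header condition")
        if _matches(rule.get("FromAddressContainsWords"), SIM_SENDER_MARKERS):
            reasons.append("sender condition")
        # Only rules that hide the message matter; a flag-only rule leaves it in the inbox.
        diverts = bool(rule.get("MoveToFolder")) or bool(rule.get("DeleteMessage"))
        if reasons and diverts:
            findings.append((rule["MailboxOwnerId"], rule["Name"],
                             ", ".join(reasons), bool(rule.get("Enabled"))))
    return findings

if __name__ == "__main__":
    for mailbox, name, reason, enabled in find_sim_filtering_rules(EXPORTED_RULES):
        state = "enabled" if enabled else "disabled"
        print(f"{mailbox}: rule '{name}' ({state}) diverts simulation mail via {reason}")
```

Disabled rules are reported too, since they can be switched back on right before a campaign.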
MidninBR@reddit
I'm currently using KB4. Is anyone using CheckPoint SAT? I'd like to hear an opinion on their service.
BrentNewland@reddit
Our employees really like the CheckPoint MSAT. They send some training videos, sometimes there are simple quizzes, and phishing simulations. We require our employees to do the training.
MidninBR@reddit
Have you used KB4 for a comparison?
CP is cheaper, close to 40%.
BrentNewland@reddit
My previous employer used KnowBe4. We rarely sent out phishing tests, and I don't remember any training included.
StiffAssedBrit@reddit
We have a large customer who uses a phishing simulation tool. The problem is that we run their email and email security software, but have to whitelist the phishing test emails. The issue is that it isn't common knowledge that they are sending the fake phishing emails, so every time one hits, we get a torrent of shouty calls from certain directors complaining that it got through.
jkalber87@reddit
I've really been enjoying setting up simulations in Curricula and the end users find the trainings fun yet informative.
PurpleFlerpy@reddit
Ninjio - cutesy but the reporting is terribad. Breach Secure Now - clunky, hate the name. Huntress SAT - haven't gotten my paws fully in it yet but they say you can customize training to what people fall for (both training and actual incidents, depending on how deep in Huntress you are). KnowBe4 - honestly I forgot how it is, so I'd say forgettable.
smc0881@reddit
Huntress has a pretty decent offering.
TheJesusGuy@reddit
Same question but the answer has to be free
Thyg0d@reddit
We use Nimblr, educational for the user but with good reporting for IT. You control ghost senders, language model, country adaptable to use local companies (like shipping a package or similar phishing).
Ctrl_Alt_Defend@reddit
If you're already heavy into M365, the Defender simulation stuff has gotten decent and the integration is obviously seamless. KnowBe4 still dominates the market but can get pricey fast depending on your user count. Proofpoint has solid reporting but their interface feels like it was designed in 2015. Full disclosure since I need to be upfront about this - I actually founded a company called OutThink that takes a different approach focused on behavior change rather than just testing, but honestly for most sysadmin budgets the M365 route probably makes the most sense to start with. You can always expand later if you find the basic simulation isn't actually changing anything.
The automation and reporting stuff is nice to have but don't get too caught up in fancy dashboards if the underlying approach isn't working. I'd rather have a simple tool that actually reduces risky behavior than a beautiful one that just generates reports nobody reads.
The biggest lesson I learned over the years is that "gotcha" style testing is basically worthless for long term behavior change. You catch someone once with a fake phishing email, they get embarrassed or annoyed, maybe they're more careful for a week or two, then they're right back to clicking everything. What actually moves the needle is understanding WHY people click on stuff in the first place and addressing those underlying reasons. Are they overwhelmed? Under pressure? Not sure what legitimate emails from your company actually look like?
thehalpdesk1843@reddit
Hoxhunt has been awesome for us.
forumrabbit@reddit
caniphish worked great for us and integrates with entra's directory, plus is cheaper than knowbe4.
BeyondRAM@reddit
Pistachio, you don't have to do anything, simulation + training, multiple languages.
Entegy@reddit
Pistachio looks nice but the price was just too high.
Greenscreener@reddit
Also here for Pistachio. Smaller shop and found KnowBe4 too much overhead where Pistachio just runs all the time and works on positive reinforcement.
thortgot@reddit
Gotcha emails simply dont work.
Look at Google's results for this.
Fragrant-Hamster-325@reddit
Got any more info on this? I feel the same but it would be nice to have the data to back it up.
thortgot@reddit
https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html?m=1
Fragrant-Hamster-325@reddit
Interesting. I always felt like people are chasing the wrong thing when it comes to cybersecurity. Admins place the user at the front lines but that always felt like it’s shifting the blame. Your average user (and highly trained security experts) will never be able to spot 100% of the phishing emails and all it takes is one to slip by. Instead of focusing on the user, your time is better spent on making sure you have a secure configuration. Also users should have clear and simple procedures second. The idea is to put users on rails as much as possible.
Basically, design a system so that if phishing attack does get through and the user does interact with it nothing bad will happen.
thortgot@reddit
Phishing-resistant 2-factor mitigates a lot of attacks.
vermyx@reddit
Policy and process is something that isn't being added. Don't make your users feel dumb. Don't talk down to them. Have consequences for clicking. Basically make it so that they are comfortable consulting IT if they are questioning legitimacy.
Acrobatic-Cod-9632@reddit
For us the problem wasn’t adoption, it was longevity. Most tools are fine for the first quarter, then the engagement tanks. HoxHunt managed to stay fresh longer just by rotating more realistic looking scenarios not just the same style that people get used to and also the click and report trends didn’t collapse like they usually did.
Dr_Gats@reddit
terrible experience? Sophos. Not even once. Not even for my worst enemy.
What we moved to? Arctic Wolf. We had them for other stuff, but their phishing awareness/training/simulation has been pretty good so far. A bit spendy iirc, but that's for the bean counters to fight over. Overall like the new experience.
TechRage_Linux@reddit
KnowBe4. Deployed it at my org. Works great, easy to set up. Support is helpful too.
Jezbod@reddit
We use the built in system in Intune, seems to work OK. People still fail them...
failureatlayer8@reddit
Mimecast, use HR and management as the test group...
barrystrawbridgess@reddit
KnowBe4 or Huntress. Attack Simulator is my least favorite.
Asleep_Spray274@reddit
Phishing simulation alongside ensuring that when a user eventually clicks a link, your STS is not issuing tickets to bad actors. If that's Entra, you have a raft of policies to work with: device-based CA, risk-based CA, phishing-resistant CA. If you are only relying on users protecting your apps and data after watching a few videos, it's already game over.
desmond_koh@reddit
I am currently looking into KnowBe4 and Huntress. I'll let you know what I end up choosing.