What is a phishing simulation vendor (e.g., KnowBe4)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine your company just got hit by a phishing attack. Someone clicked a link they shouldn't have, and now IT is scrambling. The frustrating part? A realistic fake email sent before that moment, as a drill, would have been far cheaper than the breach itself.
That's the whole premise behind phishing simulation vendors. They're platforms that let security teams send fake phishing emails to their own employees, on purpose, to test who clicks and who doesn't. The goal isn't to shame anyone. It's to create a teachable moment and build better habits over time.
The biggest name in this space is KnowBe4. It holds the largest market share and is often the first platform organizations try when they decide to formalize simulated phishing training. Other well-known players include Proofpoint Security Awareness, Cofense (formerly PhishMe), and Barracuda PhishLine.
Here's what these platforms actually do in practice. You schedule a campaign, pick a template (a fake invoice, a spoofed IT helpdesk email, a fake password reset), and the platform sends it to your employees. Anyone who clicks gets redirected to a short training module right then and there, while the lesson is fresh. The platform logs who clicked, who reported it, who ignored it, and who never opened it at all.
Beyond the simulation itself, most vendors bundle in a training content library. Short videos, interactive modules, quizzes. The idea is that one fake phishing email alone doesn't change behavior. Repeated exposure plus follow-up training does.
When comparing vendors, the things that actually matter are how realistic the simulation templates feel (a clunky fake email doesn't teach much), how granular the reporting is, how easy the dashboard is for a non-technical admin to use, and how well it integrates with whatever email environment you're running. Most platforms support Microsoft 365 and Google Workspace environments without major friction.
Now one thing worth knowing: most vendors offer managed service tiers for teams that don't have bandwidth to run campaigns themselves. You hand them the setup, they run the program and report back. Useful for smaller security teams with a lot on their plate.
If you're still figuring out how to structure the broader training program around these simulations, the question on how often to run training is a good next read. And if you want to know whether any of this is actually working, check what metrics for awareness success look like.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.