Blog

Insights on phishing simulation and security awareness

Practical articles on running phishing simulations, training employees, measuring human risk, and meeting NIS2, ISO 27001, and DORA requirements - written by offensive-security practitioners.

All articles

Guides, benchmarks, and compliance explainers for teams building phishing resilience.

Threat insights

Phishing Click Rate Benchmarks: European Data and What Good Looks Like

The most cited phishing click rate benchmark comes from KnowBe4's 2025 industry report: 33.1% of untrained employees fail a baseline phishing test, falling to under 5% after a year of training. European organizations start at 32.5%. This guide compiles verified benchmarks by industry, company size and region, plus the report-rate targets that separate mature programs from checkbox training.

Compliance

NIS2 Security Awareness Training Requirements: Articles 20 & 21 Explained

NIS2 security awareness training requirements come from two places: Article 20(2), which obliges members of management bodies to follow cybersecurity training, and Article 21(2)(g), which makes basic cyber hygiene practices and cybersecurity training a mandatory risk-management measure. National laws in Slovakia and Czechia turn these into concrete duties: documented training plans, initial and refresher training, and evidence regulators can inspect.

Playbooks

How to Run a Phishing Simulation: A Practitioner's Step-by-Step Playbook

Here is how to run a phishing simulation: define the goal and legal basis, pick a realistic scenario, allowlist the simulation domains in Microsoft 365 or Google Workspace, launch to a representative group, then measure click rate, report rate and time-to-report. This playbook covers each step the way an offensive-security team runs paid engagements - including the mistakes that ruin most first campaigns.

Threat insights

12 Real Phishing Email Examples for Employee Training (Annotated)

These phishing email examples reconstruct documented real-world campaigns - parcel scams, bank impersonations, Microsoft 365 login lures, CEO fraud and AI-written attacks - each annotated with the red flags employees should catch. Phishing drives roughly 60% of intrusions analysed in ENISA's latest Threat Landscape report, so teaching staff to recognize these exact patterns is the cheapest security control you can deploy.

Compliance

ISO 27001 Security Awareness Training Requirements: What Auditors Check

ISO 27001 security awareness training requirements live in two places: Clause 7.3, which makes awareness mandatory for everyone working under your control, and Control A.6.3, which describes the training program itself. Certification auditors test both - and they sample records, not promises. This guide explains what awareness must cover, how often to train, and which evidence survives an audit.

Next step

Ready to measure your phishing and training program?

Book a demo and see how PhishGun can support your simulation and training program, reporting needs, and compliance evidence.