Skip to content
NewAutopilot — continuous training that runs itself

Phishing simulation & security awareness

Find who clicks —
train them before it’s real.

PhishSpot runs realistic phishing simulations, delivers a training course the moment someone clicks, and shows human risk falling — campaign over campaign, in English and Polish.

  • Free trial
  • English + Polish
  • Built in the EU
Live

Q3 Security Awareness — Report

Recipients

2,400

Click rate

18.7%

Repeat clickers

3.1%

Sent2,400 · 100%
Delivered2,388 · 99.5%
Opened1,512 · 63.0%
Clicked449 · 18.7%
Submitted96 · 4.0%
Trained92 · 95.8% of clickers

Built for the regulated, heavily-targeted teams

FinanceHealthcareSaaSPublic sectorManufacturingLegal
One platform, the whole loop

Everything a phishing program needs — in one place

Simulate, train, and measure without stitching together five tools. Every capability shares the same contacts, domains, and reporting.

Realistic simulations

A six-step builder, 48 human-authored templates, and a live HTML editor with merge-tag personalization and test sends.

Autopilot programs

Set an intensity once. PhishSpot keeps the right people trained on a cadence, auto-enrolling new hires — hands off.

Branching sequences

Design multi-touch journeys: phish, wait, branch on who opened or clicked, then assign the right training.

Training on click

The teachable moment. Deliver a course, awareness page, or redirect the instant someone takes the bait.

Reporting that lands

The full funnel — Sent → Delivered → Opened → Clicked → Submitted → Trained — per person, per group, and over time.

Inbox deliverability

Managed sending domains with automatic SPF, DKIM and MX, plus vendor-specific whitelist exports so sims land, not spam.

How it works

From empty account to first insight in an afternoon

The same five steps every program follows — PhishSpot just removes the busywork between them.

  1. 01

    Onboard

    Set your account, industry, and phishing-report inbox. Optionally connect Microsoft Entra.

  2. 02

    Build audience

    Import contacts by CSV or sync from your directory, then organize them into groups.

  3. 03

    Run

    Launch a one-off campaign, an Autopilot program, or a branching sequence.

  4. 04

    Teach

    Anyone who clicks gets a course or awareness page — the moment it matters most.

  5. 05

    Measure

    Watch the funnel, per-person timelines, and trend lines. Export to PDF or Excel.

Autopilot

Set the intensity once. Stay trained forever.

Autopilot keeps a continuous awareness program running without a person in the loop. It picks a language-matched template, schedules on your cadence, and auto-includes every new hire.

  • Intensity you control — from one send a month to a few a week, with a hard safety cap of two per person per day.
  • AI optimizer — adapts template and timing to each recipient’s history, so training stays challenging.
  • New joiners, covered — anyone added to the audience is enrolled automatically. No campaign babysitting.
platform.phishspot.com/autopilots
Set the intensity once. Stay trained forever.
Template library

48 templates, hand-written in English and Polish

Not machine-translated. A curated, categorized library of real-world lures — deploy one as-is, quick-launch it, or fork it in the HTML editor and save your own.

  • 24 EN + 24 PL templates, organized in a three-level category tree.
  • Full HTML control — email and landing page, with a live preview and merge tags like {{first_name}}.
  • Save as template — turn any campaign your team builds into a reusable starting point.
platform.phishspot.com/templates
48 templates, hand-written in English and Polish
Integrations & API

Fits the stack you already run

Sync your directory, sign in with Microsoft, and push every event into your SIEM, SOAR, or LMS the second it happens.

Microsoft Entra sync

Import users and groups on a schedule; leavers are disabled, not deleted.

Microsoft 365 SSO

Employees sign in with their corporate account and land on a personal training portal.

Signed webhooks

HMAC-signed event push with retries, so a click becomes an alert in seconds.

REST API

Token-authenticated JSON API at /api/v1 covering campaigns, contacts, courses and more.

MCP for AI

Drive PhishSpot from Claude in natural language — build-only by design, a human presses launch.

Outlook report button

One-click phishing reporting from Outlook, feeding a per-account report inbox.

Why PhishSpot

The difference between a checkbox and a program

Most phishing tests are a once-a-year scramble. PhishSpot makes awareness a measurable, always-on habit.

The DIY / legacy way

  • A single annual test, forgotten by Q2
  • Clickers get a scary page and no follow-up
  • A spreadsheet of open rates with no context
  • Simulations quietly filtered into spam
  • Machine-translated content that reads as fake
  • Manual exports copied between tools

With PhishSpot

  • Continuous programs on Autopilot, not a yearly fire drill
  • Training delivered automatically at the moment of the click
  • The full funnel and trend lines, per person and per group
  • Managed sending domains that reliably reach the inbox
  • Genuine English + Polish, UI and templates alike
  • Drive and report on everything by API and MCP

48

Ready-to-send templates

Hand-written, 24 EN + 24 PL

2

Languages, end to end

UI, templates, reports & manual

6

Funnel stages tracked

Sent → … → Trained

10

Whitelist export formats

M365, Google, Mimecast & more

Questions

The things security teams ask first

Is this actually bilingual, or just a translated menu?

Genuinely bilingual. The interface, the 48 templates, the reports, the anonymized identities, and the full admin manual all exist in English and Polish. Polish templates are written by people, not machine-translated.

Will simulations land in the inbox or get filtered to spam?

PhishSpot provisions managed sending domains with correct SPF, DKIM, MX and return-path records automatically, monitors their health, and gives you vendor-specific whitelist exports for Microsoft 365, Google Workspace, Mimecast, Proofpoint and more.

What happens when an employee clicks?

That is the teachable moment. You choose the post-click action per campaign: deliver a training course, show an awareness page, or redirect. Most teams use the non-punitive awareness approach.

Is the "AI" writing phishing emails for us?

No. Autopilot is automation: it selects a language-matched template from your library and schedules it, with an optimizer that tunes timing and difficulty. You keep full control of every template and every launch.

Can we run this across many client organizations?

Yes. PhishSpot is multi-tenant, with per-account isolation, three roles, and a full REST API plus MCP server — a fit for MSPs and MSSPs running programs at scale.

How do we get real phishing reported back?

Employees report suspicious mail with a one-click Outlook add-in or by forwarding to your per-account inbox. Reports open in a security-conscious safe preview and tie back to contact records.

See your first click rate this week

Book a 30-minute demo and we’ll build a live campaign against a test group with you. Or start a free trial and explore the platform yourself.

No pushy sales — just a working campaign and your numbers.