Phishing simulation & security awareness
Find who clicks —
train them before it’s real.
PhishSpot runs realistic phishing simulations, delivers a training course the moment someone clicks, and shows human risk falling — campaign over campaign, in English and Polish.
- Free trial
- English + Polish
- Built in the EU
Q3 Security Awareness — Report
Recipients
2,400
Click rate
18.7%
Repeat clickers
3.1%
Built for the regulated, heavily-targeted teams
Everything a phishing program needs — in one place
Simulate, train, and measure without stitching together five tools. Every capability shares the same contacts, domains, and reporting.
Realistic simulations
A six-step builder, 48 human-authored templates, and a live HTML editor with merge-tag personalization and test sends.
Autopilot programs
Set an intensity once. PhishSpot keeps the right people trained on a cadence, auto-enrolling new hires — hands off.
Branching sequences
Design multi-touch journeys: phish, wait, branch on who opened or clicked, then assign the right training.
Training on click
The teachable moment. Deliver a course, awareness page, or redirect the instant someone takes the bait.
Reporting that lands
The full funnel — Sent → Delivered → Opened → Clicked → Submitted → Trained — per person, per group, and over time.
Inbox deliverability
Managed sending domains with automatic SPF, DKIM and MX, plus vendor-specific whitelist exports so sims land, not spam.
From empty account to first insight in an afternoon
The same five steps every program follows — PhishSpot just removes the busywork between them.
- 01
Onboard
Set your account, industry, and phishing-report inbox. Optionally connect Microsoft Entra.
- 02
Build audience
Import contacts by CSV or sync from your directory, then organize them into groups.
- 03
Run
Launch a one-off campaign, an Autopilot program, or a branching sequence.
- 04
Teach
Anyone who clicks gets a course or awareness page — the moment it matters most.
- 05
Measure
Watch the funnel, per-person timelines, and trend lines. Export to PDF or Excel.
Set the intensity once. Stay trained forever.
Autopilot keeps a continuous awareness program running without a person in the loop. It picks a language-matched template, schedules on your cadence, and auto-includes every new hire.
- Intensity you control — from one send a month to a few a week, with a hard safety cap of two per person per day.
- AI optimizer — adapts template and timing to each recipient’s history, so training stays challenging.
- New joiners, covered — anyone added to the audience is enrolled automatically. No campaign babysitting.

48 templates, hand-written in English and Polish
Not machine-translated. A curated, categorized library of real-world lures — deploy one as-is, quick-launch it, or fork it in the HTML editor and save your own.
- 24 EN + 24 PL templates, organized in a three-level category tree.
- Full HTML control — email and landing page, with a live preview and merge tags like {{first_name}}.
- Save as template — turn any campaign your team builds into a reusable starting point.

Fits the stack you already run
Sync your directory, sign in with Microsoft, and push every event into your SIEM, SOAR, or LMS the second it happens.
Microsoft Entra sync
Import users and groups on a schedule; leavers are disabled, not deleted.
Microsoft 365 SSO
Employees sign in with their corporate account and land on a personal training portal.
Signed webhooks
HMAC-signed event push with retries, so a click becomes an alert in seconds.
REST API
Token-authenticated JSON API at /api/v1 covering campaigns, contacts, courses and more.
MCP for AI
Drive PhishSpot from Claude in natural language — build-only by design, a human presses launch.
Outlook report button
One-click phishing reporting from Outlook, feeding a per-account report inbox.
The difference between a checkbox and a program
Most phishing tests are a once-a-year scramble. PhishSpot makes awareness a measurable, always-on habit.
The DIY / legacy way
- A single annual test, forgotten by Q2
- Clickers get a scary page and no follow-up
- A spreadsheet of open rates with no context
- Simulations quietly filtered into spam
- Machine-translated content that reads as fake
- Manual exports copied between tools
With PhishSpot
- Continuous programs on Autopilot, not a yearly fire drill
- Training delivered automatically at the moment of the click
- The full funnel and trend lines, per person and per group
- Managed sending domains that reliably reach the inbox
- Genuine English + Polish, UI and templates alike
- Drive and report on everything by API and MCP
48
Ready-to-send templates
Hand-written, 24 EN + 24 PL
2
Languages, end to end
UI, templates, reports & manual
6
Funnel stages tracked
Sent → … → Trained
10
Whitelist export formats
M365, Google, Mimecast & more
The things security teams ask first
Is this actually bilingual, or just a translated menu?
Genuinely bilingual. The interface, the 48 templates, the reports, the anonymized identities, and the full admin manual all exist in English and Polish. Polish templates are written by people, not machine-translated.
Will simulations land in the inbox or get filtered to spam?
PhishSpot provisions managed sending domains with correct SPF, DKIM, MX and return-path records automatically, monitors their health, and gives you vendor-specific whitelist exports for Microsoft 365, Google Workspace, Mimecast, Proofpoint and more.
What happens when an employee clicks?
That is the teachable moment. You choose the post-click action per campaign: deliver a training course, show an awareness page, or redirect. Most teams use the non-punitive awareness approach.
Is the "AI" writing phishing emails for us?
No. Autopilot is automation: it selects a language-matched template from your library and schedules it, with an optimizer that tunes timing and difficulty. You keep full control of every template and every launch.
Can we run this across many client organizations?
Yes. PhishSpot is multi-tenant, with per-account isolation, three roles, and a full REST API plus MCP server — a fit for MSPs and MSSPs running programs at scale.
How do we get real phishing reported back?
Employees report suspicious mail with a one-click Outlook add-in or by forwarding to your per-account inbox. Reports open in a security-conscious safe preview and tie back to contact records.
See your first click rate this week
Book a 30-minute demo and we’ll build a live campaign against a test group with you. Or start a free trial and explore the platform yourself.
No pushy sales — just a working campaign and your numbers.

