Why Security Awareness Training Is a Core Defense Layer
Technical security controls — firewalls, EDR, email security, SIEM — are essential, but they cannot address every attack path. Phishing, social engineering, and business email compromise rely on human judgment as the final control. When a CFO's assistant wires $400,000 after receiving a convincing email from what appears to be their CEO's address, no technical control in the email security stack failed — the human in the loop made a judgment call that turned out to be wrong.
Security awareness training (SAT) programs exist to improve that human judgment at scale. The evidence for their effectiveness is consistent across the industry: organizations that run regular phishing simulations and training programs see meaningful reductions in click rates on simulated phishing tests over 12–24 month programs. KnowBe4's 2025 Phishing by Industry Benchmarking report found that average baseline phishing click rates across industries drop from 34.3% to 4.6% after 12 months of continuous training — a data point sourced directly from KnowBe4's anonymized customer dataset.
This guide evaluates the three leading SAT platforms: KnowBe4 (market leader), Proofpoint Security Awareness Training (threat-intelligence-integrated), and SANS Security Awareness (research-institution quality).
Quick Comparison
| | KnowBe4 | Proofpoint SAT | SANS Security Awareness |
|---|---|---|---|
| Starting Price | $18/user/yr (Silver) | Custom (enterprise) | ~$18/user/yr |
| Phishing Templates | 35,000+ | Threat-intelligence-driven | Comprehensive library |
| AI Targeting | Yes (Phishing Risk Score) | Yes (VAP-based) | Growing |
| Compliance Modules | GDPR, HIPAA, PCI DSS | GDPR, HIPAA, PCI DSS | GDPR, HIPAA, PCI, NIST |
| Content Quality | Good — volume-focused | Good — threat-intel-driven | Excellent — practitioner-written |
| Best For | Maximum simulation volume | Proofpoint email customers | Regulated industries, credibility |
KnowBe4 — The Market Leader in Phishing Simulation Volume
KnowBe4 is the dominant vendor in the SAT market, with over 60,000 customers as of their most recent reporting. The platform's market position is built on two foundations: the largest phishing simulation template library in the industry (35,000+ templates) and an AI engine that uses historical response data to identify and target the users most likely to click.
Simulated Phishing Campaigns
KnowBe4's phishing simulator supports three attack modalities: email phishing (the primary channel), SMS phishing (smishing), and voice phishing (vishing — simulated phone calls). The template library covers every threat type and lure category: CEO fraud, invoice phishing, IT helpdesk impersonation, package delivery notifications, shared document alerts, and hundreds more. Templates are updated continuously as new attack campaigns emerge in the wild, typically within days of a campaign becoming widely observed.
Campaign automation allows administrators to schedule ongoing phishing tests at randomized intervals across user populations, eliminating the predictability of monthly scheduled phishing tests that users learn to anticipate. When a user clicks a simulated phishing link, they're immediately shown a "you were phished" education moment and automatically enrolled in a relevant training module.
AI-Powered Phishing Risk Score
The Phishing Risk Score (PRS) is KnowBe4's AI targeting engine. It analyzes each user's click history on simulated phishing emails, factors in demographic and role information, and produces a numerical risk score. Administrators can use PRS to automatically route high-risk users into more frequent or more sophisticated simulations — a 30-day intensive simulation cycle for users who scored in the top risk quartile, for example — while reducing simulation frequency for low-risk users who consistently avoid phishing.
Training Content Library
The training library includes 35,000+ training items: short modules (3–5 minutes), longer courses (15–30 minutes), games, assessments, screensavers, and posters. Topics extend beyond phishing: ransomware awareness, physical security (tailgating, clean desk), social engineering, USB drop attacks, password hygiene, mobile security, and compliance-specific content (GDPR, HIPAA, PCI DSS, SOX). The library includes content in over 35 languages, making it viable for global organizations.
Pricing
Per KnowBe4's published pricing (Q1 2026):
- Silver: ~$18/user/year (basic simulations, core training library)
- Gold: ~$24/user/year (adds AI Risk Score, advanced reporting, vishing)
- Platinum: ~$29/user/year (adds physical security, USB simulation, deep links)
- Diamond: ~$34/user/year (adds PhishER incident response, AI-driven training paths)
For organizations with 500+ users, volume pricing typically brings rates down by 10–20%. Annual multi-year commitments reduce pricing further.
Proofpoint Security Awareness Training — Threat Intelligence Integration
Proofpoint's SAT platform differentiates through its integration with the world's largest commercial email security infrastructure. Because Proofpoint processes 2.8+ billion emails daily through its email security platform, its SAT system has access to real-time threat intelligence about which attack campaigns are actively targeting organizations in the same vertical.
Threat-Intelligence-Driven Simulations
Where KnowBe4 offers 35,000+ generic templates, Proofpoint SAT builds simulations based on attack campaigns actively observed in Proofpoint's email threat data. If financial services organizations are being targeted with a specific invoice fraud lure this month, Proofpoint SAT can surface that exact lure type to financial services customers for simulation. This means simulations reflect the actual threat landscape facing the customer's industry rather than generic phishing patterns.
Very Attacked People (VAP) Targeting
The VAP metric is Proofpoint's most distinctive capability: it identifies specific users within an organization who are receiving disproportionate threat actor attention — based on actual email attack data, not just simulated responses. A financial analyst who is regularly targeted by wire transfer fraud campaigns is a higher real-world risk than their click rate on simulated phishing would indicate. VAP-driven training focuses on actual threat exposure rather than behavioral proxies.
Content and Training
Proofpoint's content is produced in-house and through licensed partnerships, with a focus on short, engaging modules (3–7 minutes). The content covers standard awareness topics as well as compliance-specific modules for regulated industries. Branching simulations — where the simulation adapts based on the user's responses — are available in the enterprise tier and represent a more sophisticated training methodology than static click-and-show approaches.
Pricing
Proofpoint SAT is enterprise-only, custom-priced. It's most cost-effective as a bundle with Proofpoint's email security platform — organizations already paying for Proofpoint Email Protection can add SAT at a lower incremental rate than purchasing it standalone. As a standalone purchase, KnowBe4 and SANS Security Awareness typically offer better value at comparable price points.
SANS Security Awareness — Practitioner-Built Training Quality
SANS Security Awareness is the enterprise SAT offering from SANS Institute — the organization that trains over 100,000 security professionals annually through its GIAC certification program and technical courses. The key differentiator: training content is developed by cybersecurity practitioners who also write technical security courses, rather than by instructional designers with security subject matter experts in a consulting role.
Research-Backed Content Quality
SANS Security Awareness training modules are developed by practitioners who understand how attacks actually work at a technical level, making the awareness content more accurate and grounded in real attack scenarios. The modules use a learning science approach — spaced repetition, micro-learning formats (3–5 minutes), and scenario-based learning — rather than the traditional annual compliance training dumps that employees tune out.
The SANS Brand and Compliance Credibility
For organizations in regulated industries — financial services, government, healthcare — the SANS brand carries meaningful weight with compliance auditors. An organization that can demonstrate its employees are trained through SANS Institute content (rather than a commercial vendor's internally-produced library) often has an easier time satisfying compliance reviewers who recognize the SANS certification ecosystem.
Phishing Simulations and Reporting
SANS Security Awareness includes phishing simulations (email, SMS, vishing) with automated remedial training. Reporting aligns to NIST Cybersecurity Framework, GDPR, HIPAA, PCI DSS, and ISO 27001 compliance requirements, providing the audit-ready documentation that compliance teams need.
Pricing
- Essentials: ~$18/user/year (core training modules, phishing simulations, basic reporting)
- Enterprise: Custom pricing (full library, compliance reporting, API integration, dedicated support)
How to Build an Effective Security Awareness Program
Start with a phishing baseline: Before deploying training, run a simulated phishing campaign with no prior notice to establish your organization's baseline click rate. This gives you a measurement point to track improvement over time.
Automate ongoing simulations: Schedule phishing tests at randomized monthly intervals rather than one annual test. Continuous exposure builds long-term behavioral change rather than short-term awareness peaks.
Focus training on context: Generic "don't click suspicious links" training is less effective than simulations that explain why the specific attack worked — what indicators the user missed and how real attackers construct lures.
Target high-risk users: Use PRS (KnowBe4) or VAP data (Proofpoint) to identify users who need more intensive training. A paralegal handling wire transfers is a different risk profile than a software developer.
Include executive buy-in: Executives are frequent BEC targets and are often exempted from training by overzealous admins. Include leadership in phishing simulations — their click rates are often worse than average, and the organizational signal of executive participation improves overall program credibility.
Expert Take
Security awareness training's critics often cite the limited evidence that training changes behavior in real attacks, as opposed to simulated phishing clicks. The criticism has merit: click rate improvement on simulations does not necessarily translate to correct decisions when confronted with a genuinely sophisticated attack by a motivated threat actor. The realistic value of SAT is in raising the floor — reducing the population of users who will fall for obvious, template-based attacks — rather than creating users who are immune to sophisticated social engineering. For most threat models facing SMBs and mid-market organizations, raising that floor has meaningful risk reduction impact.
Building a Culture of Security: Beyond Click Rates
The click rate on phishing simulations is the most common metric for security awareness programs, but it's a proxy metric at best. Organizations that optimize solely for click rate reduction can inadvertently create perverse incentives — users who forward every email to IT without reading it, or who refuse to click legitimate links in vendor emails, creating operational friction.
The more meaningful goal is building organizational security intuition: a workforce that applies appropriate skepticism to suspicious requests without becoming paralyzed by paranoia about legitimate communications.
Psychological safety around reporting: The single most impactful cultural change an organization can make is making it genuinely safe to report security mistakes. Employees who accidentally click phishing links, forward sensitive data to the wrong recipient, or fall for social engineering need to report these immediately without fear of punishment. Delayed reporting because employees fear consequences dramatically worsens incident response timelines. Security awareness programs should explicitly train employees that reporting mistakes quickly is always better than covering them up.
Role-based training tracks: Generic training treats the accounts payable clerk who processes wire transfers the same as the software developer who never handles financial transactions. Purpose-built role-based tracks — finance team gets wire fraud simulation, developers get supply chain compromise and code repository security, HR gets data privacy scenarios — are more engaging and more relevant than one-size-fits-all content.
Leadership visibility: Security awareness program success correlates with visible leadership support. When the CEO participates in phishing simulation campaigns (and isn't exempt when they click), it signals that security is a serious organizational priority rather than a compliance checkbox. Leaders who publicly share their own learning moments from security training create psychological permission for others to acknowledge their gaps.
Measuring Program Effectiveness Beyond Click Rates
Metrics that matter:
| Metric | What it measures | Target |
|---|---|---|
| Phishing simulation click rate | Susceptibility to template-based attacks | <5% after 12 months |
| Reporting rate (simulations) | Active security participation | >20% should report suspicious emails |
| Time to report (real incidents) | Security response speed | Decreasing trend over time |
| Training completion rate | Program engagement | >95% within defined deadline |
| Compliance certification pass rate | Knowledge retention | >90% on compliance assessments |
Cohort analysis: Track click rates by department, tenure, and role to identify segments that need additional attention. New employees typically have higher click rates — an onboarding phishing simulation program specific to the first 90 days addresses this elevated risk period.
Incident correlation: If your SIEM records real phishing delivery events and your SAT platform records simulation click rates, correlating these datasets can reveal whether users who click simulated phishing are also more likely to interact with real phishing deliveries. This validates (or challenges) the assumption that simulation performance predicts real-world behavior.
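The cohort analysis and incident correlation described above are straightforward to compute once the SAT platform's simulation export and the SIEM's real-phishing interaction list are side by side. The following is an added example, not code from this guide or from any of the three vendors; the users, departments, simulation outcomes and SIEM interaction set are all constructed, and the column names (`uid`, `clicked`, `reported`) are assumptions about what an export would contain. It computes the click and reporting rates from the metrics table, breaks click rate down by department and by the first-90-days tenure bucket, and then estimates the relative risk of a real-phish interaction for users who clicked a simulation versus those who did not, which is the validation step the paragraph above calls for.

```python
"""Awareness-program metrics from constructed SAT and SIEM records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class User:
    uid: str
    department: str
    tenure_days: int


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one simulated phishing wave (assumed export columns)."""
    uid: str
    clicked: bool   # followed the simulated lure link
    reported: bool  # used the report button instead of clicking


# Constructed sample population: hypothetical users, departments and tenures.
USERS: List[User] = [
    User("u1", "finance", 45), User("u2", "finance", 900),
    User("u3", "engineering", 30), User("u4", "engineering", 1200),
    User("u5", "hr", 60), User("u6", "hr", 2000),
    User("u7", "finance", 15), User("u8", "engineering", 700),
]

# Constructed results of one simulation wave, one row per user.
SIM_RESULTS: List[SimResult] = [
    SimResult("u1", True, False), SimResult("u2", False, True),
    SimResult("u3", True, False), SimResult("u4", False, True),
    SimResult("u5", False, False), SimResult("u6", False, True),
    SimResult("u7", True, False), SimResult("u8", False, False),
]

# Constructed SIEM export: users who interacted with a *real* delivered phish
# (for example, clicked a URL the email gateway later flagged as malicious).
REAL_PHISH_INTERACTIONS: Set[str] = {"u1", "u7", "u5"}


def _rate(hits: int, total: int) -> float:
    """Proportion, returning 0.0 for an empty cohort instead of dividing by zero."""
    return hits / total if total else 0.0


def click_rate(results: Iterable[SimResult]) -> float:
    rs = list(results)
    return _rate(sum(r.clicked for r in rs), len(rs))


def report_rate(results: Iterable[SimResult]) -> float:
    rs = list(results)
    return _rate(sum(r.reported for r in rs), len(rs))


def cohort_click_rates(users: Iterable[User], results: Iterable[SimResult],
                       cohort_of: Callable[[User], str]) -> Dict[str, float]:
    """Click rate per cohort; cohort_of maps a User to a label (department, tenure bucket, role)."""
    by_uid = {u.uid: u for u in users}
    clicks: Dict[str, int] = defaultdict(int)
    totals: Dict[str, int] = defaultdict(int)
    for r in results:
        label = cohort_of(by_uid[r.uid])
        totals[label] += 1
        clicks[label] += int(r.clicked)
    return {label: _rate(clicks[label], totals[label]) for label in totals}


def tenure_bucket(user: User) -> str:
    """The guide's onboarding window: first 90 days versus everyone else."""
    return "first_90_days" if user.tenure_days <= 90 else "established"


def relative_risk(results: Iterable[SimResult], real_interactions: Set[str]) -> Optional[float]:
    """Real-phish interaction rate among simulation clickers divided by the rate among
    non-clickers. A value well above 1.0 supports using simulation clicks as a risk proxy.
    Returns None when either group is empty or the non-clicker rate is zero (no ratio exists)."""
    rs = list(results)
    clickers = {r.uid for r in rs if r.clicked}
    non_clickers = {r.uid for r in rs if not r.clicked}
    if not clickers or not non_clickers:
        return None
    exposed = _rate(len(clickers & real_interactions), len(clickers))
    baseline = _rate(len(non_clickers & real_interactions), len(non_clickers))
    if baseline == 0.0:
        return None
    return exposed / baseline


if __name__ == "__main__":
    print(f"click rate: {click_rate(SIM_RESULTS):.1%}, report rate: {report_rate(SIM_RESULTS):.1%}")
    print("by department:", cohort_click_rates(USERS, SIM_RESULTS, lambda u: u.department))
    print("by tenure:", cohort_click_rates(USERS, SIM_RESULTS, tenure_bucket))
    print("relative risk of real-phish interaction (clickers vs non-clickers):",
          relative_risk(SIM_RESULTS, REAL_PHISH_INTERACTIONS))
```

With the constructed data the first-90-days cohort clicks far more often than established staff, and simulation clickers are several times more likely to appear in the SIEM's real-interaction list, which is the pattern that justifies an onboarding-specific simulation track. On real exports the same functions apply unchanged; the interesting cases are a department or tenure bucket with zero clicks (reported as 0.0 rather than an error) and a wave where no non-clicker touched a real phish, where `relative_risk` returns None and the two raw rates should be reported instead of a ratio.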
Compliance Requirement Mapping
Security awareness training is required or strongly recommended by multiple frameworks and regulations:
| Regulation/Framework | Specific Requirement | Frequency |
|---|---|---|
| HIPAA Security Rule | Workforce security training and awareness program | Ongoing, with periodic updates |
| PCI DSS v4.0 (12.6) | Formal security awareness program | Annual minimum |
| GDPR Article 39 | Data protection training for staff | Role-appropriate, ongoing |
| NIST Cybersecurity Framework | PR.AT-1: Users aware of security risks | Ongoing |
| SOC 2 (CC2.2) | Security policies communicated to workforce | Annual |
| ISO 27001 (A.7.2.2) | Information security awareness training | Defined intervals |
| Cyber Insurance | Documented SAT program | Typically annual, increasingly quarterly |
All three platforms in this guide — KnowBe4, Proofpoint SAT, and SANS Security Awareness — provide compliance reporting that maps training completion and simulation results to these frameworks. This reporting is often directly submitted to auditors or insurance underwriters as evidence of a functioning security awareness program.