Huntress’ Awareness Training Tool Puts Users in the Hacker’s Seat

Awareness Training and CSAM

Nearly all organizations have some security awareness training (SAT) programs in place that play a critical role in their cybersecurity strategies. These play a vital role in helping employees recognize and avoid cyber threats, and practice good security hygiene.

The aim is to reduce what is considered a key weakness in cybersecurity today – the human element – which has now become the leading cause of data breaches, a result of workers falling for phishing emails and malvertising scams, using weak passwords, and sharing too much information on social media.

However, there are questions about how effective these programs are. They often fail to cover all the possible threats, focusing mostly on phishing attacks, and are often delivered as boring, video-based hour-long lectures and a newsletter in a one-size-fits-all fashion, according to Dima Kumets, principal product manager at cybersecurity vendor Huntress.

“These programs often fall short, wasting employees' time by covering broad topics and jargon that rarely apply to their roles, all under the guise of ‘awareness,’” Kumets told MSSP Alert. “Unsurprisingly, these infrequent and lengthy sessions fail to drive meaningful behavioral changes. After all, you wouldn’t expect excellent oral hygiene by brushing your teeth intensely just once a year.”

Attack Simulation

Huntress wants to change that. The Columbia, Maryland-based company this week launched Threat Simulator, the latest addition to its Huntress Managed SAT service that is designed to give employees a view from the other side of cyberattacks. Instead of lecturing workers about the steps they can take to be more secure, the Threat Simulator puts users into the role of hackers, letting them run simulated attacks.

“In the first simulation, we reinforce the importance of limiting the amount of information shared on public social media accounts and websites by having the learner research victims’ publicly visible data to convince IT to gain access to their account,” Kumets said. “We believe that the experience of ‘hacking’ someone just by gathering open source intelligence – OSINT – is far more impactful than a lecture about not oversharing.”

About 24,000 users opted to try the OSINT simulation in Huntress Managed SAT during the early access period, which began in early April, with some who failed on the first attempt going back to it again. On average, it took 1.5 attempts to complete.

The second simulation, which will be introduced this summer, uses the same approach to password hygiene, with users being able to experience the ease with which a target can be compromised and – hopefully – convince them to strengthen their defenses, he said.

Another Point of View

“Although it’s difficult to estimate the proportion of humans who primarily learn by doing, offering cybersecurity training in this way is critical for those who do and beneficial to us all,” Kumets said. “It tackles the inaccurate biases that individuals are not important enough or not wealthy enough to be targeted by showing the ease with which an attacker can target individuals for profit.”

Given how often bad actors target people as gateways into corporate networks, a more effective training program is important. According to this year’s Verizon Data Breach Investigations Report (DBIR), 60% of data breaches in 2024 included some human action, whether failing to recognize a business email compromise (BEC) or inadvertently downloading malware. Similarly, a study by KnowBe4 in January found that organizations with effective awareness training are 8.3 times less likely to appear on public data breach lists.

Additionally, a survey released in May by cybersecurity company Abnormal AI found that while 99% of organizations questioned were hit with an attack in 2024 tied to human error, most said they struggled to implement effective SAT programs. About 75% require employees to complete such training at least every quarter, but many programs are used only to comply with regulatory or insurance requirements.

SAT is Not Always Worth the Work

While 83% said SAT tools require a lot of work to run and maintain, 53% said the results of the training didn’t measure up to the effort.

“When SAT content is one-size-fits-all and delivered against an annual or quarterly schedule to check a box, it can feel like a chore that employees are apt to tune out – and that opens the door to costly breaches,” Abnormal AI CIO Mike Britton said in a statement.

A month earlier, the Las Vegas company introduced AI agents into its AI-based SAT platform. Its AI Phishing Coach tool turns real attacks stopped by Abnormal AI into simulations personalized for each user.

This comes as spending on SAT is growing, with the global market expected to expand from $19.31 billion this year to $37.84 billion by 2034. Meanwhile, investment money is also coming into the space. Startup Riot Security in February raised $30 million in Series B funding for its AI-based SAT platform, which simulates phishing attacks and detects data leaks, while also training employees with a chatbot named Albert.

A Tool for MSSPs and MSPs

As with most parts of cybersecurity, MSSPs and MSPs play an important role in SAT for organizations that don’t have enough staff. Huntress’ Kumets said analyst research found most companies have fewer than 0.5 full-time equivalents assigned to security training.

“There is simply not the time or talent available to effectively manage training in-house at most organizations,” he said. “MSPs and MSSPs are their customers’ trusted advisors but also face these challenges.”

Through Huntress’ new offering, service providers can hand over the management of training to the vendor’s threat researchers, security operations center (SOC), and adult learning experts, he said, adding that doing so ensures “an effective program while also allowing them to focus on being their customers’ trusted advisors.”