Measure the Defense.
Not Just the Click.
PhishArmory goes past pass/fail click testing to quantify how your workforce actually behaves under attack — who defended the organization, how fast, and how genuinely they engaged with the training that got them there. Real behavioral telemetry, an active-defense ratio your board can read in one number, and an append-only, tamper-resistant record of every action taken along the way.
Four numbers a CISO can actually stand behind
Every one of these is computed from data the platform already captures — not a survey, not a self-report, a direct measurement of behavior.
Resilience Index
The click-to-report ratio, as a single number: how many employees actively defended the organization for every one who fell for the lure. Above 1.0 means your workforce is net-positive defense, not just "somewhat tested."
Operational Velocity (MTTD)
Mean Time to Defend: how fast this campaign produced its first real catch, campaign-wide — the same "time to detect" instinct your SOC already applies to every other incident, now applied to the human layer.
True Engagement Telemetry
The Teachable Moment page tracks how long someone actually read the training and how far they scrolled — not just whether they clicked a button. A 2-second "I understand" click and a genuine 45-second review look identical to a survey. They don't look identical here.
Role-Specific Risk Profiling
Lures are generated against a specific persona and role context, not a generic template blasted at everyone — and results roll up by department, so risk profiling reflects who someone actually is at your organization, not a one-size-fits-all pretext.
Stop tracking vanity metrics.
Start measuring real behavioral change.
A click rate alone tells you almost nothing about whether your organization is getting safer. Resilience Index, Operational Velocity, and Engagement Telemetry tell you whether people are actually defending, how fast, and whether the training is landing — the difference between a report you file and a report you can act on.
| Legacy Phishing Simulators | PhishArmory HRM |
|---|---|
| Click rate as the headline metric | Resilience Index — active defenders vs. compromised targets |
| "Training completed" = button clicked | True Engagement Telemetry — verified dwell time and scroll depth |
| No sense of response speed | Mean Time to Defend — operational velocity, SOC-style |
| One generic template for everyone | Persona- and role-aware lure generation, department-level rollups |
| A PDF nobody reads twice | A living resilience trend line, cycle over cycle |
Backend mechanics, translated for the boardroom
Every card below names the actual internal artifact behind it — not marketing shorthand. If your team asks "how does that actually work," this is the honest answer.
Tenant-Isolated Simulation Headers
Each client sets one stable, static header value their own mail security team configures once, on their own gateway. Not rotated, not a secret we invent — a fixed signal your team controls end to end.
Audit-Grade Atomic Telemetry
Engagement and dwell-time telemetry is computed with a single atomic SQL expression at the database layer, not read-modify-written in application code — so concurrent events can never silently overwrite a truer, larger reading.
Persistent Pretext Domains
Pretext domains are a stable, named pool your team manages once — not disposable, auto-rotated infrastructure. The same domain maps to the same training scenario over time, so you can track improvement against it.
Maker-Checker Dual Approval
Every campaign can require a second, distinct approver before it launches — and the system enforces that a creator can never approve their own campaign. Segregation of duties, not a policy you have to remember to follow.
RBAC-Gated Access Logging
Per-recipient results are visible only to Operator/Admin roles — and every time someone with access actually opens that detail view, the view itself is logged with user agent and IP. We audit reads, not just writes.
Host-Isolated Envelope Encryption
Every credential gets its own single-use data key, which encrypts that secret and is itself wrapped by a master key that lives only in this host's environment — never in the database. A stolen database dump alone is never enough to decrypt anything: defense-in-depth against exactly the database-layer exploitation a leaked backup or SQL-injection read represents. Access beyond that is exclusively via high-privilege, re-authenticated administrative break-glass interfaces, backed by append-only audit logging.
Enforced Admin MFA
Every operator account requires TOTP-based multi-factor authentication to sign in — enforced at the platform level, not an optional toggle an admin can leave off. The same envelope-encryption scheme protecting API credentials protects these MFA secrets at rest.
One audit-grade dataset, four ways to read it
Every number below already exists in the platform today — ORI trending, vector-performance heatmaps, median TTR, and department-level breakdowns. These are the four audiences that actually read them.
Executive Brief
Month-by-month Organizational Risk Index trending against a rolling baseline, plus the plain-language posture summary a board actually reads — pulled from the same Underwriting/Audit report your admins already export.
Operational Ledger
Vector-performance heatmaps, median time-to-resolution, and per-department click/report rates — the engineering-depth numbers that drive the next training cycle. Pulled from the per-campaign Executive Report.
Regulatory Compliance Attestation
The same insert-only audit log and framework mapping described on our compliance page — packaged as an evidence export for your auditor, cross-referenced against SOC 2, HIPAA, CMMC, NERC CIP, PCI DSS, and GLBA/SEC 17a-4.
Risk Underwriting Dossier
A structured technical-controls history — training cadence, ORI trend, remediation completion — of the kind underwriters request at renewal. We don't set your premium; we give you the defensible evidence trail to bring to that conversation.
Built for the sectors where a mistake is expensive
The same architecture, pointed at four very different failure modes. Each has its own dedicated deep dive.
Financial Services
Fraud-engine isolation, by design — simulation traffic your own detection systems can tell apart from the real thing.
Read more →Healthcare
Zero PHI touchpoint, full audit trail — workforce training evidence without another system that touches a medical record.
Read more →Critical Infrastructure & Energy
Zero footprint on OT — email and human-layer testing only, never a foothold in your control-system network.
Read more →Government & Defense
Built for the audit, not just the click — architected around the CMMC 2.0 / NIST SP 800-171 control families.
Read more →Compliance & framework mapping
SOC 2, HIPAA/HITRUST, CMMC 2.0 / NIST SP 800-171, NERC CIP-004-6, PCI DSS 4.0, and GLBA/FTC Safeguards — framework by framework.
View compliance mapping →Interactive playground
Run the exact organizational-risk formula our reports use, and click through a simulated inbox to see the telemetry it generates.
Open the playground →Ready to see it against your own domain?
We'll walk through the architecture, the audit trail, and exactly what your security team would see in week one.
Request a briefing