Skip to content
Human Risk Management & Behavioral Analytics Platform

Measure the Defense.
Not Just the Click.

PhishArmory goes past pass/fail click testing to quantify how your workforce actually behaves under attack — who defended the organization, how fast, and how genuinely they engaged with the training that got them there. Real behavioral telemetry, an active-defense ratio your board can read in one number, and an append-only, tamper-resistant record of every action taken along the way.

audit_log — live tail
The HRM Advantage

Four numbers a CISO can actually stand behind

Every one of these is computed from data the platform already captures — not a survey, not a self-report, a direct measurement of behavior.

reports ÷ clicks

Resilience Index

The click-to-report ratio, as a single number: how many employees actively defended the organization for every one who fell for the lure. Above 1.0 means your workforce is net-positive defense, not just "somewhat tested."

first delivery → first report

Operational Velocity (MTTD)

Mean Time to Defend: how fast this campaign produced its first real catch, campaign-wide — the same "time to detect" instinct your SOC already applies to every other incident, now applied to the human layer.

dwell time + scroll depth

True Engagement Telemetry

The Teachable Moment page tracks how long someone actually read the training and how far they scrolled — not just whether they clicked a button. A 2-second "I understand" click and a genuine 45-second review look identical to a survey. They don't look identical here.

persona + complexity-aware generation

Role-Specific Risk Profiling

Lures are generated against a specific persona and role context, not a generic template blasted at everyone — and results roll up by department, so risk profiling reflects who someone actually is at your organization, not a one-size-fits-all pretext.

For CISOs & Security Leads

Stop tracking vanity metrics.
Start measuring real behavioral change.

A click rate alone tells you almost nothing about whether your organization is getting safer. Resilience Index, Operational Velocity, and Engagement Telemetry tell you whether people are actually defending, how fast, and whether the training is landing — the difference between a report you file and a report you can act on.

Legacy Phishing Simulators PhishArmory HRM
Click rate as the headline metric Resilience Index — active defenders vs. compromised targets
"Training completed" = button clicked True Engagement Telemetry — verified dwell time and scroll depth
No sense of response speed Mean Time to Defend — operational velocity, SOC-style
One generic template for everyone Persona- and role-aware lure generation, department-level rollups
A PDF nobody reads twice A living resilience trend line, cycle over cycle
Architecture

Backend mechanics, translated for the boardroom

Every card below names the actual internal artifact behind it — not marketing shorthand. If your team asks "how does that actually work," this is the honest answer.

Client.simulation_header_key

Tenant-Isolated Simulation Headers

Each client sets one stable, static header value their own mail security team configures once, on their own gateway. Not rotated, not a secret we invent — a fixed signal your team controls end to end.

UPDATE … SET x = GREATEST(x, :v)

Audit-Grade Atomic Telemetry

Engagement and dwell-time telemetry is computed with a single atomic SQL expression at the database layer, not read-modify-written in application code — so concurrent events can never silently overwrite a truer, larger reading.

LureDomain.domain_name

Persistent Pretext Domains

Pretext domains are a stable, named pool your team manages once — not disposable, auto-rotated infrastructure. The same domain maps to the same training scenario over time, so you can track improvement against it.

campaign.approved (audit action)

Maker-Checker Dual Approval

Every campaign can require a second, distinct approver before it launches — and the system enforces that a creator can never approve their own campaign. Segregation of duties, not a policy you have to remember to follow.

campaign.user_activity_viewed

RBAC-Gated Access Logging

Per-recipient results are visible only to Operator/Admin roles — and every time someone with access actually opens that detail view, the view itself is logged with user agent and IP. We audit reads, not just writes.

crypto_vault.py — DEK + master-key envelope

Host-Isolated Envelope Encryption

Every credential gets its own single-use data key, which encrypts that secret and is itself wrapped by a master key that lives only in this host's environment — never in the database. A stolen database dump alone is never enough to decrypt anything: defense-in-depth against exactly the database-layer exploitation a leaked backup or SQL-injection read represents. Access beyond that is exclusively via high-privilege, re-authenticated administrative break-glass interfaces, backed by append-only audit logging.

operators.mfa_secret_ciphertext

Enforced Admin MFA

Every operator account requires TOTP-based multi-factor authentication to sign in — enforced at the platform level, not an optional toggle an admin can leave off. The same envelope-encryption scheme protecting API credentials protects these MFA secrets at rest.

Reporting

One audit-grade dataset, four ways to read it

Every number below already exists in the platform today — ORI trending, vector-performance heatmaps, median TTR, and department-level breakdowns. These are the four audiences that actually read them.

CEO / Board

Executive Brief

Month-by-month Organizational Risk Index trending against a rolling baseline, plus the plain-language posture summary a board actually reads — pulled from the same Underwriting/Audit report your admins already export.

IT & SecOps

Operational Ledger

Vector-performance heatmaps, median time-to-resolution, and per-department click/report rates — the engineering-depth numbers that drive the next training cycle. Pulled from the per-campaign Executive Report.

Auditors

Regulatory Compliance Attestation

The same insert-only audit log and framework mapping described on our compliance page — packaged as an evidence export for your auditor, cross-referenced against SOC 2, HIPAA, CMMC, NERC CIP, PCI DSS, and GLBA/SEC 17a-4.

Cyber Insurance

Risk Underwriting Dossier

A structured technical-controls history — training cadence, ORI trend, remediation completion — of the kind underwriters request at renewal. We don't set your premium; we give you the defensible evidence trail to bring to that conversation.

Executive Brief and Risk Underwriting Dossier draw from our Underwriting/Audit report; Operational Ledger draws from the per-campaign Executive Report; Regulatory Compliance Attestation packages the same audit log and framework mapping shown on our Compliance page. Four views into data the platform already generates — not four separate products.
Industries

Built for the sectors where a mistake is expensive

The same architecture, pointed at four very different failure modes. Each has its own dedicated deep dive.

FSI

Financial Services

Fraud-engine isolation, by design — simulation traffic your own detection systems can tell apart from the real thing.

Read more →
HEALTHCARE

Healthcare

Zero PHI touchpoint, full audit trail — workforce training evidence without another system that touches a medical record.

Read more →
OT · ENERGY

Critical Infrastructure & Energy

Zero footprint on OT — email and human-layer testing only, never a foothold in your control-system network.

Read more →
GOV · DEFENSE

Government & Defense

Built for the audit, not just the click — architected around the CMMC 2.0 / NIST SP 800-171 control families.

Read more →
Deep dive

Compliance & framework mapping

SOC 2, HIPAA/HITRUST, CMMC 2.0 / NIST SP 800-171, NERC CIP-004-6, PCI DSS 4.0, and GLBA/FTC Safeguards — framework by framework.

View compliance mapping →
Try it live

Interactive playground

Run the exact organizational-risk formula our reports use, and click through a simulated inbox to see the telemetry it generates.

Open the playground →
Get started

Ready to see it against your own domain?

We'll walk through the architecture, the audit trail, and exactly what your security team would see in week one.

Request a briefing