Fraud-Engine Isolation, By Design
Simulated phishing traffic your transaction-monitoring and fraud-detection systems can reliably tell apart from the real thing — because it's tagged at the source, not filtered after the fact.
The failure mode we're built to avoid
A training campaign's clicks and "credential submissions" look, on the wire, exactly like a real credential-phishing attempt. Point a fraud engine or SOC at your own workforce without a way to distinguish the two, and you get one of two bad outcomes: simulation noise polluting your fraud models, or a real attack getting dismissed as "probably just the security team's test again."
A header your own team controls
Each client sets one stable, static header value — configured once, by your own security/fraud engineering team, on your own detection stack. PhishArmory doesn't invent it, rotate it, or manage it on your behalf. It's yours end to end.
An audit trail that survives scrutiny
Every engagement event is written with an atomic SQL update, not read-modify-written in application code — so a compliance reviewer or forensic analyst never has to wonder whether a concurrent write silently overwrote a truer reading.
What this maps to on your compliance calendar
Architectural controls, not certifications — this is the evidence our platform contributes to a program you already run.
| Framework | What we contribute |
|---|---|
| GLBA / FTC Safeguards Rule (16 CFR Part 314) |
Maker-checker dual approval on every campaign launch, plus host-isolated envelope-encrypted credential storage, support the Safeguards Rule's access-control and information-security-program documentation requirements. |
| SEC Rule 17a-4 | Our audit log is insert-only at the application layer — no code path updates or deletes a written record — which supports the spirit of Rule 17a-4's non-rewritable recordkeeping expectation. Pair with your own WORM-compliant storage backend for full retention-rule coverage; we don't claim to replace that layer. |
| FINRA cybersecurity program review | A timestamped record of every campaign, approval, and result gives your cybersecurity program exactly the training-and-testing evidence FINRA program reviews ask to see. |