There are defining moments in the evolution of a company that change everything. Today is one of those days for us at CYBERDISE. We’ve been very close to the market for the past three years. Even when we started, we knew that the awareness industry was heading in a direction we didn’t fully understand back then.

We now clearly understand the market’s needs and pains and know exactly where to go next. Following intensive development and extensive market analysis, we are making a monumental shift forward: we are transitioning from traditional security awareness to Behavioral Defense Engineering (BDE).

Microsoft Defender for Office 365 includes its own phishing simulation and awareness platform called Attack Simulation Training. Because it is deeply integrated into Microsoft 365, many organizations automatically assume it is the logical choice for phishing simulations and employee awareness.
And honestly: in some areas, Microsoft Defender Attack Simulator is very good.
But there is also another side that organizations should understand before replacing specialized awareness platforms completely.
This article is intentionally balanced. There are clear advantages — but also structural limitations that become visible very quickly in larger or more mature security environments.

“Software is eating the world” is a well-known saying, and the prediction is clearly playing out. Today, though, it’s no longer primarily software that’s reshaping our economy and society — it’s artificial intelligence itself.

What happens after not only all vulnerabilities have been found – but then almost all of them have disappeared?

Two weeks ago, Anthropic made headlines with “Mythos” – a model that finds vulnerabilities like no human before it. Last week I wrote about how AI is becoming the better penetration tester.

What happens when software is no longer attacked only by humans, but by synthetic actors that think differently than we do?

Claude developer Anthropic made headlines last week with the internal release of a new model called Mythos. It is said to be exceptionally good at finding bugs and vulnerabilities in software. Due to these capabilities, Anthropic is refraining from a public release for now and instead aims to work with large tech companies and governments to prevent misuse.

It remains unclear how realistic and actually exploitable many of these vulnerabilities are… at least for humans.

Which free templates for attack simulations can I use? Which free cybersecurity courses help me train my employees?

With CYBERDISE Freemium, we offer a free tool for phishing simulations. With it, you can not only run phishing exercises, but also train your employees with cybersecurity courses. And the best part is that you can edit all templates and adapt them to your specific needs – exactly as required for genuine awareness!

A new study conducted by CIO / CSO / Computerwoche (based on 324 interviews with senior IT decision-makers across DACH, conducted November–December 2025) paints a clear picture: NIS2 is reshaping how organisations think about cybersecurity. But compliance and actual resilience are still far apart.

Below are the findings we think matter most – and what they mean for how you approach security awareness and human risk.

Nearly half of all successful cyberattacks start with a negligent employee. Why is that and what can be done about it.

If you google this question, then it answers you that it’s because of ‘Falling for Phishing and Social Engineering Scams’, ‘Poor Password Management and Credential Hygiene’ and ‘Negligent Data Handling and Unsecured Devices’. Of course, these are important reasons, but this answer is much more helpful if you take a step back and realize that nearly all statements, so to speak, are about people!

And that’s how it is today, it’s proven that at least 47% [1] of successful cyber-attacks start with a careless employee and mostly with an phishing email. Why does this happen, why do employees get caught up in it? Our experience shows that there are three main reasons why employees fall for malicious emails.

It is obvious that Microsoft offers a phishing simulation tool. Unfortunately, organizations that genuinely care about having attentive employees who are well-sensitized to cyber risks are not well served by it.

The great thing about trade show season is that you get to have personal conversations with many cybersecurity specialists. And I’ve just learned from several German and Swiss mid-sized companies that they have let their contracts with their awareness vendors expire and are instead relying on Microsoft Defender Attack Simulator. After all, this product is included with E5 licenses – so why use anything else?

Behavior-oriented awareness means the primary success metric is observable risk behavior change, not knowledge completion, positive feedback scores, or course consumption.

An entire industry often offers customers products and services with little benefit. And they even buy into it!

Today in 2026, the cybersecurity awareness market will be worth around USD 6.7 billion [1]. Created just over 20 years ago, it is dominated by awareness or SAT providers, which I regard to be second generation. Companies such as Proofpoint, Terranova, Knowbe4, Sans, Sosafe, Hoxhundt, or whatever they are called, secure the lion’s share of this market, which is expected to grow to just under USD 15 billion in 2031. In addition, there are hundreds of other players, such as CYBERDISE | Cybersecurity Awareness .

What is CYBERDISE Freemium Edition?
It is a free phishing tool and learning environment where users can complete cybersecurity courses. Technically speaking, it is an attack simulator and a lean LMS including a content editor and user management.

What does the solution include?
The phishing simulator, learning management functionalities, two dozen attack templates, a dozen e-learning modules on information security, a content editor for customizing templates, and recipient management.

Some may wonder why CYBERDISE Awareness provides a free solution for phishing simulations and cybersecurity training at the highest level. Anyone who thinks this is purely for marketing purposes is completely wrong.

I need to give a bit of background so you can understand our motivation for offering a free phishing tool. It’s about effectiveness, the market, and our own standards – and yes, also about marketing 😉

The Human in an AI-Driven Threat Landscape – AI did overpass the human in writing phishing emails in 2024 – already two years ago[1]. It is therefore not surprising that nowadays, virtually all phishing attacks are created by AI agents. They write more convincing phishing, in a personalized way and they can process huge volumes of messages at almost no cost. There will always be malicious messages that outsmart even the best filters and end up in your mailbox. And these will be all the more dangerous.

So, organizations must empower the employees and IT-engineers and they should respond with the same level of AI-enabled automation. That’s why Cyberdise applies AI where it matters most

CYBERDISE 3.0 contains significant new functionality in AI phishing, LMS and training, threat reporting and message analysis and even architectural enhancements. That’s why it’s a great release!

Version 3.0 since early 2026. Those who want to know what’s exactly in the release, please check out the release-notes. But here I’d like to cover the three to four features we love most.

The University of Osnabrück receives the “Awareness Customer of the Year 2026” award for the exemplary implementation of CYBERDISE in an on-premise configuration. No other customer has deployed our platform productively at a comparable speed: only a few weeks elapsed between order and the first productive campaign.

We were particularly impressed by the lean, efficient, and largely independent implementation – as well as the consistently professional, proactive, and prompt communication. This combination makes the University of Osnabrück a true showcase customer. We are all the more pleased that the university has agreed to become one of our reference customers.

In CYBERDISE AWARENESS, two concepts are often used interchangeably – attitude and behavior. They are related, but they are not the same. Confusing them is one of the main reasons why many awareness programs fail to deliver lasting risk reduction.

Attitude is shaped primarily through information, communication, and training. Traditional awareness programs focus heavily on this layer: policies, videos, e-learning, and explanations of “what could go wrong.”

Research confirms that training can indeed influence attitude. Employees often report higher awareness, stronger responsibility, and better understanding after training interventions.

In CYBERDISE AWARENESS, two concepts are often used interchangeably – attitude and behavior. They are related, but they are not the same. Confusing them is one of the main reasons why many awareness programs fail to deliver lasting risk reduction.

Attitude is shaped primarily through information, communication, and training. Traditional awareness programs focus heavily on this layer: policies, videos, e-learning, and explanations of “what could go wrong.”

Research confirms that training can indeed influence attitude. Employees often report higher awareness, stronger responsibility, and better understanding after training interventions.

What features were we able to roll out? A review.

Modern attacks happen in seconds, but awareness teams often work in days or weeks. We wanted to close this gap. CYBERDISE 2025 brings together AI reconnaissance, autonomous campaign components, multi-organizational management, and a revamped content ecosystem. It’s a platform that not only trains, but also systematically scales security culture—from medium-sized businesses to MSSPs. At the end of the year, we will showcase the features developed this year that will help you achieve this goal. Which ones are you not familiar with yet? Take a look for yourself at the end of this article!

Recent discussions around the effectiveness of cybersecurity awareness have been reignited by high-profile media coverage. Most prominently, a Wall Street Journal article drawing on the study “Understanding the Efficacy of Phishing Training in Practice” questions whether phishing simulations and awareness training lead to meaningful risk reduction.

The debate itself is healthy. The conclusions drawn from it, however, require more nuance.

A growing body of empirical research shows that well-designed cybersecurity awareness programs do improve real-world cyber risk behavior. What often fails is not awareness as such, but narrow interpretations of what awareness is, how it should be embedded organizationally, and how success should be measured.

How many phishing simulations should be conducted and how frequently users should be confronted with cybersecurity eLearning is a recurring topic in consulting for awareness programs and campaigns.
This topic is far from academic – it’s highly relevant for practical application.
A sensitization effect, once achieved, begins to crumble after about three months, and after six months, maximum erosion has essentially been reached. There are solid studies on this, and our latest scientific research shows a very similar result.
However, the statements made about the quantity and timing of awareness measures must be considered with nuance. It would be dangerous to derive simple, universally applicable rules from them.

Common possible missteps on customer-side in implementing Security Awareness projects

It’s like any other project: you think it’s too easy, you don’t listen or listen to the wrong experts, you think you’ll master it, or you think you can do it alone, you don’t talk to each other enough and the goals and requirements are not as clear as they should be. If you then start with an inappropriate mindset and management fails to recognize the purpose, value and benefits of awareness, then the project can get off to a very bumpy start.

Phishing emails are becoming harder to detect, even for humans. A recent study tested various large language models (LLMs) for their ability to recognize malicious intent in emails, revealing significant differences in performance.

One standout was Claude 3.5 Sonnet, which scored over 90% at low false positive rates and even flagged suspicious emails that humans overlooked. When explicitly asked to assess suspicion, it correctly classified all phishing emails while avoiding false alarms on legitimate messages. However, it struggled with conventional phishing emails, achieving only an 81% true-positive rate in that category…

Company founders pitch investors to get funding and other help for their business idea. Reverse pitching turns the tables: the investors, business angels and VC’s apply to the startup entrepreneurs to be allowed to invest in their companies.

Is this a good idea? No and yes ☺

Over the past 15 years, I’ve had hundreds of conversations with investors – and yet, I’ve never really thought about what it would be like if an investor had to pitch to me, not the other way around.

What would I look for?

Conversely, does this mean that once you have achieved product-market fit, you can start scaling immediately and you are sure to be successful? I would say: maybe, probably not.

Yes, 9 out of 10 start-ups fail. And yes, most of them probably failed because they offered something that the market didn’t really want. But I do have some reservations about the rest becoming successful because the PMF has been reached.

In the early days, cybersecurity training was not yet fully understood. Most attempted to educate their staff through training, and the first phishing campaigns for educational purposes were conducted. And compliance wasn’t that important yet.

A company exists because the employees believe there is a way, the customers believe it solves a problem, and the investors believe it is worth something 😉

Despite comprehensive security awareness training, many organizations still continue to have cybersecurity breaches resulting from human error. We believe that it is because many people understand cybersecurity threats in theory but struggle to apply the knowledge in practice consistently to act safely.

This gap between risk attitude (knowing what is risky) and risk behavior (actually acting securely) is what today’s article will be about 😉

The IBM Cost of a Data Breach Report has been published every year for two decades.

It’s often read for the numbers: the global average breach cost (now $4.4M), the top industries, or the fines (which in the U.S. push average costs to $10M).

But look a little deeper and with your own expert-view, and this year’s report says something more fundamental about cybersecurity awareness.

Cybersecurity awareness training is a vital component of organizational defense strategies. However, many awareness providers or solutions are not able to cover the requirements of the customers. We list and summarize common weaknesses of security awareness providers and practical steps (bigger) organizations can take to address them.

The Marks & Spencer Cyber Attack shows it. Large companies with complex organizations, many languages, multiple LMS systems, heterogeneous metadata landscapes and high process variance need cybersecurity awareness solutions that are designed to meet such challenges. Otherwise, employee awareness of cyber risks will degenerate into a farce or there is a risk of group-wide failure.

The similarities and differences are impressive – in our irregular series ‘The biggest cyber heists’, we look at the biggest cyber heists in history. Today’s post analyzes the bybit, MGM and Sony hack. We summarize what happened, how it happened, who noticed it, what damage was done and what the consequences were. We then examine what measures would have been useful to counteract this and whether something could have been done with more vigilance.

In today’s hyper-connected digital world, information is power. Unfortunately, this power isn’t just in the hands of the good guys. Cybercriminals are increasingly turning to Open Source Intelligence (OSINT) to fuel their attacks, particularly phishings. By exploiting publicly available information, attackers can craft highly personalized and convincing scams that are harder to detect and resist.

A great awareness solution for complex needs – What began a year and a half ago as a business idea for AI-driven awareness tailored to more complex customer needs has truly made an impact! CYBERDISE now trains and tests over 40,000 users. With the latest version 2.5, we have demonstrated that our solution is competitive and is licensed by reputable large clients and partners.
Specialized cybersecurity service providers and larger organizations have unique requirements for their cybersecurity awareness programs. CYBERDISE effectively meets complex and specialized security awareness training needs.

The U.S. presidential election was hit with billions of cyberattacks. 6 billion, to be exact. Fake news, phishing scams, deepfakes – you name it. Somehow, though, things held up.
Now, Germany’s snap election is just weeks away, and experts are already sounding the alarm. Phishing attacks are on the rise. Disinformation is spreading. Fake news isn’t just background noise anymore – it’s being used to manipulate public opinion and mess with democracy.

While “Carry-On” primarily focuses on physical security in an airport, its themes resonate deeply with today’s cybersecurity challenges. To us, the movie serves as a stark reminder of how vulnerabilities – both technological and human – can be exploited with devastating consequences. Let’s explore key moments

GDPR vs NIS2 vs ISO 27001: Key Differences Explained. Compliance isn’t just a buzzword – it’s a cornerstone of trust, security, and resilience. But navigating the differences between GDPR, NIS2, and ISO 27001 can feel like solving a puzzle. What do you need to know, and why does it matter? Let’s break it down.

Published Date: December 5, 2024 Have you watched “The Great Hack” movie? A must-watch for insights into the psychology behind phishing attacks! Psychology and Phishing Attacks Phishing attacks rely heavily on psychological tricks, which is why understanding these tactics is …

Did you know that it-sa Expo & Congress in Nuremberg is one of Europe’s leading cybersecurity events? This year, it set new records with 25,830 trade visitors from 65 countries and 897 exhibitors.

A $25 Million Deepfake Scam: The Rise of AI-Powered Cybercrime Quishing: The Rise of QR Code Phishing Scams German company, Diehl Defense, targeted by North Korean Hackers

Why Today’s Phishing Exercises (Simulations) Are Mostly Stupid? Published Date: November 4, 2024 The “Cybersecurity Awareness” Paradox There’s something almost ironic about cybersecurity awareness: on one hand, cybersecurity is the lifeline that can make or break a company in the …

Free Phishing Simulation and Awareness Training with the Cyberdise Freemium Edition – DIY Cybersecurity Awareness. Published Date: October 21, 2024 A top-notch, free phishing simulator with cybersecurity e-learning and complete functionality: Just in time for Cybersecurity Awareness Month and it-sa …

Beware of Quishing: The Rise of QR Code Phishing Scams Published Date: September 22, 2024 Beware of Quishing – The New Phishing How scammers hide harmful links in QR codes you are scanning Have you ever scanned a QR code …

The Universal Simulation and Awareness Solution: Cyberdise 2.0 Published Date: September 10, 2024 Cybersecurity Awareness Meets AI – THE Universal Solution You Need Protect Your Organization by Empowering Your Employees Cyber threats are evolving rapidly, and your organization’s defense starts …

It is now undisputed that a Cyber Attack has become one of the biggest and most costly threats to companies. A secure technical infrastructure is often no …