Blog – EN

For years, the global cybersecurity industry has been fighting the right problem with the wrong methods. While traditional security awareness programs have focused on theoretical knowledge transfer for two decades, measurable organizational risk remains consistently high. A joint study by CYBERDISE and the Lucerne University of Applied Sciences and Arts (HSLU) scientifically confirms what practice has long shown: more knowledge does not automatically translate into secure behavior when employees are targeted by real, psychologically optimized attacks.

There are defining moments in the evolution of a company that change everything. Today is one of those days for us at CYBERDISE. We’ve been very close to the market for the past three years. Even when we started, we knew that the awareness industry was heading in a direction we didn’t fully understand back then.

We now clearly understand the market’s needs and pains and know exactly where to go next. Following intensive development and extensive market analysis, we are making a monumental shift forward: we are transitioning from traditional security awareness to Behavioral Defense Engineering (BDE).

Microsoft Defender for Office 365 includes its own phishing simulation and awareness platform called Attack Simulation Training. Because it is deeply integrated into Microsoft 365, many organizations automatically assume it is the logical choice for phishing simulations and employee awareness.
And honestly: in some areas, Microsoft Defender Attack Simulator is very good.
But there is also another side that organizations should understand before replacing specialized awareness platforms completely.
This article is intentionally balanced. There are clear advantages — but also structural limitations that become visible very quickly in larger or more mature security environments.

“Software is eating the world” is a well-known saying, and the prediction is clearly playing out. Today, though, it’s no longer primarily software that’s reshaping our economy and society — it’s artificial intelligence itself.

What happens after not only all vulnerabilities have been found – but then almost all of them have disappeared?

Two weeks ago, Anthropic made headlines with “Mythos” – a model that finds vulnerabilities like no human before it. Last week I wrote about how AI is becoming the better penetration tester.

What happens when software is no longer attacked only by humans, but by synthetic actors that think differently than we do?

Claude developer Anthropic made headlines last week with the internal release of a new model called Mythos. It is said to be exceptionally good at finding bugs and vulnerabilities in software. Due to these capabilities, Anthropic is refraining from a public release for now and instead aims to work with large tech companies and governments to prevent misuse.

It remains unclear how realistic and actually exploitable many of these vulnerabilities are… at least for humans.

Which free templates for attack simulations can I use? Which free cybersecurity courses help me train my employees?

With CYBERDISE Freemium, we offer a free tool for phishing simulations. With it, you can not only run phishing exercises, but also train your employees with cybersecurity courses. And the best part is that you can edit all templates and adapt them to your specific needs – exactly as required for genuine awareness!

A new study conducted by CIO / CSO / Computerwoche (based on 324 interviews with senior IT decision-makers across DACH, conducted November–December 2025) paints a clear picture: NIS2 is reshaping how organisations think about cybersecurity. But compliance and actual resilience are still far apart.

Below are the findings we think matter most – and what they mean for how you approach security awareness and human risk.

Nearly half of all successful cyberattacks start with a negligent employee. Why is that and what can be done about it.

If you google this question, then it answers you that it’s because of ‘Falling for Phishing and Social Engineering Scams’, ‘Poor Password Management and Credential Hygiene’ and ‘Negligent Data Handling and Unsecured Devices’. Of course, these are important reasons, but this answer is much more helpful if you take a step back and realize that nearly all statements, so to speak, are about people!

And that’s how it is today, it’s proven that at least 47% [1] of successful cyber-attacks start with a careless employee and mostly with an phishing email. Why does this happen, why do employees get caught up in it? Our experience shows that there are three main reasons why employees fall for malicious emails.

It is obvious that Microsoft offers a phishing simulation tool. Unfortunately, organizations that genuinely care about having attentive employees who are well-sensitized to cyber risks are not well served by it.

The great thing about trade show season is that you get to have personal conversations with many cybersecurity specialists. And I’ve just learned from several German and Swiss mid-sized companies that they have let their contracts with their awareness vendors expire and are instead relying on Microsoft Defender Attack Simulator. After all, this product is included with E5 licenses – so why use anything else?