Back to blog
Moving Beyond Email: Top Next-Gen Security Awareness Platforms in 2026
Written by
Brightside Team
Published on
According to Mandiant's M-Trends 2026 report, email phishing now accounts for just 6% of confirmed enterprise intrusions, down from 22% in 2022. Voice phishing (vishing) has taken its place as the second most common initial infection vector, appearing in 11% of all investigated attacks and topping the chart for cloud environment breaches at 23%.
Most security awareness programs haven't caught up. They run quarterly email phishing simulations, track click rates, report completion percentages to the board, and consider the box checked. Meanwhile, attackers are calling employees directly, cloning executive voices with three seconds of audio, and running coordinated email-then-call sequences that bypass every email security tool in the stack.
This article explains what a next-generation security awareness training (SAT) platform looks like, why the features that matter have changed, and how 12 leading platforms compare across the capabilities that address today's threats. By the end, you'll have a clear framework for evaluating whether your current platform is built for today's attacks or for the last decade's.
Quick glossary of terms used throughout this article:
SAT (Security Awareness Training): Software platforms that test and train employees to recognize and respond to social engineering, phishing, and related attacks
Vishing: Voice phishing — social engineering conducted over phone calls, increasingly using AI-generated or cloned voices
Deepfake simulation: A training scenario that uses AI-generated video or audio to impersonate a real person, typically an executive or trusted colleague
TOAD attack (Telephone-Oriented Attack Delivery): A hybrid attack where an email establishes a pretext, and a follow-up phone call completes the social engineering
Spear phishing: A personalized phishing attack tailored to a specific person using their name, role, team, or the tools they use at work
Live adaptive AI call: A vishing simulation where an AI agent holds a real-time phone conversation and adjusts its responses based on what the employee says, not a pre-recorded message or scripted menu
Email Phishing Has Fallen to 6% of Attacks — Most SAT Programs Haven't Noticed
Email phishing is no longer the dominant attack vector in enterprise breaches, yet the majority of SAT programs are still structured around it as if it were.
The Mandiant M-Trends 2026 report, published in March 2026, draws on over 450,000 hours of incident response across Mandiant's global investigations. In 2025, email phishing appeared in just 6% of confirmed intrusions, a steep drop from 14% in 2024 and 22% in 2022. Vishing climbed to 11% of all initial infection vectors and hit 23% in cloud environments specifically, making it the single most common way attackers gain entry to cloud infrastructure.
The CrowdStrike 2025 Global Threat Report tracked vishing incidents across 2024 and found a 442% surge from the first half to the second half of the year, a half-year comparison that shows how quickly the attack method scaled once generative AI made voice cloning accessible. The change happened fast. Vishing scaled within a single half-year reporting period, not over several years.
The reason attackers moved to voice is straightforward. Email security infrastructure — DMARC authentication, secure email gateways, URL sandboxing — has become effective enough that email phishing now requires significant effort for decreasing returns. A convincing phone call using a cloned voice costs an attacker almost nothing to execute and bypasses every email security control an organization has.
TOAD attacks combine both channels deliberately. An email arrives first, typically a fake invoice, security alert, or IT notification, and creates a pretext. When the employee inevitably calls the "support number" listed in the email, or receives a follow-up call from the "sender," they've already been primed to trust the conversation. The email filter saw nothing malicious. The call bypassed it entirely.
Training That Skips Voice and Deepfakes Creates a Blind Spot Attackers Exploit Immediately
A security program that only tests email gives employees no practical experience with the manipulation patterns they're most likely to encounter in a real attack today.
In January 2024, a finance employee at Arup, a major British engineering firm, transferred $25 million across 15 transactions after attending a video conference call populated entirely by deepfake versions of the company's CFO and several senior colleagues. The employee had initially been skeptical of the email that initiated the contact. Good instinct. But when the video call appeared to show familiar, trusted people asking for authorization, that skepticism evaporated. The attack didn't defeat a technical control. It manufactured social trust.
Human detection of AI-generated voices is unreliable. A peer-reviewed study published in arXiv in October 2024 found that people correctly identify an AI-cloned voice only about 60% of the time when the audio clip is short, roughly the length of an opening statement on a phone call. They perceive a synthetic voice as belonging to the real person approximately 80% of the time. An employee who has never experienced a realistic vishing simulation has no trained response when their manager's voice, or what sounds exactly like their manager's voice, tells them to approve a wire transfer before the end of business.
Help desk staff face a specific version of this problem. Threat actor groups like Scattered Spider have consistently targeted Level 1 IT staff by phone, impersonating employees or executives to reset passwords, enroll new MFA (multi-factor authentication) devices, or get staff to install remote access tools. MFA, or multi-factor authentication, is the security step that requires a second form of verification beyond just a password. Email simulation programs can't prepare someone for a high-pressure phone call where a convincing voice is invoking urgency and authority in real time.
Three Assumptions About SAT Platforms That Are No Longer True
Several beliefs about security awareness training reflect how the market worked five years ago, not how threats or platforms work now.
Assumption 1: "Any platform that includes vishing covers the threat."
The word "vishing" in a vendor's feature list can mean very different things. Some platforms deliver a pre-recorded audio file or a scripted voicemail drop. Others play a branching script where the call follows a fixed path regardless of what the employee says. Only a live adaptive AI call, where an AI agent conducts an unscripted real-time conversation and adjusts based on the employee's responses, actually trains someone to handle the pressure of live social engineering. The distinction matters enormously for training effectiveness, and it's not always visible until you ask a vendor to run a live demo.
Assumption 2: "A platform with a large market share covers modern threats."
KnowBe4 is the most widely deployed SAT platform in the world. Its email template library and compliance reporting are its strongest suits, backed by broad enterprise integrations. It's also a platform where template-based vishing simulation (outbound test calls) is available from the Gold tier upward, but no tier delivers a live adaptive AI conversation. Its Deepfake Training feature, launched in December 2025, requires an AIDA subscription or Diamond tier — and it's a content awareness module, not a simulation attack. You can't infer modern threat coverage from market penetration.
Assumption 3: "High course completion rates prove the program is working."
Completion rate measures whether employees opened the module and clicked through it. It doesn't measure whether they can identify a cloned executive voice, resist an authority-based verbal request, or know to hang up and call back on a verified number when a "vendor" asks for payment details over the phone. Effective programs track simulation failure rates trending downward over time, time-to-report on suspicious calls, and whether specific high-risk roles, such as finance, IT help desk, and executive assistants, are improving. Completion rates are an administrative metric, not a security metric.
What Separates Legacy SAT from Next-Gen: Attack Surface, Not Interface
Legacy and next-gen SAT platforms both have polished interfaces. What separates them is which attacks they can actually simulate.
Capability | Legacy SAT | Next-Gen SAT |
|---|---|---|
Email phishing simulation | ✅ Core feature | ✅ Core feature |
Live adaptive AI vishing calls | ❌ Absent or pre-recorded | ✅ Real-time AI conversation |
Custom executive voice cloning | ❌ Not available | ✅ From a 1–2 min audio recording |
Hybrid email + voice campaign | ❌ Separate manual workflows | ✅ Single coordinated campaign |
Deepfake video simulation | ❌ Not available | ✅ AI-generated video impersonation |
AI-recommended attack strategy | ❌ Admin-defined only | ✅ AI suggests tactics and explains why they work |
NIST-aligned difficulty scoring | ❌ Absent or proprietary | ✅ Mapped to the NIST Phish Scale |
Vishing-specific metrics dashboard | ❌ Email metrics only | ✅ Answer rate, call duration, failure rate |
Simulation cooling period | ❌ Manual or absent | ✅ Automated per employee |
Automatic follow-up training | ✅ Available on most platforms | ✅ Available on most platforms |
One item on this table worth explaining: the simulation cooling period. Without it, the same employee can receive the same phishing scenario repeatedly. They start recognizing the test, not the attack pattern, which produces a false picture of security improvement. A cooling period prevents any given scenario or sender domain from being reused against the same employee within a defined window, keeping simulations realistic and failure rates meaningful.
6 Features That Should Be Non-Negotiable When Evaluating SAT Platforms in 2026
Not every feature in a vendor's marketing materials carries equal weight. These six distinguish platforms that will genuinely prepare employees for real attacks from those that won't.
Live adaptive AI vishing. The AI must hold an unscripted, real-time phone conversation and adapt its responses to what the employee says. A pre-recorded voicemail doesn't train social engineering resistance — it trains people to recognize a test format. If a vendor can't demonstrate a live AI call during your evaluation, the capability isn't production-ready.
Custom executive voice cloning. The highest-fidelity vishing attack uses a voice the employee already trusts, their CFO, their IT manager, their CEO. Platforms that offer custom voice cloning let admins create an executive voice replica from a short audio recording, typically one to two minutes, then deploy that clone in a simulation. This tests the exact scenario attackers are using right now.
Hybrid (email + voice) campaign support. TOAD attacks are a standard technique in 2026. A platform that can't coordinate an email pretext and a follow-up AI call in a single campaign workflow can't train employees for this specific pattern. Running them as two separate campaigns misses the point — the whole power of a TOAD attack is the sequencing.
Deepfake video simulation. Video conferencing is now a forgeable medium. Platforms that offer native deepfake simulation, not just awareness content about deepfakes but actual simulated video calls, allow organizations to test whether employees would comply with a fake executive appearing on screen. Awareness alone isn't enough.
Vishing-specific reporting metrics. Email click rates don't describe voice phishing risk. The metrics that make a vishing program measurable are answer rate (what percentage of employees pick up), failed rate (whether the attacker goal was achieved), and median call duration (how long before the employee discloses or disconnects). Without these, you can't tell whether the program is working.
Simulation cooling period. Automated, per-employee cooling prevents scenario fatigue and keeps failure rates honest. Any platform that lets the same employee receive the same attack twice in quick succession is measuring recognition of a test, not real susceptibility.
How 12 Leading SAT Platforms Compare on the Features That Matter in 2026
Most platforms cover email phishing adequately. The real differences appear across voice, deepfake, and AI automation capabilities.
Platform | Live AI Vishing | Voice Cloning | Hybrid Attack | Deepfake Sim | Vishing Metrics | Cooling Period |
|---|---|---|---|---|---|---|
Brightside AI | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Jericho Security | ✅ | ✅ | ❌ | △ Managed service only | ❌ | ❌ |
Hoxhunt | ✅ | △ No true cloning | △ Email + Teams/Slack only | △ Email + mock video call; not autonomous simulation | ❌ | ✅ |
Revel8 | ✅ | △ Executive impersonation confirmed; self-serve upload cloning not documented | △ Playlist, not unified workflow | ✅ | ❌ | ❌ |
Arsen | ✅ | △ Multilingual AI voices; no true cloning documented | △ Multi-step, not unified | ❌ | ✅ | ❌ |
Keepnet Labs | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
AP2T Labs | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
KnowBe4 | ❌ No live AI calls on any tier | ❌ | ❌ | △ Awareness module only; AIDA/Diamond tier | ❌ | △ Smart Groups workaround |
SoSafe | ❌ Limited early-access demo only | ❌ | ❌ | ❌ | ❌ | △ Randomization algorithm |
Proofpoint | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Phished | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
Infosec IQ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
△ = Partial or conditional support
Full-suite platforms: Brightside AI
Brightside AI is the only platform in this comparison that delivers all six non-negotiable features natively, in a single product.
Its vishing simulator conducts live adaptive AI calls, real-time generative AI conversations rather than scripted audio, through a five-step template builder. Admins configure the attack goal (for example, extracting a password reset link or obtaining credit card details), the caller persona (name, role, and organization, auto-fillable by AI from the attack goal), layered social engineering tactics, and voice selection, all in one workflow. The platform's AI recommends an attack strategy based on the goal, organizing tactics into three layers: Foundation (scenario building through pretexting), Approach (curiosity hooks and rapport), and Pressure (fear/threat, authority impersonation, commitment escalation). It explains the psychological rationale for each layer, which helps admins understand what they're testing and why.
Custom voice cloning is built into the platform. Admins upload a one-to-two minute audio recording, and Brightside generates an executive voice replica that can be deployed in any simulation. This means you can test whether your finance team would hand over wire transfer details to a convincing clone of your CFO's voice, the exact attack pattern used in the Arup fraud.
The hybrid attack feature coordinates a phishing email and a follow-up AI call in a single campaign workflow. Deepfake video simulation covers the third major modern attack vector. The vishing dashboard tracks answer rate, failed rate, and median call duration with trend views across 7, 30, and 90 days. The platform enforces a simulation cooling period per employee, preventing the same domain or scenario from being reused within three months. Follow-up training triggers automatically when an employee fails a simulation.
Strong alternatives with notable gaps: Jericho, Hoxhunt, Revel8
These three platforms are ahead of email-only tools. All three offer live AI calling, and Jericho includes confirmed true voice cloning.
Jericho Security offers live adaptive AI vishing and executive voice cloning, making it a credible choice for organizations focused specifically on voice attack simulation. Its deepfake capability is a managed service rather than self-serve, meaning it requires Jericho's team involvement rather than admin-driven campaign design. It doesn't offer a dedicated vishing metrics dashboard, hybrid campaigns, a cooling period, or a browser preview function before launch.
Hoxhunt is strong on gamification and employee engagement. Its voice simulation uses multilingual AI preset voices rather than true custom cloning — there's no documented capability to clone a specific executive's voice. Its deepfake feature delivers a coordinated email plus mock video call rather than an autonomous deepfake simulation, which is useful for awareness but doesn't replicate the experience of a live fake video conference. Multi-channel campaigns combine email with Teams or Slack messages, not a coordinated email-then-phone-call workflow. No dedicated vishing metrics dashboard is available.
Revel8 offers live adaptive AI calling and includes deepfake executive impersonation scenarios. Custom voice cloning via an audio upload — the capability that lets you replicate a specific person's voice — is not documented as a self-serve feature, so organizations that need to clone their own executive voices for simulations should verify this directly with the vendor before committing. Its multi-channel approach organizes attacks as a playlist of separate campaign steps rather than a single unified workflow, a practical gap for admins trying to replicate TOAD attack sequencing at scale. No vishing-specific metrics dashboard is available.
Legacy and email-first platforms: KnowBe4, Proofpoint, SoSafe, Phished, Infosec IQ
These platforms are reliable for compliance-driven email phishing programs. They carry mature template libraries, strong integration ecosystems, and well-documented reporting frameworks. They've earned their market positions by solving the email phishing training problem well.
What they haven't built is native, live generative AI voice simulation. KnowBe4 offers template-based outbound vishing test calls from its Gold tier upward, but no tier delivers a live adaptive AI conversation — the call follows a scripted path regardless of what the employee says. Its Deepfake Training module, requiring an AIDA subscription or Diamond tier, is an awareness content tool that teaches employees what deepfakes are, not a simulation that puts them in a fake call. Proofpoint doesn't list vishing as a core documented feature. SoSafe's vishing offering is a limited early-access demo that customers must request through their account representative, not a self-serve campaign tool. Phished and Infosec IQ have no documented voice or deepfake simulation.
If your primary driver is regulatory compliance checkboxes on email phishing training, these platforms are adequate. If your goal is to prepare employees for the attacks that Mandiant's incident responders are actually investigating in 2026, they leave real gaps.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 5100 5100" xmlns="http://www.w3.org/2000/svg"><path d="M 2500.024 0 C 2553.328 0 2595.834 43.879 2595.834 97.125 L 2595.834 1876.506 L 3119.201 176.066 C 3134.891 125.086 3188.553 96.12 3239.425 112.351 C 3290.111 128.521 3317.762 183.113 3302.122 233.925 L 2779.762 1931.097 L 3779.21 461.931 L 3779.21 461.931 C 3809.253 417.765 3869.112 406.54 3912.791 437.34 C 3956.212 467.961 3966.827 528.293 3936.952 572.213 L 2940.571 2036.873 L 4325.625 929.91 C 4367.382 896.541 4427.806 904.057 4460.434 946.369 C 4492.863 988.434 4485.764 1049.285 4444.263 1082.452 L 3060.321 2188.526 L 4709.544 1539.817 C 4759.253 1520.266 4814.696 1545.603 4833.629 1595.492 L 4834.055 1596.658 C 4852.106 1646.063 4827.965 1701.593 4778.86 1720.913 L 3133.595 2368.073 L 4897.112 2235.63 C 4950.287 2231.63 4995.887 2272.239 4999.739 2325.374 L 4999.739 2325.374 C 5003.591 2378.46 4964.398 2425.357 4911.272 2429.348 L 3146.284 2561.899 L 4871.594 2956.552 C 4923.482 2968.425 4955.466 3020.57 4943.999 3072.498 C 4932.513 3124.564 4881.447 3157.944 4829.411 3146.042 L 3104.198 2751.408 L 4635.446 3637.4 C 4681.451 3664.017 4697.226 3723.193 4671.331 3769.585 L 4671.331 3769.585 C 4645.308 3816.215 4586.707 3832.86 4540.454 3806.104 L 3005.937 2918.221 L 4209.67 4218.413 C 4245.476 4257.082 4244.03 4317.683 4206.57 4354.549 L 4205.679 4355.411 C 4167.427 4392.128 4107.211 4390.593 4070.811 4352.262 L 4069.949 4351.351 L 2863.424 3048.138 L 3632.211 4648.15 C 3655.046 4695.671 3636.222 4753.253 3589.443 4777.295 L 3588.334 4777.86 C 3540.507 4801.675 3483.064 4781.335 3459.942 4733.221 L 2689.559 3129.881 L 2954.004 4888.23 C 2961.916 4940.841 2926.469 4990.659 2873.852 4998.868 C 2821.132 5007.086 2772.499 4970.211 2764.574 4917.511 L 2500.003 3158.32 L 2235.433 4917.511 C 2227.506 4970.211 2178.874 5007.086 2126.154 4998.868 C 2073.538 4990.659 2038.091 4940.841 2046.004 4888.23 L 2310.449 3129.871 L 1540.054 4733.221 C 1516.934 4781.335 1459.495 4801.675 1411.666 4777.86 C 1364.085 4754.154 1344.776 4696.048 1367.789 4648.15 L 2136.531 3048.237 L 930.091 4351.351 C 893.789 4390.564 832.92 4392.415 794.361 4355.411 C 756.039 4318.634 754.286 4257.389 790.37 4218.413 L 790.37 4218.413 L 1994.186 2918.132 L 459.517 3806.104 C 413.263 3832.86 354.662 3816.215 328.639 3769.585 C 302.745 3723.193 318.529 3664.017 364.525 3637.4 L 1895.723 2751.438 L 170.629 3146.042 C 118.603 3157.944 67.537 3124.564 56.04 3072.498 C 44.584 3020.57 76.568 2968.425 128.455 2956.552 L 1853.763 2561.899 L 88.728 2429.348 C 35.602 2425.357 -3.591 2378.45 0.261 2325.364 C 4.103 2272.239 49.713 2231.63 102.888 2235.621 L 1866.342 2368.063 L 221.081 1720.903 C 171.59 1701.435 147.458 1645.18 166.322 1595.487 C 185.106 1545.988 239.826 1520.657 289.238 1539.361 L 290.397 1539.811 L 290.397 1539.812 L 1939.997 2188.674 L 555.875 1082.452 C 514.375 1049.285 507.275 988.434 539.705 946.369 C 572.333 904.057 632.766 896.541 674.514 929.91 L 2059.407 2036.744 L 1063.117 572.213 C 1033.242 528.293 1043.857 467.961 1087.279 437.34 C 1130.957 406.54 1190.816 417.766 1220.86 461.932 L 2220.177 1930.909 L 1697.876 233.925 C 1682.237 183.113 1709.887 128.521 1760.574 112.351 C 1811.446 96.12 1865.108 125.086 1880.799 176.066 L 2404.214 1876.665 L 2404.214 97.125 C 2404.214 43.879 2446.718 0 2500.024 0 Z" fill="rgb(165, 140, 255)" height="5000.014289657591px" id="KrZEL4sI2" stroke-dasharray="" stroke-linecap="round" stroke-linejoin="bevel" stroke-width="50" stroke="rgb(165, 140, 255)" transform="translate(50 50)" width="5000px"/></svg>)
Try our vishing simulator
Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.
How to Evaluate SAT Platforms Before You Buy: A Checklist for Security Leaders
The right platform depends on your organization's actual threat exposure, your technical environment, and how you define "working" for your security awareness program.
Map your threat profile before you evaluate vendors. Do your employees receive calls from vendors, customers, or executives? Do they handle financial authorizations, IT access resets, or MFA enrollment? If yes, vishing simulation isn't a nice-to-have. It's a core requirement.
Ask for a live AI vishing call demo, not a recording. During your evaluation, ask the vendor to run a live adaptive AI call against a test number while you're on the call with them. If they demonstrate a recording instead, the live capability isn't ready for production use.
Get specific about what "hybrid" means. Ask the vendor to walk you through coordinating an email pretext and a follow-up phone call in a single campaign. If the answer involves two separate workflows that an admin connects manually, that's a real constraint — and it means your team can't efficiently simulate TOAD attacks at scale.
Ask for anonymized failure rate data from existing customers. Any platform with a genuine track record will be able to show how vishing simulation failure rates change over three to six months of deployment. If the vendor can only provide email phishing data, that's a signal.
Confirm your identity provider integration before you commit. Effective simulations require current employee data, name, role, department, seniority, tools used. Confirm the platform integrates directly with your identity provider (Google Workspace, Microsoft Active Directory, Okta, or Vanta) so employee records stay synchronized without manual maintenance.
Check which features are actually in the tier being quoted. Several platforms in this comparison restrict certain capabilities to premium tiers. Confirm that every feature described in vendor demos, especially voice simulation, voice cloning, and deepfake access, is included in the subscription level on the quote.
The Threat Has Moved On. Your SAT Platform Should Too.
The data is straightforward: email phishing has declined to 6% of intrusions, vishing is now the second most common attack entry point, and AI tools have made voice cloning something any attacker can execute with a few seconds of publicly available audio. A security awareness program that only tests email isn't a complete program. It has a growing blind spot that attackers are actively exploiting.
There's also a practical compliance and insurance dimension worth noting. Cyber insurers are increasingly reviewing voice verification controls as part of underwriting assessments. Organizations without documented vishing simulation programs, and without callback verification protocols backed by employee training, may face higher premiums or coverage exclusions as this becomes a standard evaluation criterion.
Next-gen SAT platforms do exist, and the best of them cover voice, deepfake, and email simulation in a single product. Choosing the right one comes down to asking the right questions during evaluation and refusing to accept "vishing" as a feature label without seeing what it actually means in practice.
If you want to see how Brightside AI covers all six non-negotiable features, including live adaptive AI calls, custom executive voice cloning, and hybrid email-plus-voice campaigns, [book a demo and run a live simulation against your own number].
