Service deep-dive

Phishing simulation and training that changes behaviour.

Bundled in every Cyber Essentials tier starting at $95/seat/mo. Standalone at $7/seat/mo with a 20-seat minimum ($140/mo floor). Monthly simulated phish, role-based training, quarterly user-risk report, named coaching plan for repeat-clickers. Powered by Hoxhunt or KnowBe4, picked to match how your team actually works.

Who this is for

Three patterns describe almost every business that books the standalone tier or asks us to turn this on inside a managed engagement.

Nothing in place today

There has never been a phishing test at the business. Staff have never been trained on what a real attack looks like. The bookkeeper would forward almost any email that looked like a vendor invoice. You know this and you know it has to change, but you do not know what good looks like.

Compliance training nobody does

There is a training platform somewhere — assigned annually, completed at 60% on a good year, mostly clicked-through on a bad one. The carrier sees a tick-box. The actual attack surface has not moved. You want the version that changes behaviour, not the version that satisfies an annual checkbox.

Carrier or auditor is asking

The cyber-insurance questionnaire asks: do you run phishing simulations, how often, and can you produce the results. The vendor-risk team at your largest customer is asking the same thing. You need a real program with documented evidence, not a screenshot of last year's all-hands.

Why this matters in the Peace

Almost every successful breach at a northern Alberta SMB in the past three years started with one person clicking one email. A bookkeeper authorizing a vendor banking change. A dispatcher logging into a fake freight portal. An owner approving a wire on what looked like a supplier email. Once the credentials are in attacker hands, the rest of the chain follows quickly.

The technical controls — MFA, Conditional Access, Defender, managed EDR — catch most of what gets past trained users. Training catches what the technical controls miss, and reduces the load on those controls so they have a shot at the truly sophisticated attacks. Neither side works alone. Both sides have to be real.

What “real” means in this context is a measured outcome. A real phishing program produces a click rate number that goes down every quarter. A compliance training program produces a completion percentage that means nothing about whether anyone is actually safer. Carriers know the difference; auditors are starting to know the difference; and the difference shows up in the data the first time the business gets targeted.

What the program includes

Six pieces that run as one operating program. The user sees the campaigns and the training. The owner sees the report. The carrier and underwriter see the evidence package.

01. Monthly simulated phishing campaign

One simulated phish per user per month, themed to the calendar and the business — fake vendor banking changes around month-end, fake CRA refund notices around tax time, fake DocuSign requests targeted at owners, fake supplier portal logins for ag and trucking operations. Click rate tracked, repeat-clickers flagged.

02. Role-based training assignments

Bookkeepers get vendor-fraud and invoice-fraud modules. Owners get CEO-impersonation and wire-fraud modules. Dispatchers get cargo-rerouting and broker-impersonation modules. Drivers, field staff, and seasonal workers get the short-and-to-the-point version. Training tracks behaviour, not job titles.

03. Quarterly user-risk report

A written report to the owner every three months. Overall click rate trend, comparison to industry baseline, named high-risk users (with a recommended coaching plan), departments or roles trending in the wrong direction. Owner-readable in five minutes.

04. Named high-risk coaching plan

When a specific user repeatedly clicks, we do not just send them more modules. We sit with the owner and design a coaching plan — extra controls (per-user MFA prompts, restricted permissions, mandatory call-back on banking changes), a one-on-one conversation, and a 90-day review. People who got caught are still on the team; we make sure they do not get caught the same way twice.

05. Reported-phish triage

When a user clicks the Report Phish button on a real (or simulated) email, the report routes to our queue. We triage it, take action where action is warranted, and close the loop with the reporter — thanks, that was real, we blocked it; or, that was our test, well caught. Reporting is a behaviour we want to reinforce.

06. Onboarding and offboarding flow

New hires are enrolled into the program automatically. Departing staff are removed without leaving orphaned licenses. The cycle keeps running without anyone in the business having to remember to maintain it.
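To make the numbers behind items 01, 03, 04 and 05 concrete, here is an added example of how the quarterly figures can be derived from raw campaign results. It is illustrative code written for this page, not the provider's reporting tooling and not Hoxhunt's or KnowBe4's code. The dataset is constructed (eight users, three monthly campaigns), the repeat-clicker rule (clicked in at least two campaigns in the quarter) and the 30% industry baseline are assumptions chosen for the example, and the only output is a summary an owner or broker could read.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """Outcome of one simulated phish sent to one user in one campaign month."""
    month: str
    user: str
    role: str
    clicked: bool    # followed the simulated link
    reported: bool   # used the Report Phish button


# Constructed sample: user -> role (assumed names and roles, not real staff).
ROLES = {
    "alice": "bookkeeper", "bob": "owner", "carol": "dispatcher", "dave": "driver",
    "erin": "bookkeeper", "frank": "field", "grace": "owner", "hank": "dispatcher",
}

# Constructed sample: one campaign per month, who clicked and who reported.
CAMPAIGNS = {
    "2024-01": {"clicked": {"alice", "carol", "dave", "hank"}, "reported": {"bob", "erin", "grace"}},
    "2024-02": {"clicked": {"alice", "hank"}, "reported": {"bob", "carol", "erin", "grace", "frank"}},
    "2024-03": {"clicked": {"alice"}, "reported": {"bob", "carol", "erin", "grace", "hank", "dave"}},
}


def build_results(roles, campaigns):
    """Expand the compact campaign dictionaries into one Result per user per month."""
    return [
        Result(month, user, role, user in c["clicked"], user in c["reported"])
        for month, c in sorted(campaigns.items())
        for user, role in roles.items()
    ]


def rate(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when nothing was sent."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def monthly_rates(results):
    """Click rate and report rate per campaign month, oldest first."""
    by_month = defaultdict(list)
    for r in results:
        by_month[r.month].append(r)
    return [
        {
            "month": month,
            "seats": len(rs),
            "click_rate": rate(sum(r.clicked for r in rs), len(rs)),
            "report_rate": rate(sum(r.reported for r in rs), len(rs)),
        }
        for month, rs in sorted(by_month.items())
    ]


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: the coaching-plan candidates."""
    clicks = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted((user, n) for user, n in clicks.items() if n >= threshold)


def role_click_rates(results):
    """Quarter-wide click rate per role, to spot roles trending the wrong way."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.role] += 1
        clicked[r.role] += int(r.clicked)
    return {role: rate(clicked[role], sent[role]) for role in sorted(sent)}


def quarterly_report(results, baseline_click_rate=30.0):
    """Assemble the owner-readable figures; baseline 30.0 is an assumed SMB cold-start midpoint."""
    months = monthly_rates(results)
    first, last = months[0]["click_rate"], months[-1]["click_rate"]
    trend = "improving" if last < first else "worsening" if last > first else "flat"
    return {
        "months": months,
        "trend": trend,
        "latest_vs_baseline": round(last - baseline_click_rate, 1),
        "repeat_clickers": repeat_clickers(results),
        "roles": role_click_rates(results),
    }


if __name__ == "__main__":
    report = quarterly_report(build_results(ROLES, CAMPAIGNS))
    for m in report["months"]:
        print(f'{m["month"]}: click {m["click_rate"]}%  report {m["report_rate"]}%  ({m["seats"]} seats)')
    print("trend:", report["trend"], "| latest vs baseline:", report["latest_vs_baseline"])
    print("coaching-plan candidates:", report["repeat_clickers"])
    print("by role:", report["roles"])
```

Two design points worth noting. The report rate is tracked alongside the click rate because, as the triage item says, reporting is the behaviour the program wants to reinforce; a month where clicks fall but reports also fall is not the same as a month where users are actively catching the phish. And repeat-clickers are identified by count across campaigns rather than by a single failure, which is what keeps the coaching plan aimed at a pattern instead of one bad afternoon.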

Platform — Hoxhunt or KnowBe4

We run on one of two platforms, chosen to fit your team's culture and the carrier or regulator context. Either way, the licensing is bundled into the per-seat price. You do not deal with the vendor directly.

Hoxhunt

Gamified, behaviour-first. Users earn points for reporting phish. The training experience feels like a productivity tool, not a compliance module. Best for tech-comfortable teams, professional-services firms, and businesses where the culture rewards engagement. Strong in regulated industries because the evidence package is audit-ready by default.

KnowBe4

Library-deep, content-heavy. Years of training modules covering every imaginable scenario, including industry-specific content for ag, trucking, oilfield, and healthcare. Best for traditional teams where the training has to feel like training, not a game. Strong in regulated industries because the content library is the broadest in the market.

What this program is not

Honesty about scope keeps expectations clean.

This is not annual compliance training

A 45-minute slideshow once a year, completed in a browser tab between other work, satisfies a tick-box. It does not change behaviour. We do not deliver that product. Real training is monthly, short, role-relevant, and tied to a measured outcome.

This is not punishment for users who click

Users who fall for a well-crafted phish are not stupid; they are humans whose attention was on something else. The program is built to coach, not to shame. Repeat-clickers get a coaching plan, not a public scorecard.

This is not the entire security program

Training reduces click rate by 70–90% over twelve months in the data we have seen. The remaining 10–30% of clicks still happen, which is why training pairs with Conditional Access, MFA, Defender for Office 365, and managed EDR. Training without the technical controls is the security equivalent of locking the front door but leaving the back unlocked.

This is not a one-time deliverable

The program is a subscription because the attackers are not on a one-time schedule. New techniques appear every month. New staff join every quarter. The coaching plan needs sustained attention to actually move the click rate. If you want a one-time training day, we can refer you to a Canadian provider that does that work; the standalone day is not what this service is.

Pricing — said out loud

  • Bundled at no extra charge in every Cyber Essentials tier. The $95, $175, and $275 per-seat-per-month tiers all include the full phishing simulation and training program. The 5-seat tier minimum applies.
  • $7/seat/mo standalone. 20-seat minimum, $140/mo floor. For businesses staying with their current IT provider but wanting a real training program with documented evidence.
  • Seasonal seat flex on standalone. Annual-average 20 seats; individual months can swing up or down so seasonal ag, trucking, and fire-season operations do not pay for empty seats.
  • Month-to-month after the first month. No 12-month lockup. If the program is not moving the click rate, you do not pay to leave.

Frequently asked questions

How do you pick between Hoxhunt and KnowBe4?

On the scoping call we ask a handful of questions about the team — average age, technology comfort, existing training culture, whether the carrier or regulator requires specific content libraries. Most businesses fit cleanly to one or the other within fifteen minutes. We make the call and stand behind it; if the platform is wrong six months in, we migrate at no charge.

What does a campaign actually look like?

Each user receives a single phishing email at an unannounced time during the month. The email is themed to their role and the calendar — bookkeepers might see a fake supplier banking-change notice in the last week of the month, owners might see a fake DocuSign request about a contract renewal. If they click, they see a brief, non-judgmental landing page explaining the indicators they missed. If they report, they see a thank-you and a points reward. That is the whole experience for the user; the rest happens in the reporting back-end.

What is the realistic click rate after a year?

Industry baselines for SMBs that start cold are around 25–35% click rate. After twelve months of a real monthly program, most clients are between 3% and 8%. The remaining click rate is concentrated in a small number of users (the coaching-plan candidates) and in genuinely sophisticated phish that even trained users struggle with — which is exactly why we pair training with technical controls.

Do you do in-person training too?

Yes, on request. For Cyber Premium clients we deliver an annual in-person session — usually a 90-minute scenario walkthrough with the owner, leadership, and the highest-risk roles. For standalone clients we can quote an in-person session separately. Most of the program is intentionally remote because that is what is sustainable and measurable.

What about seasonal workers and short-term staff?

The 20-seat minimum on the standalone tier is annual-average. We can flex seat count up and down by month so seasonal businesses — ag operations, fire-season contractors, summer-tourism — do not pay for seats they do not have. Onboarding and offboarding flows are built for this rhythm.

Is there evidence we can show our broker?

Yes. The quarterly user-risk report is broker-ready by design — overall click rate trend, percentage of staff completing training, named-high-risk-user count and coaching status, comparison to industry baseline. We will join a call with your broker or underwriter to walk through the report at no extra charge.

Ready to make training the thing that changes behaviour?

The scoping call is free, takes 30 minutes, and tells you which platform and cadence fit the team you have today.