
Phishing defense workflows: can training and response finally align?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: 83% of security leaders find awareness training ineffective while 99% of organisations still see human-error incidents, according to Abnormal AI, and it argues phishing defence fails when reporting, remediation, and coaching remain separate workflows. The security model needs closed-loop response, because isolated training cannot change behaviour fast enough to reduce risk.

NHIMG editorial — based on content published by Abnormal AI: key insights on closed-loop phishing defence, AI Security Mailbox, and AI Phishing Coach

By the numbers:

Questions worth separating out

Q: How should security teams build a phishing programme that actually reduces risk?

A: They should connect reporting, triage, remediation, and coaching into a single workflow.

Q: Why do awareness campaigns often fail to change employee behaviour?

A: They fail when training is disconnected from real attacks.

Q: What breaks when phishing reporting still depends on manual analyst review?

A: The programme becomes bottlenecked by analyst capacity, and the organisation loses speed at the point where containment matters most.

Practitioner guidance

  • Unify report handling with automated remediation: route user-reported emails into a classification workflow that can identify malicious messages, remove related threats across mailboxes, and preserve campaign context for analysts.
  • Replace generic simulations with threat-derived coaching: use confirmed malicious emails as the input for realistic simulations and personalised coaching so awareness content tracks the threat patterns employees actually encounter.
  • Measure behaviour change, not training activity: track whether reporting leads to faster containment, better user decisions, and fewer repeat exposures instead of relying on completion rates or click-rate alone.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • How AI Security Mailbox classifies reported emails into malicious, spam, safe, or simulation states
  • How confirmed threats are removed across the organisation after a report is submitted
  • How AI Phishing Coach converts real malicious emails into adaptive simulations and contextual feedback
  • How employees receive plain-language explanations of why a message was malicious and what happened next

👉 Read Abnormal AI's analysis of closed-loop phishing defence and AI coaching →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Phishing defence fails when reporting, remediation, and training operate as separate workflows. The article's core claim is structural, not tactical. Organisations can have a report button, a triage queue, and an awareness platform and still fail to reduce risk if those functions do not share context and trigger one another. That fragmentation turns security work into disconnected activity. The practitioner conclusion is that programme design matters as much as tooling.

A few things that frame the scale:

  • 83% of security leaders report their awareness training is ineffective, yet 99% of organisations still experience human-error incidents, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How do you know whether phishing defence is working?

A: Look for three signals: faster time from report to containment, fewer repeat exposures from the same campaign, and better quality of employee reporting over time. If the only numbers available are training completion or click rates, the programme is measuring participation, not control effectiveness.

👉 Read our full editorial: Closed-loop phishing defense is replacing fragmented awareness workflows
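One way to compute the three signals named above (and the first post's "measure behaviour change, not training activity" point) from triaged report records, as an added example that is not part of either post or of Abnormal AI's products; the Report fields, campaign labels and sample records are constructed assumptions, not a vendor schema:

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Report:  # one triaged user report; assumed fields, not a vendor schema
    verdict: str                             # malicious | spam | safe | simulation
    reported_at: datetime
    campaign: Optional[str] = None           # cluster id assigned at triage
    contained_at: Optional[datetime] = None  # related mail removed org-wide at this time
    clicked: bool = False                    # reporter interacted with the lure first

T = datetime.fromisoformat
# Constructed sample: C1 and C2 contained, C3 still open, two non-threats, one simulation.
REPORTS = [
    Report("malicious", T("2024-05-01T09:00"), "C1", T("2024-05-01T09:12")),
    Report("malicious", T("2024-05-01T09:05"), "C1", T("2024-05-01T09:12"), clicked=True),
    Report("malicious", T("2024-05-01T10:30"), "C1", T("2024-05-01T09:12")),  # after containment
    Report("malicious", T("2024-05-02T14:00"), "C2", T("2024-05-02T14:45")),
    Report("malicious", T("2024-05-03T08:00"), "C3"),
    Report("spam", T("2024-05-01T11:00")),
    Report("safe", T("2024-05-02T09:00")),
    Report("simulation", T("2024-05-04T09:00"), clicked=True),
]

def phishing_signals(reports):
    """The three closed-loop signals from the post, computed over triaged reports."""
    mal = [r for r in reports if r.verdict == "malicious"]
    first_report, first_contained = {}, {}
    for r in mal:
        first_report[r.campaign] = min(first_report.get(r.campaign, r.reported_at), r.reported_at)
        if r.contained_at:
            first_contained[r.campaign] = min(first_contained.get(r.campaign, r.contained_at), r.contained_at)
    # Signal 1: minutes from a campaign's first report to its org-wide containment (median).
    mins = [(first_contained[c] - first_report[c]).total_seconds() / 60 for c in first_contained]
    # Signal 2: reports filed after their campaign was contained, i.e. mailboxes the sweep missed.
    late = {}
    for r in mal:
        if r.campaign in first_contained and r.reported_at > first_contained[r.campaign]:
            late[r.campaign] = late.get(r.campaign, 0) + 1
    # Signal 3: malicious share of real (non-simulation) reports, and share filed before a click.
    real = [r for r in reports if r.verdict != "simulation"]
    return {
        "median_minutes_to_containment": median(mins) if mins else None,
        "open_campaigns": sorted(c for c in first_report if c not in first_contained),
        "repeat_exposures": late,
        "report_precision": round(len(mal) / len(real), 3) if real else 0.0,
        "reported_before_click": round(sum(not r.clicked for r in mal) / len(mal), 3) if mal else 0.0,
    }
```

Tracked over time, the first two values should fall and the last two should rise; completion and click rates alone say nothing about any of them.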
