Target deployment
Mid-market to enterprise organizations wanting the broadest security awareness…
content library, mature phishing simulation, and AI-driven personalization (AIDA) — particularly strong fit when regulated industries need built-in compliance modules
Penetration testers, red teams, small security teams, and security researchers…
wanting full control over phishing simulation infrastructure and data — willing to build their own training content layer
Mid-market organizations and MSPs wanting fully-automated, AI-driven phishing…
simulation and training with minimal admin workload — particularly strong fit for European deployments and NIS2-driven training mandates
Strengths cited
World's largest security awareness content library (training modules in 35+…
languages, frequently updated), thousands of phishing simulation templates, AIDA (AI-Driven Agent) for personalized phishing and training in Diamond tier, SmartRisk Engine for quantified human risk scoring (0-100 scale), Industry Benchmarking for comparing Phish-prone percentage against peers, 60+ built-in reports, Compliance Plus add-on for 100+ regulatory frameworks, PhishER Plus for inbox threat reporting and remediation, SecurityCoach for real-time behavioral coaching, broad integrations with IdPs and email security
Free under MIT License with active community, single static binary makes…
deployment trivial (download and run), built-in REST API enables automation, full HTML template editor in web UI for crafting pixel-perfect phishing emails and landing pages, real-time campaign tracking (email opens, clicks, credential submissions), Python client library, scheduled campaigns, Docker container available, full data sovereignty (your infrastructure, your data, your sending domains)
Fully-automated platform requiring minimal IT involvement after initial…
configuration, AI-driven personalization adjusts difficulty based on individual user skill level and behavior, content available in 18+ languages with native localization, Phished Behavioral Risk Score (BRS) for organization-wide cyber resilience measurement, Zero Incident Mail (ZIM) creates a secure sandbox training environment when employees click test links, Phished Academy with 360 cybersecurity topics via gamified science-based curriculum, real-time threat alerts from in-house cyber defense team, EU-headquartered (Belgian) with strong GDPR and NIS2 alignment, 4.6/5 G2 rating from 108+ reviews
Where it fits less well
Tiered pricing with feature gating
many advanced capabilities (AIDA, SmartRisk Engine, API access, Smart Groups, callback phishing) only in higher tiers (Platinum/Diamond); content quality varies by tier (newest training and video content often Diamond-only); some buyers report Microsoft Defender integration friction with the PAB reporting button; per-user pricing can creep up with organizational growth; KnowBe4 acquired by Vista Equity Partners in 2023 (privatized) — long-term roadmap visibility shifted
Phishing simulation framework only
no built-in training content (you create or source training separately), no SSO/multi-tenancy in the upstream project, no automated user provisioning, limited reporting compared to commercial platforms, no built-in compliance modules, community-maintained (no commercial SLA; last upstream release was v0.12.1 in September 2022, with low release cadence since, though community forks remain active), running phishing simulations requires careful legal authorization (unauthorized testing may violate computer fraud statutes), spam-list management and deliverability are operational responsibilities you take on
Custom pricing means no public price benchmark
buyers should reference enterprise comparisons; some users report training email frequency feels heavy if not tuned; reporting depth and dashboard interactivity have room to grow per reviews; less name recognition than KnowBe4 in North American markets; product evolved through acquisition by Pleo's parent company and growth phase ($16M+ ARR, 6,000 customers as of Q1 2026); offline / non-digital phishing simulation (USB drops, in-person social engineering) not the primary focus