← All articles

How to run an effective phishing simulation program

GottaPhish Team · March 18, 2026

A phishing simulation program is not a "gotcha" exercise — it is a measurement and training system. Run it badly and you erode trust and learn nothing; run it well and you get a defensible, improving metric for one of your largest attack surfaces.

Define the goal before the first send

Decide what you are actually measuring. Common objectives:

The single most useful metric is often not click rate but report rate, because a workforce that reports quickly gives your SOC the signal it needs to contain a real attack in minutes.

Get the program design right

Baseline first, then improve

Run an initial, low-difficulty baseline campaign to establish where you stand. Never publish or attach names to the baseline — its job is a starting number, not accountability.

Segment and randomise

Send to representative segments over a window rather than blasting everyone at 9:00 on a Monday. Simultaneous sends trigger hallway warnings ("watch out for the fake email") that corrupt your data.

Escalate difficulty over time

Map campaigns to a difficulty ladder:

Match difficulty to maturity. Hard lures against an untrained population just produce a demoralising click rate.

Operating rules that keep trust intact

Measure what matters

Track trends, not single numbers:

Report Rate      = reported / delivered
Click Rate       = clicked / delivered
Compromise Rate  = credentials submitted / delivered
Resilience Ratio = reporters / clickers   (target: > 1, and rising)
Median Time-to-Report
Repeat-Clicker %  (same users across campaigns)

A healthy program shows report rate climbing and time-to-report falling over successive quarters, with repeat-clickers getting focused follow-up rather than blanket retraining.

A note on technical measurement

Beware inflated numbers from security tooling that pre-clicks links (URL sandboxes, link rewriters, mail-security scanners). Allowlist your simulation sender and infrastructure in these systems, or filter their user-agents and source IPs, so a scanner isn't logged as a "click."

A simple quarterly cadence

  1. Plan — pick theme, difficulty tier, and target segments.
  2. Send — staggered over several days.
  3. Train — just-in-time content for those who click; recognition for reporters.
  4. Report — trends to leadership, focused action on lagging segments.
  5. Iterate — raise difficulty as resilience improves.

Treat simulations like fire drills, not exams. The point is a faster, calmer, better-prepared response — not a list of people to blame.

How GottaPhish helps

Run a simulation program badly — inconsistent scenarios, no measurement, no follow-through — and you erode trust while learning nothing. GottaPhish and its expert support team run the whole cycle for you: AI-personalized simulations that scale from easy baselines to targeted, context-aware lures, staggered sending, just-in-time training at the moment of the click, and dashboards tracking report rate, time-to-report, resilience ratio, and repeat-clickers by segment. Our experts work hands-on with you to design scenarios, set up and roll out campaigns (including phishing-resistant MFA when credential exposure is the real risk), and interpret the results, so each round measurably improves behaviour rather than just producing numbers.