Attack Simulation and Security Awareness: Complete Guide 2026
Reduce human risk and meet NIS2/DORA with realistic simulations (phishing, smishing, vishing, QRishing), smart segmentation, and KPIs to prove improvement.

2026 is not just another year for corporate cybersecurity. It is the inflection point where regulatory compliance, threat sophistication and reputational pressure converge in a single requirement: to manage human risk with rigor, strategy and measurable results.
With the entry into force of the NIS2 Directive and the DORA framework, management teams are required to demonstrate proactive actions in cybersecurity, and not just implement reactive technologies. Staff awareness is no longer a complementary option but a critical pillar of compliance and resilience.
According to IBM, 82% of security breaches involve a human element, either through error, misuse, or credential compromise (IBM Threat Intelligence Index 2023). For its part, ENISA identifies the human factor as one of the most recurrent risk vectors in organisational cybersecurity, especially in regulated and critical infrastructure sectors.
And yet, many companies continue to delegate prevention to generic training or well-intentioned newsletters that hardly leave a trace.
"It's not just about complying. It's about reducing risk with real and sustainable impact."
– Fernando Mateus (CEO of Kymatio)
Disconnected campaigns no longer work
Many current security awareness programs fail because they focus exclusively on long, dense trainings once or twice a year. But there is no behavior change without:
- Realistic simulations adapted to each type of profile.
- Effective segmentation and continuous campaigns, not single actions.
- Accurate impact measurement, with KPIs that connect with the business.
To transform the reactive approach into an effective strategy, it is essential to review the legal basis of this type of initiative and its alignment with frameworks such as the GDPR and the NIS2 itself. You can expand on this perspective in our guide on the most relevant legal aspects of simulating attacks in regulated environments.
And if you want this transformation to permeate all levels, including the executive committee, it is key to link awareness to corporate objectives. Here's how to structure a program that gains credibility inside and outside the cybersecurity area.
Types of simulable attacks and their evolution
Threats targeting people have evolved rapidly. An effective security awareness approach must reflect this complexity, and that starts by diversifying the types of simulations. It's not enough to just send one suspicious email a quarter: techniques have multiplied, and threat actors know how to exploit different channels, emotions, and contexts.
Phishing, Smishing, Vishing, QRishing... What to simulate in 2026?
Here are the basic variants that every organization should include in its attack simulation program:
- Phishing: The classic. Emails that impersonate known services or internal roles. In 2026, the most effective templates are personalized, contextual, and focused on apparent urgencies (Verizon DBIR 2023).
- Smishing: Simulation of malicious SMS. Used to steal credentials or induce clicks from mobile devices, where the user is more exposed.
- Vishing: Calls simulated with social engineering techniques. They can use synthetic voices or automated scripts.
- QRishing: Simulations with QR codes. In full swing after post-pandemic digitalisation, they are key to assessing physical-digital risk.
Including all these formats allows the program to be aligned with real threats and respond to what is required by regulatory frameworks such as NIS2. If you want to structure it by channel type, risk, and time of year, explore this resource with recommendations for planning campaigns by modality and calendar.
Emerging Threats: How to Simulate Without Saturating
Beyond classic techniques, the use of generative artificial intelligence and deepfakes is creating new forms of attack that directly impact organizational trust. While it's not always feasible to simulate everything, you can incorporate key aspects:
- AI-generated emails that mimic real internal patterns.
- Fake videos that impersonate managers or suppliers.
- Multi-channel simulations that connect email, phone, and messaging apps.
The complete cycle of an effective campaign
A security awareness campaign cannot be improvised. For a simulation to have a real impact, it must follow a structured cycle: from planning to analysis, each phase provides valuable data and conditions the next. Here's how to get it right, step by step.
Preparation: clear objectives and intelligent segmentation
Before you send a single template, you need to define what you want to achieve. Reduce the click-through rate? Compare departments? Measure the effectiveness of previous awareness actions or training?
Then segment. Generalist campaigns often fail because they ignore the differences between profiles, responsibilities and levels of risk exposure.
Key recommendations:
- Define operational objectives (click, credentials delivered, report).
- Segment by area, risk profile, or previous experience.
- Customize templates: an email from "Human Resources" is not the same as an "IT Security" alert.
This structured approach is captured in our resource on how to plan effective campaigns, measuring what matters.
Execution: strategic launches and immediate reinforcement
Once the campaign is ready, the timing and subsequent sequence are key to avoiding bias and maximizing learning.
Good practices:
- Choose a day and time with realistic activity (not Monday first thing in the morning or Friday afternoon).
- Keep the campaign active long enough to capture real responses, not just initial impulses.
- Configure the necessary whitelists (IPs, domains, URLs) to avoid blocks by security systems.
- Inform the minimum necessary team (IT, compliance or ethics committee) that a simulation will be carried out, including the key characteristics (channel, type of attack, duration).
- Perform an internal pre-test with a small group to verify deliverability, usability, and traceability of results.
- Automate reinforcements: users who fall should receive contextual educational content, ideally brief.
You can see how to structure this type of automation with content in our material on immediate reinforcement using 60-second microcontent.
Closing and analysis: data that drives action
Finishing a campaign without analysis is a missed opportunity. The essential thing is not the data itself, but what you do with it.
Recommended indicators:
- Click rate and failure rate broken down by segment.
- Reaction time (click/report) in seconds or minutes.
- Comparison with previous campaigns or with the sector.
The analysis should be used to design the following action: reinforcement, new campaign, one-off intervention or internal communication.
To structure the complete analysis with KPIs aligned to the business, access our detailed evaluation model by segmentation and return.
A solid program is not based on loose simulations. It is built on a systematic cycle that connects each phase to the next, aligned with frameworks such as NIS2 and with the real risks of each organization. You can draw inspiration from the practices gathered by the SANS Security Awareness Planning Kit to consolidate this approach.
Impact measurement: metrics that matter (really)
A good phishing simulation campaign doesn't end when the messages are sent. Its true value is in the data it generates and what you do with it. Measuring for the sake of measuring is useless. What is relevant is to identify the metrics that drive decisions, compliance and real improvement in people's behavior.
What should you measure? Key metrics aligned with NIS2
To be aligned with the NIS2 Directive and demonstrate continuous improvement, these are the basic metrics you should collect in each campaign:
- Click Rate: % of users who click on the simulated malicious link.
- Failure Rate: % of users who not only click, but also provide sensitive data or download attachments from the email or landing page.
- Improvement Rate: Reduction of failure compared to previous campaigns, by area or group.
These three metrics allow you to observe the evolution, identify departments with greater exposure to risk and prioritize actions.
Don't know what values are reasonable? You can compare your performance with real market data in this benchmark of average rates by sector and company size for 2026.
How are you doing with respect to your sector? Real benchmarks
Comparing yourself to yourself is fine. Comparing yourself with your sector is better.
Benchmarking with public and private benchmarks allows you to:
- Validate that your strategy is going in the right direction.
- Justify investments or changes to the steering committee.
- Avoid making reactive decisions in the face of a single failed campaign.
Check out reference sources from the Center for Internet Security and other industry reports to see how metrics are evolving in organizations similar to yours.
From data to decision: resistance thresholds by area
Not all departments have the same level of exposure nor should they be measured with the same yardstick. A 10% click-through rate on an administrative team may not have the same impact as 3% on the financial side.
That's why setting specific thresholds by profile and role is key to scaling judiciously. You can rely on our approach to define a progressive continuous improvement model per area, based on the level of inherent risk.
Practical example?
- Department A: 22% click-through in January, 11% in April → 50% improvement.
- Department B: 5% stable for 3 campaigns → consolidated resistance.
Both cases deserve different answers: one training reinforcement, the other recognition and inclusion in advanced initiatives.
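The metrics section above (click rate, failure rate, improvement rate, reaction time) and this worked example of two departments measured against different thresholds can be computed from campaign results with a few lines of code. The following Python script is an added example, not code from the original article or from Kymatio: the events, department names ("admin", "operations", "finance"), threshold values and the "reinforcement / recognition / monitor" decision rules are all constructed assumptions, chosen so that the admin series reproduces the 22% → 11% case and the operations series the "5% stable for 3 campaigns" case. It goes slightly beyond the text by adding a finance team whose 4% rate is still above its stricter 3% yardstick.

```python
"""Per-segment KPI computation for a phishing-simulation campaign.

Added example, not part of the original article. All events below are
constructed sample data; department names, thresholds and the
'recommend' rules are illustrative assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    user: str
    dept: str
    campaign: str          # sortable label, e.g. "2026-01"
    clicked: bool          # opened the simulated malicious link
    submitted: bool        # went on to enter data / download the attachment
    reported: bool         # reported the message instead of clicking
    seconds_to_click: Optional[int]


def make_segment(dept: str, campaign: str, targeted: int,
                 clicks: int, failures: int, reports: int) -> List[Event]:
    """Build constructed events: failures are a subset of clicks,
    reporters are drawn from the users who did not click."""
    assert failures <= clicks and clicks + reports <= targeted
    events = []
    for i in range(targeted):
        clicked = i < clicks
        events.append(Event(
            user=f"{dept}-{i:03d}", dept=dept, campaign=campaign,
            clicked=clicked, submitted=i < failures,
            reported=clicks <= i < clicks + reports,
            seconds_to_click=90 + 30 * i if clicked else None))
    return events


# Constructed sample data: the article's Department A ("admin") and
# Department B ("operations"), plus a finance team with a stricter yardstick.
EVENTS: List[Event] = (
    make_segment("admin", "2026-01", 100, clicks=22, failures=9, reports=30)
    + make_segment("admin", "2026-04", 100, clicks=11, failures=4, reports=45)
    + make_segment("operations", "2025-10", 100, 5, 2, 50)
    + make_segment("operations", "2026-01", 100, 5, 1, 55)
    + make_segment("operations", "2026-04", 100, 5, 1, 60)
    + make_segment("finance", "2025-10", 100, 6, 3, 40)
    + make_segment("finance", "2026-01", 100, 4, 2, 50)
    + make_segment("finance", "2026-04", 100, 4, 1, 55)
)

# Assumed resistance thresholds (maximum acceptable click rate) per area.
THRESHOLDS: Dict[str, float] = {"admin": 0.10, "operations": 0.10, "finance": 0.03}


def segment_metrics(events: List[Event], dept: str, campaign: str) -> dict:
    """Click, failure and report rates plus median reaction time for one segment."""
    rows = [e for e in events if e.dept == dept and e.campaign == campaign]
    n = len(rows)
    clicks = sum(e.clicked for e in rows)
    click_times = [e.seconds_to_click for e in rows if e.seconds_to_click is not None]
    return {
        "targeted": n,
        "click_rate": clicks / n if n else 0.0,
        "failure_rate": sum(e.submitted for e in rows) / n if n else 0.0,
        "report_rate": sum(e.reported for e in rows) / n if n else 0.0,
        "median_seconds_to_click": median(click_times) if click_times else None,
    }


def improvement_rate(previous: float, current: float) -> float:
    """Relative reduction between two campaigns; 0.22 -> 0.11 gives 0.5."""
    return (previous - current) / previous if previous else 0.0


def click_rate_series(events: List[Event], dept: str) -> List[float]:
    """Chronological click rates for a department, one entry per campaign."""
    campaigns = sorted({e.campaign for e in events if e.dept == dept})
    return [segment_metrics(events, dept, c)["click_rate"] for c in campaigns]


def recommend(rates: List[float], threshold: float,
              window: int = 3, band: float = 0.01) -> str:
    """Next action for a segment, derived from its click-rate history."""
    if rates[-1] > threshold:
        return "reinforcement"          # still above the area's tolerance
    recent = rates[-window:]
    if len(recent) == window and max(recent) - min(recent) <= band:
        return "recognition"            # consolidated resistance
    return "monitor"                    # under threshold, not yet stable


def campaign_plan(events: List[Event]) -> Dict[str, str]:
    """Recommended next action for every department with a threshold."""
    return {d: recommend(click_rate_series(events, d), THRESHOLDS[d])
            for d in sorted(THRESHOLDS)}


if __name__ == "__main__":
    for dept in sorted(THRESHOLDS):
        print(dept, [round(r, 2) for r in click_rate_series(EVENTS, dept)],
              "->", campaign_plan(EVENTS)[dept])
```

The decision rule deliberately checks the area-specific threshold before looking at the trend: the admin team halved its click rate yet still lands on "reinforcement" because 11% exceeds its 10% tolerance, while the operations team's flat 5% qualifies for recognition under the same 10% yardstick. Swapping the thresholds for the ones your risk assessment actually assigns to each area is the only change needed to reuse the script on real export data.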
Typical barriers and how to overcome them with strategy
Implementing a well-designed security awareness program is not just a technical matter. Internal resistance—legal, cultural, and political—is as decisive as the content of the campaign. Here's how to anticipate and manage these barriers wisely.
Legal or reputational rejection: how to minimize risk
One of the most common barriers is the fear that a simulation campaign will cause complaints, conflicts with labor representatives or even legal problems. This usually happens due to a lack of preparation, not because of the nature of the campaign.
To avoid this:
- Make sure you have a solid legal basis for running simulations, including informed consent or well-documented legitimate interest.
- Communicate the purpose, impact and limits of the initiative with transparency.
- Establish incident response protocols (e.g., mass clicks, internal reports).
You can consult the essential aspects to take into account in our analysis of the regulations that govern these simulations in European regulated environments. You can also expand with the Information Commissioner's Office guidelines on consent and acceptable practices.
Diverse culture, different levels: adapt without simplifying
Another common obstacle is the argument that "this is not for everyone". And in part it is true. A common mistake is to apply the same approach to different profiles, countries or levels of maturity, generating noise, rejection or, worse, disinterest.
Recommendations:
- Adapt the complexity of the campaigns to the level of exposure and maturity of each group.
- Ensure that content is available in the local language.
- Create differentiated itineraries for groups with special needs (e.g. newcomers, operational roles).
This approach does not require a large operational burden if it is based on good planning. For example, you can rely on our material to structure a program that can be adapted to any level of organizational culture, including management segments.
Lack of sponsorship: how to convince from the business
Finally, many awareness-raising initiatives die before they begin due to lack of support. Without the support of the CEO, HR management, or compliance committee, any effort seems like an "optional extra."
The key is to speak the language of business:
- Align the campaign with real risks and evidence.
- Explain how it impacts audits, compliance, and reputation.
- Use KPIs linked to organizational risk and not just "clicks".
Along these lines, you can review our approach to designing a plan that connects with the strategic vision of the steering committee, not just the security team.
Final checklist: are you ready for 2026?
Regulatory requirements and operational risks force us to go beyond good intentions. Before you launch (or revamp) your security awareness program, make sure you have everything in place. This checklist helps you check if you are really aligned with the expectations of 2026.
10 Critical Points Before Launching a Campaign
Your simulation program should not start without validating the following:
- Clear objectives defined by profile or area.
- Realistic segmentation based on roles, risks and context.
- Templates designed to simulate current (non-generic) threats.
- Documented legal coverage (GDPR, NIS2, DORA).
- Planned internal communication before, during and after.
- Automated immediate reinforcement for vulnerable users.
- Dashboard with operational and business metrics.
- Coordination with HR, Compliance and Technology.
- Updated benchmarking by sector and size.
- Structured, not reactive, continuous improvement plan.
You can review the example of a company that went from 28% to 6% failure in six months in this use case of transformation with measured impact.
Rapid Supplier Assessment: What to Demand
Not all partners offer the same thing. Before contracting or renewing:
- Check if they allow advanced segmentation and custom reporting.
- Verify SLAs (Service Level Agreements) and incident response time.
- Evaluate whether they offer support for a variety of languages, formats, and channels.
- Require compatibility with your tech stack and auditing requirements.
If you have any doubts, access this guide with key criteria for validating suppliers in this type of simulation.
Is your team improving... or does it just survive?
Here are clear signs that your social engineering simulation guide (phishing, qrishing, aishing...) needs a thorough overhaul:
- Stagnant or increasing failure rates after multiple campaigns.
- Content that does not adapt to evolving threats.
- Management profiles without real involvement or follow-up.
- Actions disconnected from the regulatory framework or continuity plan.
In that case, consider relying on good practices such as those defined by ISO/IEC 27002 to structure risk-aligned awareness initiatives.
Being ready for 2026 is not a matter of will, but of structure and follow-up. This checklist can help you identify gaps before attackers do... or auditors.