SAT | Security Awareness Training

Security Awareness Training (SAT) consists of educational programs designed to increase employee awareness of cybersecurity. Users learn how to recognize and avoid threats such as phishing, malware, and social engineering, which reduces the risk of data breaches and attacks. These trainings are a key element of any security strategy.

SAT (Security Awareness Training) — turn your employees into the first line of defence

According to the annual Verizon DBIR and ENISA reports, the human element is involved in the majority of cybersecurity incidents — from phishing and account takeovers to unintentional data leaks. The classic model of “once a year, a 30-slide presentation” does nothing to change that. Effective Security Awareness Training is a repeatable education programme: controlled phishing simulations, short training modules, practical exercises, and measured effectiveness over time — not a one-off compliance campaign.

Virtline designs and runs SAT programmes for manufacturing companies, financial institutions, healthcare, energy, and public administration. We use KnowBe4, Webroot Security Awareness Training, and the proprietary scenario-based game “Mission: Cybersecurity.” We integrate the training platform with Active Directory and Microsoft 365 (SCIM) to automatically assign modules by department and role, report progress to managers, and deliver audit reports required by NIS2 Article 21, ISO/IEC 27001 A.6.3, and DORA Article 13.

We run the programme in a quarterly cycle: a short phishing campaign, targeted microtraining for those who “clicked,” measurement of click-rate and report-rate (reported suspicious emails), and then programme adjustment for the next quarter. Results are measurable — after 3–6 months we typically observe a halving of click-rate and a clear increase in reporting of suspicious messages.

What does the SAT programme at Virtline include?

We work in a quarterly cycle, combining education, simulations, and effectiveness measurement. The programme scope includes:

  • Baseline maturity assessment — a controlled phishing campaign across the entire organization without prior notice, measuring click-rate, report-rate, and vulnerability by department.
  • Role-tailored training modules — different content for executives exposed to whaling, different for accounting (BEC, fake invoices), different for production and OT departments.
  • Recurring phishing simulations — varied scenarios (classic phishing, spear-phishing, smishing, vishing, MFA fatigue attacks) with increasing difficulty levels.
  • “Mission: Cybersecurity” game — proprietary scenario-based game featuring realistic workplace situations, user decisions, and feedback after each choice.
  • Just-in-time training — short 3–5 minute modules triggered immediately after clicking a simulated phishing link, without waiting for the quarterly cycle.
  • Reporting and metrics — management dashboard, audit reports for NIS2/ISO 27001/DORA, executive dashboard with trends and residual risk.


Benefits of the SAT programme

  • Measurable reduction in simulated phishing click-rate — typically halved within 3–6 months relative to baseline.
  • Increased suspicious message reporting — employees use the “Report phishing” button in Outlook, reducing response time to real campaigns.
  • NIS2, ISO 27001, and DORA compliance — documented employee education programme, on-demand audit reports.
  • Fewer BEC incidents — accounting staff identify fake payment instructions and account change requests faster.
  • Stronger security culture — employees understand why MFA, password policies, and data classification matter and stop bypassing procedures.
  • Lower cyber insurance premiums — cyber insurers increasingly require a documented SAT programme as a policy condition and premium reduction factor.
  • Better incident preparedness — employees know how and to whom to report suspicious events, reducing MTTD and MTTR.


How we run the SAT programme — 4 stages

We run the programme in a quarterly cycle, with a baseline assessment at the start and repeatable measurements throughout. Each stage has a clearly defined outcome — from the baseline report to an executive risk dashboard.

1. Baseline and risk analysis — unannounced phishing campaign, identification of most vulnerable departments and roles, mapping training needs to NIS2/ISO 27001/DORA requirements, setting programme objectives and KPIs.

2. Platform deployment and onboarding — integration with Active Directory/Azure AD (SCIM), user import, module configuration per user group, communication preparation for management, launch campaign.

3. Training and simulation cycle — regular phishing campaigns, just-in-time microtraining for those who “clicked,” themed modules (BEC, ransomware, personal data protection, OT/SCADA), “Mission: Cybersecurity” game for selected groups.

4. Measurement and optimization — quarterly report on click-rate, report-rate, frequency-rate trends, industry comparative benchmarking, programme adjustment for the next quarter, results presentation to management and audit committee.



SAT platform integrations we deploy

The training platform must live within the corporate identity and email ecosystem — otherwise it requires manual maintenance. Our standard integrations include:

  • Active Directory / Azure AD / Entra ID — automatic user, role, and department synchronization via SCIM and SSO login via SAML 2.0 or OIDC
  • Microsoft 365 — “Report phishing” button in Outlook, integration with Defender for Office 365, simulation click reporting
  • Google Workspace — Gmail and directory integration, suspicious message report tracking
  • Email Security Gateway — coordination with the mail gateway (e.g. WatchGuard, GFI MailEssentials, PhishTitan, ClearSwift) to ensure simulations reach inboxes
  • SIEM — export of events (clicks, reports, training completions) to SIEM/SOC, correlation with other signals
  • HR and LMS — completion status exchange with HR systems (Workday, SAP SuccessFactors) and corporate LMS if in use

SAT and NIS2, ISO 27001, DORA — requirement mapping

Staff awareness and training are explicitly required by current cybersecurity regulations. Auditors most commonly cite the following references:

  • NIS2 Directive (Article 21(2)(g)) — among minimum cybersecurity risk management measures, requires “basic cyber hygiene practices and cybersecurity training.” Applies to essential and important entities and their management.
  • ISO/IEC 27001:2022 — Annex A — control A.6.3 Information security awareness, education and training (awareness and training programme for all employees and contractors) and A.6.5 Responsibilities after termination or change of employment.
  • DORA Regulation (Article 13) — requires an ICT learning and training programme for all staff, including management, and key ICT service providers of the financial entity.
  • GDPR (Recital 39, Article 39(1)(b)) — training of staff involved in personal data processing operations as an element of accountability and one of the DPO’s obligations.

Frequently asked questions about SAT

How much does a SAT programme cost for a mid-sized company?

Cost depends on the number of employees, chosen platform, and additional services. Training platform licences (e.g. KnowBe4 or Webroot SAT) typically start from a few euros per employee per month, with volume discounts. This is supplemented by the implementation project, launch campaign, and quarterly managed programme costs. We prepare a specific quote after a brief conversation about user count and programme objectives.

How long does SAT programme deployment take?

The baseline assessment (phishing campaign) launches 1–2 weeks after kickoff. Platform integration with Active Directory/Azure AD and Microsoft 365 is completed in 2–3 weeks. The first full quarterly cycle (baseline + training + simulation + report) takes 12–13 weeks. After the first quarter, the programme enters a steady state, with subsequent cycles running in a repeatable framework.

What systems does the SAT platform integrate with?

As standard, we integrate the SAT platform with Active Directory, Azure AD/Entra ID, and Microsoft 365 (SCIM synchronization, SAML 2.0/OIDC SSO, “Report phishing” button in Outlook, Defender for Office 365 integration). We also support Google Workspace, SIEM event exchange, HR system integration (Workday, SAP SuccessFactors), and corporate LMS completion status tracking.

How often should training and phishing simulations be repeated?

Phishing simulations run monthly or quarterly depending on the organization’s maturity and risk level. Full training modules (10–15 minutes) run quarterly, and short microtraining (3–5 minutes) is delivered just-in-time after each simulation click. New employees complete onboarding training within the first two weeks of joining the organization.

How do we report SAT programme results?

After each campaign we provide a report with click-rate, report-rate, frequency-rate metrics and comparison with previous cycles and the industry. Quarterly we prepare an executive report for the CIO and audit committee with trends, risk map, and recommendations. All events (completions, clicks, reports) are exported to SIEM, and audit reports are prepared in the format required by NIS2, ISO 27001, and DORA.

How will we know if the SAT programme is actually working?

We measure effectiveness across three layers of metrics. First, click-rate and report-rate in phishing simulations — we expect declining click-rate and rising report-rate across consecutive quarters. Second, the number of real phishing attempts reported by employees to the helpdesk/SOC — a signal that people are applying their training. Third, independent red-team exercises once a year to verify that the organization has genuinely raised its maturity rather than just ticking a compliance box.
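The first metrics layer above, and the quarterly click-rate/report-rate comparison described in the programme stages, can be reproduced from raw simulation events. The following is an added example for illustration; it is not code from Virtline or from any of the named platforms. It takes a constructed set of per-recipient simulation records (quarter, department, clicked, reported), computes click-rate and report-rate per department and organization-wide, flags departments whose sample is too small for the rate to mean much, and checks the “halved relative to baseline” target. The department names, user counts and figures are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

# One record per simulated phishing email delivered to a recipient.
# "reported" means the recipient used the report-phishing button; a recipient
# can both click and report (click, then realise), so the two flags are independent.
@dataclass(frozen=True)
class SimEvent:
    quarter: str
    department: str
    user: str
    clicked: bool
    reported: bool


@dataclass(frozen=True)
class Metrics:
    sent: int
    clicks: int
    reports: int
    click_rate: float      # clicks / sent
    report_rate: float     # reports / sent
    reliable: bool         # False when the sample is too small to trend


def _batch(quarter: str, dept: str, sent: int, clicked: int, reported: int) -> list[SimEvent]:
    """Build a constructed campaign batch: the first `clicked` users click, the last `reported` report."""
    return [
        SimEvent(quarter, dept, f"{dept}-{i}", clicked=i < clicked, reported=i >= sent - reported)
        for i in range(sent)
    ]


# Constructed sample data for three quarterly campaigns (not real campaign results).
EVENTS: list[SimEvent] = (
    _batch("Q1", "finance", sent=10, clicked=4, reported=1)
    + _batch("Q1", "production", sent=10, clicked=3, reported=2)
    + _batch("Q2", "finance", sent=10, clicked=2, reported=4)
    + _batch("Q2", "production", sent=10, clicked=2, reported=3)
    + _batch("Q3", "finance", sent=10, clicked=1, reported=5)
    + _batch("Q3", "production", sent=10, clicked=1, reported=5)
)


def rates(events: list[SimEvent], quarter: str, department: Optional[str] = None,
          min_sample: int = 5) -> Optional[Metrics]:
    """Click-rate and report-rate for one quarter, organization-wide or for one department."""
    subset = [e for e in events
              if e.quarter == quarter and (department is None or e.department == department)]
    sent = len(subset)
    if sent == 0:
        return None
    clicks = sum(e.clicked for e in subset)
    reports = sum(e.reported for e in subset)
    return Metrics(sent, clicks, reports, clicks / sent, reports / sent, sent >= min_sample)


def by_department(events: list[SimEvent], quarter: str) -> dict[str, Metrics]:
    """Per-department breakdown used to identify the most vulnerable groups."""
    depts = sorted({e.department for e in events if e.quarter == quarter})
    return {d: rates(events, quarter, d) for d in depts}


def most_vulnerable(events: list[SimEvent], quarter: str) -> Optional[str]:
    """Department with the highest click-rate, ignoring departments with unreliable samples."""
    candidates = [(m.click_rate, d) for d, m in by_department(events, quarter).items() if m.reliable]
    return max(candidates)[1] if candidates else None


def halving_achieved(events: list[SimEvent], baseline_q: str, current_q: str) -> bool:
    """True when the organization-wide click-rate has fallen to half the baseline or lower."""
    base, cur = rates(events, baseline_q), rates(events, current_q)
    if base is None or cur is None or base.sent == 0:
        return False
    return cur.click_rate <= base.click_rate / 2


if __name__ == "__main__":
    for q in ("Q1", "Q2", "Q3"):
        m = rates(EVENTS, q)
        print(f"{q}: click-rate {m.click_rate:.0%}, report-rate {m.report_rate:.0%}, "
              f"most vulnerable: {most_vulnerable(EVENTS, q)}")
    print("Halving target met Q1->Q3:", halving_achieved(EVENTS, "Q1", "Q3"))
```

Two design points matter in practice. Report-rate uses delivered emails as the denominator, the same base as click-rate, so the two can be read side by side; a rising report-rate with a falling click-rate is the trend the programme is aiming for. The `reliable` flag guards against reading a 50% click-rate in a two-person department as a finding: small groups need to be pooled or trended over several campaigns before conclusions are drawn.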


Why choose Virtline for your SAT programme

Virtline has been running cybersecurity awareness programmes for organizations across various sectors for many years. We combine security engineering expertise with the proprietary “Mission: Cybersecurity” scenario game and enterprise-class platforms. Clients value the fact that we do not sell “a box of licences” — we take on the entire cycle: baseline, campaigns, training, reports, and programme tuning in subsequent quarters.

Key benefits of the SAT programme with Virtline:

  • Experience deploying KnowBe4, Webroot SAT, and the proprietary “Mission: Cybersecurity” game
  • TÜV NORD security certificate — ISO/IEC 27001:2023
  • Training modules and simulations tailored to role and departmental risk
  • Integration with Active Directory, Microsoft 365, Defender for Office 365, and SIEM
  • Mapping programme to NIS2 Art. 21, ISO 27001 A.6.3, and DORA Art. 13
  • Quarterly executive and audit reports for CIO and audit committee
  • Independent red-team exercises verifying programme maturity after one year
  • Training materials in English and support for geographically distributed teams


Contact us to launch a SAT programme that genuinely changes employee behaviour rather than just fulfilling a compliance requirement.

Turn employees into the first line of defence — start with a baseline and see where the greatest risk lies.


ISO/IEC 27001:2023 Certification

Virtline certified by TÜV NORD

Virtline holds the PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029.

Talk to a Virtline expert

We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.