Skip to content
NewAutopilot — the program that runs itself

Phishing simulation & security awareness

Realistic phishing simulations.
A measurably more resilient team.

PhishSpot recreates today’s phishing tactics, delivers a short lesson at the moment of the click, and shows how your team improves over time — in English and Polish.

  • Free trial
  • English + Polish
  • Built in the EU

Designed for regulated industries

FinanceHealthcareSaaSPublic sectorManufacturingLegal
One platform, the whole loop

Everything a phishing program needs, in one place

Simulations and training run in one system, where every feature shares the same contacts, sending domains, and reports.

Realistic simulations

A six-step builder, 48 human-written templates, and a live HTML editor with merge-tag personalization and test sends.

Autopilot programs

Set the intensity once. PhishSpot keeps people trained on your cadence and brings every new hire into the program by itself.

Branching sequences

A campaign that unfolds in stages: who opened or clicked decides what arrives next, and what training follows.

Training on click

A course, an awareness page, or a redirect delivered the moment someone clicks a simulated message.

The full funnel

Sent → Delivered → Opened → Clicked → Submitted → Trained, with team trends and authorized detail.

Inbox deliverability

Managed sending domains with automatic SPF, DKIM and MX, plus allowlist exports for major mail platforms.

How it works

From a new account to your first insight in an afternoon

Five steps, the same ones every program follows. PhishSpot removes the busywork between them.

  1. 01

    Onboard

    Set up your account, industry, and phishing-report inbox. Connect Microsoft Entra if you use it.

  2. 02

    Add people

    Import contacts from CSV or sync your directory, then organize them into groups.

  3. 03

    Run

    Launch a one-off campaign, an Autopilot program, or a branching sequence.

  4. 04

    Teach

    Whoever clicks gets a course or an awareness page, right when the lesson sticks.

  5. 05

    Measure

    Follow the funnel and team trends, with recipient detail for authorized users. Export to PDF or Excel.

Autopilot

Set it once. Keep the program moving.

Autopilot runs a continuous awareness program without anyone watching over it. It picks templates in the right language and keeps your cadence — new hires join automatically.

  • Intensity you control — from one send a month to a few a week, with a hard cap of two per person per day.
  • An AI optimizer adapts template and timing to each recipient’s history, so the training never gets predictable.
  • New joiners are covered from day one. Anyone added to the audience joins the program on their own.
platform.phishspot.com/autopilots
Set it once. Keep the program moving.
Template library

48 templates, written by people — in English and Polish

Written natively in English and Polish. Choose a curated real-world scenario, adapt it in the HTML editor, or save your own.

  • 24 EN + 24 PL, each written for its language and local habits, not translated word for word.
  • Full HTML control over the email and the landing page, with a live preview and merge tags like {{first_name}}.
  • Save as template — a campaign that worked becomes the starting point for the next one.
platform.phishspot.com/templates
48 templates, written by people — in English and Polish
Integrations & API

Fits the tools you already use

Sync your directory and sign in with Microsoft, then push every event to your SIEM, SOAR, or LMS as it happens.

Microsoft Entra sync

Users and groups import on a schedule; leavers are disabled, never deleted.

Microsoft 365 SSO

Employees sign in with their work account and land in a personal training portal.

Signed webhooks

HMAC-signed events with retries — a click turns into an alert within seconds.

REST API

A token-authenticated JSON API at /api/v1 for campaigns, contacts, courses, and more.

MCP for AI

Drive PhishSpot from Claude in plain language. MCP only prepares; a person presses launch.

Outlook report button

One-click phishing reporting, feeding your per-account report inbox.

Why PhishSpot

Move from a point-in-time test to a continuous program

A yearly test provides a snapshot. PhishSpot adds regular practice, timely training, and trends that show progress over time.

Point-in-time testing

  • A snapshot from one moment in the year
  • General guidance delivered after the campaign
  • Campaign metrics viewed without a long-term trend
  • Deliverability managed separately
  • One language or directly translated content
  • Results moved between systems by hand

With PhishSpot

  • A continuous program on Autopilot, running all year
  • Training reaches people at the moment of the click
  • The full funnel, team trends, and authorized detail
  • Managed sending domains that reach the inbox
  • English and Polish throughout — interface and templates
  • Everything scriptable over API and MCP

48

Ready-to-send templates

Written by people, 24 EN + 24 PL

2

Languages, end to end

UI, templates, reports & manual

6

Funnel stages tracked

Sent → … → Trained

10

Allowlist export formats

M365, Google, Mimecast & more

Questions

The things security teams ask first

Is this actually bilingual, or just a translated menu?

Actually bilingual. The interface, all 48 templates, the reports, and the full admin manual exist in English and Polish. The Polish templates were written by people who write Polish, not by a translation engine.

Will simulations land in the inbox or get filtered to spam?

PhishSpot sets up managed sending domains with correct SPF, DKIM, MX and return-path records, monitors their health, and gives you allowlist exports for Microsoft 365, Google Workspace, Mimecast, Proofpoint and more.

What happens when an employee clicks?

That click becomes a teachable moment. You choose the follow-up per campaign: a training course, an awareness page, or a redirect. No blame, no naming — most teams keep it purely educational.

Is the “AI” writing phishing emails for us?

No. Autopilot is automation: it picks a language-matched template from your library and schedules it, and an optimizer tunes the timing and difficulty. Every template and every launch stays under your control.

Can we run this across many client organizations?

Yes. Each client lives on its own isolated account, with three admin roles, a full REST API, and an MCP server — built with MSPs and MSSPs in mind.

How do we get real phishing reported back?

Employees report suspicious mail with the one-click Outlook add-in or by forwarding it to your report inbox. Each report opens in a safe preview and links back to the contact’s record.

Establish your first baseline this week

Book a 30-minute working session and we’ll build a live campaign with you for a test group. Prefer to explore first? Start a free trial.

A focused session, a working campaign, and a clear next step.