Skip to content

Glossary

The phishing & awareness glossary.

Plain-language definitions of the terms you'll meet across PhishSpot — and across security awareness in general.

Phishing simulation
A safe, authorized fake phishing email sent to your own employees to measure and build their ability to spot real attacks.
Landing page
The page a recipient reaches after clicking a simulated phishing link — used to record the click and, optionally, to teach.
Merge tag
A placeholder like a recipient's first name or company that PhishSpot fills in per person, making each simulation feel personal.
Funnel
The stages a simulation moves through: Sent → Delivered → Opened → Clicked → Submitted → Trained, plus Replied — so you can see exactly where people drop off.
Click rate
The share of recipients who clicked the simulated link. One of the core signals of human risk.
Risk score
A 0–100 score (Low, Medium, High, Critical) summarizing how susceptible a person, group or account is over time.
Autopilot
PhishSpot's automation that runs continuous programs — it selects a language-matched template, schedules by intensity, and an optimizer tunes timing and difficulty.
Sequence
A branching, multi-touch phishing journey where the next step depends on what the recipient did.
Secured domain
A platform-managed domain used to host simulations and landing pages safely, separate from your production domains.
BYOD (Bring Your Own Domain)
Using your own sending domain for simulations; PhishSpot auto-provisions SPF, DKIM and MX and runs hourly health checks.
SPF / DKIM
Email authentication records that prove a message is sent from an authorized server, so simulations reach the inbox instead of spam.
Whitelist (allowlist)
Configuration that lets simulation emails bypass filters. PhishSpot exports it in 10 formats, including Microsoft 365, Google Workspace, Mimecast and Proofpoint.
Awareness page
A page shown after a click that explains the person just fell for a simulation and how to spot the next one.
Teachable moment
The instant right after someone clicks, when a short lesson lands best — PhishSpot trains people then and there.
Report inbox
Where messages employees report as suspicious are collected, so security teams can triage real threats and reward good reporting.
MCP (Model Context Protocol)
An open standard that lets AI assistants call PhishSpot directly. PhishSpot exposes around 60 MCP tools alongside its REST API.
Webhook
An HTTP callback that pushes campaign events to your systems in real time, signed with HMAC-SHA256 and retried up to five times.
Multi-tenant
Architecture that keeps every customer account fully isolated, so data is never shared across organizations.
Deliverability
How reliably simulation emails reach the inbox — driven by domain setup, authentication and reputation.
Post-click action
What happens after a click: a course, an awareness page, a redirect, a message page, or nothing.

Put the terms into practice

Book a demo or start in the platform and run your first simulation — the glossary makes a lot more sense once you've seen the funnel move.