Q: What are the biggest challenges facing organizations in the phishing space today, and how are threats evolving?
Mika Aalto: AI has been a game changer in cybersecurity, for better and for worse. It has produced a storm front of rapid technological and regulatory changes that are colliding with stagnant SAT models and attitudes towards managing human risk.
The phishing landscape is changing faster than many companies can adapt, especially when their people, processes, and technology aren’t harmonized. Modern attackers are using AI to create highly personalized spear phishing campaigns that slip past traditional filters more frequently and fool even alert employees. Most of these attacks come from low-cost, highly accessible phishing-as-a-service kits available online on the dark web.
And we can no longer afford to worry only about email—attackers are expanding into SMS, social media, and messaging apps on personal devices, where people are more inclined to click something suspicious.
Add to that the fact that most CISOs lack visibility into the phishing threats that dodge their technical defenses, and the risk grows of undetected breaches that fester from problems into catastrophes. In cybersecurity incident response, speed is essential.
There’s also a general skepticism about phishing training because too many organizations have historically settled for SAT solutions that are rapidly becoming obsolete. Compliance-based SAT tools don’t actually change behavior and reduce risk. These low-cost tools test people on yesterday’s threats in order to tick a box.
While threat actors rake in billions, companies need to break away from this “check-the-box” mindset and invest in next-generation platforms that deliver real behavior change.
Q: How does the Hoxhunt platform help teams address these challenges, and what sets it apart?
Mika Aalto: AI can be used for good or for evil. Since our founding in 2016, we have used AI and machine learning for good by leveraging its capabilities for automation and personalization.
The Hoxhunt platform focuses on adaptive, behavior-driven training rather than static, compliance-only exercises. By combining behavioral science and AI, we tailor phishing simulations to each user’s skill level, adjusting their training path as they learn. This means we’re constantly evolving and keeping engagement high, thanks to gamification and instant feedback. The result? We actually measure and prove a drop in risk, not just compliance. Our data shows a global 6x drop in clicks and a 9x boost in reporting rates, translating into a 10x increase in real threat detection. For instance, Qualcomm deployed Hoxhunt to their highest-risk employees and saw their failure rates cut in half, eventually rolling out Hoxhunt company-wide. That’s what makes us different: clear, measurable impact that sparks genuine resilience.
Q: What are your top recommendations for CISOs looking for a phishing protection and simulation solution?
Mika Aalto: First, look beyond compliance. You want a solution that genuinely changes behavior. Make sure it comes with reporting capabilities so you can measure how well it’s working across the organization. Second, integration is key. A good solution should fit into your existing SOC tools and threat intelligence systems so that improvements in training translate directly into stronger security operations. Third, demand outcome-driven metrics. Show your leadership team real evidence of behavior change and risk reduction. Finally, pick a partner who will grow with you, update their training as threats evolve, and provide the support you need. Phishing tactics are changing rapidly, and your training approach should too.
Q: What trends do you expect to see in the phishing space in 2025?
Mika Aalto: By 2025, AI will power significantly more phishing attacks—everything from text-based impersonations to deepfake videos will become cheaper and more convincing. Attackers will automate vulnerability hunting and personalization, forcing companies to upgrade their defenses.
On the white hat side, we’ll see more human threat intelligence and risk analytics feeding into phishing prevention, allowing organizations to spot zero-day attacks and vulnerable employees in advance and tailor interventions. It’s about moving from being reactive to more proactive, as high-impact human-based breaches hit unprecedented levels. Ultimately, those who embrace advanced training tools and data-driven insights will stay ahead of the curve.
Q: In your view, what should organizations’ top phishing protection planning priorities for 2025 be?
Mika Aalto: The number one priority is to shift from static, compliance-only training to adaptive programs that truly engage employees and inspire lasting behavior change. Put training and culture at the center of your security strategy, measuring success in terms of threat detection rather than just the absence of clicks. Data will guide how much you invest and where to focus your efforts. As tactics evolve—across email, messaging apps, or new channels—your training should keep pace. And above all, empower your people to embrace cybersecurity as their own responsibility. A workforce that’s both informed and motivated is the strongest defense you can have against evolving phishing threats.