Independent analysts from Frost & Sullivan investigated how organizations are managing Human Risk in cybersecurity - and spotlighted Hoxhunt for transforming security awareness into measurable behavior change. One standout result: a 225% spike in phishing threat reports, alongside a 3X drop in risky click behavior.
Frost & Sullivan's findings are clear: when security awareness programs are built on behavioral science, adaptive learning, and risk-based training (not just compliance), they can materially reduce your attack surface and improve outcomes for security teams.
If you want to dig deeper into the analyst findings, Frost & Sullivan’s Customer Transformation Journey report on Hoxhunt is available in full. It details how organizations across energy, legal, and enterprise sectors are reducing human risk and building a stronger security culture with measurable outcomes.
How human risk management is evolving (and why it matters now)
For years, security awareness training focused on check-the-box compliance. But cyber threat actors have evolved, leveraging social engineering, credential harvesting and access to breached data from the dark web. The human error gap hasn’t closed fast enough.
That’s why Human Risk Management (HRM) is emerging as a critical layer of every modern cybersecurity strategy. The Frost & Sullivan report validates this shift, showing that behavior-based interventions can directly impact metrics that matter: reduced security incidents, improved employee behavior, and real-time risk mitigation.
Metrics have shifted from awareness to action:
- Old metrics: completion rate, quiz scores
- New metrics: risk scores, reporting velocity, behavior change trends
And this raises an important question for every security leader: how do you actually measure behavior change? It’s one thing to track completion rates, but it’s another to quantify the shift from awareness to real risk reduction. To explore this challenge further, we sat down with our Head of Human Risk, Maxime Cartier, to discuss how organizations can move beyond surface-level awareness and start measuring what truly matters.
What analysts saw in Hoxhunt’s Human Risk Management model
Frost & Sullivan’s analysts interviewed leaders from sectors like energy, legal, and global infrastructure. They consistently reported:
- Sustained behavior change, not just short-term awareness
- Seamless integration with existing security technology stacks, including Microsoft 365 and Microsoft Defender
- Training nudges and micro-learning that mapped to real risk factors and attack vectors
Instead of static training programs, Hoxhunt uses AI-powered tools and machine learning to personalize training nudges based on user actions.
Here's how E.ON's CISO put it: “Our phishing click rates dropped from 10% to below 3%. Reporting rates went from 20% to over 60%. We didn’t just raise awareness - we built a security-conscious culture.”
What E.ON, Bird & Bird, and AES told Frost & Sullivan about managing human risk
In its Customer Transformation Journey report, Frost & Sullivan interviewed Hoxhunt customers across high-risk sectors - energy, legal, and global enterprise infrastructure. Each faced a common challenge: reducing human error as a driver of security incidents, while shifting from awareness to measurable employee risk management.
These weren’t marketing testimonials. They were deep interviews with CISOs and security professionals who had deployed Hoxhunt in real-world environments.
E.ON: Security awareness that energized engagement
As a major energy provider, E.ON needed to reduce its exposure to phishing threats and improve resilience across a large, distributed workforce. After implementing Hoxhunt:
- Phishing click rates fell from double digits to below 3%
- Reporting rates surged by over 3X
- Employees engaged with gamified phishing simulations, including a QR code phishing campaign tailored to energy sector attack vectors
Bird & Bird: Embedding Human Risk Management in legal cyber defense
For global law firm Bird & Bird, the stakes were high: protecting confidential client data, ensuring regulatory compliance (like PCI DSS), and overcoming executive resistance to security training. With Hoxhunt:
- Senior lawyers began engaging with training programs - a group often excluded from simulations
- The firm saw a marked increase in phishing simulation engagement and threat reporting
- Legal-specific phishing templates aligned training with internal communication norms
AES: A Fortune 500’s shift from awareness to security culture
AES, a global energy giant, faced low training completion and disengagement across a 10,000-employee base. Manual simulations weren’t scalable and the attack surface was growing. After adopting Hoxhunt:
- Phishing simulation reporting rates increased from 80 to over 2,000 per month
- Behavioral analytics helped track repeat offenders, response time, and department-level risk
- The platform integrated seamlessly with Microsoft Defender, enabling faster incident response
This kind of cross-sector adoption - now validated by third-party analysts - signals that Human Risk Management isn’t niche anymore. It’s becoming foundational to modern cyber defense.
Real outcomes: Click rate reduction and 225% increase in reporting
The true test of Human Risk Management isn’t awareness... it’s action. According to Frost & Sullivan, Hoxhunt’s customers saw a 3X drop in phishing click rates and a 225% increase in threat reporting after deployment.
These aren’t vanity stats; they represent a fundamental shift in employee behavior. When employees recognize and report phishing emails at scale, security teams gain critical visibility into early indicators of compromise.
What stands out is not just the numbers but the speed of transformation. Hoxhunt achieved measurable risk reduction within months of rollout, whereas legacy security awareness and training platforms tend to plateau after the first wave of engagement.
Why employee engagement is the missing link in cyber defense
Frost & Sullivan’s CTJ report underscores a powerful truth: traditional security awareness training falls short because it neglects engagement. Our effectiveness stems from designing security awareness experiences that employees actually enjoy - which translates into real, measurable behavior change.
Legacy training programs often rely on stale content, quiz-style modules, and one-off awareness sessions that users easily ignore or rush through.
At Hoxhunt, we've found that even when employees recognize security risks, they’re less likely to report them if the process is cumbersome or feels punitive.
Our model embeds engagement at every level...
- Personalized gamification: Simulations adapt using machine learning - tailored by role, location, language, and previous response patterns.
- Frequent micro-learning nudges: Training events pop up unpredictably throughout employees' workflows to reinforce awareness without fatigue.
- Positive reinforcement loops: Feedback, badges, leaderboards, and progress tracking turn security behavior into shared achievement, not just compliance.
These elements combined create motivation that results in sustained engagement, which research shows is a clear predictor of reduced human cyber risk.
What makes Hoxhunt’s HRM platform different?
Frost & Sullivan highlighted several factors that set Hoxhunt apart from traditional security awareness programs - most notably our adaptive design, automation, and measurable impact on human risk. Rather than relying on generic training programs, Hoxhunt integrates behavioral analytics and AI-based tools to personalize learning across roles and geographies.
Key differentiators identified by analysts
- Adaptive learning: Training evolves based on employee behavior, risk scores, and organizational attack vectors. This ensures that simulations stay relevant and challenging.
- Behavioral science at the core: Frost & Sullivan called out Hoxhunt’s use of behavioral nudges and gamification, which shift focus from awareness to behavioral change. Employees don’t just avoid clicks; they proactively report threats.
- Integrated security technology stack: Hoxhunt plugs into widely used tools like Microsoft 365 and Microsoft Defender, reducing friction for security teams and feeding actionable training data back into the incident response cycle.
- Granular analytics and risk scoring: Customizable dashboards provide both department-level and organization-level metrics, helping CISOs track report rates, click rates, and employee risk management progress.
By combining adaptive phishing training, real-time feedback, and integrations into the broader cybersecurity strategy, Hoxhunt shifts Human Risk Management from a compliance function into a measurable defense capability.
How HRM improves threat detection and incident response
The report found that Human Risk Management has a direct impact on how quickly and effectively organizations identify and respond to security incidents. By training employees to recognize and report phishing emails in real time, Hoxhunt customers gave their security teams far greater visibility into early indicators of compromise.
Faster threat reporting
One multinational energy company went from receiving 80 monthly phishing reports to more than 2,000 per month after rolling out Hoxhunt. This 1400% increase allowed their SOC to detect and analyze threats earlier, improving overall incident response time.
Automation that reduces SOC burden
The report also emphasized how Hoxhunt integrates with existing security tools like Microsoft Defender to automate parts of the incident response process:
- Automatically removing reported phishing emails from inboxes
- Feeding real phishing incident data into dashboards for behavioral analytics
- Reducing false positives while accelerating triage for confirmed threats
Building a resilient security posture
By combining training programs with integrated security technology stacks, organizations improved both human and technical layers of defense.
The Customer Transformation Journey report also shows how our HRM model turns employee behavior from a potential weak point into a frontline defense against attack vectors.
What CISOs should look for in Human Risk Management solutions
Frost & Sullivan emphasized that HRM is not just a “nice-to-have” - it’s becoming a critical requirement for modern CISOs. As human error continues to drive the majority of cybersecurity breaches, CISOs need solutions that go beyond awareness and deliver measurable improvements in security posture.
Key capabilities Frost & Sullivan highlighted
- Integration capabilities: Seamless connections with security operations tools and workflows (e.g., email gateways, SOC systems, Microsoft Defender) that amplify ROI by turning employee reporting data into actionable intelligence.
- Real-time behavioral insights: The ability to detect risky employee behavior in real time and provide corrective training nudges - reducing the chance of security incidents before they escalate.
- Multilingual and customizable training: Training programs must adapt to different geographies, business units, and attack vectors, making content relevant and engaging for a diverse workforce.
- Alignment with security culture: Programs that foster a security-conscious culture, where risk awareness is shared across all levels — from frontline employees to executives.
- Automation & AI: Reducing the manual workload on security professionals by using AI-powered tools and automation to scale training, reporting, and risk mitigation.
- Robust KPI tracking: Reduction in phishing click rates, increase in reporting rate and reporting velocity, improvement in incident response time, and department-level risk scores that reveal vulnerabilities across the organization.
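The KPIs in this list are easy to name and surprisingly easy to get wrong in practice (for example, counting reports only among non-clickers, or averaging report delays instead of taking the median). As an added example that is not code from the report or from Hoxhunt, the Python below computes click rate, report rate, reporting velocity, a department-level risk score, and a before/after behavior trend from a constructed set of simulation events. The event fields, the `WAVE_SPLIT` boundary, and the 60/40 weighting of click rate against non-report rate in `department_risk` are assumptions made for illustration, not the platform's definitions.

```python
"""Behavior-change KPIs over phishing-simulation events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SimEvent:
    """One simulated phishing email delivered to one employee (assumed schema)."""
    user: str
    department: str
    sent_at: datetime
    clicked: bool                     # did the user click the lure link?
    reported_at: Optional[datetime]   # None if the user never reported it


# Constructed sample data: two simulation "waves" 30 days apart.
T0 = datetime(2024, 1, 1, 9, 0)
WAVE_SPLIT = T0 + timedelta(days=30)  # events on/after this belong to wave 2


def _ev(user: str, dept: str, day: int, clicked: bool,
        report_minutes: Optional[int] = None) -> SimEvent:
    sent = T0 + timedelta(days=day)
    reported = sent + timedelta(minutes=report_minutes) if report_minutes is not None else None
    return SimEvent(user, dept, sent, clicked, reported)


EVENTS: List[SimEvent] = [
    # wave 1: many clicks, little reporting, slow reports
    _ev("alice", "finance", 1, True),
    _ev("bob", "finance", 2, False),
    _ev("carol", "legal", 3, True),
    _ev("dave", "legal", 4, False, report_minutes=240),
    _ev("erin", "ops", 5, True, report_minutes=120),   # clicked, then reported anyway
    _ev("frank", "ops", 6, False),
    # wave 2: one click, everyone reports, and reports arrive quickly
    _ev("alice", "finance", 31, False, report_minutes=15),
    _ev("bob", "finance", 32, False, report_minutes=5),
    _ev("carol", "legal", 33, True, report_minutes=30),
    _ev("dave", "legal", 34, False, report_minutes=10),
    _ev("erin", "ops", 35, False, report_minutes=20),
    _ev("frank", "ops", 36, False, report_minutes=45),
]


def click_rate(events: List[SimEvent]) -> float:
    """Fraction of delivered simulations whose lure was clicked."""
    return sum(e.clicked for e in events) / len(events) if events else 0.0


def report_rate(events: List[SimEvent]) -> float:
    """Fraction of delivered simulations that were reported (clickers included)."""
    return sum(e.reported_at is not None for e in events) / len(events) if events else 0.0


def reporting_velocity_minutes(events: List[SimEvent]) -> Optional[float]:
    """Median minutes from delivery to report, over reported events only.

    The median is used rather than the mean so one very late report does not
    mask a generally fast-reporting population. Returns None if nothing was reported.
    """
    delays = [(e.reported_at - e.sent_at).total_seconds() / 60
              for e in events if e.reported_at is not None]
    return median(delays) if delays else None


def department_risk(events: List[SimEvent], click_weight: float = 0.6) -> Dict[str, int]:
    """0-100 risk score per department, highest risk first.

    Assumed formula: click_weight * click_rate + (1 - click_weight) * (1 - report_rate).
    """
    by_dept: Dict[str, List[SimEvent]] = defaultdict(list)
    for e in events:
        by_dept[e.department].append(e)
    scores = {}
    for dept, evs in by_dept.items():
        raw = click_weight * click_rate(evs) + (1 - click_weight) * (1 - report_rate(evs))
        scores[dept] = round(100 * raw)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def behavior_trend(events: List[SimEvent], split_at: datetime) -> Dict[str, Dict[str, object]]:
    """Compare the KPIs for events before and after a cut-over date."""
    def summarize(evs: List[SimEvent]) -> Dict[str, object]:
        return {"n": len(evs), "click_rate": click_rate(evs),
                "report_rate": report_rate(evs),
                "velocity_min": reporting_velocity_minutes(evs)}
    before = [e for e in events if e.sent_at < split_at]
    after = [e for e in events if e.sent_at >= split_at]
    return {"before": summarize(before), "after": summarize(after)}


if __name__ == "__main__":
    print("click rate:", round(click_rate(EVENTS), 3))
    print("report rate:", round(report_rate(EVENTS), 3))
    print("reporting velocity (min):", reporting_velocity_minutes(EVENTS))
    print("department risk:", department_risk(EVENTS))
    print("trend:", behavior_trend(EVENTS, WAVE_SPLIT))
```

Note that `report_rate` counts a report even when the same user clicked first: a click followed by a report is still the behavior a SOC wants, and excluding it would understate reporting. The before/after split is what turns the raw counts into the "behavior change trend" metric; in a real program the split would be the training rollout date and the events would come from the simulation platform's export rather than a constructed list.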
Why this matters for CISOs
As regulatory pressures mount (e.g., PCI DSS, GDPR) and cyber threat actors continue to exploit the human risk element, CISOs are under pressure to show measurable improvements. Frost & Sullivan argues that the right HRM solution should integrate with an organization’s cybersecurity strategy, reduce its attack surface, and deliver metrics that resonate with both boards and auditors.
The analytics behind the report: How Frost & Sullivan validated the results
One of the most important aspects of this Customer Transformation Journey is that the findings weren’t vendor-driven. Frost & Sullivan followed a rigorous methodology to ensure accuracy and neutrality.
Their process included:
- Primary interviews with Hoxhunt customers across industries (energy, legal, multinational enterprise)
- Quantitative measurement of outcomes like click rates, reporting velocity, and training completion rates
- Secondary research to validate claims and benchmark against industry standards like the Verizon Data Breach Investigations Report
- Peer review and modeling to confirm the consistency of results