
DocuSign is the world's leading Intelligent Agreement Management company, helping organizations prepare, sign, act on, and manage agreements digitally. Trust is central to both its business and its brand. Protecting that trust requires employees who recognize threats, make good security decisions, and help protect one another every day.
Employees: 7,000+
Headquarters: San Francisco, USA
Industry: SaaS | Digital Transaction Management
Traditional security awareness programs were meeting compliance requirements but falling short where it mattered most: phishing and other secure behaviors. Annual training and occasional phishing simulations couldn't keep pace with increasingly sophisticated phishing, smishing, and AI-generated attacks. DocuSign wanted security awareness to help protect their brand and drive trust and business growth.
DocuSign transformed security awareness into an engaging, behavior-driven program built around communications, adaptive learning, and continuous, gamified reinforcement. The result is a CSO Award-winning program that reduced phishing failures by more than 80%, built a culture where employees naturally tell one another to "Hoxhunt it," and continues to evolve alongside modern threats.

CSO Award Winner (2026)
"I'd recommend Hoxhunt to anyone in my space. I plan to continue using it wherever I go because it's not just about the capabilities they provide—it's the partnership."
— Missy Bentzen, Senior Security Awareness and Training Program Manager, DocuSign
For Docusign, protecting their status as the "World’s most trusted brand," according to Time Magazine, meant starting somewhere different with security awareness training to get somewhere better than mere compliance.
Docusign uses Hoxhunt to help meet employees where they’re at as individuals to help them understand why security matters. The next step is making secure behavior an enjoyable, rewarding habit. Communications, awareness campaigns, executive messaging, and timely alerts create context that makes later training feel relevant rather than mandatory.
Communications programs reward quarterly high-performers with recognition in company newsletters and tangible awards. Security has been embedded into the Docusign culture with corporate incentive programs that were made possible by the gamification elements of the Hoxhunt platform.
Missy Bentzen calls the approach Security CAT (Communications, Awareness, and Training): three disciplines that reinforce one another throughout the year instead of existing as separate initiatives.
"We started with phishing and microtraining, but now there's smishing, and it just continues to evolve so we meet people where they’re at."
By keeping security personalized and relevant, DocuSign transformed awareness into an ongoing conversation instead of an occasional event.
The clearest signs of success showed up in conversations and vocabulary. You know how "Google" became a verb? So did Hoxhunt, at Docusign.
Employees naturally began reminding one another around the proverbial water cooler to "Hoxhunt it" whenever something looked suspicious. What started as a reporting button evolved into a cultural touchstone within their everyday company language.
Even the security skeptics developed into vocal security champions over the course of their learning journeys. Few things are more important to embedding security into the corporate culture than champions.
"We've even gotten to the point where it's a regular message within the company: 'Hoxhunt it.' We have our own built-in champion program that I didn't even have to create."
Gamification at DocuSign isn't about making training entertaining. It's about reinforcing the behaviors that keep people secure with a proven set of psychological principles, called “game design.”
Employees earn stars, build reporting streaks, and climb leaderboards by succeeding at desirable behaviors, like recognizing and reporting a phishing simulation. They compare progress with colleagues throughout the year.
Every quarter, Docusign recognizes both the organization's top star earners and employees who consistently report every phishing simulation correctly, celebrating the behaviors that strengthen resilience rather than simply avoiding mistakes.
The program became so engaging that employees began worrying about losing their streaks while they were on vacation. Hoxhunt's Vacation Mode quickly became one of the most appreciated features because it allowed employees to pause their training without sacrificing the progress they had worked to earn.
"People get upset when they lose their streak. They love seeing where they rank and earning stars. Having people unhappy that they weren’t getting enough security training was a first for me, I can assure you. When we introduced Vacation Mode, employees loved it because they weren't going to lose their streak anymore."
For Missy, that's one of the clearest signs the program is working. Employees aren't participating because they're required to—they're participating because they genuinely care.
For many organizations, Cybersecurity Awareness Month is another communications campaign. For DocuSign, it's the biggest engagement opportunity of the year.
Missy Bentzen uses October to introduce creative challenges that encourage employees to actively participate rather than passively consume content. Programs like Craft-a-Phish, also known as Phish a Friend (where employees have the tools to make phishing messages and send them to colleagues), bring cybersecurity to life during October. Weekly learning modules and other themed competitions keep employees learning while earning stars, climbing leaderboards, and competing with colleagues.
The campaign builds on the engagement already established throughout the year instead of trying to create excitement from scratch.
Rather than treating Cyber Awareness Month as four weeks of mandatory education, DocuSign turns it into a company-wide celebration of security culture.
Missy believes phishing click rates still matter, but they shouldn't define program success alone.
Increasingly, leadership is shifting its attention toward resilience ratio: a behavior-based metric that shows how effectively employees recognize threats, report suspicious activity, and collectively interrupt attacks before they become incidents.
As a dashboard metric it’s simple: divide your simulated phishing reporting rate by your failure rate. Docusign’s, according to Missy, is astronomically higher than those of her colleagues, who usually have reporting rates between 10% and 20%, and failure rates in excess of 10%. That would yield a resilience ratio of 1 to 2.
Docusign scores close to 40, with reporting rates over 60% of the company and failure rates below 2%.
Behavioral trends, reporting activity, engagement, and risk reduction provide a much richer picture of organizational readiness than click rates alone.
"I'm actually trying to move over to the idea of resilience instead of just click rate. It's really important that we evolve that."
That evolution reflects a broader shift happening across the industry—from measuring compliance to measuring human risk.
Modern attackers don't target everyone the same way. Neither should security awareness.
DocuSign tailors communications and training to employee roles, business functions, and evolving risks. Sales teams, engineers, finance professionals, and customer-facing employees each encounter different attack techniques and therefore require different learning experiences.
The program has expanded well beyond traditional phishing simulations to include smishing, QR-code phishing, mobile threats, and emerging AI-powered attacks.
Training evolves alongside the threat landscape instead of reacting months later.
"We're getting much more focused on persona-based and risk-based training. We're really evolving the program."
One of the most interesting evolutions of DocuSign's program is that its security philosophy no longer ends with employees.
The same reporting mindset used internally is increasingly being extended to customers. In fact, Docusign won a CSO Award for this approach.
By making it easy for customers to report suspicious DocuSign-themed messages, the organization strengthens both threat intelligence and customer trust. The same behaviors that protect employees also help protect the millions of people who rely on DocuSign every day.
This is how internal resilience and trust became a business driver.
DocuSign's program has produced measurable improvements in both security outcomes and employee engagement.
Phishing failure rates dropped by 82%, from approximately 10% to 1.8%, while threat reporting approximately doubled. Completion consistently exceeds 95%, and employees now actively encourage one another to report suspicious messages rather than waiting for direction from the security team.
The program has expanded from traditional phishing simulations into smishing, QR-code phishing, and customer threat reporting, while leadership increasingly measures resilience instead of click rates as the primary indicator of success.
For Missy, however, one result stands above all the others.
"We've dropped down to the lowest click rate I've ever seen—or even heard of personally. We're below 2% on average, and that's beyond anything I've seen in my career."