The security awareness community lacks an online home. So we built one.
Today we're launching the Secure Culture Hub, a practitioner-first space for the people who actually run security awareness and human risk programs. Here's why it exists, and what's inside.
There's no shortage of cybersecurity content on the internet. Vendor blogs, webinars, end-user training modules, threat reports: it's everywhere.
But almost none of it is written for the people who actually run security awareness and human risk programs. And virtually all of it pushes you towards products and vendor dogma.
Think about your own week. Where do you go when:
- You need to design a program from scratch?
- Your reporting numbers plateau and you can't work out why?
- You have to walk into a budget meeting and prove your work is reducing risk, not just running?
- You must admit, out loud, "I don’t think my last campaign made any difference", and you need honest advice instead of a pitch?
You can't really say that on LinkedIn. And you definitely can't say it in a room where someone is trying to sell you their solution.
That gap is why we built the Secure Culture Hub. It's live today at secureculture.com.
Practitioner-built, not vendor-built
Let me get the awkward part out of the way first: the Secure Culture Hub is powered by Hoxhunt. I work at Hoxhunt. So yes, a vendor is behind this.
And the whole point is that it doesn't behave like one. This community is built on three core principles that ensure the Secure Culture Hub remains true to its practitioner-first mission.
Our first principle is simple: generous and vendor-neutral by default. We earn trust by teaching the discipline, not by preaching "our product." The content comes from security awareness and culture professionals sharing what they've actually tried — what worked, what didn't, and what they'd do differently. Everyone contributing does the job, so you hear what really happened, not a polished case study with the messy bits removed.
The second principle keeps us honest about quality: everything triangulates behavioral science, data at scale, and field-tested practice. Not opinion dressed up as best practice — the place where research, real numbers, and what actually works in the trenches meet.
And the third is the one I care about most: everything has to be actionable. Every asset includes concrete steps, templates, a toolbox or checklists you can use straight away. If something can't pass that test, it doesn't belong here.

The Academy: the craft, not a syllabus
The heart of the Hub is the Academy, and it's built around what you actually have to get good at — not an abstract curriculum.
We're launching with two courses.
Measuring Effectiveness and Metrics is about proving your program is working, not just running. It walks through building a baseline, choosing indicators that mean something, designing dashboards people actually read, presenting data differently to different audiences, and — the part that changes everything — translating your metrics into the language of risk that leadership understands.
Security Champions is about building a network that lasts. It covers what a champions network really is (and isn't), how to start one without a big formal launch, how to earn the leadership backing that keeps it alive, and how to grow it at a pace that works for you and your organization instead of burning out.
The Academy is also the new home of the Human Risk Management Masterclass, which has already taken hundreds of practitioners through the shift from awareness to behavior change. Each topic is broken into structured modules — videos, written guides, and worked examples — organized around the real craft. And there's a dedicated customer academy on the way too.
A room for practitioners only
The community is for security awareness and human risk practitioners — whether or not you're a Hoxhunt customer — and only them. No vendors. Even Hoxhunt keeps a deliberately tiny footprint inside it.
This is a core principle for us. Why? Because there simply aren't many places where you can be truly open and honest about your own awareness program and challenges. You can't post them on LinkedIn, and you can't be candid in a room where someone wants to sell to you. So we keep the conversation to the people doing the work. Everyone's running a program, everyone's hit the same walls — and that's exactly what makes the conversation worth having.
Resources that keep moving
Alongside the Academy sits a Resource Library that grows as the field shifts: blogs, reports, practical tools, calculators, and frameworks. One resource I'm especially excited about will land soon, but I can't share more about it yet… Just know that we spent months co-creating it with many security awareness practitioners, and that it'll be open-source. Consider this a teaser, and you'll be the first to know if you join www.secureculture.com today!
There's also a threat intelligence corner built for practitioners, not for SOC dashboards. Phish of the Week breaks down a real attack seen in the wild every week — something you can actually take back to your colleagues — and you'll also find work such as our Verizon DBIR 2026 breakdown, written specifically for human risk managers.
Events, in person and online
Last week we ran our first Secure Culture Hub Workshop in London — a full day of practitioners planning their Cybersecurity Awareness Month together, in a room with no stage and nothing to pitch. It went better than I dared hope, and it confirmed something: people are hungry for this kind of honest, peer-to-peer time.


So we're doing more. The next in-person workshop is in Arlington, Virginia, and we'll run virtual events too for the people we can't get in a room. We genuinely want your input on where we go after that — so tell us.
This is just the beginning
A quick note of honesty: right now there are only a handful of voices here. That's by design — it's day one. But this grows with the people who show up.
The Academy and the Resource Library are open without an account. Read everything, for free. Join the community (also free) to talk to the people who actually do this work.
So come introduce yourself. Share something you've tried. Ask the question you can't ask anywhere else. Tell us what you want this to become.
Security awareness work finally has a home. Let's build it together.
👉 secureculture.com


