This guide outlines the steps to implement Security Awareness Training (SAT) in your organization, which will provide personalized, relevant, and adaptive security awareness training for human risk management. By integrating comprehensive security awareness training (world's largest content library in 35+ languages), AI-native defense agents, and real-time security coaching, SAT creates a human defense layer and empowers your users through behavior change.
Step 1: Add Your Users
To begin, add your users to your KSAT console to send them simulated phishing emails and enroll them in training campaigns. If your organization uses multiple email domains, you must first add those domains to your KSAT console before adding users. For detailed instructions, refer to our Add and Verify Domains article.
User Provisioning Method
The preferred method for syncing users to your KSAT console and maintaining your user list over time is user provisioning. You can utilize Google User Provisioning (GUP), Active Directory Integration (ADI), or SCIM to provision users automatically. For detailed instructions, refer to our Google User Provisioning (GUP) Guide, Active Directory Integration (ADI) Configuration Guide, or SCIM Configuration Guide.
CSV Import
This method is useful for importing a larger number of users and for including other user data such as names, phone numbers, group memberships, and more. To learn more, see our Import Users with a CSV File article.
Step 2: SSO Authentication
KnowBe4 supports SAML 2.0, enabling users to log in to KnowBe4 through your organization's single sign-on (SSO) provider. Utilizing SSO eliminates the need for users to set up or use a separate password.
For detailed instructions on enabling SAML in your account settings and completing the setup with your SSO provider, refer to our Set Up SAML Single Sign-on (SSO) for the Security Awareness Training Console article.
Step 3: Baseline Phishing
Before starting your security awareness training program, it is highly recommended that you send a baseline phishing test to all users. This test will serve as a starting point for establishing initial metrics.
To learn more about our recommendations for the baseline phishing process, see the subsections below or our One Minute Baseline Phishing Campaign For Clicks video.
Preliminary Test Campaign
Before you create a baseline phishing campaign for your users, we recommend running at least one test campaign that is limited to a small group of users, such as your IT team. For more information on creating groups, see our Users and Groups Management Guide.
The purpose of this preliminary test campaign is to confirm that you have whitelisted KnowBe4's mail servers correctly and that the simulated phishing emails pass through your spam filters and firewall protection.
This preliminary campaign will also ensure that clicks and other phishing test failures are tracked in your account. Click the simulated phishing link in your test email to ensure that failures are being tracked in your account. To learn more, see our Create and Manage Phishing Campaigns article or our Monitor and Review Phishing Campaigns article.
Establishing a Baseline
After you have confirmed that your preliminary phishing test campaign was successful, create a baseline phishing test campaign for all of your users. This test shows your organization’s initial Phish-prone Percentage, which serves as your starting point: use it to measure the success of your security awareness training plan going forward.
To learn about our recommendations for setting up your baseline phishing campaign, please see our Best Practices Guide: Set Up a Baseline Test or our Baseline Test Template Recommendations article.
Send a Baseline Test to Your IT Team
Another option you may want to consider is to send two baseline phishing tests: one to your IT or help desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your IT or help desk employees will be aware of the situation, and they will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively and that your baseline test will reach everyone’s inbox.
Step 4: Configure AIDA Orchestration
Enable AIDA Orchestration in your KSAT console to automate phishing simulations and training campaigns. AIDA Orchestration streamlines your security awareness program by intelligently managing phishing delivery and remedial training without requiring manual campaign setup. For more information, see our AIDA Orchestration Guide and AIDA Orchestration Technical Overview article.
Step 5: Train Users
For your initial security awareness training campaign, we recommend enrolling all your users in the 45-minute KnowBe4 Security Awareness Training or another comprehensive course. To learn about the training content available to you, see our ModStore and Library Guide.
To learn about our recommendations for setting up your first training campaign, see our Best Practices Guide: Create Your First Training Campaign.
ModStore - Content Selection for Initial Training Campaign
Browse the ModStore to select appropriate content for your initial training campaign; our ModStore and Library Guide describes the content available to you.
Create Training Campaign
To create a training campaign, access your KnowBe4 console and select the Training tab. Next, select the + Create Training Campaign button located in the upper-right section of the page. After selecting this button, the Create New Training Campaign page will appear.
Enable AIDA Knowledge Refreshers
When creating your training campaign, enable AIDA Knowledge Refreshers to automate parts of your security awareness training. Knowledge refreshers are available for video modules and deliver bite-sized quizzes that help users review and reinforce key concepts from their recent training. For more information, see our Get Started with AIDA article.
Step 6: Ongoing Phishing Campaigns
Conducting ongoing phishing campaigns is essential to helping your organization manage the problem of phishing and social engineering.
Automate Phishing Campaigns with AIDA Orchestration
Enable AIDA Orchestration in your KSAT console for streamlined phishing management. We recommend this method to automate the creation and delivery of your ongoing phishing simulations. For more information, see our AIDA Orchestration Guide and AIDA Orchestration Technical Overview article.
Manual Ongoing Phishing Campaigns
If you want to create and manage your phishing campaigns manually, we recommend sending a phishing test to all your users on at least a monthly basis. You can do this by creating a monthly phishing campaign using the following criteria:
- Include multiple email categories and different types of phishing tests.
- Spread emails out over a longer duration, such as one week. That way, users will not know when they will receive a phishing test.
- Add the users who fail the phishing test to a remedial training group.
In addition to your monthly phishing tests for all users, we recommend that you set up additional tests for your high-risk departments or employees who are more vulnerable to phishing attacks.
To learn how to determine which of your departments or employees are the highest risk to your organization, see our SmartRisk™ Engine and Risk Score Guide.
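The bookkeeping behind the manual monthly campaign described above, as an added example that is not KnowBe4 code: it computes the Phish-prone Percentage for a baseline and a follow-up campaign, builds the remedial training group from the users who failed (the group Step 7 asks you to create), ranks departments by failure rate as a simple stand-in for deciding where extra tests go, and spreads one send per user across a one-week window while rotating template categories. The roster, the per-user outcomes, the outcome names and the definition of Phish-prone Percentage as failures divided by recipients are all assumptions constructed for this example.

```python
"""Added example (not KnowBe4 code): metrics and follow-up bookkeeping for a
manually run monthly simulated-phishing campaign, using constructed data."""
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: hypothetical users mapped to their department.
ROSTER = {
    "alice@example.com": "Finance",
    "bob@example.com": "Finance",
    "carol@example.com": "IT",
    "dave@example.com": "Sales",
    "erin@example.com": "Sales",
    "frank@example.com": "Sales",
}

# Constructed per-user outcomes for two campaigns. The outcome vocabulary is an
# assumption: "reported" is the desired behaviour, "delivered" means no action,
# and FAILURE_OUTCOMES are the actions counted as a phishing test failure.
BASELINE = {
    "alice@example.com": "clicked",
    "bob@example.com": "delivered",
    "carol@example.com": "reported",
    "dave@example.com": "entered_data",
    "erin@example.com": "clicked",
    "frank@example.com": "delivered",
}
FOLLOW_UP = {
    "alice@example.com": "reported",
    "bob@example.com": "delivered",
    "carol@example.com": "reported",
    "dave@example.com": "clicked",
    "erin@example.com": "delivered",
    "frank@example.com": "delivered",
}
FAILURE_OUTCOMES = {"clicked", "entered_data", "opened_attachment"}

# Constructed campaign settings: hypothetical template categories and a start time.
CATEGORIES = ["credential_harvest", "attachment", "link"]
CAMPAIGN_START = datetime(2024, 6, 3, 8, 0)


def failed_users(results):
    """Users whose outcome counts as a failure; this set is the remedial
    training group for the campaign."""
    return {user for user, outcome in results.items() if outcome in FAILURE_OUTCOMES}


def phish_prone_percentage(results):
    """Assumed definition: failures as a percentage of users who received the
    test, rounded to one decimal. An empty campaign yields 0.0 instead of a
    division error."""
    if not results:
        return 0.0
    return round(100.0 * len(failed_users(results)) / len(results), 1)


def department_failure_rates(results, roster):
    """Failure rate per department, highest first, to pick which departments
    receive the additional tests recommended for high-risk groups."""
    counts = defaultdict(lambda: [0, 0])  # department -> [failures, recipients]
    for user, outcome in results.items():
        dept = roster.get(user, "Unknown")
        counts[dept][1] += 1
        if outcome in FAILURE_OUTCOMES:
            counts[dept][0] += 1
    rates = {d: round(100.0 * f / n, 1) for d, (f, n) in counts.items()}
    return sorted(rates.items(), key=lambda item: (-item[1], item[0]))


def repeat_failers(*campaigns):
    """Users who failed every listed campaign: candidates for extra testing."""
    groups = [failed_users(c) for c in campaigns]
    return set.intersection(*groups) if groups else set()


def schedule_campaign(users, categories, start, days=7, seed=0):
    """Spread one send per user across a window of `days` days at a random time
    and rotate through the template categories so each one is used.
    Returns (user, send_time, category) tuples ordered by send time."""
    rng = random.Random(seed)
    order = list(users)
    rng.shuffle(order)
    window_seconds = days * 24 * 3600
    plan = []
    for i, user in enumerate(order):
        offset = timedelta(seconds=rng.randrange(window_seconds))
        plan.append((user, start + offset, categories[i % len(categories)]))
    return sorted(plan, key=lambda item: item[1])


if __name__ == "__main__":
    print("Baseline Phish-prone Percentage:", phish_prone_percentage(BASELINE))
    print("Follow-up Phish-prone Percentage:", phish_prone_percentage(FOLLOW_UP))
    print("Remedial training group after baseline:", sorted(failed_users(BASELINE)))
    print("Departments by failure rate:", department_failure_rates(BASELINE, ROSTER))
    print("Failed both campaigns:", sorted(repeat_failers(BASELINE, FOLLOW_UP)))
    for user, when, category in schedule_campaign(ROSTER, CATEGORIES, CAMPAIGN_START):
        print(when.isoformat(timespec="minutes"), category, user)
```

Comparing the two percentages is the "measure success going forward" step from Step 3; the remedial group is regenerated after every campaign, and users who fail repeatedly are the natural first members of the high-risk group that gets additional tests.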
To learn more about creating and customizing phishing campaigns, see the following articles:
- Create and Manage Phishing Campaigns
- Create and Edit Email Templates and Landing Pages
- Placeholders Guide
- Use Cases for Placeholders
Step 7: Remedial and Ongoing Training
Automate Remedial and Ongoing Training with AIDA Orchestration
Enable AIDA Orchestration in your KSAT console for optimal campaign management. We recommend this method because it automates both your remedial and ongoing training campaigns. For more information, see our AIDA Orchestration Guide and AIDA Orchestration Technical Overview article.
Note: If you don't want to enable AIDA Orchestration, you can still manually set up our AIDA Remedial Training agent. For detailed configuration steps and management instructions, see our AIDA Automated Training Guide. For a comprehensive walkthrough of AIDA Automated Remedial Training features, refer to our AIDA Automated Training video.
Manually Configure Remedial and Ongoing Training
Below you’ll find our minimum recommendations to manually configure remedial and ongoing security awareness training for any organization:
- Create a remedial training group and a remedial training campaign. To learn more about remedial training, see our Create a Remedial Training Campaign article or our Remedial Training Campaigns video.
- Train specific groups or employees with role-based training and other specialty courses. We recommend browsing the ModStore to find the courses you need. To learn more, see our ModStore and Library Guide.
- Set up a Security Hints and Tips message to send to your users' Learner Experience (LX). To learn more, see our Security Hints and Tips Overview article.
- To keep your users aware and ready to defend against the latest phishing and social engineering scams, set up a Scam of the Week message to send to your users' Learner Experience (LX). To learn more, see our Scam of the Week Message Overview article.