How much does phishing simulation training cost per employee?

List pricing across the major platforms ranges $0.50 to $3.25 per user per month. Volume discounts kick in above 1,000 users. Annual all-in cost typically lands around $25 to $40 per user including platform, content, and a quarterly campaign.

What is the ROI of security awareness training?

Proofpoint cites 40x ROI for $1 spent on phishing simulation. IBM 2025 reports a $2.5M average reduction in breach cost for organisations running monthly campaigns. SANS data shows click rate falls from ~30% to under 5% within 12 months of consistent simulation.

Is MFA enough on its own?

MFA blocks 99.9% of credential-stuffing automation per Microsoft. SMS-based MFA is bypassable via prompt-bombing or SIM-swap. Phishing-resistant MFA (FIDO2 / passkeys) is the current target standard.

What is the most cost-effective phishing control?

Phishing-resistant MFA leads on cost-per-prevented-incident, followed by DMARC enforcement and monthly simulated phishing. Email security gateways are necessary but not sufficient on their own.

Filing 05.00.00Field 27 APR 2026Classification PublicStatus Open

Mitigation Cost & ROI

Vendor-neutral pricing for phishing controls. Per-user, per-month figures from public list price and analyst pricing surveys. Effectiveness claims sourced to primary research, not vendor marketing.

Exhibit A

"$1 spent, $40 saved" requires the $1 actually be spent on the right thing

ROI MEMO

40x

Reported ROI per dollar of phishing simulation spend

[Proofpoint State of the Phish 2025]

$2.5M

Average breach cost reduction with employee training in place

[IBM 2025]

<5%

Resulting click rate after 12 months of monthly simulation, from a ~30% baseline

[SANS Institute]

The 40x figure is well-cited but assumes a particular spend mix. Buying more email-gateway licences gets you very little additional reduction past a baseline. Buying a behaviour-change platform with monthly simulation, role-based content, and reporter telemetry returns the published ROI. Treat the multiplier as the upper bound of a layered, sustained programme, not a guaranteed outcome of an annual click-through training module.

Exhibit B

Security awareness platforms (price card)

VENDOR-NEUTRAL

Vendor	List price band	Floor / sizing	Focus
KnowBe4	$1.30 to $3.25 / user / month	Volume floor 50 users	Largest content library; gamified
Proofpoint Security Awareness	$1.00 to $2.00 / user / month	Bundled with email security	Tightly integrated with Proofpoint email defence
Cofense PhishMe	$1.50 to $3.00 / user / month	Reporter add-on quoted	PhishMe Reporter button + intel feed
Hoxhunt	$3.00 to $5.00 / user / month	100-user floor	Continuous adaptive training (per-user difficulty)
Arctic Wolf Managed Awareness	Bundled with MDR retainer	Managed-service model	Quarterly content, MDR alignment
Mimecast Awareness Training	$1.00 to $2.00 / user / month	Bundled with email security	Risk score per-user, integrated with email gateway

Pricing bands compiled from public list price, RFP responses, and Gartner pricing notes 2024 to 2026. Negotiated pricing typically lands 20 to 35 percent below list at scale. We treat all of these as categories, not endorsements.[Gartner pricing notes, vendor public RFP responses]

Exhibit C

Phishing controls and cost-per-prevented-incident

LAYERED

Code	Control	Indicative cost	Effect
C-01	Phishing-resistant MFA (FIDO2 / passkeys)	$3 to $8 / user / month	99.9% of credential-stuffing blocked, plus prompt-bomb resistance [Microsoft, CISA guidance]
C-02	Security awareness training + simulated phish	$25 to $40 / user / year	Click rate ~30% → <5% in 12 months [SANS, Proofpoint State of the Phish 2025]
C-03	DMARC enforcement (p=reject)	$100 to $500 / month for monitoring	Domain-spoofing eliminated for compliant receivers [M3AAWG, dmarc.org]
C-04	Email security gateway	$12 to $25 / user / year	70 to 90% of bulk phishing filtered [Gartner Magic Quadrant 2025]
C-05	AI-augmented email defence (ICES)	$3 to $7 / user / month	Catches AI-generated lures missed by signature filtering [Forrester 2025]
C-06	Helpdesk identity verification	Process change, ~$0	Closes the MGM/Caesars vishing path [Internal control]
C-07	Out-of-band wire approval (callback to known number)	Process change, ~$0	Cuts BEC-driven wire-fraud loss; FBI IC3 recommendation [FBI IC3]

Exhibit D

The defensive sequence we recommend

ORDER OF OPS

Phishing-resistant MFA across staff and admin accounts. Highest dollar-for-dollar return.
DMARC at p=reject for every owned domain. Closes BEC vendor-impersonation against compliant receivers.
Out-of-band wire approval and helpdesk identity verification. Process changes, near-zero cost.
Monthly simulated phishing campaigns with role-tuned content and a reporter button.
Email gateway with attachment sandboxing. Necessary but not sufficient.
AI-augmented email defence (ICES) once the above are in place and tuned.
Tabletop exercises against the BEC and vishing scenarios. Quarterly cadence.

The order matters. Buying ICES before MFA is a commonly-observed overspend in the industry. Most successful phishing incidents in our case files would have failed at step 1.

Exhibit E

Mitigation Cost & ROI

"$1 spent, $40 saved" requires the $1 actually be spent on the right thing

Security awareness platforms (price card)

Phishing controls and cost-per-prevented-incident

The defensive sequence we recommend

Cross references