12 July 2026 • Phishing
For most companies, phishing is one of the most common ways attackers get in, and since NIS2 many organizations are required to demonstrably train their employees. A phishing simulation is the most concrete way to do that: you use realistic but harmless phishing emails to test how your people respond, before a real attacker does.
The real question is how you organize it. You can bring in a partner that takes phishing tests completely off your hands, or choose a solution your own organization runs. In this article we cover both routes, including the three types of companies that can help you and the criteria for choosing between them.
What does a phishing simulation company do?
A phishing simulation company sends controlled, fake phishing emails to your employees. The messages look like the real thing, with urgent subject lines, spoofed senders and links to imitation login pages, but nothing happens when someone falls for them. Instead, the results are measured: who opened the email, who clicked, who entered credentials.
Those results show where your organization is vulnerable and, more importantly, form the starting point for training. A simulation without follow-up is just a snapshot. The real value comes when employees who clicked receive targeted awareness training, and when the test is repeated regularly so you can see whether behavior actually improves.
There is a formal side too. If your organization falls under NIS2, recurring simulations combined with training are among the most concrete ways to demonstrate that your awareness program actually exists, rather than only on paper.
Three types of companies that offer phishing simulations
The market roughly divides into three types of providers. They overlap in what they deliver, but differ in how much they take off your hands and how much control you keep yourself.
1. Security consultants
Consultants guide organizations toward better information security as a whole. A phishing simulation is then part of a broader program: a baseline measurement, awareness campaigns, policy, and often preparation for certifications such as ISO 27001 or NIS2 compliance. A firm like Fendix works this way, supporting organizations across the full breadth of information security and phishing protection.
This route fits organizations that have little security expertise in-house, or that are going through a compliance or certification process and want expert guidance from start to finish.
2. IT partners and managed service providers
Many companies already have a trusted IT partner that manages their workplaces, network and Microsoft 365 environment. A growing number of these partners offer phishing simulations as part of their services, usually on top of a security awareness platform. Promo Systems is an example of an IT partner that combines day-to-day IT management with security services.
The advantage is a single point of contact that already knows your IT environment. The simulation, the follow-up and the technical measures around it, such as email filtering and multi-factor authentication, then come from one hand.
3. Security awareness platforms
The third route is a platform you use yourself, or together with your IT partner. With Guardey you set up a realistic phishing simulation in minutes, see exactly who clicks, and combine the test with gamified security awareness training that keeps employees engaged week after week.
This fits organizations that want to test continuously instead of once a year, and that want to keep control over timing, templates and follow-up. It is also the route with the lowest barrier to entry: no project, no lead time, just start.
Curious who would click in your organization?
Set up a realistic phishing simulation in minutes and watch the results come in live. No payment details required.
Try Guardey free for 14 daysOutsourcing your phishing simulation or doing it yourself?
Outsourcing your phishing simulation entirely, with a one-off test by an external party, gives you a baseline. But phishing resilience is behavior, and behavior only changes through repetition. That is why the frequency question matters more than the party question. Whichever route you choose, make sure simulations recur throughout the year and are linked to training.
In practice, many organizations end up with a hybrid model: a platform for continuous simulations and training, with a consultant or IT partner alongside for policy, technology and the bigger security picture. The three types of companies above are not competitors of each other so much as complementary.
How to choose a phishing simulation company
Whichever type of provider you talk to, these are the criteria that separate a good phishing simulation from a box-ticking exercise:
- Realistic templates in your language. A translated American template stands out immediately. Simulations need to reflect the emails your people actually receive, in Dutch, from senders they recognize.
- Reporting at team level, not naming and shaming. The goal is learning, not punishing. Good providers report at organization and department level and treat individual results with care.
- Training linked to the test. An employee who clicks should get an immediate, short learning moment. Without that link, a simulation measures but does not improve anything.
- Frequency. Can you easily run simulations multiple times a year, with variation, or is every test a new project?
- Privacy and works council. Simulations involve employee data. Check how the provider handles GDPR and involve your works council before you start.
- Compliance reporting. If NIS2 or ISO 27001 applies to you, you want to be able to demonstrate that awareness training takes place. Ask how the provider supports that evidence.
Phishing simulation as part of what cyber security companies offer
Phishing simulations rarely stand alone. Cyber security companies typically offer them as part of a broader package that also covers penetration testing, security monitoring and incident response. If your organization needs more than awareness, for example because you handle sensitive data or fall under NIS2 as an essential entity, it makes sense to look at that broader picture.
The reverse also holds: if the human side is your weakest link, you do not need to buy the full package of a cyber security company to get started. A focused phishing simulation with connected training addresses the attack route criminals use most, at a fraction of the effort.
Frequently asked questions
How often should you run a phishing simulation?
More often than once a year. A single test measures a moment; recurring simulations, spread across the year with varying scenarios, actually change behavior and show you whether click rates go down.
Is a phishing simulation allowed under the GDPR?
Yes, provided you handle it carefully. Inform employees in general terms that simulations are part of your security policy, involve the works council, and report on results at group level rather than exposing individuals.
What happens after someone clicks?
Nothing harmful. In a good setup, the employee lands on a short explanation or training moment right away. The click becomes a learning opportunity instead of an incident.
Whether you end up working with a consultant, your IT partner or a platform, the first step is the same: find out where you stand today. Want to compare providers first? See our overview of the best phishing simulation software tools.
Not sure which route fits your organization?
In a 45-minute demo we'll show you how Guardey combines phishing simulations with training, and give you honest advice on the approach that fits your organization.
Schedule a personal demo