
Fighting AI powered social engineering: How SoSafe is evolving to prevent today’s biggest Human Risk
This year, four in five organisations reported facing phishing campaigns written by AI. That is a forty four percentage point jump from 2024. At the same time, nearly one in three organisations has encountered AI voice cloning of executives or partners, and one in four has seen deepfake videos used to make fraudulent requests look more credible. Combined with the fact that seventy four percent of breaches still involve the human element, the conclusion is clear: AI is now the default engine behind social engineering.
At HuFiCon 2025, our Co-Founder and CEO Dr Niklas Hellemann shared the full story behind these numbers and what they mean for defenders. You can watch his keynote here: HuFiCon Keynote by Niklas
Right after that, our product team took the stage to show how we are evolving SoSafe to help you move from static awareness to adaptive human resilience. If you want to see the features in action, we recommend watching the Product Keynote.
In this blog, we want to walk you through the core innovations we presented there, why we built them, and what they mean for you as a SoSafe customer or future customer.
We are organizing this around three questions we hear most often from security and awareness leaders:
- How do we keep training aligned with real attacks when threats change every week?
- How do we reach our people in ways that actually change behaviour?
- How do we prove to the business that awareness is moving the risk needle?
Below is how the new and upcoming capabilities answer those questions.
Turn Real Attacks Into Training In Minutes, Not Months
Recreate Attack
Many teams told us the same story this year: employees are targeted daily by sophisticated, often AI powered phishing, but training still runs on generic, year old templates from a static library. The gap between real threats and simulations keeps growing.
Recreate Attack is built to close that gap.
Instead of starting from a blank canvas, you can now:
- Take a screenshot of a real phishing email
- Upload it in the SoSafe dashboard via Template Studio
- Let our AI reconstruct a safe, editable simulation template for you
The system parses the content and rebuilds the email structure for you: subject, sender, body, layout. It even assigns a difficulty level, so you can quickly pick the right audience or campaign.
From there, you stay in control. You can:
- Edit text, change the subject line, or swap images
- Localise it with automatic translations for your global teams
- Preview the result so you are confident it is realistic but safe
What used to take hours of manual work drops to minutes. The result is training that mirrors what people actually see in their inboxes, including AI written attacks.
Recreate Attack moves into beta this quarter.
Threat Inbox
Recreate Attack solves the simulation speed problem. Threat Inbox tackles a different but related issue: volume and noise.
In many organisations, a small security team is outnumbered by employees and the flood of reported emails. Every report is important, but not every report is actually malicious. Sorting the needle from the haystack is slow and draining, and there is a risk that genuine threats get overlooked.
Threat Inbox gives you a central, structured workspace for all reported emails:
- All employee reports land in one dedicated view in the SoSafe dashboard
- You can filter by attributes such as incident flags, presence of links or attachments
- You can inspect full content, sender details, links, attachments, and headers in a safe environment
Once you have investigated an email, you classify it and send feedback back to the reporting employee. That instant feedback loop is important. It thanks them for protecting the organization and reinforces the behaviour you want: report when in doubt.
The crucial step comes after classification. SoSafe takes those confirmed malicious emails, detonates and anonymizes them, then adapts and tokenizes the content to generate safe simulation templates. These will soon appear in a dedicated “Threat Inbox generated” folder in your template library (date to be announced).
In other words, every real attack that hits your workforce can become a learning opportunity for everyone else, not just the one person who reported it.
Threat Inbox is in beta now.
Move From Policy Ticking To Real Understanding
Policy Management
Policies are the backbone of security and compliance, but managing them often means chasing acknowledgements across spreadsheets and tools. Messages get buried. Audits become stressful. And for many employees, policy communication is something to click through, not something to remember.
Policy Management in SoSafe is designed to make this easier and more effective for you.
With Policy Management you can:
- Send policy updates directly to employees where they work, for example in Microsoft Teams or Slack
- Target specific user groups, such as remote workers or certain departments
- Use built in translation support so each person receives policies in their preferred language
- Track acknowledgements centrally in the SoSafe dashboard and export audit ready reports with a few clicks
Employees receive a simple two step process: read the policy, then acknowledge it. You see the acknowledgement rate rising in real time and can download a line by line breakdown when auditors ask for evidence.
Policy Management has been live since the summer and is available to customers today.
Policy to Lesson
Acknowledgement is only half the battle. According to our customer research, the average policy is around ten pages, and organisations can easily have twenty or thirty of them. Expecting employees to remember all details weeks or months later is unrealistic.
Policy to Lesson is our answer to the knowledge retention problem. It will be released in January 2026.
Here is what it does:
- You upload a policy document, such as a work from home or acceptable use policy, into the SoSafe platform
- AI analyses the content and generates a five minute interactive lesson, similar to the SoSafe learning lessons your users already know
- You choose the tone that matches your culture, for example more formal or more friendly
- You select relevant languages and see versions generated for each
- You can make edits, then either plug the lesson into your existing learning paths or export it as a SCORM package for your LMS
This takes policy content from static and overwhelming to short, targeted and engaging. It lets you keep compliance training aligned with how people actually learn and retain information.
Reach Learners Anywhere And Prepare For New Formats
Learn Anywhere

Our users are more diverse than ever: global teams, different roles, different devices, different learning preferences. To keep up, we invested in the largest rebuild of our content architecture so far and rolled out a refreshed Learn Anywhere experience.
This includes:
- A fully responsive lesson design that works on desktop and mobile
- New interaction patterns and animations that make learning feel more modern and interactive
- A catalogue of e learning lessons available in thirty two languages
Thousands of learners have already gone through the new Learn Anywhere experiences as part of the beta, with very strong feedback and over ninety five percent positive NPS.
This rebuild was not only about visual refresh. Under the hood, it lays the foundation for more dynamic, adaptive content in the future, including shorter formats like micro learning and more conversational experiences where training can happen directly in tools such as Slack or Teams.
For you as a customer, this means you can reach desk workers, frontline staff, and remote employees with the same content quality, wherever they are.
Learn Anywhere is available today – ask your customer success representative.
Turn Awareness Data Into A Story Your Board Understands
Simulation Analytics Dashboard
If awareness is strategic, it needs strategic metrics. Boards and leadership want to know if the organization is actually getting safer. Many awareness leaders still struggle to turn campaign level statistics into a clear, credible narrative.
The new Simulation Analytics Dashboard, coming in Q1 2026, is built to give you that narrative in one place.
You can spot which teams are improving, which are struggling, and where targeted reinforcement is needed. If a particular group’s click rate spikes, you can drill down into exactly which simulations caused it and adjust your programme accordingly.
The goal is to equip you with a clear, visual story: where you started, what changed, and where to invest next.
Connect Risk Signals Across Your Security Stack
Risk Signals Integrations with CrowdStrike, Microsoft Defender and Okta

Traditional awareness metrics tell you who clicks on simulations or reports suspicious messages. That is important, but by itself it is not enough to manage human risk.
You also need to understand how that behaviour connects to what is happening in your broader security environment: sign in patterns, device health, malicious link detections and more.
Our Risk Signals Integrations bring these views together by connecting SoSafe with tools such as:
- Okta, to surface risky sign ins or account issues
- Microsoft Defender, to see who has clicked on malicious links detected by your protection stack
- CrowdStrike, to identify compromised or at risk devices
When you combine awareness data with these and many more operational signals available via these integrations, you can move from isolated training metrics to a more complete picture of human risk. It becomes easier to answer questions like:
- Which users combine risky behaviour in simulations with risky real world activity?
- Where do we need targeted interventions, not just more generic awareness content?
This is a core step toward treating human risk as a measurable security domain, not a side programme.
The integrations are available today to the customers who are users of our Human Risk OS solution.
Prepare For Multi Channel AI Attacks With Future Multi Chain Simulations
Multi Chain Attack Orchestrator (Coming in 2026)
Attackers no longer rely on a single email. A modern social engineering campaign might start with an email, jump to SMS, continue in a messaging app and end in a phone call, all within a few days. Each step reinforces the previous one until the whole story feels believable.
Today, most awareness programmes still train people to spot one off phishing emails. The upcoming Multi Chain Attack Orchestrator is our vision for closing that gap.
The orchestrator is designed to:
- Let you choose from prebuilt, realistic multi step attack scenarios
- Chain multiple channels such as email, messaging, text and voice across a defined time window
- Use events, delays and conditions to mirror how real attacks unfold
- Give you a visual flow builder that feels similar to modern workflow tools, so you can tweak steps, timing and content
- Allow AI assisted creation of entirely new multi chain campaigns based on your description, such as an invoice fraud scenario targeting finance
Before you deploy, you can simulate the attack from the employee’s perspective, fast forwarding through the entire chain to see how it feels. This builds confidence that what you are testing reflects real world patterns.
Multi Chain Attack Orchestrator is planned for 2026. We will develop it together with customers through a dedicated founders circle. If you are interested in joining it, contact your customer success manager for an introduction to our Product Managers.
What This Means For You As A SoSafe Customer
Taken together, these innovations are designed to help you:
- Align training with real, current attacks using Recreate Attack and Threat Inbox
- Turn policies from checkboxes into behaviour through Policy Management and Policy to Lesson
- Reach every learner, on any device, in their language through Learn Anywhere
- Tell a clear, data backed story about progress with the Simulation Analytics Dashboard
- Connect awareness with real world security signals via Risk Signals Integrations
- Prepare for the next wave of AI powered, multi channel attacks with the upcoming Multi Chain Attack Orchestrator
We see this as a shift from compliance based awareness to adaptive human resilience. The results we are already seeing with early adopters are promising, including strong reductions in interactions with simulated threats and growing reporting cultures.
If you are already a SoSafe customer, this is a good moment to review your current package and see which of these capabilities are available to you today and which will be most valuable to add.
We are building this evolution of human risk management together with you and our community of more than six thousand organisations. The attackers have AI. With the right tools and the right network, defenders can move just as fast.











