Automation Workflow for Real-Time Phishing Simulation Based on Active Network Threats

Manual scenario authoring—researching threats, drafting lures, building landing pages—typically takes security teams 2-3 days per campaign. This workflow automates ingestion of IOCs from NDR/EDR tools, maps them to scenario templates, and generates complete, contextual campaigns in under 10 minutes. The operational savings free analysts for higher-value threat hunting and response activities.

Traditional quarterly phishing tests create a 60-90 day lag between emerging threat TTPs and workforce training. By triggering simulations directly from internal threat detection alerts, this workflow delivers just-in-time training within hours of an IOC being observed. This transforms security awareness from a periodic compliance exercise into an active, contextual layer of defense, directly reinforcing incident response procedures.

Generic phishing tests often suffer from low engagement and fail to measure true susceptibility. Simulations generated from actual internal network activity (e.g., a detected malware callback domain) are inherently more credible. This relevance leads to more meaningful interaction data, providing a truer benchmark of workforce risk and enabling more precise targeting of high-risk employee cohorts for additional training.

Linking simulation failures directly to precursor threat events creates a defensible model for quantifying risk reduction. By correlating a drop in click-rates for specific threat types with the frequency of those IOCs, security leaders can model reduced breach likelihood and potential financial impact. This data-driven ROI is critical for securing ongoing budget and demonstrating program value to the board and cyber insurers.

Implementation involves an event-driven orchestration layer (e.g., LangGraph) that listens to SIEM/NDR webhooks. Upon receiving a threat alert, agents classify the IOC, select a pre-approved scenario template, and generate localized content. The workflow includes mandatory approval gates for new threat categories, integrates with platforms like KnowBe4 or Cofense via API, and logs all actions for audit. Crucially, it operates within a sandboxed environment to prevent accidental exposure of real threats.

A production-grade build requires robust controls: dynamic allow-listing to ensure training emails bypass secure email gateways, privacy-preserving targeting that uses role-based logic instead of PII, and exception routing for scenarios requiring legal or comms review. Monitoring dashboards track pipeline health, campaign performance, and system-generated audit trails ensure compliance with internal policies and frameworks like NIST CSF.

This foundational agent subscribes to NDR/EDR/SIEM event streams (e.g., CrowdStrike, SentinelOne, Splunk) via API. It filters for high-fidelity IOCs (new malware hashes, suspicious domains, anomalous internal beaconing) and maps them to a library of phishing scenario templates (e.g., 'fake software update' for a malware alert, 'urgent credential reset' for a suspicious login). The mapping logic uses a vector database of threat TTPs to ensure training relevance, automating the manual analysis that typically delays scenario creation by days.

Upon receiving a mapped IOC, this multi-agent component generates the full phishing simulation. A narrative agent drafts the email body and subject using the threat context and targeted department's jargon. A personalization agent safely enriches the scenario using role-based data from HR systems (e.g., job title, department) without using PII. A landing page agent generates a convincing fake login or download page, mimicking the infrastructure implied by the IOC. This replaces manual copywriting, design, and setup, which can consume 4-8 hours per campaign.

This is the stateful workflow core, built on a framework like LangGraph. It manages the entire simulation lifecycle: it receives the generated assets, schedules deployment based on predefined rules (avoiding weekends, major outages), obtains automated approval from a security lead via a Slack/MS Teams webhook, and then executes the launch via API to the email security awareness platform (e.g., KnowBe4, Proofpoint Security Awareness). It handles conditional branching—if the threat is critical, it can fast-track deployment; if it's a drill, it can add monitoring tags.

As employees interact with the simulation (click, report, enter data on fake page), this agent ingests telemetry from the awareness platform and email gateway. It performs immediate triage: for a click, it triggers an instant, LLM-generated micro-training module explaining the lure. For a report, it sends positive reinforcement. All data is logged to a security data lake. This closes the training loop in minutes instead of days, converting failure into a learning moment and providing granular behavioral data for risk scoring.

A critical governance agent that operates in parallel, documenting every automated decision. It logs the source IOC, the mapping rationale, the generated content, approval status, launch time, and results. It assembles this into a defensible audit trail, formatted for frameworks like NIST CSF or ISO 27001, and pushes it to a secure document store (e.g., SharePoint, S3). This automates the manual evidence collection required for internal audits and regulatory demonstrations (e.g., FINRA, GDPR), turning a compliance burden into an automated byproduct.

This analytical agent consumes the aggregated results of threat-responsive campaigns. It calculates department/role-specific click rates, report rates, and time-to-report metrics. It then updates dynamic employee risk profiles in the IAM or security awareness platform, tagging individuals who interacted with a high-fidelity threat simulation as 'elevated risk.' These profiles feed back into the orchestrator to personalize future campaign difficulty or training frequency. This creates a closed-loop system where security telemetry directly informs and optimizes human risk management.