
Phishing Simulation Campaign Review

Track a phishing simulation campaign from lure type and target groups through click, report, and remediation outcomes. Use it to spot repeat failers, measure awareness program impact, and plan the next campaign.


Built for: Financial Services · Healthcare · SaaS · Education · Manufacturing

Overview

This template documents the outcome of a phishing simulation campaign in a way that supports both security awareness reporting and follow-up action. It captures the campaign identifier, lure type, target population, realism rating, open rate, click rate, report rate, failer count, repeat failers, remedial training, and program-level recommendations.

Use it after any simulation where you need to decide whether the campaign exposed a training gap, a targeting issue, or a broader risk pattern. It is especially useful when the results vary by department, when repeat failers need escalation, or when you want to compare the current campaign against the previous one for the same population. The template also helps you record whether the lure contained obvious red flags that employees missed, which is useful for tuning future simulations and training content.

Do not use this as a generic incident report or as a substitute for live phishing response documentation. It is not meant for real compromise triage, legal case tracking, or a one-line scorecard with no follow-up. If your program only needs a simple pass/fail tally, this template may be more detailed than necessary. It is most valuable when the campaign outcome will influence remedial training, manager escalation, or the design of the next simulation.

Standards & compliance context

  • Anonymity is not usually appropriate for this template because remedial follow-up depends on identifying failers, but access to the review should still be limited to authorized security and HR stakeholders.
  • If the campaign includes employee-level outcomes, document only the minimum necessary information and follow your organization’s privacy and retention rules.
  • If remedial training is assigned through an LMS or HR system, confirm that the assignment and completion records align with internal policy and any applicable labor or monitoring requirements.
  • If the campaign is used for regulated industries, keep the review consistent with your internal security awareness controls and audit trail expectations.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

What's inside this template

Campaign Overview

This section anchors the review to one simulation run and captures the audience, lure type, and difficulty level that shaped the outcome.

  • What was the name or identifier of this phishing simulation campaign? (required)

    Enter the campaign name or ID as recorded in your phishing simulation platform (e.g., KnowBe4, Proofpoint, Cofense).

  • What phishing template type was used in this campaign? (required)

    Select the category that best describes the simulated phishing lure used.

  • How would you rate the overall realism and difficulty of this simulation's phishing lure? (required)

    1 = Very easy to detect (obvious phish), 5 = Very difficult to detect (highly convincing)

  • What was the total number of employees targeted in this campaign? (required)

    Enter the exact headcount of recipients included in the simulation send.

  • Which departments or employee groups were included in this campaign? (required)

    List all departments, business units, or role groups targeted (e.g., Finance, HR, All Staff, New Hires <90 days).

Simulation Results & Key Metrics

This section shows how employees interacted with the lure and whether the campaign met your risk and reporting goals.

  • What was the overall email open rate for this campaign? (%) (required)

    Enter the percentage of targeted employees who opened the simulated phishing email. Open tracking usually relies on a tracking pixel, so it undercounts mail clients that block remote images and can be inflated by gateways that prefetch message content; treat it as a rough engagement signal, not a failure metric.

  • What was the overall click rate (link clicked or attachment opened) for this campaign? (%) (required)

    Enter the percentage of targeted employees who clicked the simulated malicious link or opened the simulated attachment. This is the primary failure metric, so use the total targeted headcount as the denominator and exclude automated clicks from link scanners, sandboxes, and URL-rewriting gateways before calculating it; most platforms identify these by source IP or user agent.

  • How would you rate the click rate outcome relative to your organization's acceptable risk threshold? (required)

    1 = Far exceeds acceptable threshold (critical concern), 5 = Well within acceptable threshold (strong performance)

  • What was the phishing report rate for this campaign? (%) (required)

    Enter the percentage of targeted employees who correctly reported the simulated phish via your reporting mechanism (e.g., Phish Alert Button, IT helpdesk). Use the total targeted headcount as the denominator, and note separately how many reports came from employees who did not click, since a report after a click is a recovery rather than a recognition.

  • How would you rate the report rate outcome relative to your security awareness program goals? (required)

    1 = Far below program goals (needs significant improvement), 5 = Meets or exceeds program goals (strong reporting culture)

  • Were there any departments or roles with notably higher-than-average click rates? If so, describe them.

    Identify any high-risk segments for targeted follow-up. Include department name and click rate if available.

Failure Analysis & Risk Assessment

This section explains who failed, why the failures matter, and whether the pattern suggests a broader awareness gap.

  • What was the total number of employees who failed this simulation (clicked or submitted credentials)? (required)

    Enter the raw headcount of employees who failed, not just the percentage, and keep the failure definition identical to the one behind the click rate so the two figures reconcile. Record credential submissions as a separate, more severe tier within that count.

  • How would you rate the overall security risk posed by the observed failure patterns in this campaign? (required)

    1 = High risk (widespread failures, sensitive roles affected), 5 = Low risk (isolated failures, low-sensitivity roles)

  • Were repeat failers identified (employees who also failed a previous simulation campaign)? (required)

    Repeat failers represent an elevated risk profile and may require escalated intervention beyond standard remedial training.

  • If repeat failers were identified, describe the escalation plan for these individuals.

    Examples: manager notification, mandatory 1:1 security coaching, HR involvement per policy, increased simulation frequency.

  • What red flags (phishing indicators) were present in the simulation that failers missed? (required)

    Document the specific cues employees should have recognized (e.g., spoofed or look-alike sender domain, urgency language, mismatched link text and URL, unexpected attachment). These are the lure's detectable cues, not indicators of compromise: a simulation produces no real compromise artifacts to record.

Remedial Training & Follow-Up

This section tracks the corrective action taken after failure so the campaign leads to behavior change, not just a score.

  • Was immediate remedial training (landing page or auto-enrolled module) triggered for employees who failed? (required)

    Just-in-time training delivered at the moment of failure (a teaching landing page or an auto-enrolled module) is the generally recommended approach; NIST SP 800-50 and the SANS Security Awareness materials cover awareness and training program design more broadly.

  • How would you rate the relevance and quality of the remedial training content delivered to failers? (required)

    1 = Poorly matched to the simulation scenario (generic, unhelpful), 5 = Highly relevant and actionable (directly addresses the failure)

  • What percentage of failers completed the assigned remedial training module? (%) (required)

    Enter the completion rate for the follow-up training assigned to employees who failed the simulation.

  • How would you rate the overall remedial training completion rate for this campaign? (required)

    1 = Very low completion (significant follow-up required), 5 = Near-complete or full completion (strong compliance)

  • Were any failers non-compliant with the remedial training deadline? If yes, describe the follow-up actions taken.

    Document escalation steps for non-compliant employees (e.g., manager notification, HR referral, access restriction per acceptable use policy).

Program Effectiveness & Continuous Improvement

This section turns the campaign into a program decision by comparing trends and capturing the next changes to make.

  • How does this campaign's click rate compare to the previous campaign's click rate for the same population? (required)

    Trend direction is a key indicator of security awareness program effectiveness, but a declining click rate only signals improvement when lure difficulty and target population are comparable between campaigns; an easier lure or a different audience can produce a drop that means nothing. Read the click trend alongside the report rate trend.

  • How would you rate the overall effectiveness of your organization's security awareness program based on this campaign's results? (required)

    1 = Ineffective (no measurable improvement, high risk), 5 = Highly effective (consistent improvement, strong security culture)

  • What changes to simulation design, targeting, or training content would you recommend for the next campaign? (required)

    Consider: lure difficulty calibration, department-specific targeting, training content updates, reporting mechanism visibility, or cadence adjustments.

  • Are there any additional observations, anomalies, or context from this campaign that should be documented?

    Use this space to capture anything not covered above — e.g., platform technical issues, unusual employee feedback, or external events that may have influenced results.

How to use this template

  1. Record the campaign name, lure type, target groups, and total employees targeted so the review is tied to one specific simulation run.
  2. Enter the core metrics for open rate, click rate, report rate, and any department-level outliers, then compare them to your acceptable risk threshold and program goals.
  3. Document how many employees failed, whether repeat failers were identified, and which red flags in the lure they missed.
  4. Capture whether remedial training was triggered, what content was delivered, and how many failers completed it before the deadline.
  5. Summarize the campaign’s impact relative to the prior campaign and note the concrete changes you will make to targeting, lure design, or training content next time.
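As an added example (not part of the MangoApps template or any simulation platform's own tooling), the script below computes the figures the steps above and the results, failure-analysis, and program-effectiveness sections ask for from per-recipient records: open, click, and report rates with one consistent failure definition, scanner clicks excluded from the click count, department outliers, repeat failers against the prior campaign, and a trend comparison that flags a falling click rate with no rise in report rate. The record fields, the scanner user-agent patterns, and the sample recipients are all constructed assumptions, not a vendor export format.

```python
"""Phishing-simulation review metrics from per-recipient records (added
example with constructed data; field names are assumptions, not a vendor
export format)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import re

# Assumption: scanner/sandbox hits show up as clicks with a non-browser UA.
SCANNER_UA = re.compile(r"(?i)(bot|crawler|scanner|safelinks|urldefense)")

@dataclass(frozen=True)
class Recipient:
    user_id: str
    department: str
    opened: bool
    click_ua: Optional[str]  # user agent of the first click, None if no click
    submitted: bool          # entered credentials on the landing page
    reported: bool           # used the report button or helpdesk

    @property
    def clicked(self):
        # only a real browser counts; automated scanner hits are excluded
        return self.click_ua is not None and not SCANNER_UA.search(self.click_ua)

    @property
    def failed(self):
        return self.clicked or self.submitted

def pct(n, d):
    return round(100.0 * n / d, 1) if d else 0.0

def summarize(recips):
    t = len(recips)
    return {
        "targeted": t,
        "open_rate": pct(sum(r.opened for r in recips), t),
        "click_rate": pct(sum(r.clicked for r in recips), t),
        "report_rate": pct(sum(r.reported for r in recips), t),
        # reported and did not click: recognised the lure outright
        "clean_report_rate": pct(sum(r.reported and not r.clicked for r in recips), t),
        "failers": sum(r.failed for r in recips),
        "scanner_clicks_excluded": sum(r.click_ua is not None and not r.clicked for r in recips),
    }

def department_outliers(recips, min_size=5, margin_pts=10.0):
    # flag groups whose click rate beats the overall rate by margin_pts;
    # skip tiny groups so a single click cannot flag a whole team
    overall = summarize(recips)["click_rate"]
    by_dept = defaultdict(list)
    for r in recips:
        by_dept[r.department].append(r)
    out = []
    for dept, rs in by_dept.items():
        rate = pct(sum(r.clicked for r in rs), len(rs))
        if len(rs) >= min_size and rate - overall >= margin_pts:
            out.append((dept, rate, len(rs)))
    return sorted(out, key=lambda x: -x[1])

def repeat_failers(current, previous):
    prev = {r.user_id for r in previous if r.failed}
    return sorted(r.user_id for r in current if r.failed and r.user_id in prev)

def compare(current, previous):
    cur, prev = summarize(current), summarize(previous)
    d_click = round(cur["click_rate"] - prev["click_rate"], 1)
    d_report = round(cur["report_rate"] - prev["report_rate"], 1)
    # fewer clicks with no more reports suggests passive avoidance, not recognition
    return {"click_delta_pts": d_click, "report_delta_pts": d_report,
            "passive_avoidance": d_click < 0 and d_report <= 0}

BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
SCANNER = "Mozilla/5.0 (compatible; SafeLinks-Scanner/1.0)"
# Constructed sample rows: (user_id, department, opened, click_ua, submitted, reported)
CURRENT = [Recipient(*r) for r in [
    ("u01", "Finance", True, BROWSER, True, False),   # clicked and submitted credentials
    ("u02", "Finance", True, BROWSER, False, False),
    ("u03", "Finance", True, BROWSER, False, True),   # clicked, then reported
    ("u04", "Finance", True, None, False, True),
    ("u05", "Finance", False, None, False, False),
    ("u06", "Eng", True, SCANNER, False, True),       # scanner hit only; user reported
    ("u07", "Eng", True, None, False, True),
    ("u08", "Eng", True, None, False, True),
    ("u09", "Eng", False, None, False, False),
    ("u10", "Eng", True, BROWSER, False, False),
]]
PREVIOUS = [Recipient(*r) for r in [
    ("u01", "Finance", True, BROWSER, False, False),
    ("u02", "Finance", True, None, False, False),
    ("u03", "Finance", True, None, False, True),
    ("u04", "Finance", True, BROWSER, False, False),
    ("u05", "Finance", True, BROWSER, False, False),
    ("u06", "Eng", True, None, False, True),
    ("u07", "Eng", True, BROWSER, False, False),
    ("u08", "Eng", True, None, False, True),
    ("u09", "Eng", True, BROWSER, False, False),
    ("u10", "Eng", True, BROWSER, True, False),
]]

if __name__ == "__main__":
    print("current:", summarize(CURRENT))
    print("outliers:", department_outliers(CURRENT))
    print("repeat failers:", repeat_failers(CURRENT, PREVIOUS))
    print("trend:", compare(CURRENT, PREVIOUS))
```

Run it directly to print the review figures for the sample. For a real campaign, map your platform's per-recipient export onto Recipient and replace the regex heuristic with the platform's own exclusion of gateway and sandbox hits, which are usually identified by source IP or user agent; the point of keeping clicked and failed as properties is that every metric and the repeat-failer check share one failure definition across campaigns.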

Best practices

  • Use the same metric definitions across campaigns so click rate, report rate, and failer counts remain comparable over time.
  • Document department or role outliers separately, because a single average can hide a weak spot in one business unit.
  • Record the specific red flags in the lure, not just that employees failed, so future simulations can test the same weakness more intentionally.
  • Trigger remedial training immediately for failers when possible, because delayed follow-up weakens the learning effect and complicates completion tracking.
  • Treat repeat failers as a separate risk group and document the escalation path clearly before the next campaign starts.
  • Compare report rate alongside click rate, since a lower click rate is less useful if employees also stop reporting suspicious messages.
  • Keep demographic or employee-group notes limited to what is needed for action, and place any optional context after the campaign results.

What this template typically catches

Issues teams running this template most often surface in practice:

  • High click rates in one department but not others, which often points to role-specific lure relevance or uneven awareness training.
  • Low report rates even when click rates are moderate, suggesting employees may recognize suspicious messages but do not know how or where to report them.
  • Repeat failers who need a different intervention than the standard remedial module, such as manager coaching or targeted follow-up.
  • A lure that was too obvious or too unrealistic, which can distort the result and reduce the value of the campaign.
  • Remedial training assigned but not completed by the deadline, creating a gap between awareness policy and actual follow-through.
  • A drop in click rate with no improvement in report rate, which can indicate passive avoidance rather than stronger security awareness.
  • Missing context on the red flags present in the simulation, making it harder to improve the next campaign design.

Common use cases

Banking security awareness review
A security team reviews a credential-harvest simulation sent to branch staff and back-office employees. The template helps separate branch-specific risk from broader program trends and documents whether repeat failers need escalation.
Healthcare department comparison
An awareness lead compares results across clinical and administrative groups after an invoice-themed phishing test. The review captures which roles had higher click rates and whether remedial training was completed before the deadline.
SaaS quarterly campaign follow-up
A security program owner uses the template after a quarterly simulation to compare the current click rate with the prior campaign. The record supports changes to lure difficulty, report-button promotion, and training content.
Education repeat failer escalation
An IT security team documents repeated failures among faculty and staff after several campaigns. The template records the escalation plan, the red flags missed, and whether follow-up coaching was assigned.

Frequently asked questions

What is this template used for?

This template documents the full review of a phishing simulation campaign, from the lure used and who was targeted to click rate, report rate, failers, and remedial training completion. It is meant to capture the outcomes that matter for security awareness decisions, not just a raw scorecard. Use it after each campaign to keep a consistent record of risk patterns and follow-up actions.

Is this for one campaign or an ongoing program?

It is designed for one campaign review, but it works best as part of an ongoing phishing simulation program. Repeating the same structure across campaigns makes it easier to compare click rates, report rates, repeat failers, and changes in behavior over time. That consistency also helps you see whether training changes are actually improving outcomes.

Who should complete the review?

Security awareness, IT security, or the phishing program owner should complete it, usually with input from HR, compliance, or department leaders when follow-up actions are needed. If remedial training is automated, the reviewer should still confirm that assignments, deadlines, and completion tracking were handled correctly. The goal is to create one accountable record of what happened and what was done next.

How does this template handle repeat failers?

It includes a specific section for identifying repeat failers and documenting the escalation plan for those individuals. That matters because repeat failure often changes the response from simple awareness training to manager involvement, targeted coaching, or additional controls. The template helps you record that decision clearly without overreacting to a single mistake.

What metrics should I focus on in the review?

The most useful metrics are open rate, click rate, report rate, number of failers, and remedial training completion. Those measures show both exposure and response: who engaged with the lure, who recognized and reported it, and whether follow-up training actually happened. The template also prompts you to compare results against your acceptable risk threshold and prior campaign performance.

Can I customize the template for different phishing scenarios?

Yes. You can adapt it for credential-harvest emails, attachment-based lures, invoice scams, password reset messages, or executive impersonation simulations. The structure stays the same, but the red flags, failure patterns, and recommended next steps should match the specific lure type and audience.

How should this be integrated with other tools or records?

It can be paired with your phishing simulation platform, LMS, ticketing system, or security awareness dashboard. Many teams use it as the narrative layer that explains the numbers exported from those systems and records the actions taken after the campaign. That makes it easier to audit the campaign later and to brief stakeholders without stitching together multiple reports.

What are the common mistakes when using a phishing campaign review?

A common mistake is focusing only on click rate and ignoring report rate, remediation completion, or repeat failers. Another is failing to document what red flags were present in the lure, which makes later tuning harder. It is also important not to treat one campaign as a standalone verdict; the value comes from comparing campaigns and adjusting the program.

How does this compare to an ad hoc post-campaign email or spreadsheet?

An ad hoc note usually captures only the headline result and loses the follow-up details that drive improvement. This template keeps the same review fields every time, so you can compare campaigns, track escalation, and document training completion in one place. That consistency is especially useful when multiple departments or repeat failers are involved.


Ready to use this template?

Get started with MangoApps and use Phishing Simulation Campaign Review with your team — pricing built for small business.
