Human cyber safety - Play it before you live it

From compliance to competence

Phishy or Not? replaces your phishing simulation and your learning module. One honest measurement of human risk.
Delivered through scenario-based play.

Built for the threats AI creates — across every channel your people face.
‍
‍

Request demo Learn more

Featured in

Phishing drives 85% of reported cyber attacks on businesses. Attacks have evolved. The training hasn't.

‍

Simulations measure whether you click.

They don't build the instinct to question whether you should.

Instinct is built. Not tested.

How Phishy works

Created by behavioural scientists, game designers and cyber professionals — to build instinct through play, and measure what matters: competence, confidence and change.

Every format, every threat

Email, SMS, voice, DMs, video, deepfakes — scenarios span every channel your people face. Calibrated to today's attacker tradecraft, not yesterday's inbox.

Live threat alerts

When a new threat hits, it's a scenario the same day. Sourced from government cybersecurity advisories and a network of CISOs and customers who see attacks first.

The Signs, spotted

Every scenario coded against The Signs. Scam formats change. Behavioural cues don't. Once spotted, the pattern transfers — across every format, every channel.

Right or wrong. Instantly.

Every decision returns immediate feedback — what the signs were, why it matters. The instinct builds in the moment, not in a debrief.

Data your board can act on

Competence per signal, per person. Confidence calibrated against actual performance. Not an attendance record.

Audit-ready records included. For governance detail, see FAQ.

An employee benefit, not a gotcha

95% completion, unprompted.
When training isn't a penalty, people do it voluntarily. The instinct compounds. And it goes home with them — protecting their family, not just your organisation.

Request Demo Ask a Question

Built on science. Tested in the field. Measured where it counts.

0/10

average user rating across enterprise deployments

click-rate reduction v's industry benchmark
Independent controlled trial

more likely to report suspicious messages
Independent controlled trial

Book a demo

"The important difference is that we measure behaviour, not training completion or phishing test results — which research increasingly shows are ineffective."

Stacey Edmonds, Westpac Backing Business. Winter 2026

press play - live in days

How to roll Phishy out across your organisation

No integration into your systems. Browser-based.
No software to install. No admins to train.
Three ways to run it:

As your cyber safety program

Your people

One licence per employee. Full admin console and cohort reporting from day one. SSO if you want it, works without it if you don't.
‍

Includes

Full scenario library, updated continuously
Per-signal susceptibility data, individual and cohort level
Completion records mapped to compliance frameworks, exportable
Optional SSO — no mandate required

Book a Demo

Your brand, your domain, our engine

Your brand

Fully branded experience, your scenario library built by Lively or co-designed with your team.

Includes

Custom brand, domain, and scenario library
Dedicated Customer Success contact
Priority access to new threat formats and product features

Book a Demo

BUILD LOYALTY THAT LASTS

Your customers

Offer Phishy to the people who trust you with their money, their data, or their relationships. Give them something genuinely valuable — the instinct to protect it.

includes

Customer-facing branded deployment
Behaviour-change and ROI measurement at customer cohort level
Designed to sit alongside your customer communications calendar
Flexible licensing based on customer base

Book a Demo

The instinct goes home.

Extend Phishy to your employees' families. Partners, parents and kids — same game, same signs. The scam that targets them at home is the same one that targets you at work.

Book a Demo

BEYOND CLICK RATES

Behaviour, belief, and the gap between them

Phishy generates real-time behavioural data across four dimensions of susceptibility. Use it to shape your awareness program, sharpen your risk reporting, and build your compliance evidence.

The 4 C's we track

Competence

What your people actually do. Measured across all 27 behavioural signals, under scenario conditions.

Confidence

Does the instinct build? Track competence and confidence at individual, team, and cohort level.
See where skills are growing and where they are degrading.

Change

Movement over time. Growth in what people do and what they believe, visible at team and cohort level.

Calibration

Confidence without competence means people stop looking. Competence without confidence means people don't trust what they see. Calibration measures the relationship between the two.

Vishing, smishing, quishing, deepfakes and DMs. The threat moved beyond email.
So did we.

Phishy shows you which signs, which cohorts, and where to act.

Request Demo Try the Game

Back your L&D and Risk teams with a Customer Success Squad

Admin onboarding, reporting templates, board-deck talk-tracks, compliance mapping, and a real human. We run alongside you, so your team runs the program, not the platform.

Rollout playbook for L&D, HR, and Risk
Board-ready reporting templates and talk-tracks
Dedicated Customer Success contact

For compliance and audit

The questions your Risk, Procurement & Audit teams will ask

Our answers. Evidence in hand.

Who has completed training, and when?

Per-user completion records with timestamps and scenario-level detail.

How often is training delivered?

Ongoing scenario delivery, not annual. Daily Dodgy option. Confidence self-assessment every two months.

Does the training cover phishing and social engineering specifically?

Scenario library covers SMS, email, game chat, DMs, voice, deepfakes, BEC, credential lures, and social engineering signals.

Is the programme reviewed and updated regularly?

Quarterly content review. New scenarios added in response to current threats (deepfake voice, AI-generated lures).

Can you prove the training actually works?

84–86% reduction in phishing click rate (Deloitte, TOLL). Transport for NSW: click rate from 32.9% to 10.9% in players. 91% confidence uplift. NPS 9.8.

Is your platform secure?

ISO/IEC 27001 certified hosting (SRA). AWS Sydney data residency. SOC 2 Type II on operational controls. Independent pen testing.

Can we meet data residency requirements?

AWS Sydney for Australian buyers. Sovereign Australian provider. Home Affairs recognised.

What about our third-party assessment?

Security pack includes ISO 27001 scope, SOC 2 report, pen test summary, privacy impact assessment, and NSW DoE information security alignment.

How do you handle failed simulations or high-risk individuals?

Platform identifies lower-performing individuals by signal. Behaviour-led remediation through scenario practice, rather than punitive retesting.

Can we get board-ready reporting?

Executive dashboard: susceptibility index, confidence trajectory, scenario-level performance by team. Aligns with CPS 234, NIS2, and DORA board-reporting expectations.

Can your evidence be used in a Report on Compliance (PCI) or audit (ISO / SOC 2)?

Completion logs, content coverage mapping, effectiveness data, and ISO 27001 certification of the platform itself are all exportable and audit-ready.

Do you cover management and board training?

Scenario content can be targeted to management cohorts. Supports NIS2 Article 20 and DORA management-body requirements.

The instinct to spot deception is the most neglected skill online. Not because people aren't smart enough. Because nobody built the right tool.

‍

That's what we made.

Frequently asked questions

How long does deployment take?

Days, not weeks. Typical enterprise rollout is under a week from contract to first scenario, because there is no system integration. White label adds two to four weeks for custom branding.

Do you support SSO?

Yes. SAML 2.0, Okta, Entra ID, Google Workspace. SCIM provisioning available on request. SSO is optional — the platform also runs without it.

Do you integrate into our email or SIEM?

No, and that's the point. Phishy runs in the browser, outside your email and identity stack. It means no IT project, no procurement delays, and deployment in days not quarters. The measurement is stronger because scenarios are controlled and calibrated — they don't depend on what makes it through your spam filter.

What languages are supported?

English (AU, UK, US), with additional languages available on request for white-label and enterprise deployments.

Can we white-label it?

Yes. Custom brand, domain, and scenario library. See deployment option 2 above.

What admin training do you provide?

A 60-minute admin onboarding session plus reference materials. Your Customer Success contact remains available for the life of the contract.

Hear from our clients

"Phishy or Not? transformed our approach to cyber safety training... it's a cultural shift in how we approach online security.”

Chief Info. Security Officer

Toll Global Express

"Dodgy or Not? proved to be a highly effective tool in strengthening the human firewall against cyber threats. Interestingly it was the language that resonated and created a safe way to talk about scams, almost instantly becoming part of the everyday vernacular.”

Director Design and Delivery

Transport for NSW

"Dodgy or Not? was a no-brainer for us. Cost-effective cyber training that doesn't put you to sleep? Sign us up! Our members are buzzing about it - the music is proving to be a real memory trigger.”

Chief Executive Officer

AICWA

"The aunties were really so happy with today; they loved playing the game. They had been feeling anxious about technology worrying that everything is a scam (!). So today really settled them and they left feeling really good and keen to play more!