When it comes to running phishing simulation campaigns, what is the best practice for how often they should be run, and at what cadence should phishing simulation emails be sent out? Some organizations only run a campaign once per quarter, sending out a simulated phishing email about once per week, while other organizations run continuous campaigns, sending out phishing simulations about once every 2 weeks. What are other organizations doing, and what is the best practice?
From what I’ve seen across US/UK/Asia, regulators don’t set a fixed cadence. They expect ongoing, risk-based awareness with practical social-engineering exercises—build resilience, avoid fatigue.
What works:
• Monthly baseline to everyone, plus 2–4-weekly targeted drills for higher-exposure roles/new joiners with instant micro-learning.
• A few real-event lures (tax season, travel, major sports) kept ethical and non-distressing.
• Make report rate and time-to-report the north-star KPIs (not just clicks); tune cadence by risk and outcomes.
• Treat it as a program: clear comms, no shaming/credential capture, transparent data use, and quarterly reviews.
AI-era: add LLM-crafted, multi-channel simulations (email/SMS/Teams/LinkedIn/QR; occasional vishing) with strict guardrails and automated triage—while technical controls (DMARC, brand indicators, look-alike domain monitoring) cut noise.
I would recommend a monthly simulation utilizing variable levels of difficulty. I find this keeps employees alert without overwhelming them with content. You may find, based on risk, that there are some departments that need more frequent testing, probably around every 3 weeks, but this should depend on the risk.
A monthly cadence seems to find the balance between too much and not enough for the general user base. Targeted training for departments like Finance might be warranted at a slightly higher cadence.
We had 12 phishing samples and sent them randomly to the employees during the year. This means they received 1 in every month. This approach worked well at a company with 25k email users. Quarterly reports were sent to management, and the click rate dropped from 26% to 5% over 2 years.
Ideally, organizations should adopt an adaptive, continuous assessment model rather than a rigid schedule. Quarterly campaigns alone often fail to reinforce good habits or reflect the evolving nature of phishing threats.
I find it best to run ongoing, risk-based simulations where cadence and content are tailored to user behavior and organizational risk. Modern phishing platforms make this feasible by automating delivery, tracking performance, and dynamically adjusting difficulty levels.
For example...
- High-risk users (such as executives or staff with privileged access) should receive more frequent, targeted simulations that mirror the sophistication of spear-phishing campaigns they’re likely to face.
- Repeat offenders who frequently click links or fail simulations should receive follow-up microtraining and additional simulations until they demonstrate consistent improvement. In some cases, management involvement or HR escalation may be warranted for persistent high-risk users.
- Low-risk users who regularly perform well can receive periodic reinforcement or more advanced “challenge” scenarios to maintain awareness without fatigue.
The goal isn’t to “catch” users but to build a resilient security culture where awareness becomes instinctive. Modern security awareness tools make this easier through automated, adaptive campaigns that personalize content, frequency, and difficulty based on each user’s risk profile.
Ultimately, the cadence should mirror the threat environment so employees stay alert and adaptable to real-world phishing tactics.
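A worked illustration of two ideas from the replies above: the KPI reply (report rate and time-to-report rather than clicks alone) and the adaptive-cadence reply (more frequent, targeted drills for high-exposure roles and repeat offenders, challenge scenarios for users who consistently do well). This is an added example, not code from any poster or from a phishing-simulation product; the event record format, the sample records and the 21/30-day intervals are assumptions.

```python
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SimEvent:
    """One simulated-phishing delivery to one user (constructed record, not a vendor schema)."""
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the lure was clicked, if ever
    reported: Optional[datetime] = None  # when the user reported it, if ever

def campaign_kpis(events):
    """Click rate, report rate and median time-to-report (minutes) for one campaign's events."""
    reported = [e for e in events if e.reported]
    ttr = [(e.reported - e.sent).total_seconds() / 60 for e in reported]
    return {
        "click_rate": sum(1 for e in events if e.clicked) / len(events),
        "report_rate": len(reported) / len(events),
        "median_ttr_min": statistics.median(ttr) if ttr else None,
    }

def next_simulation(history, privileged, baseline_days=30):
    """(days until next simulation, difficulty) for one user from their last three results.
    Intervals are assumptions: monthly baseline, about three weeks for privileged roles and repeat offenders."""
    recent = sorted(history, key=lambda e: e.sent)[-3:]
    fails = sum(1 for e in recent if e.clicked and not e.reported)
    if fails >= 2:
        return 21, "microtraining"         # repeat offender: follow-up until results improve
    if privileged:
        return 21, "spear"                 # high-exposure role: frequent, targeted scenarios
    if recent and all(e.reported and not e.clicked for e in recent):
        return baseline_days, "challenge"  # consistently good: harder scenario, same cadence
    return baseline_days, "baseline"

# Constructed sample: a campaign sent on T0 and an earlier one on T1, four users.
T0, T1 = datetime(2024, 3, 1, 9, 0), datetime(2024, 2, 1, 9, 0)
SAMPLE_EVENTS = [
    SimEvent("alice", T1, reported=T1 + timedelta(minutes=12)),
    SimEvent("bob", T1, clicked=T1 + timedelta(minutes=5)),
    SimEvent("alice", T0, reported=T0 + timedelta(minutes=7)),
    SimEvent("bob", T0, clicked=T0 + timedelta(minutes=3)),
    SimEvent("carol", T0, clicked=T0 + timedelta(minutes=2), reported=T0 + timedelta(minutes=20)),
    SimEvent("dave", T0),
]
PRIVILEGED = {"carol"}  # assumption: carol holds a high-exposure role
```

Feed a user's full history to `next_simulation` and one campaign's events to `campaign_kpis`; the "challenge" and "spear" tags are just labels for whichever scenario difficulty your platform offers.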