Core concepts: the building blocks of Hook
Define every core object in Hook — organizations, users, groups, campaigns, templates, courses, enrollments, reports, the watchlist, autopilot, and directory sync — and how they relate.
The Hook platform is built around a small set of objects. Understand these once and the rest of the docs become navigable: a campaign is built from a template and aimed at groups of users; an enrollment assigns courses to those same users; reports and the watchlist read the results back out; and autopilot automates the whole loop on a cadence. This page defines each object, names where in the portal you work with it, and flags a few spots where the UI label and the underlying object don't quite match.
This is reference reading, not a procedure — use it when a term in another article is unfamiliar, then follow the links to the how-to.
Organization
The organization is the top-level container. Every user, group, campaign, template, enrollment, and report belongs to exactly one organization, and almost every screen in the org portal is scoped to the organization you currently have selected.
Organizations form a hierarchy. A Managed Service Provider (MSP) is an organization that manages downstream client organizations as children (parent/child). If you administer more than one organization — your own plus clients, or several business units — you switch between them with the workspace switcher in the sidebar. The data on screen always reflects the selected workspace.

Users and groups
A user is one person who can be targeted by a phishing campaign and enrolled in training. A group is a named set of users — usually by department, location, or role — and groups are how you target almost everything in Hook.
Users and groups in the new portal are read-only. They arrive in Hook one of two ways, recorded as the object's source:
- Directory sync — pulled from Microsoft Entra (Azure AD). This is the recommended source for keeping your roster current.
- Imported — brought over from the legacy PhishingBox account during migration.
Groups can additionally show a source of Manual or System (for groups Hook maintains automatically). On the Users & Groups page you can filter by source, filter by status (active/inactive), and search, and you can open any user or group to see members and memberships — but you do not add, edit, or delete people here.
Edits happen in the source, not in Hook
Because users and groups are read-only in the portal, you change them where they originate. For directory-synced records, edit the user or group in Microsoft Entra and let the next sync reconcile it. For imported records, the change happens upstream too. Deactivating someone in the source is what removes them from future campaigns and enrollments.

Campaign and template
A campaign is a phishing simulation: an email Hook sends to a defined set of your users, after which it tracks who opened it, clicked, submitted credentials on the landing page, or reported it.
Every campaign is built from a template — the bundle of a phishing email and its matching landing page. Templates can be stock (from Hook's library) or custom (a stock template you cloned and edited, or one built for your org). Each template carries a difficulty rating and a category.
When you create a campaign you choose one of three recipient modes, which map directly to how Hook resolves the audience:
- All users — every active group with targets in your organization.
- Specific groups — only the groups you select.
- Exclude groups — every group except the ones you select (handy for carving out execs or IT).
The recipient count Hook shows is an estimate resolved at send time, not a frozen snapshot — if someone is added or deactivated between now and launch, the final count differs. One-off edits you make to a template in the campaign wizard (subject, from name/domain, reply-to, body) apply only to that campaign and leave the library template untouched. Editing a template that is already custom is done from the library, not the wizard.

See Run a phishing campaign for the full wizard, Manage phishing templates for the library, and View campaign previews to see exactly what a recipient will receive.
Course and enrollment
A course is a single training module — a short, browser-based lesson — drawn from Hook's curated catalog. Only courses that Hook has published appear in your library; each entry has a display name, description, category, topics, difficulty, and an estimated length.
An enrollment assigns one or more courses to a set of recipients. You create enrollments as a batch: pick the courses, pick the recipients (individual users or groups), and set a start date and due date. Hook then tracks each recipient's completion against that due date, surfacing who's done, who's in progress, and who's overdue.

Browse what's available in Browse the training library, assign with Assign training to groups, and follow progress in Track course completion and Review enrollment history.
Reports
Reports read the results back out. They span four categories — campaigns, courses, users, and groups — and each can be exported to PDF and emailed. Some reports pull live from the delivery provider (PhishingBox) for up-to-the-minute phishing results; others read from Hook's local database.
You can also automate report delivery: schedule a report to email a list of recipients on a recurring frequency, so the right people get the numbers without logging in.
A few report names don't match their underlying object
The reports catalog exposes some labels that differ from the concept they represent. Two to know:
- The "Enrollment Completion" report is the course enrollment report — it tracks course enrollment status, completion rates, and overdue assignments by user.
- The "Phishing Trendline" card opens the Group Performance report — 12-month click-rate and report-rate trends broken down per group.
Start at Browse and run reports, then dig into specific ones like the Executive Summary or the Group Performance report. Set up scheduled sends in Automate report delivery.
Security watchlist
The security watchlist is the cross-campaign view of repeat offenders — users who failed phishing tests two or more times within a selected date range. It's a User report, so it isn't tied to a single campaign; it aggregates failures across all of them to surface who needs targeted intervention or extra training.

See Review the security watchlist.
Autopilot (Campaign of the Month)
Autopilot runs hands-off recurring phishing simulations so you don't have to launch one manually every cycle. In the UI you'll see it called COTM (Campaign of the Month) — they're the same feature. COTM is Phishing Autopilot.
An autopilot schedule has a frequency (Monthly, Bimonthly, or Quarterly), a recipient mode (the same All / Specific / Exclude modes as a one-off campaign), and per-cycle controls to pause the schedule or skip the next cycle. Reports that depend on autopilot — like the COTM Campaign Report — only appear when COTM is enabled for the organization.
Autopilot is provider-enabled, not self-serve: your Hook contact turns it on for the organization; you don't flip it on yourself.
Training autopilot is coming soon
Phishing autopilot is live. Training autopilot — recurring, hands-off course enrollment on a cadence — is not yet launched. Its schedule data may render for parity, but the edit surfaces are disabled and marked Coming soon behind a feature flag until it ships.
See Understand and set up autopilot and Run the COTM campaign report.
Directory sync
Directory sync is the pipeline that brings Microsoft Entra groups and their members into Hook and keeps them current. You connect Hook to Entra, pick which Entra groups to sync, preview the members, and confirm. From then on Hook refreshes membership on a recurring basis — no re-running the wizard for routine joiner/leaver churn.
Sync also drives recipient domain authorization: the email domains of your synced users are surfaced as authorized domains, which is how Hook knows where it's allowed to deliver phishing simulations. If a recipient's domain isn't authorized, delivery won't reach them.

Connect a directory in Sync users from Microsoft Entra, manage it from Manage directory connections, and confirm delivery in Authorize recipient domains.
Naming overlaps, at a glance
A quick reference for the labels that don't match their concept:
| What you see in the UI | What it actually is |
|---|---|
| COTM / Campaign of the Month | Phishing Autopilot |
| "Phishing Trendline" card | Group Performance report |
| "Enrollment Completion" report | Course Enrollment report |
Related
Run a phishing campaign
Walk the four-step wizard to launch a simulation against your users.
Understand and set up autopilot
Turn the recurring COTM phishing schedule into a hands-off program.
Browse the training library
See which curated courses you can assign to users and groups.
Sync users from Microsoft Entra
Connect a directory so your user and group roster stays current.
Get started with Hook: from sign-in to your first campaign
A 15-minute first-run walkthrough that takes a new org admin from passwordless sign-in to a launched phishing campaign and a readable executive summary.
Org Admin Guides
Day-to-day operator guides for a single organization — getting around the portal, campaigns, training, autopilot, reports, users, and directory sync.