Hook SecurityHook Docs
Concepts

Core concepts: the building blocks of Hook

Define every core object in Hook — organizations, users, groups, campaigns, templates, courses, enrollments, reports, the watchlist, autopilot, and directory sync — and how they relate.

The Hook platform is built around a small set of objects. Understand these once and the rest of the docs become navigable: a campaign is built from a template and aimed at groups of users; an enrollment assigns courses to those same users; reports and the watchlist read the results back out; and autopilot automates the whole loop on a cadence. This page defines each object, names where in the portal you work with it, and flags a few spots where the UI label and the underlying object don't quite match.

This is reference reading, not a procedure — use it when a term in another article is unfamiliar, then follow the links to the how-to.

Organization

The organization is the top-level container. Every user, group, campaign, template, enrollment, and report belongs to exactly one organization, and almost every screen in the org portal is scoped to the organization you currently have selected.

Organizations form a hierarchy. A Managed Service Provider (MSP) is an organization that manages downstream client organizations as children (parent/child). If you administer more than one organization — your own plus clients, or several business units — you switch between them with the workspace switcher in the sidebar. The data on screen always reflects the selected workspace.

Org portal sidebar with the workspace switcher open showing the active workspace and available organizations

Users and groups

A user is one person who can be targeted by a phishing campaign and enrolled in training. A group is a named set of users — usually by department, location, or role — and groups are how you target almost everything in Hook.

Users and groups in the new portal are read-only. They arrive in Hook one of two ways, recorded as the object's source:

  • Directory sync — pulled from Microsoft Entra (Azure AD). This is the recommended source for keeping your roster current.
  • Imported — brought over from the legacy PhishingBox account during migration.

Groups can additionally show a source of Manual or System (for groups Hook maintains automatically). On the Users & Groups page you can filter by source, filter by status (active/inactive), and search, and you can open any user or group to see members and memberships — but you do not add, edit, or delete people here.

Edits happen in the source, not in Hook

Because users and groups are read-only in the portal, you change them where they originate. For directory-synced records, edit the user or group in Microsoft Entra and let the next sync reconcile it. For imported records, the change happens upstream too. Deactivating someone in the source is what removes them from future campaigns and enrollments.

Users & Groups page with the Source filter open above the roster table

See View users and groups.

Campaign and template

A campaign is a phishing simulation: an email Hook sends to a defined set of your users, after which it tracks who opened it, clicked, submitted credentials on the landing page, or reported it.

Every campaign is built from a template — the bundle of a phishing email and its matching landing page. Templates can be stock (from Hook's library) or custom (a stock template you cloned and edited, or one built for your org). Each template carries a difficulty rating and a category.

When you create a campaign you choose one of three recipient modes, which map directly to how Hook resolves the audience:

  • All users — every active group with targets in your organization.
  • Specific groups — only the groups you select.
  • Exclude groups — every group except the ones you select (handy for carving out execs or IT).

The recipient count Hook shows is an estimate resolved at send time, not a frozen snapshot — if someone is added or deactivated between now and launch, the final count differs. One-off edits you make to a template in the campaign wizard (subject, from name/domain, reply-to, body) apply only to that campaign and leave the library template untouched. Editing a template that is already custom is done from the library, not the wizard.

Campaign wizard Targeting step with recipient modes, selected groups, and the live campaign summary count

See Run a phishing campaign for the full wizard, Manage phishing templates for the library, and View campaign previews to see exactly what a recipient will receive.

Course and enrollment

A course is a single training module — a short, browser-based lesson — drawn from Hook's curated catalog. Only courses that Hook has published appear in your library; each entry has a display name, description, category, topics, difficulty, and an estimated length.

An enrollment assigns one or more courses to a set of recipients. You create enrollments as a batch: pick the courses, pick the recipients (individual users or groups), and set a start date and due date. Hook then tracks each recipient's completion against that due date, surfacing who's done, who's in progress, and who's overdue.

Training library grid of catalog courses with category, topic, difficulty, and duration badges

Browse what's available in Browse the training library, assign with Assign training to groups, and follow progress in Track course completion and Review enrollment history.

Reports

Reports read the results back out. They span four categories — campaigns, courses, users, and groups — and each can be exported to PDF and emailed. Some reports pull live from the delivery provider (PhishingBox) for up-to-the-minute phishing results; others read from Hook's local database.

You can also automate report delivery: schedule a report to email a list of recipients on a recurring frequency, so the right people get the numbers without logging in.

A few report names don't match their underlying object

The reports catalog exposes some labels that differ from the concept they represent. Two to know:

  • The "Enrollment Completion" report is the course enrollment report — it tracks course enrollment status, completion rates, and overdue assignments by user.
  • The "Phishing Trendline" card opens the Group Performance report — 12-month click-rate and report-rate trends broken down per group.

Start at Browse and run reports, then dig into specific ones like the Executive Summary or the Group Performance report. Set up scheduled sends in Automate report delivery.

Security watchlist

The security watchlist is the cross-campaign view of repeat offenders — users who failed phishing tests two or more times within a selected date range. It's a User report, so it isn't tied to a single campaign; it aggregates failures across all of them to surface who needs targeted intervention or extra training.

Security watchlist with repeat-offender summary cards and the Repeat Offenders table

See Review the security watchlist.

Autopilot (Campaign of the Month)

Autopilot runs hands-off recurring phishing simulations so you don't have to launch one manually every cycle. In the UI you'll see it called COTM (Campaign of the Month) — they're the same feature. COTM is Phishing Autopilot.

An autopilot schedule has a frequency (Monthly, Bimonthly, or Quarterly), a recipient mode (the same All / Specific / Exclude modes as a one-off campaign), and per-cycle controls to pause the schedule or skip the next cycle. Reports that depend on autopilot — like the COTM Campaign Report — only appear when COTM is enabled for the organization.

Autopilot is provider-enabled, not self-serve: your Hook contact turns it on for the organization; you don't flip it on yourself.

Training autopilot is coming soon

Phishing autopilot is live. Training autopilot — recurring, hands-off course enrollment on a cadence — is not yet launched. Its schedule data may render for parity, but the edit surfaces are disabled and marked Coming soon behind a feature flag until it ships.

See Understand and set up autopilot and Run the COTM campaign report.

Directory sync

Directory sync is the pipeline that brings Microsoft Entra groups and their members into Hook and keeps them current. You connect Hook to Entra, pick which Entra groups to sync, preview the members, and confirm. From then on Hook refreshes membership on a recurring basis — no re-running the wizard for routine joiner/leaver churn.

Sync also drives recipient domain authorization: the email domains of your synced users are surfaced as authorized domains, which is how Hook knows where it's allowed to deliver phishing simulations. If a recipient's domain isn't authorized, delivery won't reach them.

Synced directories workspace pane showing the Groups tab, All users tab, and Authorized domains list

Connect a directory in Sync users from Microsoft Entra, manage it from Manage directory connections, and confirm delivery in Authorize recipient domains.

Naming overlaps, at a glance

A quick reference for the labels that don't match their concept:

What you see in the UIWhat it actually is
COTM / Campaign of the MonthPhishing Autopilot
"Phishing Trendline" cardGroup Performance report
"Enrollment Completion" reportCourse Enrollment report

On this page