Getting Started
A 15-minute path from sign-in to launching your first phishing campaign and reading the executive summary report.
This guide takes a brand-new org admin from a fresh inbox to a launched phishing campaign and a readable report — about 15 minutes if you have your test users handy. By the end you'll have a live simulation running against a small pilot group and know where the results land.
If you're an MSP managing multiple client orgs, the flow is similar but starts at the MSP portal. Org admins start here.
Before you start
You'll need:
- A work email at the domain your team uses for sign-in (e.g., you@acme.test)
- A short list of pilot users — 5 to 10 teammates who know they may receive a simulated phishing email
- About 15 minutes of uninterrupted time
Stage 1: Sign in
Hook uses passwordless sign-in by default. You enter your work email, we email you a one-time code, and you paste it back in the browser.
Go to app.hooksecurity.co and land on the Welcome back screen. The OTP Code tab is selected by default.
Enter your work email (e.g., demo@acme.test) and click Send OTP Code.
You'll be taken to the Check your email page.
Open the email titled Sign in to Hook Security, copy the 6-digit code, paste it into the Enter the code field, and click Verify Code.
Codes expire
The code is valid for a short window. If it expires, click Resend code on the verification screen — there's a 30-second cooldown between sends.
If your account already exists in Hook (most common — your CSM or admin provisioned it), you land directly in your portal. If you're the first person from your company to sign in, you'll be prompted to set up your organization next.
Stage 2: Land on your dashboard
After sign-in you land on the Dashboard at /org. The header reads Your organization's security awareness at a glance. You'll see four metric cards across the top:
- Total Users — headcount and group count
- Campaigns — active vs. completed
- Training Completion — average completion rate and overdue count
- Courses Assigned — total assigned and in-progress
Below that: Recent Campaigns, Training Status, and four quick-action cards (All Reports, Executive Summary, Course Completion, Group Performance).
Screenshot pending
[Org dashboard at /org showing the four metric cards and quick-action grid for a fresh demo org.]
A first-time org will show zeroed-out metrics. That's expected — you're about to fix it.
Stage 3: Confirm your users
Open User Management from the sidebar (/org/users). The page header reads View users and groups in your organization and has two tabs: Users and Groups.
User data syncs in from your existing Hook environment and your identity provider — you don't add users one at a time in the new portal. For most orgs that means one of two paths:
- Microsoft Entra (Azure AD) — the recommended path for ongoing sync. See Sync users from Microsoft Entra for the connect → pick groups → preview → confirm walkthrough.
- CSV / existing Hook 1.0 sync — if your CSM has already loaded users for your org, they'll appear on the Users tab automatically. Open the tab and confirm the count matches what you expect.
For the 15-minute path, just verify a handful of pilot users are present on the Users tab and that they're grouped together (or in a group you can target). Filter by Active status to ignore deactivated accounts.
Tell your pilot group first
Before launching anything, give your pilot users a heads-up that they may receive a simulated phishing email. Surprises erode trust; learning moments don't have to.
Stage 4: Launch your first phishing campaign
From the sidebar, click Phishing → New campaign to open the wizard at /org/phishing/campaign. The header reads New phishing campaign. There are four steps along the top progress rail.
Campaign details. Enter a Campaign name (internal only — not visible to recipients). Something like "Q2 2026 Pilot — Acme" works. Optionally add a description. Choose Send now for the timing option.
Targeting. Choose Include specific groups and pick the small pilot group you confirmed in Stage 3. The summary cart on the right updates with your estimated user count — keep it to 5–10 for the first run.
Template selection. Browse the template library and pick a low-difficulty stock template (filter by difficulty if you want). Preview the email, then select it. Custom edits aren't required for your first campaign.
Review & launch. Confirm the name, target count, and template in the summary, then click Launch Campaign. You'll see a toast confirming Campaign launched! Targeting N users. and land on the campaign detail page.
Screenshot pending
[Step 4 review screen with the Launch Campaign button visible and the summary cart showing template + targeted user count.]
For the full walkthrough — including scheduling, message customization, and saving overrides as a custom template — see Run a phishing campaign.
Stage 5: Read the results
Sends roll out over a short window, and engagement (opens, clicks, reports) starts trickling in within minutes.
Open Reports from the sidebar (/org/reports). The header reads Campaign, training, and user insights. Export to PDF or share with clients. Click the Executive Summary card.
You'll see a list of campaigns. Pick the one you just launched to open its report. The summary surfaces:
- KPIs (sent, opened, clicked, reported)
- A risk assessment for the campaign cohort
- Recommended training based on who clicked
- Share/export controls (PDF and link)
Screenshot pending
[Executive Summary report header with KPI tiles and the share / export button row.]
For the full breakdown of what each section means and how to share with leadership, see Read the executive summary report.
What's next
Now that you've shipped your first campaign, the highest-leverage next steps:
- Sync users from Microsoft Entra so your user list stays current automatically
- Assign training to groups to pair simulations with learning
- Run a phishing campaign for the full wizard walkthrough, including scheduling and custom templates