
Review the security watchlist

Find repeat clickers across your phishing program, read their risk signals, and decide who needs more training next.

The security watchlist is the cross-campaign view of who keeps clicking. Where the executive summary tells you how a single campaign performed, the watchlist rolls up failures across every simulation in a date range and ranks the people behind them. It's the report you open when you want to ask "which employees are showing a pattern of risk?" — not "how did this one campaign go?" You'll typically read it as the org admin or security analyst preparing a coaching plan: extra training for some, a focused phishing campaign for high-risk groups, the occasional manager conversation.

Find your watchlist

From the left sidebar, open Reports. The hub at /org/reports lists every available report as a card.

Filter the chips at the top by User to narrow the grid, or scroll to the User Reports section.

Click the Watchlist card. It opens at /org/reports/watchlist with the header Security Watchlist — Users with multiple phishing simulation failures.


[Reports hub at /org/reports with the Watchlist card highlighted under the User Reports category]

By default the watchlist looks back 12 months. Use the date range picker in the top-right to widen, narrow, or shift the window — the URL updates with startDate and endDate params, so you can bookmark or share a specific window.

What the watchlist shows

The page is laid out as three KPI tiles across the top and a single sortable table below. Everything is scoped to the date range you select.

KPI tiles

Three counters summarize the cohort at a glance:

  • Repeat Offenders — number of users with 2 or more simulation failures in the window. The headline count of who's on the list.
  • Total Failures — the sum of all repeat-offender clicks. Useful for trending against a previous quarter.
  • Critical Risk — number of users with 5 or more failures. The tile switches to a danger style when this is above zero — it's the count you want closest to zero.

Repeat Offenders table

Each row is one user who clicked at least twice in the window. The columns are:

  • Name — first and last name when available, otherwise the local part of the email (e.g., jdoe from jdoe@acme.test).
  • Email — the user's work email.
  • Total Fails — the number of phishing simulations where this user clicked the link, across every campaign in the date range.
  • Risk — a badge derived from the fail count: Critical (5 or more), High (3–4), Medium (2). Sort by this column to push the worst offenders to the top.


[Repeat Offenders table sorted by Total Fails descending, showing Critical and High risk badges for the top rows]

The list is empty when nobody has clicked twice or more in the window — that's a good sign, not a missing report.

Read a single user's profile

The watchlist itself is a flat table — rows aren't linked through to a per-user drill-down on this page. To see the campaign-by-campaign history behind a single user, copy their email out of the row and look them up under User Management (/org/users), or open the executive summary for each campaign they appeared in. The watchlist's job is ranking; the per-user history lives elsewhere.

To send the watchlist itself to a stakeholder, the Email button in the top-right opens a recipient picker and ships the rendered report — recipients see the same date window you're looking at.

What to do with this list

Three practical paths once you have the names:

  • Assign more training. Critical and High rows are the first candidates for a targeted training enrollment. See Assign training to groups for the group-based flow — group your repeat clickers and assign a focused course rather than handling each enrollment one at a time.
  • Schedule a focused phishing campaign. Build a group of the Critical/High users and run a slightly harder template against just them. See Run a phishing campaign for the wizard. The follow-up campaign tells you whether the training landed.
  • Escalate to a manager — sparingly. When the same person stays Critical across two or three windows despite training, loop in their manager. Lead with the data, not the verdict.

Be thoughtful before you escalate

Repeat clicking often correlates with role pressure rather than carelessness. People in HR, recruiting, finance, and exec assistant roles open more attachments and click more links by job description — a high fail count for one of them is a signal that your training needs to meet their workflow, not that the person is negligent. Read the watchlist as "who needs more support?" before "who's the problem?"

What it's not

The watchlist is a coaching tool, not a disciplinary one. It's designed to help you target training and conversations, not to build an HR file. Don't hand the table to a manager as evidence for a performance action — hand it to them as a starting point for a conversation about what's getting in the way.

Common pitfalls

  • Forgetting the date window. The default 12-month view mixes recent behavior with stale clicks from a year ago. If you want to know who's struggling right now, narrow the picker to the last 90 days first — someone who failed three sims early in the year and has been clean since shouldn't be coached the same way as someone who failed three this quarter.
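
The rollup described under "What the watchlist shows" and the date-window pitfall above, as an added example (not the product's own code). It assumes click events are available as (email, campaign, date) tuples and that the window is inclusive on both ends; the users, campaigns, and the fixed `TODAY` are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (email, campaign_id, click_date). Not real users.
CLICKS = [
    ("jdoe@acme.test", "c1", date(2024, 1, 10)),
    ("jdoe@acme.test", "c2", date(2024, 2, 14)),
    ("jdoe@acme.test", "c3", date(2024, 3, 5)),
    ("asmith@acme.test", "c7", date(2024, 10, 2)),
    ("asmith@acme.test", "c7", date(2024, 10, 2)),  # second click, same simulation
    ("asmith@acme.test", "c8", date(2024, 11, 6)),
    ("asmith@acme.test", "c9", date(2024, 12, 1)),
    ("blee@acme.test", "c9", date(2024, 12, 1)),    # single failure: never listed
]

def risk_badge(fails):
    """Thresholds from the page: Critical 5+, High 3-4, Medium 2."""
    if fails >= 5:
        return "Critical"
    if fails >= 3:
        return "High"
    return "Medium" if fails == 2 else None

def watchlist(clicks, start, end):
    """Roll up failed simulations per user inside [start, end] (inclusive: assumed)."""
    failed = defaultdict(set)
    for email, campaign, day in clicks:
        if start <= day <= end:
            failed[email].add(campaign)  # one failure per simulation, not per click
    rows = [
        # The sample carries no first/last names, so Name falls back to the local part.
        {"name": email.split("@")[0], "email": email,
         "total_fails": len(sims), "risk": risk_badge(len(sims))}
        for email, sims in failed.items() if len(sims) >= 2
    ]
    rows.sort(key=lambda r: r["total_fails"], reverse=True)
    kpis = {
        "repeat_offenders": len(rows),
        "total_failures": sum(r["total_fails"] for r in rows),
        "critical_risk": sum(r["risk"] == "Critical" for r in rows),
    }
    return kpis, rows

TODAY = date(2024, 12, 15)  # constructed "now" so the result is reproducible
kpis_12m, rows_12m = watchlist(CLICKS, TODAY - timedelta(days=365), TODAY)
kpis_90d, rows_90d = watchlist(CLICKS, TODAY - timedelta(days=90), TODAY)
```

Both sample users are High over 12 months, but only the one with recent failures remains on the 90-day list.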
