Hook SecurityHook Docs
Org Admin

Run the Security Awareness Snapshot

Generate a month-scoped, client-ready review combining a phishing funnel and training completion, with an appendix of clickers and incomplete-training users.

The Security Awareness Snapshot answers one question for a single month: how did this organization do on phishing and training, and who still needs follow-up? It rolls every phishing test and every training enrollment in the month into one page — a headline summary, a phishing funnel, a training-completion donut, and a named appendix of people to chase. Unlike most reports, you don't pick a campaign or a course; the snapshot scopes itself to a calendar month, so it's the report you reach for when a client (or your own leadership) asks "how did we do last month?"

Before you start

Prerequisites

  • You're signed in to Hook as an org admin with the right organization selected in the org switcher. Everything on the page is scoped to the currently selected organization.
  • There's something to report on for the month you want — at least one phishing test that started that month, or training enrollments assigned that month. With neither, the page renders but the cards show "No activity" empty states.
  • For the phishing funnel and clicker list to populate, the organization needs a working PhishingBox connection. Training numbers come straight from Hook's database and don't depend on PhishingBox.

Open the snapshot

From the left nav, go to Reports, then open the Security Awareness Snapshot (it lives under the Campaign Reports category — search "snapshot" if you don't see it). Unlike campaign-specific reports, this one needs no selection, so it opens straight to data.

It defaults to the previous completed month — if today is in June, it loads May. The header shows the organization name and the month label (e.g. Acme Corp · May 2026) once data loads.

Security Awareness Snapshot with Review month picker, hero summary, phishing funnel, and training completion donut

Change the month

The header carries two controls on the right:

  • Review month — a month picker. Pick any month, past or current.
  • Refresh — re-runs the report for the selected month, re-pulling the latest PhishingBox numbers for that month's tests.

Change the month, then click Refresh to rescope. The month maps to a full calendar window — the 1st of that month up to (but not including) the 1st of the next — so phishing tests are counted by their start date and training enrollments by when they were assigned.

The current month is partial

If you pick the month that's still in progress, the snapshot reflects only what has happened so far. For a complete, defensible review, stick with the previous month — which is why the page defaults there.

Read the hero summary

The top card is the headline you'd hand a client. It contains three parts:

Generated headline

A plain-English sentence stitched from the month's numbers — for example, "3 phishing tests reached 420 people with a 12.4% click rate, and 78.0% of 250 assigned enrollments completed training." If nothing ran, it says so directly (e.g. "No phishing simulations ran during this period").

Risk pills

Two pills sit under the headline — Phishing and Training — each showing a status label, color-coded green / amber / red / grey. The Phishing pill reads Low risk, Watch closely, Needs attention, or No activity; the Training pill reads On track, Needs follow-up, Behind schedule, or No activity. They give a read on where to focus before you dig into the numbers.

Three hero stats

A panel on the right shows three numbers:

  • Phishing tests — how many tests ran, with the targeted-people count underneath.
  • Click rate — the percentage who clicked, with the raw click count, tinted by risk level.
  • Training done — the completion percentage, with "completed of total" underneath, also tinted by risk level.

How the risk levels are set

These thresholds are fixed, not configurable:

  • Phishing — a click rate above 15% is high (Needs attention), above 5% is medium (Watch closely), otherwise low (Low risk). With no tests, it reads "No activity."
  • Training — 80% or higher completion is low (On track), 50% or higher is medium (Needs follow-up), below that is high (Behind schedule). With nothing assigned, it reads "No activity."

Phishing funnel and training completion

Below the hero sit two side-by-side cards.

The Phishing funnel card walks the five stages — Sent → Delivered → Opened → Clicked → Reported — each with a count, a percentage of the audience, and a bar. Where a stage loses people from the one before, a small drop-off figure shows how many fell off. A badge in the corner restates the click rate. If no tests ran in the month, the card shows an empty state instead.

The Training completion card shows a donut of the completion percentage with a two-row legend — Complete and Incomplete — plus the total enrollment and course counts. An enrollment counts as complete when its status is completed/passed, it has a completion date, or it's at 100%. Anything else is incomplete and feeds the appendix below.

Security Awareness Snapshot phishing funnel beside the training completion donut and Complete/Incomplete legend

The appendix: who needs follow-up

The appendix turns the percentages into named people. It has two tables:

  • Users who clicked — everyone who clicked a phishing link during the month's simulations, with their name, the test and campaign, their group, and a click count.
  • Users with incomplete training — everyone assigned or enrolled in training during the month who hasn't finished, with their name, the course, their group(s), the assigned date, and a progress bar.

Both tables are sortable by column. When both are empty, the appendix shows a green All clear badge — nobody clicked and no training is outstanding for the month.

Security Awareness Snapshot appendix with Users who clicked and Users with incomplete training tables

Export the report

Click Export PDF in the header to download a print-ready version — hero summary, both breakdown cards, and the appendix tables — formatted for sharing with a client or stakeholder.

No email delivery on this report

The Security Awareness Snapshot is export-only — there is no Email button on this page. Export the PDF and send it yourself, or schedule a different report for automated delivery. See Automate report delivery.

Where the data comes from

  • Phishing numbers (funnel + clicker list) are pulled live from PhishingBox for each test that started in the month. If a test's results can't be loaded, the snapshot shows a yellow Partial phishing detail warning above the cards and renders whatever it could retrieve — so a number lower than you expect may simply mean part of the detail failed to load. If the organization has no PhishingBox key configured, the phishing side stays empty.
  • Training numbers come from Hook's own database — the course enrollments assigned within the month. They don't depend on PhishingBox, so training always renders even when phishing is partial.

Common pitfalls

  • You're looking at the wrong month. The page defaults to last month. If a number looks off, check the Review month picker first and click Refresh after changing it.
  • A current-month snapshot looks thin. That's expected — the month isn't over. Use the previous month for anything client-facing.
  • Phishing looks under-counted. A Partial phishing detail banner means PhishingBox didn't return everything; the displayed figures are the partial results, not the full picture. Retry with Refresh, and if it persists see Troubleshoot phishing delivery.
  • It's read-only. The snapshot reports the month; it doesn't enroll or remediate. To act on the clicker or incomplete-training lists, head to Assign training to groups.

On this page