We use cookies to enhance your browsing experience, serve personalized ads, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.
31 interactive scenarios mapped to NIST, PCI-DSS, CMMC, and DoD standards. See if you're current.
NIST 800-50 · NIST 800-53 · FISMA · PCI-DSS v4.0 · CMMC Level 2 · DoD 8140 · HIPAA · GDPR · SANS Top 12
Cyber Awareness Training
Threats identified: 0
Interactive training demo — scroll through and play
lesson 0
01 — Phishing & Social Engineering
the address bar
The first thing you should always check.
Before you type anything — look up. The address bar tells you if the site is encrypted and if the domain is who it claims to be.
Which of these is safe to enter your password on?
http://mybank.com/login — Not Secure
Enter your username and password to continue.
https://mybank.com/login
Enter your username and password to continue.
But HTTPS doesn't mean safe. A phishing site can have a lock icon too. The lock means the connection is encrypted — not that the site is trustworthy.
spot the fake
One character. That's all it takes.
Click the real domain. Look carefully.
Attackers register domains that look identical at a glance. rnicrosoft.com — that's an r and an n, not an m. Also: paypa1.com (one not L), amaz0n.com (zero not O), g00gle.com (zeros). Check every character.
the hover test
Links lie.
The text says one thing. The URL goes somewhere else. Hover these links to see where they really go:
Click here to verify your PayPal account → https://paypa1-verify.security-check.ru/login
✗ The real URL goes to a Russian domain. Sender is paypa1 — one not L.
Review your latest Amazon order → https://www.amazon.com/orders
✓ The real URL matches amazon.com — this one's legit.
Your Microsoft 365 password expires today → https://rnicrosoft365-reset.com/update
✗ The domain is rnicrosoft — "rn" looks like "m" in most fonts. Classic homograph attack.
Your UPS package is out for delivery → https://www.ups.com/track?loc=en_US&tracknum=1Z999AA1
✓ Correct ups.com domain with a real tracking parameter.
Zoom: You have a new meeting invite → https://z00m-meeting.us-verify.net/join/8832
✗ Domain is z00m-meeting.us-verify.net — zeros, wrong domain. Real Zoom is zoom.us.
Click the links you think are safe. Hover to preview the real URL first.
On mobile there's no hover — long-press links to preview the URL. If the domain doesn't match, don't tap.
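The two habits above, "check every character" and "hover to see where the link really goes", as an added JavaScript example. This is not code from the training page: it collapses the look-alike substitutions the page lists (rn for m, 1 for l, 0 for o), works out which brand a link is claiming from its text and host name, and compares that claim with the registrable domain the link actually resolves to. The substitution table, the brand allowlist and the sample links are constructed for the example (the links mirror the five in the exercise).

```javascript
// Added example, not code from the training page. Applies the two rules
// above: (1) look-alike characters, and (2) the hover test, i.e. does the
// real destination belong to the brand the link claims?

// Character substitutions used to imitate brand names (illustrative table).
// Two-character sequences are replaced before single characters.
const LOOKALIKES = [
  ["rn", "m"], ["vv", "w"],
  ["0", "o"], ["1", "l"], ["3", "e"], ["5", "s"], ["7", "t"],
];

// Brands the organisation cares about and the registrable domain each
// legitimately uses (assumed allowlist for the example).
const KNOWN_BRANDS = {
  paypal: "paypal.com",
  amazon: "amazon.com",
  microsoft: "microsoft.com",
  ups: "ups.com",
  zoom: "zoom.us",
};

// Collapse look-alike characters so "rnicrosoft" and "paypa1" read as the brand.
function normalizeLabel(label) {
  let out = label.toLowerCase();
  for (const [fake, real] of LOOKALIKES) out = out.split(fake).join(real);
  return out;
}

// Registrable domain approximated as the last two labels. Enough for the
// brands above; production code should consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Which known brand does the link text or host name reference after
// normalisation? Returns null when none is referenced.
function impersonatedBrand(text, host) {
  const haystack = normalizeLabel(text + " " + host.replace(/[.-]/g, " "));
  for (const brand of Object.keys(KNOWN_BRANDS)) {
    if (new RegExp("\\b" + brand).test(haystack)) return brand;
  }
  return null;
}

// The hover test: compare the claimed brand with the real destination.
function checkLink(text, href) {
  let host;
  try {
    host = new URL(href).hostname;
  } catch {
    return { safe: false, reason: "unparseable URL" };
  }
  const brand = impersonatedBrand(text, host);
  if (brand === null) return { safe: true, reason: "no known brand referenced" };
  const expected = KNOWN_BRANDS[brand];
  const actual = registrableDomain(host);
  if (actual === expected) return { safe: true, reason: "destination is " + expected };
  return { safe: false, reason: "claims " + brand + " but goes to " + actual };
}

// Constructed sample links mirroring the five in the hover exercise.
const SAMPLE_LINKS = [
  ["Click here to verify your PayPal account", "https://paypa1-verify.security-check.ru/login"],
  ["Review your latest Amazon order", "https://www.amazon.com/orders"],
  ["Your Microsoft 365 password expires today", "https://rnicrosoft365-reset.com/update"],
  ["Your UPS package is out for delivery", "https://www.ups.com/track?loc=en_US&tracknum=1Z999AA1"],
  ["Zoom: You have a new meeting invite", "https://z00m-meeting.us-verify.net/join/8832"],
];

// One verdict per link. In a browser you would feed it the textContent and
// href of each element from document.querySelectorAll("a") instead.
function auditLinks(links) {
  return links.map(([text, href]) => ({ text, href, ...checkLink(text, href) }));
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log((r.safe ? "✓" : "✗") + " " + r.text + " -> " + r.reason);
}
```

The brand lookup is deliberately crude (a word-start match on the normalised text), so a brand name that happens to begin an ordinary word can produce a false alarm; that errs on the side of flagging, which is the right direction for a link checker, but a real deployment would match whole words and use a proper public-suffix lookup for the registrable domain.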
your inbox
Time to clean out the inbox.
Click each email to read it. Spot the phishing. Click the sender address to check if it's legit.
Inbox (6)
Select an email to read
smishing
Your texts lie too.
Phishing isn't just email. Check your messages.
9:41 AM LTE 47%
Messages
business email compromise
No links. No malware. Just a request.
This email passed every spam filter. There's nothing technically malicious in it.
I need you to process a wire transfer of $47,000 to Meridian Partners before end of day. Account details below. This is tied to the acquisition — keep it between us until the deal closes.
Account: 4821-7793-0012 Routing: 091000019
Thanks, David
The sender is [email protected]. Your company is company.com — not company-corp.com. No links to click, no malware to scan. BEC cost organizations $2.9 billion in 2023 (FBI IC3). It's the #1 financial loss vector in cybercrime.
vishing
Incoming call: IT Support.
IT Support (ext. 4401)
Connected — 0:42
IT: Hi, this is Mike from IT. We detected unusual login activity on your account from an IP in Romania.
IT: I need to verify your identity real quick. Can you confirm your password so I can check the audit log?
deepfake
Your boss is on the phone. Or is he?
You get an urgent call. The voice sounds exactly like your CFO.
David Chen — CFO
Connected — 1:14
CFO: Hey, it's David. I'm in a board meeting and can't talk long. I need you to wire $47,000 to a new vendor before 3 PM. I'll send the details after — just get it started now.
CFO: This is confidential — don't loop anyone else in until the deal closes.
qr scam
Scan the code. Pay for parking.
You're at a parking meter. There are two QR codes — one is a sticker placed over the original. Tap one to scan it.
CITY PARKING — SCAN TO PAY
STICKER
Top QR (overlay)
c1ty-parking.com/pay
Bottom QR (original)
cityparking.gov/pay
Tap a QR code to scan
02 — Passwords & Identity
passwords
Type a password. We'll tell you how fast it dies.
Length beats complexity. correct-horse-battery-staple takes centuries to crack. P@ss1! takes seconds. Use a password manager — Bitwarden, 1Password, KeePass. Generate unique 16+ character passwords for every account.
mfa fatigue
You didn't try to log in.
You're watching TV. These notifications keep popping up.
incognito myth
What does incognito mode actually hide?
Check all that apply. Most people get this wrong.
Private Browsing Mode
03 — Malware & Software
file extensions
Click to reveal what's hiding behind the name.
safe or malware?
Invoice_Q4.pdf
128 KB — PDF Document
✓ Safe
A normal PDF. The extension matches the file type. No hidden executable.
safe or malware?
Invoice_Q4.pdf.exe
2.4 MB — Application
✗ Malware
The real extension is .exe — an executable. The ".pdf" is fake decoration. Windows hides known file extensions by default, so the file shows up as "Invoice_Q4.pdf".
safe or malware?
Report.xlsm
890 KB — Excel Macro-Enabled
~ Risky
.xlsm files contain macros that can execute code. Only open one if you trust the sender AND have verified with them directly.
safe or malware?
Photo.jpg.scr
1.1 MB — Screensaver
✗ Malware
.scr is a screensaver executable — it runs code. The ".jpg" is fake. Another hidden extension trick.
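The same inspection as an added JavaScript example (not the page's own code): read the last extension, which is the only one the operating system acts on, classify it the way the four cards do, and show the name Windows Explorer would display with "hide extensions for known file types" left on. The extension sets are illustrative rather than exhaustive, and the four filenames are taken from the cards above.

```javascript
// Added example, not code from the training page: decide what a file
// really is from its last extension, and show the name Windows Explorer
// would display with "hide extensions for known file types" left on.
// The extension sets are illustrative, not exhaustive.

// Extensions the OS runs as code when the file is opened.
const EXECUTABLE = new Set([
  "exe", "scr", "com", "bat", "cmd", "pif", "msi", "vbs", "js", "jse", "wsf", "hta", "ps1",
]);
// Office formats that can contain macros.
const MACRO_ENABLED = new Set(["xlsm", "docm", "pptm", "xlam", "dotm"]);
// Document and image types people expect to be inert; these are what the
// double-extension trick puts in front of the real extension.
const DOCUMENT = new Set(["pdf", "jpg", "jpeg", "png", "gif", "doc", "docx", "xls", "xlsx", "txt"]);

// The OS only honours the final extension; everything before it is just the name.
function realExtension(name) {
  const i = name.lastIndexOf(".");
  return i <= 0 ? "" : name.slice(i + 1).toLowerCase();
}

// What Explorer shows with known extensions hidden: the last extension drops off.
function displayedName(name) {
  const i = name.lastIndexOf(".");
  return i <= 0 ? name : name.slice(0, i);
}

// Verdicts mirror the cards above: safe, risky, malware, or unknown.
function inspectFilename(name) {
  const ext = realExtension(name);
  // Any document-looking extension sitting in front of the real one is a decoy.
  const decoys = name.toLowerCase().split(".").slice(1, -1).filter((p) => DOCUMENT.has(p));
  if (ext === "") return { name, ext, verdict: "unknown", reason: "no extension" };
  if (EXECUTABLE.has(ext)) {
    const reason = decoys.length
      ? "executable ." + ext + " hiding behind a fake ." + decoys[0]
      : "executable ." + ext;
    return { name, ext, verdict: "malware", reason };
  }
  if (MACRO_ENABLED.has(ext)) {
    return { name, ext, verdict: "risky", reason: "macro-enabled document; verify the sender out of band" };
  }
  if (DOCUMENT.has(ext)) {
    return { name, ext, verdict: "safe", reason: "extension matches the file type" };
  }
  return { name, ext, verdict: "unknown", reason: "unrecognised extension ." + ext };
}

// Constructed inputs: the four attachments from the cards.
const SAMPLES = ["Invoice_Q4.pdf", "Invoice_Q4.pdf.exe", "Report.xlsm", "Photo.jpg.scr"];
for (const f of SAMPLES) {
  const r = inspectFilename(f);
  console.log(
    "shown as " + displayedName(f).padEnd(16) + " really " + f.padEnd(20) +
    " -> " + r.verdict + " (" + r.reason + ")"
  );
}
```

Note what the display column shows: with extensions hidden, the genuine PDF appears as "Invoice_Q4" while the executable appears as "Invoice_Q4.pdf", which is exactly why the decoy works and why turning extension hiding off (or inspecting the full name as this function does) is the practical defence.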
fake update
One of these is real.
Click the legitimate update notification.
System Update Available
macOS 15.2 is available. Includes security fixes and performance improvements.
Restart to install · 2.1 GB
CRITICAL UPDATE REQUIRED!!
Your Adobe Flash Player is OUT OF DATE! Your system is at RISK!! Click HERE to update NOW!
Update immediately · free download
the popup
The popup.
Software updates patch security vulnerabilities. Delaying them leaves you exposed to known attacks. Let's check your update status.
System Security Check
Checking for outdated software...
Operating System — ✓ Up to date
Web Browser — ✓ Up to date
Adobe Flash Player — ✗ Critical update required
ransomware
This just appeared on your work computer.
YOUR FILES HAS BEEN ENCRYPTED
All your documents, photos, databases are encrypted. To decrypt send 0.5 BTC to wallet address below.
23:59:47
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
search poisoning
You Googled "download VLC media player".
Pick the right result. Watch the URLs.
download VLC media player
04 — Physical Security
physical security
You're grabbing coffee.
Your laptop is open with email, Slack, and VPN connected. What do you do?
clean desk audit
Spot the security violations.
Click every item on this desk that's a security risk.
Violations found: 0 / 5
tailgating
Hey, can you hold the door?
You just badged through a secure door. Someone behind you with their hands full says "Left my badge at my desk — can you hold it?"
usb drop
You found this in the parking lot.
USB Flash Drive
Label: "Q4 Payroll — Confidential"
05 — Network & Mobile
public wi-fi
You're at the airport. Pick a network.
9:41 AM Airplane Mode 64%
Wi-Fi
Choose a network to join
juice jacking
Your phone is at 4%. Flight boards in 45 minutes.
4% — Low Battery
Gate B14 — Charging Station Available
remote work
You're working from a coffee shop.
You need to access the company VPN and check email. How do you connect?
06 — Data & Compliance
browser permissions
FreePDFConverter.com wants access.
This site already has clipboard access — granted silently when you pasted text. Most users never know.
oversharing
Her profile is public. Find the risks.
Tap every post that leaks information an attacker could exploit.
Jessica M.
@jessicam · 1,247 followers
Risks spotted: 0 / 4
shadow it
Convenient isn't the same as allowed.
Four workplace shortcuts. Acceptable or violation?
data classification
Not everything is confidential. That's the problem.
Classify each document. Over-classification is as bad as under-classification.
insider threat
Which of these would you report?
Not every coworker having a bad day is a threat. But some patterns matter. Tap the behaviors that should be reported.
Indicators flagged: 0 / 4
incident reporting
When in doubt, report.
For each situation: report now, report later, or not reportable?
your results
How'd you do?
—
threats identified out of 60
—
detection rate
Industry benchmarks (KnowBe4 2024 / Proofpoint 2024 State of the Phish):
34.3%
Avg phish-prone % before training
4.6%
Avg phish-prone % after 12 months
$2.9B
BEC losses in 2023 (FBI IC3)
71%
Orgs hit by phishing in 2024
why it works
Marketing Slop.
31
Scenarios
Phishing, BEC, deepfakes, vishing, smishing, USB drops, QR scams, ransomware, MFA fatigue, social engineering — every common attack vector, playable.
9
Frameworks
Mapped to NIST 800-50, NIST 800-53, FISMA, PCI-DSS v4.0, CMMC Level 2, DoD 8140, HIPAA, GDPR, and SANS Top 12. Annual training, audit-ready.
0
Slide Decks
No PowerPoints, no quiz-then-forget. Each lesson is a working simulation — you make the choice, you see the consequence.
6
Acts
Phishing, passwords, malware, physical security, network/mobile, data/compliance. Pace yourself or run it end-to-end.
$2.9B
BEC Losses
Business Email Compromise cost organizations $2.9 billion in 2023 alone (FBI IC3). The training that prevents it is the cheapest control you'll ever buy.
34→5
Phish-Prone %
Industry baseline: 34.3% click rate. After 12 months of structured training: 4.6% (KnowBe4 2024). Repetition + realism is what moves the needle.
how it works
The Rules.
Realism over instruction — every scenario is a working simulation: a fake browser, a fake inbox, a fake phone call. You click, you scan, you choose — the page reacts the way the real thing would.
Failure is the lesson — pick the wrong answer and you see exactly what would happen: malware downloaded, $47k wired, badge cloned. The cost of being wrong is taught, not just stated.
Live scoring, no quiz — a sticky counter tracks threats identified out of 60. No final test, no certificate to fake — you self-assess against industry phish-prone benchmarks at the end.
Six acts, modular — Phishing, Passwords, Malware, Physical, Network/Mobile, Data/Compliance. Run a single act for a 10-minute lunchtime drill or the full thing for an hour-long onboarding.
Mapped to standards — every scenario aligns to a control in NIST 800-50, PCI-DSS v4.0, CMMC L2, or DoD 8140. The same training satisfies multiple audit checklists.
Pure HTML/CSS/JS — one file, no backend, no tracking, no LMS lock-in. Drop it on any intranet or training portal.
The difference between a breach and a near-miss is usually one click. Train the click.
Most cybersecurity training is a slide deck and a multiple-choice quiz. Employees click through it on 1.5x speed, pass the quiz, and forget every word by next Tuesday. Then they wire $47,000 to a stranger because the email said "urgent."
This page is the opposite of that. Every interaction is a real attack pattern: the dark-pattern cookie popup, the rn-not-m domain, the deepfake voice, the parking-lot USB, the midnight MFA prompt. You don't read about them — you face them. Get it wrong and you see the breach in real time. The lesson sticks because the consequence is felt, not memorized.
The point.
Every interaction on this page is something that happens to real people every day. The cookie popup. The misspelled domain. The urgent email. The deepfake phone call. The parking lot USB. The MFA prompt at midnight. None of this is hypothetical — it's Tuesday.
The difference between a breach and a near-miss is usually one click. Stay skeptical. Hover before you click. Check the sender. Lock your screen. Use a password manager. Don't plug in random drives. Verify wire transfers by phone. Report the thing that feels off. And for the love of everything — reject the cookies.