
Innovator Spotlight: Beephish

How Beephish is Rethinking Human Risk in a World Tired of Checkbox Training

If you talk to enough CISOs about security awareness, you start to hear the same exhausted sigh. Most organizations are still stuck on the same formula: generic phishing simulations, canned videos, and periodic “security awareness month” blasts that feel like punishment instead of enablement.

Beephish is betting that this entire model is broken.

“I’m the CEO of Beephish,” says Glauco Sampaio, as we sit down at the RSAC Conference. “The problem that we focus on is human risk management. Most of the companies are doing basic trainings and phishing campaigns for users. It’s been like this for a long time. We saw the need to improve these metrics, improve this approach, and focus on human risk management.”

In other words, Beephish is not trying to be yet another “send more simulations, assign more videos” vendor. The company is trying to help CISOs understand how people actually behave, and then use that insight to train them only when and where it matters.

From Awareness Theater To Actual Human Risk Management

The core idea behind Beephish is simple, but quietly radical for a training market that still loves one-size-fits-all content.

Glauco explains the usual pattern: “Most of the times the CISOs decide what are the trainings that the users must do. ‘Okay, everyone must be training on phishing or training on passwords or training on MFA.’ But not all the users need this training.”

The result is something every security leader has seen up close: users forced through hours of irrelevant content, clicking “next” while multitasking on something they actually care about. Training completion goes up, security posture does not.

“If you don’t have the visibility that the user needs to be trained on data loss prevention or data classification,” he says, “you are directing them to the wrong path.”

Beephish’s human risk management approach starts with a blunt premise: different people have different risk profiles. That means different training, at different times, for different reasons.

When you do it right, Glauco says, engagement flips from resistance to acceptance.

“It’s horrible for everyone when you give the user something they don’t need. When you are more assertive and you say, ‘Hey Pete, you must do this training because you are generating these alerts, you are not following this policy of the company,’ it’s easier for the user to understand why they need to be trained. It’s different than receiving a general training they don’t need.”

And sometimes the right thing to do is nothing at all.

“You cannot simply force a user to do training when he’s otherwise doing good,” he adds. “He’s a low-risk user. He has a really good behavior. Why do I have to bother him to do trainings without the need? In the opposite way, you are giving back more time to the users – to not spend doing trainings without the need – to actually get work done.”

For CISOs who are tired of being told the solution is “more content,” this is a refreshing inversion: less training for low-risk users, and highly targeted intervention for those who actually need help.

A New Platform Built After Hitting The Technical Wall

Beephish arrived at RSA to announce a major rebuild of its platform. Not a facelift. A restart.

The reboot has given them a chance to design around flexibility from day one. If the last generation of awareness vendors was about “here is our catalog, have fun,” Beephish wants to let security teams truly shape what users see and how they see it.

“This new platform brings a big number of new features in terms of flexibility,” he explains. “We are able to deliver a platform for the customers where they can do whatever they want in terms of use of the platform. ‘I want to use this. I don’t want to use this.’ You can configure the time for the users to complete the training. You can customize your training. You can copy our training content and create a trail for them.”

This is the part many vendors claim to do, but often in clumsy ways that require a small project team to pull off. Beephish is leaning into the idea that the CISO’s world is already complex enough, so the training platform should be the flexible one in the relationship.

Gamification Without The Gimmicks

Security awareness vendors have been promising “gamification” for years, usually meaning someone slapped a scoreboard on top of a quiz. Beephish is trying to push that concept a bit further toward actual behavioral science and incentives.

“We provide the ability to make gamification in terms of creating trainings,” Glauco says. “You can create security challenges for the users and put them in a competition. Who gains more points and achieves the goals of the challenge receives a bonus, receives a gift.”

They have even wrapped that into a kind of internal marketplace.

“We also created a marketplace where companies can put their own gifts, what they want to deliver as a bonus,” he explains.

So instead of a generic “congratulations, you earned a badge no one cares about,” Beephish lets organizations tie real-world incentives to measurable secure behavior. If that sounds a bit like sales gamification tools applied to security, that is more or less the point. People respond to incentives and recognition, not yet another corporate sermon about phishing.

Black Mirror For Security Culture

One of the more interesting aspects of Beephish’s approach is how seriously they take content quality. Many awareness programs still revolve around low-budget animations that feel dated before they launch. Beephish is trying to raise the bar.

“We worked in the last months creating 100 new trainings, 100 new videos,” Glauco says. “Including videos with people, filming regular people in relevant situations. It’s like a whole production. We hired actors. We hired a production company to make this for us. They bring actors, real people, with scripts, like a movie.”

He laughs as he describes the style.

“We look at [the TV show] ‘Black Mirror’ as an approach. We have our own version that is more focused. Each episode has its own idea. You can watch them individually and use them for a specific purpose. So we give more flexibility to the user in terms of using this content.”

For CISOs who have sat through yet another monotone video about password hygiene, the idea of “Black Mirror for security culture” is oddly compelling. The goal is not just to inform, but to keep users awake long enough to absorb the message.

Continuous Monitoring And Just-In-Time Nudging

If Beephish stopped at better content and gamification, it would still look like a modern awareness platform. Where it starts to diverge is in how deeply it ties training triggers to ongoing user behavior.

“What’s interesting,” I suggest during our conversation, “is that the user who’s doing everything right and doesn’t need training today might need it down the road.”

Glauco agrees. “Yeah, absolutely. The platform is looking at the logs all the time. Every night we bring the logs to the platform and see: ‘Hey, Pete needs now a training on this because he generated these alerts. This behavior is not good. Put him in training.’”

This is essentially user behavior analytics feeding a training engine. Instead of yearly cycles or static campaigns, the system watches for signals that someone’s risk profile is changing, and then gives a precise nudge at the right time.

Beephish also includes a self-assessment component, which helps tailor that first round of recommendations.

“We start with that,” he says. “‘Okay, Pete, fill in these 15 questions in terms of what you are using, what your best practices for cybersecurity are.’ Based on that, you bring the first line of trainings that Pete must do. ‘Okay, Pete does not use MFA too much on his accounts, so we have to talk about that.’”

The philosophy behind this is straightforward: the more personally relevant the training, the more likely it is to stick.
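To make the two mechanisms described in this section concrete, here is a small, added example of what “logs feeding a training engine” and a self-assessment baseline can look like in code. It is not Beephish’s code and says nothing about how their platform is built; the alert categories, module names, thresholds, the seven-day window and the sample alert records are all constructed for illustration. It shows the behaviour the article emphasizes: a user who keeps generating one kind of alert gets exactly the module that addresses it, a user with a single stray alert is left alone, and the questionnaire seeds a first set of recommendations before any log data exists.

```python
"""Toy human-risk engine: nightly alerts and a self-assessment drive per-user training.

Constructed example, not Beephish code. Assumptions (all hypothetical):
- alerts arrive as records {"user", "type", "day"} with "day" as an integer day number
- a fixed catalogue maps alert categories to the training module that addresses them
- a self-assessment is a dict of question -> bool (True = good practice already followed)
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical mapping from alert category to the module that addresses it.
ALERT_TO_MODULE = {
    "dlp_block": "data-loss-prevention",
    "mfa_push_approved_unusual": "mfa-fatigue",
    "phish_sim_click": "phishing",
    "password_reuse_detected": "passwords",
}

# Hypothetical self-assessment questions and the module assigned when answered "no".
SELF_ASSESSMENT_MODULES = {
    "uses_mfa_everywhere": "mfa-basics",
    "uses_password_manager": "passwords",
    "separates_work_and_personal_accounts": "home-office-hygiene",
}

MIN_RISK = 2          # total in-window alerts below this: low-risk user, no training
MODULE_THRESHOLD = 2  # repeats of one alert category before its module is assigned


@dataclass
class Recommendation:
    user: str
    risk_score: int
    modules: list = field(default_factory=list)
    reasons: dict = field(default_factory=dict)  # module -> why it was assigned


def baseline_from_self_assessment(user, answers):
    """First round of recommendations, before any log data: one module per 'no' answer."""
    modules = [m for q, m in SELF_ASSESSMENT_MODULES.items() if not answers.get(q, False)]
    return Recommendation(user=user, risk_score=len(modules), modules=modules,
                          reasons={m: "self-assessment" for m in modules})


def nightly_recommendations(alerts, today, window_days=7):
    """Count in-window alerts per user and category, then decide who needs which module."""
    per_user = {}
    for a in alerts:
        if today - a["day"] >= window_days:
            continue  # stale alert: the risk profile is about recent behaviour
        if a["type"] not in ALERT_TO_MODULE:
            continue  # no module addresses this category, so it cannot trigger training
        per_user.setdefault(a["user"], Counter())[a["type"]] += 1

    recs = {}
    for user, counts in per_user.items():
        rec = Recommendation(user=user, risk_score=sum(counts.values()))
        recs[user] = rec
        if rec.risk_score < MIN_RISK:
            continue  # low-risk user: leave them alone, give the time back
        for alert_type, n in counts.items():
            if n >= MODULE_THRESHOLD:
                module = ALERT_TO_MODULE[alert_type]
                rec.modules.append(module)
                rec.reasons[module] = f"{n} '{alert_type}' alerts in the last {window_days} days"
    return recs


def nudge_message(rec):
    """The targeted, reason-bearing message the article contrasts with generic training."""
    if not rec.modules:
        return f"{rec.user}: no training needed this cycle."
    lines = [f"{rec.user}: please complete {m} ({rec.reasons[m]})" for m in rec.modules]
    return "\n".join(lines)


# Constructed sample of one night's alert feed (not real log data).
SAMPLE_ALERTS = [
    {"user": "pete", "type": "dlp_block", "day": 28},
    {"user": "pete", "type": "dlp_block", "day": 29},
    {"user": "pete", "type": "dlp_block", "day": 30},
    {"user": "pete", "type": "dlp_block", "day": 10},                # outside the window
    {"user": "ana", "type": "phish_sim_click", "day": 29},           # single alert: low risk
    {"user": "joao", "type": "mfa_push_approved_unusual", "day": 27},
    {"user": "joao", "type": "mfa_push_approved_unusual", "day": 30},
    {"user": "joao", "type": "vpn_login", "day": 30},                # no module maps to it
]


def demo(today=30):
    return nightly_recommendations(SAMPLE_ALERTS, today=today)


if __name__ == "__main__":
    for rec in demo().values():
        print(nudge_message(rec))
    print(nudge_message(baseline_from_self_assessment(
        "pete", {"uses_mfa_everywhere": False, "uses_password_manager": True,
                 "separates_work_and_personal_accounts": True})))
```

Two design points worth noting. The window is what makes the nudge “just in time”: the same alert a month ago does not count against a user today, so a profile can move back down as well as up. And the decision is made per alert category rather than on the total score alone, which is what keeps the recommendation specific (“you are generating these alerts”) instead of collapsing into a generic “high-risk user, do everything” assignment.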

Connecting Home And Office Behavior

One of the more thoughtful parts of Beephish’s worldview is the refusal to treat “work security” and “home security” as separate universes. If anything, the hybrid world has made that distinction quaint.

“We really believe that the user must be secure in all environments where they are,” Glauco says. “Home and the company. If you are not creating this connection between the corporate environment and the personal environment, I don’t believe that the user will receive all the training they need and it will become a culture for them.”

He points out the obvious, but often ignored, reality:

“Most of the time the users are working on the same computer at home, for personal use and for corporate use. So if you don’t understand this challenge, you are not able to solve the problem with technology.”

Beephish’s mission is already stretching beyond the individual employee to their families.

“We also have the mission to deliver this content to families,” he says. “Because if your son compromises your network at home, and you are working from home – maybe it’s a risk for the company. So in the near future, we will provide companies the ability to deliver these trainings to the family.”

It is a reminder that no amount of ZTNA and EDR will save you if your most privileged users are approving random MFA requests while their home network is quietly falling apart.

Competing With The Giant, Serving The Overlooked

At some point in any conversation about security awareness, the name KnowBe4 will appear. In this case, it comes with a mix of respect and a quiet challenge.

“We came after KnowBe4,” Glauco says. “For a long time they were the big one and the example for everyone entering that space. But we want to create our own space, and most of that is based on what we want to deliver to the user: the flexibility that most platforms don’t have.”

Both he and his partner have lived the CISO life, including working with the incumbent platforms.

“We looked at the market using my experience as a CISO,” he explains. “My partner also worked with KnowBe4, for a long time. He knows the pains. He knows what works and what’s not working in terms of using platforms. We bring all this knowledge to the platform and create something that really fits the needs of the CISOs, including contents, features and flexibility.”

The flexibility point comes up again, especially for larger organizations with wildly different user groups.

“Every company has their own needs,” he says. “It’s not what I think is right for everyone. I provide the technology, the features, a standard to use, but you can go there and change it all for your needs. And even in big companies, you have different people, different groups inside the company that have different needs. So you need to be flexible.”

This is not just a play for global enterprises. In fact, a big part of Beephish’s growth is coming from the segment that the larger vendors often ignore.

“In Brazil we have 35 customers,” Glauco says. “80% of them have never had access to a training platform. It’s the first time. We also have big customers that are users from KnowBe4 and other products that are migrating to us. We are creating a market for companies and giving them the possibility to have something that the big vendors don’t allow them because of pricing or approach. [The big training companies] do not take care of the small and medium companies.”

For an industry that loves to talk about the “long tail” of risk while pricing like everyone is a Fortune 100, that is a pointed observation.

Why Incidents Still Start With A Phone Call

Ask any incident responder what triggered the last big breach they worked and you will still hear the same root cause: a human who never really understood what was happening.

“I have a bunch of examples of incidents that started with social engineering,” Glauco says. “They failed education because the user got on the line with someone saying he’s from the IT team. ‘You’re going to get an authorization number on your phone. When you get it, please give me the number.’ If the user doesn’t have this knowledge that this can happen, they will fall.”

The problem is not that organizations are not “doing training.” It is that much of what passes for training is still awareness theater, optimized for compliance reports rather than changed behavior.

As Glauco puts it, “Companies must be compliant with ISO, PCI – all the regulations that tell them they need to have awareness and training for the users. Most of the companies start with that. But the more mature companies see they need to train the users because incidents are still happening, even if they are putting a lot of money into technology. If one user is falling in a social engineering attack, providing a username and password – then all of the money doesn’t matter.”

Beephish is betting that the next generation of security leaders will not be impressed by slide decks that show “X hours of content delivered.” They will want to see how human risk is being measured and reduced over time.

What CISOs Should Do Next

If you are leading security for an organization where:

  1. Users complain about irrelevant training
  2. Incidents still keep starting with human failure despite your awareness budget

then Beephish is squarely targeting you.

The company’s message is clear: treat people as a dynamic risk surface, not a captive audience for quarterly videos. Use logs, alerts and behavior to drive just-in-time, personalized nudges. Stop punishing your lowest-risk users with yet another “mandatory module” just because a regulator wants to see a checkbox.

For CISOs, the next step is to pressure-test Beephish the same way you would any other security control. Ask for a demonstration of how the platform:

  • Integrates with your existing telemetry to detect risky behavior
  • Tailors content paths for different risk profiles and business units

Then look at the content and ask yourself a simple question: “Would my people actually watch this?”

The market for human risk management is finally maturing past generic phishing simulations and recycled cartoons. Beephish wants to be one of the vendors leading that shift, especially for organizations that have felt priced out or underserved by the incumbents.

If your security strategy still treats human beings as a compliance checkbox instead of a living, changing risk vector, it might be time to see whether Beephish’s “Black Mirror for security culture” can earn a spot in your stack.

Author’s Note

The author sat down with Glauco Sampaio, CEO of Beephish, during the 2026 RSAC Conference in San Francisco, March 23rd to 25th, 2026, for this Innovators Spotlight feature in CyberDefense Magazine.

For more information, please visit https://beephish.com/en/home/


About the Author

Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.

Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.

Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.

He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
