Annual Security Awareness Training Built for the AI-Phishing & Deepfake Era
Six modules. Twelve lessons. Ninety minutes. One certificate. Designed for every non-technical employee at any SMB or regulated firm. Satisfies the named annual training requirements under GLBA, HIPAA, CMMC, PCI-DSS, NYDFS Part 500, and SOC 2 — in plain English, with practitioner-led content and Kokoro-narrated audio.
Generic Phishing Tips Stopped Working in 2024
For two decades, awareness training said the same thing: watch for typos, broken English, and obvious spoofs. That advice is now actively misleading. Generative AI has industrialized the attacker side of the equation, and the regulators caught up too.
On May 13, 2024, the FTC amendment to the Safeguards Rule (16 CFR § 314.5) reset the math for every non-bank financial institution under FTC jurisdiction. Security events affecting 500 or more consumers and exposing unencrypted customer information must be reported within 30 days — and the report is published on a public, searchable portal. State laws layered on top routinely impose 14-day or 15-day clocks. Every parallel framework now expects an annual security awareness training program with documented attendance and assessment.
At the same time, attackers stopped sending sloppy emails. A 2026 phishing message can quote your last LinkedIn post, name your manager, reference a real invoice number from a breach dump, and arrive from a domain that differs from the legitimate one by a single Cyrillic character. A voice clone convincing enough to pass on a phone call can be built from 30 to 60 seconds of public source audio. Deepfake video on Zoom, Teams, and Google Meet has already been documented in eight- and nine-figure fraud cases — the publicly reported Arup case in early 2024 involved a finance employee authorizing roughly USD 25 million after joining a video conference where every face on the call was synthetic.
That is the reality your front-line staff walk into every Tuesday morning. Generic security awareness training, built around 2018 threat models, does not prepare them. 2026 Security Awareness Training closes that gap in 90 focused minutes and gives every employee a practitioner-grade mental model of how modern attacks unfold and where to interrupt them.
If your firm is subject to a cybersecurity audit, an insurance underwriting questionnaire, or a regulator examination this year, you need documented training evidence in the file. This course produces it.
Built for Every Non-Technical Employee
If a person reads email, answers the phone, signs into a SaaS app, or carries a phone with company data on it, they need this training. The course is written for a non-technical audience and works equally well for a 20-person dental practice, a 500-person manufacturer, or a regulated financial firm.
Front Office & Reception
The first humans every attacker tries: phone calls, walk-ins, packages, and the loose information that gets shared by reflex. Module 5 trains the verification habit.
Finance & Accounts Payable
Wire fraud and vendor-impersonation invoices target this team weekly. Module 2 walks the canonical AP attack and the call-back habit that breaks it.
Executives & Their Assistants
Whaling, voice clones, and deepfake video calls. Module 2 covers the pre-shared code-word habit that stops a $25 million wire from leaving the building.
HR & Payroll
W-2 fraud, fake "employment verification" requests, and direct-deposit redirection. Module 4 covers data-classification and out-of-band verification.
Sales & Customer Success
OAuth-consent phishing inside CRMs, and shadow-AI exposure when reps paste customer data into public LLMs. Modules 3 and 4 address both directly.
Engineering & Operations
Long-running sessions, package and dependency exposure, and remote-access discipline. The course pairs with role-based training; this is the human-firewall layer.
Field, Remote & Hybrid Staff
Coffee-shop Wi-Fi, lost laptops, shoulder-surfing, and personal devices. Module 5 is dedicated to mobile and physical security for staff who never sit at a desk.
Healthcare, Legal & CPA Staff
HIPAA, attorney-client privilege, and IRS Pub. 4557 obligations sit on top of general SAT. The course satisfies the named training requirement and pairs with our role-specific tracks.
What Is Inside the Course
Six modules. Twelve lessons. Ninety minutes total. Beginner level. Audio narration available throughout. Final exam at 80 percent for the certificate of completion, valid for one year from issue.
The 2026 Threat Landscape
Why training your people is still the highest-ROI control your firm owns. We walk the modern attacker kill chain in plain English, the four dominant initial-access vectors, and a real Tuesday-morning AP breach reconstructed step by step from detection through ransomware. Lesson 1.2 includes a side-by-side table mapping every attack vector to the specific training behavior that breaks it. By the end of the module, every learner has a working mental model of how a real intrusion unfolds and where their judgment stops it.
Phishing in the AI Era — Deepfakes, Voice Clones, Quishing
The longest module, because this is where most breaches start. We cover why old red flags (grammar, generic greetings) no longer work, the new red flags that actually do (urgency-plus-money, display-name spoofing, IDN-homograph domains, OAuth-consent phishing, QR-code "quishing"), the documented deepfake-video case that cost roughly USD 25 million, and the out-of-band verification habit that defeats voice clones. Includes the canonical AP attack reconstruction, lookalike-domain inspection workflow, and a per-channel quick-reference table.
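The lookalike-domain check this module teaches by hand can also be automated. The script below is an added illustration, not course material or Petronella tooling: it folds a handful of constructed Cyrillic/Greek look-alikes to their Latin twins, flags labels that mix scripts, shows the punycode form DNS actually sees, and compares the folded domain against a trusted list (the sample sender domains and the `CONFUSABLES` subset are constructed; a real deployment would use the full Unicode confusables table).

```python
import unicodedata

# Constructed subset of visually confusable characters (Unicode UTS #39 lists
# far more). Keys are non-Latin letters, values their Latin look-alike.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek small omicron
}


def _script(ch):
    """Coarse script name taken from the Unicode character name, e.g. 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(domain):
    """Fold confusable characters to their ASCII look-alike for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def inspect_domain(domain, trusted):
    """Return findings for a sender domain that is not trusted but looks like one that is."""
    domain = domain.strip().lower().rstrip(".")
    findings = []
    # 1. A single label mixing scripts (Latin plus Cyrillic, etc.) is a red flag.
    for label in domain.split("."):
        scripts = {_script(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label '{label}'")
    # 2. The punycode form is what the mail server and DNS actually resolve.
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
        findings.append("domain is not valid under IDNA")
    if punycode and punycode != domain:
        findings.append(f"non-ASCII domain encodes as {punycode}")
    # 3. Compare the confusable-folded form against the trusted list.
    look_alike = None
    if domain not in trusted:
        folded = skeleton(domain)
        if folded in trusted:
            look_alike = folded
            findings.append(f"folded form matches trusted domain {folded}")
    return {"domain": domain, "punycode": punycode, "look_alike": look_alike,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    trusted = {"paypal.com", "example-vendor.com"}  # constructed allowlist
    # Constructed samples: the first uses a Cyrillic 'а' in place of Latin 'a'.
    for sender in ("p\u0430ypal.com", "paypal.com", "ex\u0430mple-vendor.com"):
        result = inspect_domain(sender, trusted)
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['domain']!r:28} {status:10} {result['findings']}")
```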
Identity, Passwords, MFA & Passkeys
Modern NIST SP 800-63B guidance: length over arbitrary complexity, no forced rotation without evidence of compromise, and password-manager workflows that make unique-everywhere achievable. The MFA hierarchy from weakest (SMS) to strongest (FIDO2 / passkeys). The three attacks that defeat ordinary MFA — push-bombing fatigue, SIM swap, and adversary-in-the-middle proxies like Evilginx — and the specific defenses that stop each one. Account-recovery hardening so attackers cannot walk in through the side door.
Data Classification, Vendor Risk & Shadow AI
What counts as sensitive at your firm, where it lives, and how to handle it day-to-day. The vendor- and supply-chain attack pattern (your trusted MSP, software vendor, or accountant gets popped first). Why "shadow AI" — pasting customer records, source code, or contracts into public LLMs — is the single fastest-growing data-loss category in 2025-2026. A practical decision tree for what AI tools your team can use, with what data, under what guardrails.
Mobile, Remote & Physical Security
The threats that follow your people out of the office. Coffee-shop Wi-Fi and rogue access points. Lost laptops and the encryption defense that keeps a lost device from becoming a breach. Personal-device discipline (BYOD), MDM, and the line between work and personal data. Tailgating, social engineering at reception, badge cloning, shoulder-surfing on flights, and the "clean desk" habits that survive the next surprise audit.
Incident Reporting & Compliance Recap
The single most under-trained skill across the modern workforce: how to report fast enough that it still matters. We cover the language to use, the channel to use, the legal-hold reflex (do not delete the suspicious email), and the two-minute report that can save the firm. Closes with a recap of how the course satisfies named training requirements under GLBA, HIPAA, CMMC, PCI-DSS, NYDFS, and SOC 2, plus the final exam and certificate workflow.
One Course. Six Named Annual Requirements.
Annual security awareness training is not optional under any major framework your organization is likely to touch. It is an explicit, named requirement. Completion records and exam scores from this course produce the documented training evidence regulators, examiners, and underwriters expect to see.
| Framework | Clause / Citation | What It Requires |
|---|---|---|
| GLBA Safeguards Rule | 16 CFR § 314.4(e) | Provide security awareness training and updates to personnel sufficient to address relevant risks |
| HIPAA Security Rule | 45 CFR 164.308(a)(5) | Implement a security awareness and training program for all members of the workforce, including management |
| CMMC 2.0 Level 2 | AT.L2-3.2.1 & 3.2.2 | Train users on the security risks associated with their activities and their applicable policies, standards, and procedures |
| PCI-DSS v4.0 | Requirement 12.6 | A formal security awareness program is in place and reviewed at least annually and on hire |
| NYDFS Cybersecurity | 23 NYCRR 500.14(a)(3) | Provide cybersecurity awareness training, including social engineering, that is updated to reflect the risks identified in the risk assessment |
| SOC 2 (TSC) | CC1.4 & CC2.2 | The entity demonstrates a commitment to attract, develop, and retain competent individuals; communicates security responsibilities and trains personnel |
Frameworks not on this list (NIST CSF 2.0 PR.AT-01 / PR.AT-02, ISO/IEC 27001:2022 A.6.3, FFIEC, IRS Pub. 4557 WISP) impose substantively similar annual training obligations. This course satisfies the awareness-training prong; role-based training for Qualified Individuals, IT staff, or HIPAA Security Officers is delivered as part of our vCISO engagement.
Why "We Bought KnowBe4 Last Year" Is Not Enough
General awareness platforms ship canned scenarios and rotating phishing simulations. That is useful, but the content is written by training-product teams, not active practitioners, and it tends to lag the threat landscape by 12 to 24 months. The 2026 attacks — AI-personalized phishing, voice-clone vishing, deepfake video calls on Zoom and Teams, OAuth-consent attacks against M365, AiTM proxies that defeat ordinary MFA, shadow-AI data exposure, QR-code phishing — are not adequately covered by libraries built around 2020-2022 threat models.
This course is written and narrated by the same incident-response and CMMC team that handles real breaches at Petronella. The content is not a curriculum — it is the briefing we wish every employee had received the week before we got called in.
How It Compares to KnowBe4 & Curricula
We are not here to trash competitors. KnowBe4 and Curricula are real products with real customers and serve a real market. The comparison below is honest and focused on the dimensions that actually drive learner outcomes for SMBs and regulated firms.
| Dimension | 2026 Security Awareness Training | KnowBe4 / Curricula-style platforms |
|---|---|---|
| Per-seat list price | $99 / seat / year, all-inclusive | Typically $20-$60 / seat / year list, plus phishing-sim add-ons, plus implementation |
| Content authorship | Practitioner-led: written by the Petronella IR / CMMC team | Curriculum-team authored, often licensed from third parties |
| 2026-specific threats | Deepfake video, voice clones, AiTM, OAuth-consent, shadow-AI, quishing | Coverage varies; legacy libraries lag 12-24 months |
| Compliance mapping | Six named frameworks mapped to specific lessons | Compliance reporting available; mapping detail varies by tier |
| Time commitment | 90 minutes per learner per year, single sitting or split | Variable, often longer with more drip content |
| Phishing simulation | Sold separately as part of vCISO & managed-security engagements | Bundled into the platform |
| Audio narration | Kokoro-narrated throughout for accessibility | Variable per course |
| Best for | SMBs and regulated firms wanting current, defensible annual training | Larger orgs wanting continuous phishing-sim infrastructure |
Many of our clients run both: this course for the annual practitioner-grade content, plus a phishing-simulation tool for the continuous behavior-shaping layer. They are complementary, not competitive.
$99 Per Seat. Per Year. Everything Included.
$99
Per seat · Per year · Certificate of completion
- 6 modules / 12 lessons / approximately 90 minutes total runtime
- Final exam at 80 percent passing; certificate valid for one year from issue
- Kokoro-narrated audio throughout for accessible, mobile-friendly learning
- Course updates included for the duration of your annual enrollment (12 months from purchase) — new threats added at no additional cost
- Documented attendance and exam-completion records for your audit file
- Volume pricing on five seats or more — call (919) 348-4912
Pricing reflects single-seat enrollment. Group rates available for five or more seats — call (919) 348-4912 for enterprise pricing, administrator dashboards, and SSO onboarding.
Includes a Downloadable Resource Pack
Every enrollment includes a Resource Pack of practitioner-built templates the Petronella incident-response team uses on real engagements. These are the same documents firms typically pay hundreds of dollars to license from compliance-template vendors. They are yours to fill in, brand, and put to work the day a learner finishes the course.
The Resource Pack closes the gap between awareness and action. Knowing how a deepfake call unfolds is one thing; having a one-page Quick Reference Card on every desk that walks the front-line through the verification habit is another. The four documents below ship with every seat:
- Incident Report Template. Employee fill-in form that captures who, what, when, where, and the suspicious indicator. Same intake form our IR analysts use on day one of an engagement.
- MFA Enrollment Checklist. Step-by-step for Microsoft 365, Google Workspace, Apple ID, password manager, banking, and social platforms — with passkey-versus-TOTP guidance and the order to enroll services so a SIM-swap attack cannot lock you out mid-rollout.
- Vendor Risk Questionnaire. 25 questions to send any new SaaS vendor before signing up — encryption, sub-processors, breach notification, data residency, deprovisioning. The standalone licensing fee for an equivalent template would cost hundreds elsewhere.
- Quick Reference Card. Single-page tri-fold summarizing the entire course — the new red flags, verification habit, MFA hierarchy, and incident-report shortcut. Print, fold, hand to every employee.
Every template is delivered in editable format so your firm name, qualified individual, and phone numbers drop in cleanly. Updates ship to enrolled learners as the threat landscape evolves — no extra charge.
About Petronella Technology Group
Petronella Technology Group is a Raleigh-based cybersecurity and AI automation firm. We are a CMMC Registered Practitioner Organization, BBB A+ since 2003, and our leadership has more than 30 years of cybersecurity experience. Founder Craig Petronella holds CMMC-RP, CCNA, and CWNE credentials and is a Digital Forensics Examiner (DFE #604180). Our team operates incident response, CMMC assessments, and 24/7 security operations across regulated industries — defense contractors, healthcare, financial services, legal, and accounting. The content of this course is written by that same team, narrated in our voice, and refreshed as the threat landscape evolves. Beyond training, our team delivers cybersecurity audits, vCISO and fractional security leadership, CMMC compliance for defense contractors, incident response, and managed IT services that make compliance sustainable.
Frequently Asked Questions
Who needs this training?
Every employee at any organization that handles email, sensitive data, or customer information — which is essentially every employee. Front office, finance, HR, sales, executives, field staff, and remote workers all benefit. The content is written for a non-technical audience and works equally well for a 20-person dental practice and a 500-person manufacturer. Role-based deep-dive training for IT staff, the Qualified Individual, or a HIPAA Security Officer is delivered separately as part of our vCISO engagement.
How long does the course take?
Approximately 90 minutes total — six modules, twelve lessons. Most learners complete it in a single sitting; others split it across two or three lunch breaks. The final exam is 20 questions and takes another 10 to 15 minutes. Audio narration runs alongside the on-screen text throughout, so the course can be consumed eyes-free during a commute or warehouse shift.
Does this satisfy our annual SAT requirement under HIPAA / GLBA / CMMC / PCI / NYDFS / SOC 2?
Yes. The course content is mapped to the named security awareness training clauses in 16 CFR § 314.4(e) (GLBA Safeguards), 45 CFR 164.308(a)(5) (HIPAA), AT.L2-3.2.1 / 3.2.2 (CMMC 2.0 Level 2), PCI-DSS v4.0 Requirement 12.6, 23 NYCRR 500.14(a)(3) (NYDFS), and SOC 2 CC1.4 / CC2.2. We document attendance and exam completion to give you written training evidence regulators, examiners, and underwriters will accept. For role-based training above the awareness-training prong, see our vCISO services.
Why $99 when KnowBe4 lists at $20-$60 per seat?
Because the content is materially different. Platform-style awareness libraries are written by curriculum teams, often lag the threat landscape by 12-24 months, and require add-on phishing-simulation modules and implementation effort to reach feature parity. This course is written and narrated by the practitioner team that handles real breaches and CMMC assessments — the briefing we wish every employee had received the week before we were called in. For a directly comparable phishing-simulation product, we partner with several phishing-simulation platforms and bundle them into our managed engagements as needed. Price-shop on an annual basis and you will find this is competitive with mid-tier KnowBe4 plans plus their phishing-sim add-ons.
Is the course really written for non-technical employees?
Yes. Every concept is introduced in plain English with a real-world example before any acronym lands. The "MFA hierarchy" lesson explains why SMS codes are weakest and passkeys are strongest using the analogy of door keys, not by quoting NIST SP 800-63B at the learner. Front-line staff at law firms, dental practices, manufacturing floors, and county offices have completed the course without IT background and passed the final exam on the first attempt.
Does the certificate of completion expire?
The certificate is valid for one year from issue, matching the annual cadence the major frameworks expect. Re-enrolling for the following year is $99 per seat per year, and course updates ship to currently-enrolled learners at no additional cost for the duration of their 12-month enrollment, so the content stays current between exams.
Do you offer team or group pricing?
Yes. Volume pricing kicks in at five seats. Five-seat, 25-seat, and enterprise licenses are available with administrator dashboards, completion reporting, and SSO options. Call (919) 348-4912 or email support@petronellatech.com for a quote tailored to your headcount. We routinely deploy this for organizations with 50 to 500 employees, and the deployment lift is typically under one hour for the IT lead.
Can the course be branded for our firm or hosted on our LMS?
Yes. White-label options for the certificate, the course intro, and a co-branded landing page are available on enterprise tiers. SCORM and xAPI export packages are available for organizations that want to host the course inside their existing LMS. Both options are quoted on a per-seat basis — call (919) 348-4912 for details.
What happens if a learner fails the final exam?
The exam pass mark is 80 percent. Learners who do not pass on the first attempt can retake the exam after a 24-hour wait. There is no additional charge and no limit on the number of retakes within the active enrollment year. Most learners pass on the first or second attempt. We provide a per-question rationale at the end of each attempt so the learner knows exactly which lessons to review.
What's included in the Resource Pack?
Every enrollment ships with a downloadable Resource Pack of templates worth hundreds in standalone licensing fees from compliance-template vendors:
- Incident Report Template (employee fill-in form used by our IR analysts on real engagements)
- MFA Enrollment Checklist for Microsoft 365, Google, Apple ID, password manager, banking, and social — with passkey-vs-TOTP guidance
- Vendor Risk Questionnaire — 25 questions to send any new SaaS vendor before signing up
- Quick Reference Card — single-page tri-fold summary of the course to hand to every employee
All templates are delivered in editable formats. Updates ship to enrolled learners as the threat landscape evolves at no additional charge.
How does this pair with our FTC Compliance Mastery and CPA Firm Cybersecurity courses?
This course is the human-firewall layer for every employee. Our FTC Compliance Mastery course is the regulatory deep-dive for officers, compliance leads, and legal teams at FTC-regulated businesses. Our CPA Firm Cybersecurity & Compliance course covers the IRS Publication 4557 WISP for tax preparers and accounting firms. The three are complementary — SAT for the workforce, role-specific for the leaders — and most regulated clients run all three.
What is the refund policy?
If a learner has completed less than 25 percent of the course and the request arrives within 14 days of purchase, we issue a full refund. After 25 percent completion or 14 days, refunds are no longer available because the annual access has effectively been delivered. Email support@petronellatech.com or call (919) 348-4912.
Do you also offer audits, vCISO, and incident response?
Yes. Beyond training, Petronella delivers cybersecurity audits and gap assessments, vCISO and fractional security leadership, incident response and breach-notification preparation, CMMC compliance for defense contractors, and AI-augmented compliance automation. Many clients start with this course for the workforce, then engage us for the program build-out and the ongoing managed work.
Train Your Workforce Before the Next Tuesday Morning
Enroll seats online for $99 each per year, or call our team to discuss volume pricing, white-label options, SCORM export, or pairing the course with a Safeguards or HIPAA gap assessment.
Questions? Email support@petronellatech.com
This page provides marketing information only and is not legal advice. Consult qualified counsel for jurisdiction-specific obligations.