In many large organizations, phishing defense has evolved into a patchwork of simulations, reporting buttons, and awareness campaigns designed to reduce human risk at scale. While these programs are intended to change behavior, they often introduce a different problem: fragmented workflows that generate more uncertainty and operational noise than clarity.

That disconnect showed up in day-to-day operations for one global manufacturer:

• Employees were unsure what to report and what to ignore

• The support desk was buried in “please check this email” tickets

• Leadership questioned whether traditional security awareness training was actually changing behavior

The company had invested in a well-known security awareness training (SAT) platform, KnowBe4, complete with phishing simulations and a phish-report button. But as renewal approached, the team realized they needed more than static content and another console. They wanted an AI-native approach that could:

• Close the loop on every phish report

• Automate low-value investigation work

• Turn real attacks into personalized coaching

After evaluating Abnormal AI—including AI Security Mailbox (AISM) and AI Phishing Coach (AIPC)—the team chose not to renew KnowBe4 and consolidated their phishing defense with Abnormal.

Before Abnormal, the manufacturer’s stack looked familiar:

• KnowBe4 for simulations and training modules

• A phish-report button integrated with KnowBe4

• A support team responsible for sorting every reported message

On paper, this appeared to be a complete security awareness program. In practice, several issues kept surfacing.

1. Confusing, fragmented feedback to employees

Employees followed the reporting guidance, flagging messages whenever something felt off. But their reports were handled by multiple, disconnected systems. As a result, it wasn’t unusual for employees to receive one type of automated acknowledgment from KnowBe4, and an entirely separate response from the internal support workflow.

Over time, that inconsistency eroded confidence. Employees weren’t sure whether to keep reporting, how to interpret disjointed responses, or which system was ultimately responsible for guidance.

2. A steady stream of manual tickets

Despite running simulations and training campaigns, the day-to-day workload didn’t disappear. Any time a reported email couldn’t be confidently classified, it turned into a ticket, especially for messages that were:

• Clearly benign newsletters

• Legitimate business email that simply “felt weird”

The security owner estimated that 20–30 support tickets per month were created just to answer a single question: Was this actually phishing? For a lean team, that was time taken away from higher-impact investigations.

3. A gap between training content and real attacks

KnowBe4 offered an extensive library of simulations and videos, but those simulations weren’t consistently aligned with the actual attacks reaching users’ inboxes.

In practice:

• Training often felt generic rather than tailored to the organization’s threat landscape.

• Campaigns and reporting data lived in disconnected systems, making behavior change difficult to measure.

The team wasn’t looking for more content—they needed a way to unify reporting, detection, and coaching around real-world threats.

Going into their evaluation, security and IT leaders aligned on four non-negotiables:

• Real-time answers for employees. When someone reports an email, they should quickly understand whether it’s malicious, graymail, or safe, and what to do next.

• Less manual triage. Routine “is this bad?” reports should be resolved automatically wherever possible.

• A consistent reporting experience. Regardless of where an email is reported, everything should flow into a single, coherent workflow.

• Training grounded in real attacks. Awareness content should reflect the actual attacker behavior the organization is seeing, not generic examples from a library.

AI Security Mailbox and AI Phishing Coach were designed to work together to meet these requirements.

1. AI Security Mailbox: Closing the Loop on Every Report

The team first deployed AI Security Mailbox, routing user-reported emails into Abnormal while keeping their existing setup intact during testing.

Without introducing a new workflow, Abnormal:

• Monitored the same mailboxes used by the existing phish-report button

• Analyzed every reported email using the same behavioral AI that protects inbound mail

• Automatically classified messages as malicious, graymail, or safe

• Generated plain-language responses explaining each decision

The operational impact was immediate:

• Employees received clear, timely feedback, including positive reinforcement when they reported a real attack

• Many “check this email” tickets were resolved before ever reaching the support queue

• The support desk could focus on genuinely ambiguous or high-risk cases

This translated to an estimated 20–30 fewer manual tickets each month tied to user-reported messages.

2. Generative AI Responses That Reinforce Good Behavior

End-user feedback quickly became a leading indicator of success. Employees responded positively to Abnormal’s generative AI messages:

• Celebratory responses when they correctly reported phishing

• Clear explanations of why an email was malicious or safe

• Actionable cues to look for in future messages

The tone was intentionally coaching-oriented rather than punitive, encouraging continued reporting even when users were unsure. Compared to generic simulation receipts, the guidance was clear and instructive.

3. AI Phishing Coach: Awareness Training Driven by Real Threats

With AI Security Mailbox in place, the team turned to AI Phishing Coach to modernize their awareness program.

Several capabilities made it easier to move away from KnowBe4:

• Personalized simulations informed by the actual attacks targeting users

• Fast, branded training content generated for the organization

• Integrated coaching across simulations and real-world reports

Training evolved continuously based on real attacker behavior, without requiring manual campaign rebuilds.

4. One Platform, Clear Direction

Beyond individual features, the decision was strategic. With Abnormal, the manufacturer standardized on an AI-native platform that unified inbound email security, mailbox automation, and human risk management.

This delivered:

• A consolidated roadmap across detection, reporting, and training

• A path from a legacy phish-report button to a native Abnormal experience

• Deeper behavior-based insights reused across investigations and reporting

By the time the KnowBe4 renewal came up, Abnormal had become the system of record for phishing defense.

Today, the manufacturer:

• Gives employees clear, consistent answers on every reported email

• Reduces manual workload by eliminating dozens of low-value tickets each month

• Runs simulations and training aligned to its real threat landscape

• Manages protection, reporting, and awareness in a single platform

Rather than swapping one training platform for another, the organization restructured its phishing defense around a single, AI-native loop powered by behavioral intelligence, where reporting, response, and coaching reinforce each other based on real attacks.

Explore how Abnormal unifies phishing reporting and security awareness into a single AI-native workflow.