
How Often Should You Run Phishing Simulations?

A practical cadence guide for security teams that need steady phishing awareness, useful metrics, and audit evidence without creating training fatigue.

By the AutoPhish team | Published on 6/4/2026

Cover image credit: U.S. Air Force photo by Senior Airman Sir Wyrick, public domain, via Wikimedia Commons.

Most organizations should run phishing simulations on a predictable monthly or quarterly cadence, then add targeted follow-up when risk changes. Monthly simulations work well for teams that can review results quickly and provide lightweight coaching. Quarterly simulations are often better for smaller teams, highly regulated environments, or organizations still building trust with employees and works councils.

The wrong cadence is usually one of two extremes: an annual checkbox exercise that nobody remembers, or a constant stream of tests that trains people to resent security. The goal is not to send more simulated phishing emails. The goal is to help employees recognize suspicious requests, report them faster, and give security teams evidence that awareness work is operating over time.

This guide is for security engineers, IT admins, CISOs, and compliance owners designing a safer phishing simulation program. It focuses on defensive awareness training only. It does not include phishing templates, credential collection tactics, delivery bypasses, or operational attack instructions.

The short answer: start quarterly, mature toward monthly

If you are starting from scratch, quarterly phishing simulations are usually enough to build a baseline without overwhelming employees or administrators. After two or three cycles, many organizations move toward monthly lightweight simulations, especially if they have automated scheduling, clear reporting, and useful follow-up training.

A practical starting model looks like this:

Organization state | Suggested cadence | Why it works
--- | --- | ---
New program, low trust, limited admin time | Quarterly | Creates a baseline while leaving time for communication, review, and policy alignment.
Small or mid-sized team with some automation | Monthly or every 6-8 weeks | Keeps awareness fresh without turning every campaign into a major project.
High-risk roles such as finance, HR, IT, and executives | Monthly plus targeted coaching | These teams handle sensitive requests and benefit from more relevant practice.
Regulated or audit-heavy environment | Quarterly baseline plus documented follow-up | Produces cadence evidence while reducing the risk of rushed, poorly governed campaigns.
After a major incident or process change | Targeted simulation within 30-60 days | Reinforces a specific lesson while the risk is still relevant.

The cadence should be boring enough to sustain and varied enough to teach. If employees can predict "the monthly phishing test" from timing alone, the program is too mechanical.

Why annual phishing tests are usually too weak

Annual phishing simulations are easy to schedule and easy to explain in a compliance calendar. They are also easy to forget.

An annual test can establish a baseline, but it rarely creates behavior change by itself. People change habits through repeated practice, short feedback loops, and visible reporting norms. If employees only see one simulated phishing email per year, security teams get a thin data point rather than a useful trend.

Annual campaigns also create a reporting problem. A single click rate does not tell you whether:

  • employees are reporting suspicious messages faster
  • risky behavior is concentrated in specific roles or workflows
  • follow-up training is improving outcomes
  • new hires understand reporting expectations
  • recent threat patterns are reflected in awareness content

For compliance teams, the issue is not only frequency. It is evidence quality. A program that runs once a year may show that training happened, but it gives weaker proof that the organization reviews outcomes and improves the control.

Why constant simulations can backfire

Running phishing simulations too often can create a different failure mode: fatigue.

Employees may start treating every unusual message as a security-team trick. Managers may push back because campaigns interrupt work. Help desks may receive more noise than they can triage. Works councils or privacy stakeholders may question whether the program is proportionate.

High frequency is only useful when the organization has the operational maturity to handle it. Before increasing cadence, check whether you can:

  • review results within a few business days
  • explain what changed after each campaign
  • keep follow-up training short and relevant
  • avoid public shaming or punitive scoring
  • segment campaigns by role, region, and risk
  • document approvals, data retention, and reporting rules

If you cannot close the loop, do not increase frequency. More campaigns without more learning just create more data.

Build cadence around learning loops, not campaign count

A strong phishing simulation cadence has four parts:

  1. Baseline
  2. Practice
  3. Follow-up
  4. Review

The baseline tells you where the organization starts. Practice gives employees repeated exposure to realistic but safe decision points. Follow-up turns mistakes into short learning moments. Review shows whether the program is improving behavior and whether governance expectations are being met.

This is where phishing simulation reporting matters. Click rate alone is not enough. Useful metrics include report rate, time to report, repeat-risk trend, coverage, training completion, and evidence exports. AutoPhish covers those metrics in more detail in the guide to phishing simulation reporting.

Your cadence should leave enough time for that loop to complete. A monthly campaign can work if reporting and follow-up are mostly automated. A quarterly campaign may be better if every review requires manual spreadsheet work.
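The review step only works if the metrics above are computed consistently from campaign data. The following is an added example, not AutoPhish code or its reporting logic: it takes a constructed event log of deliveries, clicks and reports across two campaigns and derives click rate, report rate, median time to report, coverage, and the repeat-risk set that a single click rate hides. The event format, the user ids and the headcount are all assumptions made for the example.

```python
"""Phishing simulation review metrics over a constructed event log.

Added example; not AutoPhish code. Computes the metrics the article names
(click rate, report rate, time to report, coverage, repeat-risk trend) from
per-campaign delivery, click and report events.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (campaign, user, event, ISO timestamp).
# 'sent' marks delivery; 'clicked' and 'reported' are the user's actions.
EVENTS = [
    ("2026-Q1", "u1", "sent", "2026-01-14T09:00:00"),
    ("2026-Q1", "u1", "reported", "2026-01-14T09:07:00"),
    ("2026-Q1", "u2", "sent", "2026-01-14T09:00:00"),
    ("2026-Q1", "u2", "clicked", "2026-01-14T09:03:00"),
    ("2026-Q1", "u3", "sent", "2026-01-14T09:00:00"),
    ("2026-Q1", "u3", "clicked", "2026-01-14T10:00:00"),
    ("2026-Q1", "u3", "reported", "2026-01-14T10:30:00"),
    ("2026-Q1", "u4", "sent", "2026-01-14T09:00:00"),
    ("2026-Q2", "u1", "sent", "2026-04-08T09:00:00"),
    ("2026-Q2", "u1", "reported", "2026-04-08T09:02:00"),
    ("2026-Q2", "u2", "sent", "2026-04-08T09:00:00"),
    ("2026-Q2", "u2", "clicked", "2026-04-08T09:05:00"),
    ("2026-Q2", "u3", "sent", "2026-04-08T09:00:00"),
    ("2026-Q2", "u3", "reported", "2026-04-08T09:20:00"),
    ("2026-Q2", "u4", "sent", "2026-04-08T09:00:00"),
    ("2026-Q2", "u4", "reported", "2026-04-08T11:00:00"),
]
HEADCOUNT = 5  # constructed: u5 was never in scope this year


def campaign_metrics(events, headcount):
    """Return {campaign: metrics}. Rates use delivered count as the denominator."""
    by_campaign = defaultdict(lambda: defaultdict(dict))
    for campaign, user, event, ts in events:
        by_campaign[campaign][user][event] = datetime.fromisoformat(ts)

    out = {}
    for campaign, users in sorted(by_campaign.items()):
        delivered = [u for u, ev in users.items() if "sent" in ev]
        clicked = {u for u in delivered if "clicked" in users[u]}
        reported = {u for u in delivered if "reported" in users[u]}
        # Minutes from delivery to report, one value per reporter.
        report_delays = [
            (users[u]["reported"] - users[u]["sent"]).total_seconds() / 60
            for u in reported
        ]
        out[campaign] = {
            "delivered": len(delivered),
            "click_rate": len(clicked) / len(delivered),
            "report_rate": len(reported) / len(delivered),
            "median_minutes_to_report": median(report_delays) if report_delays else None,
            "coverage": len(delivered) / headcount,  # share of staff actually in scope
            "clicked_users": clicked,  # kept for coaching, reported upward only as a count
        }
    return out


def repeat_risk(metrics):
    """Users who clicked in two consecutive campaigns.

    This is the repeat-risk trend; leadership reporting should use len() of
    this set, not the names, to stay aggregate and non-punitive.
    """
    campaigns = sorted(metrics)
    repeats = set()
    for prev, cur in zip(campaigns, campaigns[1:]):
        repeats |= metrics[prev]["clicked_users"] & metrics[cur]["clicked_users"]
    return repeats


if __name__ == "__main__":
    m = campaign_metrics(EVENTS, HEADCOUNT)
    for campaign, row in m.items():
        print(campaign, {k: v for k, v in row.items() if k != "clicked_users"})
    print("repeat-risk count:", len(repeat_risk(m)))
```

On this constructed data the click rate falls from 50% to 25% while the report rate rises from 50% to 75% and median time to report drops from about 48 minutes to 20, which is the kind of trend the article asks a review to surface. The coverage figure (0.8) flags that one person was never in scope, something a click rate alone cannot show.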

A cadence model security teams can actually operate

For many organizations, the most sustainable model is a layered cadence:

Layer | Frequency | Purpose
--- | --- | ---
Company-wide baseline | Quarterly | Measures broad awareness and creates evidence of recurring control operation.
Role-based scenarios | Monthly or every 6-8 weeks | Gives higher-risk teams relevant practice without testing everyone constantly.
New-hire awareness | During onboarding, then next normal cycle | Sets expectations early and avoids leaving new employees untrained for months.
Incident-driven follow-up | Within 30-60 days | Reinforces a specific lesson after a real phishing wave, process change, or near miss.
Leadership review | Quarterly | Turns metrics into decisions, not vanity charts.

This model keeps the program active without forcing every employee into every campaign. It also helps compliance teams show scope, cadence, and review over time.

Adjust frequency by risk, not by vendor defaults

Many phishing simulation platforms make it easy to schedule recurring campaigns. That is useful, but vendor defaults should not decide your risk model.

Use these factors to choose frequency:

  • Business risk: Finance, HR, IT, legal, procurement, and executives often face higher-impact phishing scenarios.
  • Employee turnover: More new hires usually means a stronger onboarding and baseline cadence.
  • Recent incidents: A real phishing wave, mailbox compromise, invoice fraud attempt, or MFA abuse pattern may justify targeted follow-up.
  • Operational capacity: If security cannot review reports, respond to user questions, or tune training, the cadence is too aggressive.
  • Privacy expectations: Works councils, employee representatives, and data protection teams may require clear notices, retention limits, and proportionate measurement.
  • Compliance evidence: Some teams need a documented recurring awareness control, but should avoid claiming that simulations alone "ensure compliance."

For privacy-sensitive programs, pair cadence decisions with clear rules for data minimization, retention, and reporting. AutoPhish's guide to privacy-friendly phishing training is a useful companion if you need to involve works councils or data protection stakeholders.

What to vary from one simulation to the next

Cadence does not mean repeating the same test every month.

Employees need to practice different defensive decisions:

  • recognizing suspicious payment or invoice requests
  • verifying changes to bank details or payroll information
  • reporting suspicious QR codes or mobile messages
  • pausing before granting SaaS app permissions
  • checking sender context before acting on urgency
  • using the approved reporting channel instead of forwarding screenshots

Keep the scenarios realistic enough to teach, but not so operationally detailed that the training becomes a how-to guide for attackers. A good rule: simulate the decision point, not the exploit path.

For example, it is useful to train employees to pause before approving an unusual request. It is not useful to publish detailed instructions on bypassing email controls or harvesting credentials. CISA's public phishing guidance is a good external baseline for defensive recognition and reporting language.

How to avoid training fatigue

Training fatigue is not only caused by frequency. It is caused by poor program design.

Employees are more likely to accept phishing simulations when the program is clear, fair, and useful. That means:

  • announce the existence and purpose of the program before testing
  • avoid humiliating employees or publishing individual failure lists
  • keep follow-up lessons short
  • explain how reporting helps the security team
  • rotate scenarios without using cruel or emotionally manipulative lures
  • avoid testing during known high-stress periods unless there is a strong reason
  • show aggregate improvements to leadership and staff

If employees believe the program exists to catch them, they will optimize for not getting caught. If they believe the program exists to make reporting safer and faster, the metrics become much more useful.

When monthly phishing simulations make sense

Monthly phishing simulations make sense when the organization has a repeatable operating model.

Use a monthly cadence if:

  • simulations are easy to schedule and approve
  • reporting definitions are stable
  • follow-up training is automated or lightweight
  • security can review outcomes quickly
  • managers understand the purpose
  • privacy and employee relations rules are already settled
  • the program measures reporting behavior, not just clicks

Monthly does not mean every employee receives the same simulation every month. A better model is rotating cohorts and roles. Finance may receive one scenario, IT another, and general staff a lighter baseline. The program stays active, but it does not feel like constant testing.
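One way to make "rotating cohorts and roles" concrete is a scheduler that builds the layered cadence for a year and then checks its own load. The following is an added example, not AutoPhish code or its scheduling feature. It assumes a constructed staff directory, an assumed set of high-risk roles, and these rules: everyone gets the quarterly baseline in the first month of each quarter; high-risk roles get a role scenario in the other two months; general staff are split into two cohorts that alternate between those months each quarter. The check that no one receives more than one simulation in any month goes slightly beyond what the text states, but it is the property that keeps a monthly program from feeling like constant testing.

```python
"""Rotating-cohort scheduler for a layered phishing simulation cadence.

Added example; not AutoPhish code. Builds a year plan from a constructed
staff list and verifies per-person load.
"""
from collections import Counter, defaultdict

# Assumed high-risk roles (the article names finance, HR, IT and executives).
HIGH_RISK_ROLES = {"finance", "hr", "it", "executive"}

# Constructed staff directory: user -> role.
STAFF = {
    "alice": "finance",
    "bob": "general",
    "carol": "it",
    "dave": "general",
    "erin": "general",
    "frank": "hr",
}


def schedule_year(staff, year):
    """Return {(year, month): {user: [scenario tags]}} for a 12-month plan."""
    general = sorted(u for u, r in staff.items() if r not in HIGH_RISK_ROLES)
    plan = defaultdict(lambda: defaultdict(list))

    for q in range(4):
        months = [q * 3 + 1, q * 3 + 2, q * 3 + 3]
        # Layer 1: company-wide baseline in the first month of the quarter.
        for u in staff:
            plan[(year, months[0])][u].append("baseline")
        # Layer 2: high-risk roles get a role scenario in the remaining months.
        for u, r in staff.items():
            if r in HIGH_RISK_ROLES:
                for m in months[1:]:
                    plan[(year, m)][u].append(f"role:{r}")
        # Layer 3: general staff in two cohorts; the cohort/month pairing
        # flips each quarter so nobody can predict the month from last time.
        for idx, u in enumerate(general):
            cohort = idx % 2
            m = months[1 + (cohort + q) % 2]
            plan[(year, m)][u].append("general")

    return {k: dict(v) for k, v in plan.items()}


def max_per_month(plan):
    """Largest number of simulations any single person receives in one month."""
    return max(len(tags) for users in plan.values() for tags in users.values())


def simulations_per_person(plan):
    """Total simulations per person across the plan."""
    counts = Counter()
    for users in plan.values():
        for u, tags in users.items():
            counts[u] += len(tags)
    return counts


if __name__ == "__main__":
    plan = schedule_year(STAFF, 2026)
    for (y, m), users in sorted(plan.items()):
        print(f"{y}-{m:02d}: {users}")
    print("max per month:", max_per_month(plan))
    print("per person:", dict(simulations_per_person(plan)))
```

With these rules a general-staff member sees eight simulations a year (four baselines plus four cohort scenarios) and a high-risk role sees twelve, but nobody gets two in the same month. Changing the cohort count or the role set changes the load, and the two check functions make that visible before a campaign is approved.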

If your team is comparing the operational burden of recurring campaigns, the article on automated phishing testing vs. manual campaigns explains why cadence often breaks when too much work remains manual.

When quarterly phishing simulations are better

Quarterly phishing simulations are often the better default when the organization needs control and trust more than speed.

Use a quarterly cadence if:

  • you are launching a new program
  • employee representatives need to review the approach
  • the security team has limited time for campaign operations
  • the organization is highly sensitive to employee monitoring concerns
  • leadership wants clean evidence packs rather than noisy dashboards
  • each campaign requires manual coordination across regions or business units

Quarterly does not have to mean passive. You can still run onboarding training, publish short reminders, review real reported phishing examples, and improve reporting workflows between simulation cycles.

The mistake is treating quarterly as "set and forget." A quarterly cadence should still include review, follow-up, and documented decisions.

A simple 12-month phishing simulation calendar

Here is a practical annual structure for a mid-sized organization:

Month | Activity
--- | ---
January | Program notice refresh, approved reporting channel reminder, baseline simulation.
February | Review results, update training for high-risk groups.
March | Role-based simulation for finance or HR.
April | Quarterly leadership review and evidence export.
May | General staff simulation with a different decision point.
June | New-hire cohort check and reporting workflow review.
July | Role-based scenario for IT, admins, or executives.
August | Privacy and retention review; adjust notices if needed.
September | General staff simulation and follow-up training.
October | Security awareness month reinforcement without overloading employees.
November | Targeted simulation based on current threat patterns.
December | Annual trend review, lessons learned, next-year cadence decision.

This schedule is only a starting point. The best cadence is the one your team can operate consistently without losing trust.

What compliance teams should document

Phishing simulations can support compliance evidence, but they should not be framed as a magic compliance guarantee.

Document the program as a recurring awareness and control-improvement activity:

  • program objective and scope
  • campaign calendar and cadence
  • approval process
  • employee notice and privacy guardrails
  • data retention rules
  • metrics definitions
  • aggregate results
  • follow-up actions
  • leadership or control-owner review
  • changes made based on results

This kind of evidence is usually more defensible than a single annual pass/fail chart. It shows that the organization operates the awareness program, reviews outcomes, and improves over time.

Cadence checklist before you launch

Before choosing monthly, quarterly, or targeted simulations, answer these questions:

  • What behavior are we trying to improve: recognition, reporting, verification, or follow-up completion?
  • Which groups are in scope, and which need special handling?
  • How often can we review results without rushing?
  • What data do we collect, and how long do we keep it?
  • How do employees receive feedback?
  • What will we report to leadership?
  • What would make us reduce frequency?
  • What would justify increasing frequency?
  • How will we show that the program improved after each cycle?

If these answers are unclear, start with a lower cadence and improve the operating model first.

FAQ

Is monthly phishing simulation too often?

Not always. Monthly phishing simulation can work when campaigns are lightweight, role-aware, privacy-conscious, and followed by useful feedback. It becomes too often when employees feel harassed, reports are not reviewed, or security cannot explain what changed after each campaign.

Is quarterly phishing simulation enough?

Quarterly simulation is often enough for a baseline program, especially for smaller teams or organizations that need careful governance. It should still include follow-up, reporting review, and documented improvement actions between campaigns.

Should every employee receive every simulation?

No. Many organizations get better results by rotating cohorts and tailoring scenarios by role. High-risk groups may need more frequent practice, while general staff can follow a broader baseline cadence.

Should failed phishing tests trigger mandatory training?

Sometimes, but keep it proportionate. Short, immediate feedback usually works better than long punitive training. Repeat-risk patterns may justify additional coaching, but avoid public shaming or automatic escalation without human review.

Do phishing simulations prove compliance?

No single phishing simulation proves compliance. A well-run program can support compliance evidence by showing awareness cadence, scope, outcomes, follow-up, and review. Avoid claims that a tool or campaign "ensures compliance."

What is the safest cadence for a first phishing simulation program?

Start quarterly, communicate clearly, measure reporting behavior, and review results with stakeholders. Move toward monthly or targeted simulations only after the process is trusted and operationally manageable.

Build a cadence your team can sustain

The best phishing simulation frequency is not the highest frequency. It is the cadence that helps employees practice, gives security teams useful reports, and produces evidence without creating fatigue.

For many organizations, that means quarterly baselines, monthly or role-based follow-up where risk is higher, and short coaching moments tied to real lessons.

If you want a low-overhead, privacy-aware way to run recurring phishing simulations, automate follow-up training, and keep reporting useful for leadership and compliance, sign up for AutoPhish.
