How to Run Your First Phishing Simulation in 30 Minutes

Most people who land on a phishing simulation vendor's site already know what they're trying to do. They're not researching the category - they're trying to get a campaign live before their cyber insurance renewal, before next quarter's SOC 2 walkthrough, or because the CEO read an article about ransomware and wants to know what's being done. The blocker isn't curiosity; it's calendar. The vendor that wins is the one that lets the buyer get to first-campaign-launched without three discovery calls.

Here's the actual walk-through. Five steps. Thirty minutes. No sales call required. The wizard inside Bait & Phish moves through them in this order: group, users, template, campaign, off. The fifth step is named "off" because that's when you turn the wizard off and let the platform run.

Before you start (5 minutes)

Sign up for the 25-user free trial with an email address. You don't need a credit card; you don't need a sales call. Verify your email and you're in.

While you wait for the verification email, gather one thing: a list of up to 25 employees' first names, last names and email addresses. CSV format is fine; even a Google Sheet you'll copy-paste from is fine. This is the longest-running step of the whole process and is worth doing in parallel.

Also worth doing in parallel: send a one-line message to whoever administers your email environment. "Heads up - we're launching a phishing simulation program. The platform will give us specific allowlist values to apply on our email gateway so the test emails aren't blocked. I'll forward the values once I have them." This avoids the most common first-campaign pothole, which is launching the campaign before IT has allowlisted the simulation sender and watching every test email get quarantined. Ask that the allowlist be scoped to exactly the values the platform gives you, not a blanket bypass rule; a real attacker impersonating the same brands should still be filtered.

Step 1: Group (3 minutes)

The first wizard page asks you to create a group. A group is a target population - for the first campaign, this is "everyone." Name it accordingly. ("All Employees Q2 2026" works.) You can create more granular groups later (Finance, Sales, Executives), but the first campaign benefits from a single all-hands group so the baseline reflects the whole org.

One decision lives on this page: whether the group is permanent or campaign-specific. Permanent groups are reusable across multiple campaigns; campaign-specific groups are one-off. For a first campaign, pick permanent. You will run more campaigns; you don't want to rebuild the group every time.

Step 2: Users (8 minutes)

The second wizard page is the user import. Three options:

  • CSV upload. The fastest path. Drop your CSV; the platform parses it. This is the recommended path for any company with more than 5 users.
  • Manual entry. Fine for the first 1-3 test users (often yourself and a willing colleague), miserable beyond that.
  • Directory integration. Available, but adds setup time. Skip for the first campaign and configure it after the program is established.

The CSV needs at least three columns: first name, last name, email. Department, title and manager email are optional but make later cohort segmentation much easier; if you have them, include them. The wizard will validate the CSV, show you any rows it couldn't parse and let you fix or skip them inline.

One important habit: include yourself in the test user list. The first phishing email should land in your own inbox first, both as a sanity check that the platform's working and as a built-in test of whether your IT allowlisting is correct. If the test email reaches you, it'll reach the rest - provided your mailbox sits behind the same mail filtering as everyone else's. If executives or a particular office are on a stricter policy, add one mailbox from that group to the test as well.
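The wizard validates the CSV for you, but it's worth running a check of your own before uploading, because the wizard can't know which domains are yours. The script below is an added example, not Bait & Phish code: it assumes the header names first_name, last_name, email, department, title and manager_email (rename to whatever the wizard's import expects), a constructed sample list with one deliberate problem of each kind, and a placeholder company domain of example.com. It rejects malformed and duplicate addresses, flags anyone outside your own domains (contractors and customers should not be simulated-phished without their own consent), and confirms that your own address is in the list so the delivery canary described above actually exists.

```python
"""Pre-upload sanity check for the user CSV (Step 2).

This is an added example, not Bait & Phish code. It assumes the header names
first_name,last_name,email,department,title,manager_email; the wizard's own
header names may differ, so rename the columns to match before uploading.
"""
import csv
import io
import re

REQUIRED = ("first_name", "last_name", "email")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample list with one deliberate problem of each kind.
SAMPLE_CSV = """first_name,last_name,email,department,title,manager_email
Ada,Lovelace,ada.lovelace@example.com,Engineering,Staff Engineer,grace.hopper@example.com
Grace,Hopper,Grace.Hopper@example.com,Engineering,VP Engineering,
Linus,Torvalds,linus@contractor.example.net,Engineering,Contractor,
Ada,Lovelace,ada.lovelace@example.com,Engineering,Staff Engineer,
Bob,,bob@example.com,Finance,,
Carol,Smith,carol.smith@example,Finance,Controller,
"""


def validate_user_csv(text, allowed_domains, admin_email, max_users=25):
    """Return (clean_rows, problems); problems is a list of (row_number, message).

    Row numbers count the header as row 1, matching what a spreadsheet shows.
    Row 0 is used for problems with the file as a whole.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(0, "missing required column(s): " + ", ".join(missing))]

    clean, problems, seen = [], [], set()
    for n, raw in enumerate(reader, start=2):
        # Drop extra unnamed columns (DictReader files them under None) and trim whitespace.
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        blank = [c for c in REQUIRED if not row.get(c)]
        if blank:
            problems.append((n, "blank " + ", ".join(blank)))
            continue
        email = row["email"].lower()
        if not EMAIL_RE.match(email):
            problems.append((n, f"malformed email {row['email']!r}"))
            continue
        if email.rsplit("@", 1)[1] not in allowed_domains:
            # Contractors, customers and personal addresses must not be simulated-phished
            # without their own consent; keep the list to your own domains.
            problems.append((n, f"{email} is outside the allowed domains"))
            continue
        if email in seen:
            problems.append((n, f"duplicate {email}"))
            continue
        manager = row.get("manager_email", "").lower()
        if manager and not EMAIL_RE.match(manager):
            problems.append((n, f"malformed manager_email {row['manager_email']!r}"))
            continue
        seen.add(email)
        row["email"] = email
        clean.append(row)

    # The admin's own mailbox is the delivery canary for the allowlist check.
    if admin_email.lower() not in seen:
        problems.append((0, f"{admin_email} is not in the list; add yourself"))
    if len(clean) > max_users:
        problems.append((0, f"{len(clean)} users exceeds the {max_users}-user trial limit"))
    return clean, problems


if __name__ == "__main__":
    ok, issues = validate_user_csv(SAMPLE_CSV, {"example.com"}, "grace.hopper@example.com")
    for n, msg in issues:
        print(f"row {n}: {msg}")
    print(f"{len(ok)} users ready to upload")
```

Run it against your real export with your own domains in `allowed_domains` and your own address as `admin_email`; fix every row it reports before uploading, since the wizard's inline fix-or-skip is slower than a spreadsheet edit once the list is more than a handful of rows.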

Step 3: Template (5 minutes)

The third wizard page is template selection. The library is organized into five categories - Banking & Finance, Consumer & Shipping, Social Media & Cloud, IT & Business and Events & Government - and three difficulty levels: easy, regular and hard.

For a first campaign, the recommended pattern is:

  • Difficulty: Regular. Easy templates underestimate your baseline; hard templates overestimate it. Regular gives you a meaningful first measurement.
  • Category: Consumer & Shipping or Banking & Finance. These categories produce realistic, broadly-relevant lures that engage a wide cross-section of departments without departmental bias.
  • Avoid: Current-events lures (tax season, hurricane warnings, holiday shipping). They produce inflated baseline numbers that don't reflect your normal threat exposure.

Pick one template. Preview it. Confirm the from-name, the subject line and the call-to-action all read sensibly for your audience. Move forward.

Step 4: Campaign (5 minutes)

The fourth wizard page packages everything into a campaign object: target group, template, schedule, landing page and remediation training assignment.

Three decisions:

  • Send window. Pick a 4-8 hour window, not a single instant. Spreading delivery over a few hours produces more realistic engagement data than a single-instant blast that looks suspiciously synchronized, and it keeps the first person who spots the email from warning the whole company on chat before most people have even opened it.
  • Landing page. When a user clicks, what do they see? The default training landing page is the right answer for a first campaign - it explains they fell for a simulation and assigns the remediation training in one step.
  • Auto-assign training on click. Confirm this is on. Auto-assigned just-in-time training is the difference between a program and a measurement; don't launch without it.

Schedule the campaign. The platform will queue the send for the configured window and start tracking from the first delivery.

Step 5: Off (4 minutes - but it runs for days)

The fifth step in the wizard is named "off" because the wizard's job is done. The campaign runs for a configurable observation window (default 7 days), during which you don't need to do anything. The platform tracks email opens, link clicks, training assignments and training completions automatically. Treat clicks, not opens, as the headline number: open tracking depends on a tracking image loading, which many mail clients block or pre-fetch, so the open count is noisy in both directions.

While the campaign runs, four things to do:

  • Watch the live dashboard. Click rates accumulate in real time. The first click usually arrives within minutes; the long tail extends to day 4 or 5.
  • If your test email didn't arrive in your own inbox within 30 minutes, that's the IT allowlist issue. Forward the platform's allowlist values to IT and ask them to apply them. The opposite symptom, a burst of clicks within seconds of delivery before anyone could have read the email, usually means the gateway's link scanner is following the URL; the same allowlist request should cover link scanning as well as quarantine.
  • Don't broadcast the click rate internally during the campaign. Wait for the full window to close.
  • Schedule the next campaign for 30 days later. Cadence is what produces a program; one campaign is a measurement, twelve campaigns is a program.

What you have at minute 31

Thirty minutes after starting, you have:

  • An active first campaign that will produce a real click-rate baseline within a week
  • An auto-assigned remediation training pipeline for any user who clicks
  • The first artifact in your audit and cyber insurance evidence packet
  • A user list and group structure you can re-use for the next campaign
  • A platform configured for your environment, with IT allowlisting either confirmed or in progress

That's a defensible first campaign. It's also a measurable difference from the alternative: a six-week sales cycle, an enterprise onboarding kickoff and a procurement back-and-forth that ends with the same outcome you could have produced in half an hour.

Common first-campaign pitfalls

The five issues that consistently trip up first-time admins, with how to avoid each:

  • Forgetting to allowlist the simulation sender. The most common reason first campaigns produce zero clicks is that the company's email security gateway quarantined every test email. Send yourself a test before scheduling the company-wide campaign; if your test doesn't arrive, the rest won't either.
  • Including a current-events lure for the first campaign. Tax-season lures, holiday shipping lures and current-events lures inflate the baseline. Stick to evergreen Banking & Finance or Consumer & Shipping for the first measurement.
  • Sending at 9:00 AM Monday. Synchronous send patterns produce engagement spikes that don't reflect normal user behavior. Spread the send window over 4-8 hours during a midweek workday.
  • Carving out executives. Don't. Executive accounts are the highest-loss attack surface and the cohort cyber insurance underwriters scrutinize most. Including them is non-negotiable.
  • Treating one campaign as a program. The single most common mistake. One campaign is a measurement; twelve campaigns is a program. Schedule the second campaign before the first one closes.

What to communicate to leadership and to staff

Before launching, send two short written communications:

  • To leadership (CEO, CFO, board chair): One paragraph explaining that the program is being launched, what the first campaign will look like and when results will be reported. Include the key principle: results will be reported in aggregate, not per-individual; this is a learning program, not a punishment program.
  • To staff (general announcement): One paragraph in the next all-hands or company newsletter announcing that the company is launching an ongoing phishing simulation program. Do not announce specific campaign dates or template categories. The general announcement satisfies HR and ethics requirements; specific announcements invalidate the test.

Both communications should reference the written security awareness policy. If you don't have one, that's the next program artifact to produce - short, simple and signed by an officer of the company. Cyber insurance applications ask for a written policy explicitly, so producing one early in the program lifecycle pays back at the next renewal.
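Reporting in aggregate is easy to promise and easy to break by accident: a "Finance" cohort of two people makes a per-department click rate a per-person click rate. The script below is an added example, not Bait & Phish code, and the export format is an assumption (one record per targeted user with delivered, clicked and trained flags; the platform's own export will look different). It does two things the leadership report needs: it suppresses any department below a minimum cohort size so that the department table never identifies an individual, and it flags a campaign where too few messages were delivered, because zero clicks on a quarantined campaign is the allowlist pitfall above, not a perfect workforce.

```python
"""Aggregate reporting for a closed campaign.

Added example, not Bait & Phish code. The export format is an assumption: one
record per targeted user with delivered/clicked/trained flags. The platform's
own export will differ, but the two checks below apply to any export.
"""
from collections import defaultdict

# Assumption: a department with fewer than this many people is too small to
# report on its own without effectively naming individuals.
MIN_COHORT = 5


def rec(email, department, delivered=True, clicked=False, trained=False):
    return {"email": email, "department": department, "delivered": delivered,
            "clicked": clicked, "trained": trained}


# Constructed export for a 13-person campaign. Engineering had one message
# quarantined; Executive is a two-person cohort.
EVENTS = [
    rec("eng1@example.com", "Engineering", clicked=True, trained=True),
    rec("eng2@example.com", "Engineering", clicked=True),
    rec("eng3@example.com", "Engineering"),
    rec("eng4@example.com", "Engineering"),
    rec("eng5@example.com", "Engineering"),
    rec("eng6@example.com", "Engineering", delivered=False),
    rec("fin1@example.com", "Finance", clicked=True, trained=True),
    rec("fin2@example.com", "Finance", clicked=True, trained=True),
    rec("fin3@example.com", "Finance", clicked=True, trained=True),
    rec("fin4@example.com", "Finance"),
    rec("fin5@example.com", "Finance"),
    rec("ceo@example.com", "Executive", clicked=True, trained=True),
    rec("cfo@example.com", "Executive"),
]


def rates(rows):
    """Counts and rates for one cohort. Email addresses never leave this function."""
    delivered = [r for r in rows if r["delivered"]]
    clicked = [r for r in delivered if r["clicked"]]
    trained = [r for r in clicked if r["trained"]]
    return {
        "targeted": len(rows),
        "delivered": len(delivered),
        "clicked": len(clicked),
        "click_rate": round(len(clicked) / len(delivered), 3) if delivered else None,
        "training_completion": round(len(trained) / len(clicked), 3) if clicked else None,
    }


def summarize(events, min_cohort=MIN_COHORT, min_delivery=0.9):
    """Org-wide numbers plus per-department rates for cohorts of at least min_cohort.

    Smaller cohorts are listed by name only, so they still count in the org total
    without being reported individually. delivery_warning is set when fewer than
    min_delivery of targeted messages were delivered: a campaign with zero clicks
    and low delivery is an allowlist problem, not a perfect workforce.
    """
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e["department"]].append(e)
    org = rates(events)
    report = {"org": org, "departments": {}, "suppressed": [],
              "delivery_warning": org["delivered"] < min_delivery * org["targeted"]}
    for dept, rows in sorted(by_dept.items()):
        if len(rows) < min_cohort:
            report["suppressed"].append(dept)
        else:
            report["departments"][dept] = rates(rows)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(EVENTS), indent=2))
```

The same suppression rule matters more, not less, when you move to the department-segmented campaigns in month 3: smaller cohorts are exactly where a "department" rate becomes a person.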

What's next after the first campaign

One campaign is a baseline. The program starts with the second campaign. The cadence pattern that holds up:

  1. Month 1: All-hands campaign with regular-difficulty Consumer & Shipping or Banking & Finance template (the one you just ran).
  2. Month 2: All-hands campaign with regular-difficulty Social Media & Cloud or IT & Business template.
  3. Month 3: Department-segmented campaign with mixed difficulty by cohort.
  4. Quarter 2: Add SMS phishing (smishing) and voice phishing (vishing) campaigns to the rotation.
  5. Ongoing: Quarterly export of campaign artifacts for audit, board and broker.

If you want a guided walk-through of the platform with a Bait & Phish engineer rather than going alone, contact us. Or just start the trial and run the wizard. Most first-time admins finish the five steps in under thirty minutes; a few finish in under fifteen. Either way, the report at the other end is real, the evidence packet is real and you've started the clock on a measurable program. Pricing for full deployments is on the site whenever you're ready.