What's the phishing simulation maturity model?

A five-tier framework describing operational maturity of a phishing simulation and security awareness training program. The five tiers are Baseline, Evolving, Intermediate, Advanced and Innovative, mirroring the structure FFIEC's Cybersecurity Assessment Tool uses for its broader cybersecurity-control maturity assessment. Each tier specifies what the program does across six dimensions: cadence, multi-channel coverage, auto-assigned remediation training, role-based differentiation, trend reporting, and integration with other security controls. The model is useful for self-assessment and for setting realistic year-over-year improvement goals.

What tier should our organization target?

Depends on regulatory exposure and risk profile. Most general-commercial organizations target Intermediate (continuous program with auto-remediation and risk-tied metrics). Regulated industries - banks, healthcare, defense contractors, critical infrastructure - typically target Advanced (behavior-based program with measurable click-rate decline and threat-aligned content). Innovative (adaptive content driven by integrated threat intelligence) is the explicit goal for organizations facing nation-state or sophisticated targeting; most don't need to reach this tier. Baseline is the regulatory minimum and increasingly cited as insufficient by examiners and underwriters.

How long does it take to advance one maturity tier?

Realistic timelines: Baseline -> Evolving: 3-6 months (continuous cadence + first phishing tests). Evolving -> Intermediate: 6-12 months (auto-remediation rollout, risk-tied metrics, role-based content for privileged users). Intermediate -> Advanced: 12-18 months (multi-channel coverage, measurable click-rate decline, threat-aligned templates). Advanced -> Innovative: 18-24+ months (threat-intel integration, per-user risk scoring, adaptive content). Most organizations advance one tier per year for the first three years, then plateau at Intermediate or Advanced. Plateau is fine if the tier matches your risk profile.

What are common plateau patterns - why do programs stall?

Five common plateau patterns: (1) The annual-only training plateau - program scheduled annually because that's what compliance frameworks list as floor; never advances to continuous. (2) The single-channel plateau - email-only program; never adds SMS or voice despite the threat landscape requiring it. (3) The generic-template plateau - never customizes templates to organization-specific risk; uses out-of-the-box library only. (4) The reporting-only plateau - dashboards exist but no documented response when click rates exceed thresholds. (5) The integration plateau - phishing simulation evidence not connected to SOC 2 / cyber insurance / vulnerability assessment workstreams. Each plateau is a known operational gap that examiners and underwriters increasingly cite.

Does the FFIEC CAT actually map to phishing simulation maturity?

Yes, but FFIEC CAT covers broader cybersecurity controls; the phishing-simulation maturity model adapts CAT's tier structure to the awareness-training control specifically. The tier names match (Baseline/Evolving/Intermediate/Advanced/Innovative) but the per-tier criteria are awareness-training-specific. FFIEC examiners reading a phishing program assessed against this maturity model will recognize the structure even though the underlying controls are awareness-training-specific rather than full-spectrum CAT controls.

How do we self-assess our current tier?

Score your program against the six dimensions in the model: cadence, multi-channel coverage, auto-assigned remediation, role-based differentiation, trend reporting and integration. Each dimension is scored Baseline through Innovative based on the per-dimension criteria. The overall program tier is the LOWEST scored dimension (programs are bottlenecked by their weakest control). The self-assessment is useful both for honest current-state evaluation and for setting realistic next-tier improvement goals. We've included the per-tier criteria in the table below.

Phishing Maturity Model: 5-Tier Framework

Phishing Simulation Maturity Model: 5-Tier Framework for 2026

Most phishing simulation programs plateau. Not because the platform is wrong - because the program design hits a known operational gap and the team doesn't know what the next move looks like. The maturity model below names those gaps explicitly and tells you exactly what advancing one tier requires.

The five tiers - Baseline, Evolving, Intermediate, Advanced, Innovative - mirror the FFIEC Cybersecurity Assessment Tool's structure. The per-tier criteria below are awareness-training-specific. The model is useful for self-assessment, for setting realistic next-year improvement goals and for explaining program maturity to auditors, insurers and boards in language they already recognize.

The 5 tiers in one sentence each

Baseline: annual training delivered to all personnel; documented; no behavioral testing.
Evolving: continuous training cadence with periodic phishing tests; basic completion tracking.
Intermediate: role-based content; phishing simulation tied to risk metrics; auto-assigned remediation training.
Advanced: behavior-based program with measurable click-rate decline; multi-channel coverage; threat-aligned templates.
Innovative: adaptive content driven by integrated threat intelligence; per-user risk scoring; phishing-resistant MFA bundled.

The 6 operational dimensions

Each tier is scored across six dimensions. The overall program tier is the LOWEST scored dimension - programs are bottlenecked by their weakest control.

Dimension	Baseline	Evolving	Intermediate	Advanced	Innovative
Cadence	Annual	Quarterly	Monthly	Monthly + risk-cohort weekly	Continuous adaptive
Channels	Email only	Email only	Email + SMS	Email + SMS + voice	All channels + collaboration tools
Remediation	Manual	Manual / scripted	Auto-assigned	Auto + category-matched	Adaptive per-user pacing
Role-based	None	None	Privileged users + executives	All major risk roles	Per-individual risk score
Reporting	Completion %	Click rate per campaign	Trend + threshold response	YOY decline + cohort breakouts	Risk-integrated dashboards
Integration	Standalone	Standalone	SOC 2 / insurance evidence	SIEM + IR + insurance	Threat-intel feed driven

What target tier matches your organization

Profile	Target tier	Reasoning
General commercial, no specific compliance	Intermediate	Insurance underwriting + general due-diligence floor
SOC 2 / ISO 27001 customers	Intermediate to Advanced	Auditors increasingly weight YOY trend evidence
Banks, finserv (FFIEC, NYDFS)	Advanced	Examiners explicitly target this tier post-2023
Healthcare, HITRUST r2	Advanced	MyCSF Measured/Managed tier requires it
DoD suppliers (CMMC), critical infra	Advanced	C3PAO assessors require Measured-tier evidence
High-target sectors (defense, energy, large finserv)	Innovative	Nation-state / sophisticated targeting requires adaptive content

Realistic timelines

Baseline -> Evolving: 3-6 months. Add continuous cadence + first phishing tests.
Evolving -> Intermediate: 6-12 months. Add auto-remediation, risk-tied metrics, role-based content for privileged users.
Intermediate -> Advanced: 12-18 months. Add multi-channel, measurable click-rate decline, threat-aligned templates.
Advanced -> Innovative: 18-24+ months. Add threat-intel integration, per-user risk scoring, adaptive content. Significant tooling and integration work.

Most organizations advance one tier per year for the first three years, then plateau at Intermediate or Advanced. Plateau at the right tier for your risk profile is fine. Plateau below your risk profile's required tier is increasingly cited as audit/insurance finding.

Common plateau patterns - why programs stall

Five recognizable plateau patterns:

Annual-only training plateau. Program scheduled annually because that's what compliance frameworks list as floor. Never advances to continuous. Solution: schedule monthly cadence even if templates are simple at first.
Single-channel plateau. Email-only program. Never adds SMS or voice despite the threat landscape requiring it. Solution: pilot SMS phishing on a single risk cohort first to build operational comfort.
Generic-template plateau. Out-of-the-box library only. Never customizes templates to organization-specific risk. Solution: build a quarterly template-customization process tied to incident-response intelligence.
Reporting-only plateau. Dashboards exist but no documented response when click rates exceed thresholds. Solution: define an explicit threshold-exceedance playbook with executive escalation.
Integration plateau. Phishing simulation evidence not connected to SOC 2 / cyber insurance / vulnerability assessment workstreams. Solution: build the cross-workstream evidence package as a deliberate artifact.

How to advance one tier (the operational pattern)

Programs that successfully advance share a common operational pattern:

Score honestly. Use the dimension table as a checklist. Identify the bottleneck dimension - the lowest score is what's pulling overall tier down.
Pick the bottleneck as the next-tier focus. Don't try to upgrade everything simultaneously; change-management overhead kills programs.
Document the upgrade plan with executive sponsorship. Written plan signed off by the program executive sponsor. Specifies the dimension, target criteria, rollout timeline, tooling changes, success metric.
Execute with quarterly milestones. Most upgrades fail in execution, not design. Month 1 = configuration. Month 2 = pilot. Month 3 = full rollout. Month 4-6 = stabilization and measurement.
Re-assess all six dimensions after 90 days stable. The bottleneck dimension should now meet next-tier criteria. The new bottleneck (different dimension) becomes the next upgrade target.

Self-assessment: where are you?

Quick self-test - score each dimension honestly Baseline through Innovative based on the criteria in the table above. Your overall program tier is the lowest dimension score. Most programs that have been running 1-2 years sit at Evolving or Intermediate. Most that have been running 3+ years and are well-funded sit at Advanced. Innovative is rare; most organizations don't need to reach it.

If your assessment surfaces a bottleneck dimension below where it should be for your risk profile, that's the next-12-months program improvement target. Document it as such.

How this maturity model maps to specific compliance frameworks

FFIEC CAT uses these exact tier names; mapping is direct. The per-dimension criteria are awareness-training-specific but the structure matches.
HITRUST CSF Implementation Levels 1/2/3 align: Level 1 ~ Baseline; Level 2 ~ Intermediate; Level 3 ~ Advanced. r2 certification typically requires Advanced.
CMMC AT.L2-3.2.1/.2/.3 require Intermediate-tier evidence; most C3PAO assessors expect Advanced for r2-equivalent risk profiles.
SOC 2 / ISO 27001 auditors don't use these tier names but recognize the YOY-trend evidence at Advanced as materially stronger than the threshold-only evidence at Intermediate.
Cyber insurance underwriting increasingly aligns to Intermediate-or-better; Advanced earns better premium reductions per our cyber insurer renewal walkthrough.

Where Bait & Phish fits

Bait & Phish supports programs at every maturity tier - Baseline programs starting their first phishing tests, through Advanced programs running multi-channel + auto-remediation + cohort-differentiated content. The platform's design assumes programs will advance over time and provides the operational hooks (auto-assignment, multi-channel, role-based, integration) that the higher tiers require. Start a 25-user free trial at any tier to validate fit, or talk to us about a maturity-model walkthrough mapped to your current and target tier.

This post is informational. Specific maturity-tier targets, regulatory alignment, audit posture and program-improvement plans are organization-specific - consult appropriate counsel and program advisors for tailored guidance.

See also: Click-rate benchmarks by industry for tier-aligned click-rate expectations, Executive metrics that matter for board-reporting at each tier, and Compliance comparison hub for cross-framework evidence overlap.

Related program operations and how-to guides

09may