BEHAVE Newsletter

 

The HRM technology landscape is noisy. Here’s how to cut through it.

 

As a human risk or security awareness professional, the rest of the security team probably expects you to be the expert on Human Risk Management (HRM).

 

But let’s be honest — you're probably just as confused as everyone else.

 

The term Human Risk Management has exploded across the cybersecurity market. Everyone from legacy awareness vendors to email security platforms is now calling themselves HRM solutions — even when nothing about their product has changed.

 

It’s HRM-washing. And it makes the landscape noisy and hard to navigate.

 

The result? It’s easy to lump different vendors into the same category — even when your gut tells you they’re doing very different things.

 

So, to help me make sense of it all, I’ve found it useful to think in terms of technology clusters — great tools doing slightly different jobs.

 

    Why this matters. 

    This explainer is designed to help you:

    • Be the HRM expert on your team
    • Make better technology decisions
    • Understand how to compare tools in a more useful way
    • And grow your impact as a human risk leader

      Not all "HRM" platforms are created equal 

      Some tools focus narrowly on training.
      Some simulate phishing.
      Some are Secure Email Gateways with awareness features bolted on.
      And a small handful are building actual behavior-based human risk platforms.

       

      To help make sense of the space, I group vendors into seven clusters — based not on what they call themselves, but on what they actually do.

        The 7 vendor clusters you need to know

         

        1. Human risk intelligence & behavioral management platforms 

        These are broad-spectrum HRM platforms that go well beyond training and phishing sims. The most effective ones:

        • Map behaviors to risk using structured models and real-world data
        • Measure a wide range of behaviors via integrations with security tools
        • Deliver data-driven behavioral interventions — not just training content
        • Automate intervention delivery using workflows to scale outcomes

        These solutions usually meet the SAT compliance requirement — but they go beyond that. They measure a broader set of security behaviors and aim to demonstrate risk reduction by improving them.

         

        2. Email security platforms with bolt-on security awareness

        These vendors started life solving email threats — especially phishing — and later added awareness training as a feature. The result is often siloed, email-centric human risk coverage with little behavioral depth. (Note: KnowBe4 went the other way — training first, then added email tools.)

         

        Buyers often see these as “HRM” tools too. But in reality, they address only a narrow slice of the broader human cyber risk surface.

         

        3. Engagement-driven training & phishing simulation vendors

        These platforms are designed around content delivery and phishing (smishing, vishing, quishing, etc.) simulations. The goal is often to boost training engagement metrics. They tend to promise “behavior change” — but in practice, they measure little beyond clicks, completions, and report rates.

         

        These tools are great for awareness campaigns or checking the compliance box. But they don’t measure behavior change in any meaningful way beyond phishing. Nor do they help with real-time risk reduction.

         

        4. Developer-centric secure coding & application training

        These platforms focus on changing the behaviors of developers and engineering teams. They offer secure coding labs, challenges, and skills development.

         

        Crucial for application security — but they don’t help you manage organization-wide human cyber risk.

         

        5. Lightweight, embedded training for modern workflows (Slack, mobile)

        These tools prioritize delivery convenience — offering nudges or microlearning via Slack, Teams, or mobile. They often have great UX and high engagement.

         

        Useful for just-in-time learning — but light on behavioral analytics, risk visibility, or impact measurement.

         

        6. Deepfake, AI phishing & social engineering simulation tools

        These vendors are focused on highly specific and emerging threats — like deepfakes, AI-generated voice attacks, or video impersonation. Their simulations are often advanced and novel.

         

        These tools are increasingly relevant and can complement an HRM strategy. But they aren’t full-featured HRM platforms.

         

        7. Browser-based behavior nudging tools

        These tools offer nudges or prompts directly in the browser, often at the moment of risky behavior (e.g., entering a sensitive site, sharing credentials). They act as real-time interventions.

         

        Great for in-the-moment friction. But they’re limited to browser-detectable behavior and don’t provide insight into the broader behavioral landscape or risk models.

          The takeaways

          So there you have it. Seven distinct types of vendors, all doing something slightly different — even if they’re all waving the HRM flag.

           

          Yes, there’s overlap. But there are also important differences.

           

          Now, when someone in your team asks you to compare one tool to another — you can confidently point out when they’re comparing apples to oranges. And help them understand how to make better choices.

           

          Most of your peers won’t yet see these distinctions clearly. Your CISO might not either. But now you do.

            Want to talk more about the evolving HRM landscape, or have questions about which technology fits where?


            Book a strategy session. Let’s talk.

            Thanks for reading! 

             


            Oz Alashe MBE

            CEO and Founder,

            CybSafe
