Every quarter, in every boardroom, the same slide appears. Phishing Simulation Click Rate: 5.2%, down from 7.8% year-over-year. The board nods. The CFO makes a note. The CISO moves on, knowing with absolute certainty that the number means nothing.
Click rate became the default board metric for security awareness because it has three properties boards love: it’s a single number, it trends over time, and it feels like it measures security. The problem is it fails at all three. A declining click rate tells you employees got better at recognizing your simulations. It does not tell you they got better at recognizing actual attacks. In the AI era, those are different skills with near-zero overlap.
The data confirms it. Researchers at Harvard Kennedy School measured a 54% click-through rate on AI-automated spear phishing, matching expert-crafted attacks at a fraction of the cost. IBM’s 2025 research shows generative AI has compressed phishing email creation from 16 hours to 5 minutes. And Verizon’s 2025 Data Breach Investigations Report paints the landscape at scale: AI-generated phishing emails doubled year over year, phishing click rates nearly tripled, the human element was present in 60% of breaches, and one in six breaches now involves attackers using generative AI.
Your simulation library, built from historical patterns, has nothing in common with what’s actually hitting your inboxes.
The industry’s response has been to replace “security awareness training” with “human risk management.” Per-employee risk scores replace aggregate click rates. The pitch sounds like progress: richer data, more granular views, individualized risk profiles.
It isn’t. These platforms turned the security team into a performance management function. They generate compliance theater with better data visualization. The employee’s experience hasn’t changed; they’re still being tested, just with more granularity in the scoring. The CISO becomes a proctor, not a partner. And both paradigms, compliance-driven SAT and human risk management, put the employee in a detection role they were never equipped to fill.
Detection requires pattern recognition against an evolving threat landscape, real-time judgment under ambiguity, and domain expertise that takes analysts years to develop. No amount of training modules or gamified simulations will compress that expertise into a quarterly refresher. The shift the industry needs isn’t a better detection metric. It’s moving employees out of the detection role entirely.
Detection asks: “Is this email malicious?” That’s an analyst’s question.
Verification asks: “The system identified something unusual about this request. Can you confirm through another channel before acting?” That’s a process question. It requires a phone call, a Slack message, or a walk to someone’s desk.
The distinction matters enormously. One requires expertise most employees don’t have. The other requires judgment humans exercise well every day: confirming something before acting on it.
This isn’t removing humans from security. It’s changing what humans decide about. AI-powered systems handle the classification. Employees handle last-mile confirmation. The cognitive task finally matches what employees can actually do well. And it solves the surveillance problem by design. Nobody feels monitored when the system says “This wire transfer request came from a domain registered yesterday. Want to confirm with your CFO directly?” That’s not a test. That’s a tool being useful.
Once you accept this reframing, the measurement question changes completely. You stop measuring whether employees can spot attacks. You start measuring whether your organization can verify and respond to them. We propose four metrics, measured together, that give boards something click rate never could: an honest picture of whether the organization can withstand real attacks.
Threat Exposure Rate measures what actually reached your people, the denominator nobody currently reports. You cannot game the threat landscape. This metric improves only when the security infrastructure blocks more before it reaches employees.
Verification Coverage measures the percentage of critical decision workflows (wire transfers, access provisioning, vendor onboarding) that have AI-assisted verification checkpoints embedded. It’s structural, not behavioral. You can only improve it by actually building verification into workflows.
Verification Resolution Rate measures how often flagged requests reach a confirmed outcome versus being dismissed or ignored. Critically, it decomposes by workflow, not by person. If 90% of flagged wire transfers reach resolution but only 40% of flagged access requests do, that tells you the access request verification experience is the problem. It’s a system-design insight, not an employee-surveillance insight.
Mean Time to Verification (MTTV) measures elapsed time from flag to confirmed outcome. Every minute between a flagged request and a resolution is a window of exposure. “Our average verification time is 4.2 minutes, down from 11 minutes last quarter” tells a clear operational improvement story.
Every one of these metrics passes the perverse incentive test. The only path to better numbers is the outcome you actually want.
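The four metrics above, computed over a constructed log of flagged requests for one reporting period, as an added example that is not part of the original article; the workflow names, counts and timestamps are constructed, and the formulas are one reading of the definitions given above.

```python
# Added example, not the framework's own code: the four Verification Resilience
# metrics computed from a constructed set of verification events.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Set

@dataclass
class FlaggedRequest:
    workflow: str                 # e.g. "wire_transfer", "access_request"
    flagged_at: float             # minutes since start of the period (constructed)
    resolved_at: Optional[float]  # None = dismissed or ignored, never confirmed

# Constructed sample data for one quarter.
CRITICAL_WORKFLOWS: Set[str] = {"wire_transfer", "access_request", "vendor_onboarding"}
WORKFLOWS_WITH_CHECKPOINT: Set[str] = {"wire_transfer", "access_request"}
DELIVERED = 1250   # phishing-class messages that reached inboxes (constructed)
BLOCKED = 8750     # stopped upstream before reaching anyone (constructed)
FLAGS: List[FlaggedRequest] = [
    FlaggedRequest("wire_transfer", 0, 3),
    FlaggedRequest("wire_transfer", 10, 14),
    FlaggedRequest("wire_transfer", 20, None),
    FlaggedRequest("access_request", 5, 25),
    FlaggedRequest("access_request", 30, None),
    FlaggedRequest("access_request", 40, None),
]

def threat_exposure_rate(delivered: int, blocked: int) -> float:
    """Share of attack traffic that reached people; it only drops when more is blocked upstream."""
    return delivered / (delivered + blocked)

def verification_coverage(critical: Set[str], covered: Set[str]) -> float:
    """Share of critical workflows that have a verification checkpoint embedded (structural)."""
    return len(critical & covered) / len(critical)

def resolution_rate_by_workflow(flags: List[FlaggedRequest]) -> Dict[str, float]:
    """Fraction of flagged requests reaching a confirmed outcome, decomposed by workflow."""
    rates: Dict[str, float] = {}
    for wf in sorted({f.workflow for f in flags}):
        items = [f for f in flags if f.workflow == wf]
        rates[wf] = sum(f.resolved_at is not None for f in items) / len(items)
    return rates

def mean_time_to_verification(flags: List[FlaggedRequest]) -> Optional[float]:
    """Mean minutes from flag to confirmed outcome; unresolved flags are excluded, not zeroed."""
    durations = [f.resolved_at - f.flagged_at for f in flags if f.resolved_at is not None]
    return mean(durations) if durations else None

if __name__ == "__main__":
    print("Threat Exposure Rate:", threat_exposure_rate(DELIVERED, BLOCKED))
    print("Verification Coverage:", verification_coverage(CRITICAL_WORKFLOWS, WORKFLOWS_WITH_CHECKPOINT))
    print("Resolution Rate by workflow:", resolution_rate_by_workflow(FLAGS))
    print("MTTV (minutes):", mean_time_to_verification(FLAGS))
```

Note that unresolved flags lower the resolution rate rather than inflating MTTV, so the two numbers must be read together: a low MTTV alongside a low resolution rate means fast answers only for the requests that get any answer at all.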
This is not a product paper. The Verification Resilience Framework is offered as an open model for industry-wide adoption. But a framework only works if the ecosystem agrees to use it. Without a coordinated effort to align CISOs, regulators, auditors, and standards bodies around outcome-based security metrics, the industry will continue to optimize for checkbox measurements that have no demonstrated correlation with actual resilience.
The conversation about what replaces click rate cannot happen inside a single vendor’s blog. It has to happen across the regulatory and practitioner community. We’re publishing a full whitepaper with the complete framework, a four-level maturity model, implementation guidance, and the transition playbook for getting there without terrifying your board. We invite CISOs, compliance leaders, and regulators to engage with us on building outcome-based measurement that the entire industry can adopt.
Click rate was designed for a threat landscape that no longer exists. The attacks have moved on. The question is whether your measurement moves with them, or whether you keep reporting a number that makes everyone feel better about a risk they’re no longer managing.
That’s not a metrics debate. That’s a leadership decision.
You cannot protect a modern enterprise using decoupled point-solutions and vanity metrics. When an adversary uses an automated, AI-driven Adversary-in-the-Middle (AiTM) proxy kit (such as Tycoon2FA or EvilProxy), the attack bypasses multi-factor authentication seamlessly. The Secure Email Gateway (SEG) sees a clean sender, the Identity Provider (IdP) records a successful MFA completion, and the board looks at a "5.2% simulation click rate" and assumes the organization is secure. This fragmented approach leaves enterprises completely blind to operational risk.
True cybersecurity resilience requires a dual shift: an outcome-based security architecture, paired with metrics that reflect real threat exposure. By marrying the two, leadership can finally stop managing security via checkboxes and start managing actual resilience.
Standard MFA still matters. It blocks the vast majority of basic, automated credential-stuffing attacks. However, it is not a silver bullet. Enterprises must recognize that standard push or SMS-based MFA cannot defend against real-time session token hijacking. It remains an essential baseline control, but it must be reinforced by phishing-resistant MFA (like FIDO2 keys) and advanced pre-engagement delivery filters.
Click rate is a vanity metric that measures a user's ability to recognize historical, static templates—not actual, weaponized attacks. In the generative AI era, attackers can craft highly sophisticated, context-specific spear-phishing lures in minutes. A declining simulation click rate creates a dangerous illusion of safety; it does not indicate how an organization will perform against dynamic, real-world proxy intercepts.
PhaaS platforms completely commoditize complex technical infrastructure. Threat actors no longer need to write custom reverse-proxy scripts to steal session cookies. For a nominal monthly subscription, automated platforms handle real-time authentication relays, generate pixel-perfect login duplicates, and execute automated mailbox exploitation rules within seconds of compromise.
SIEM alerts are retrospective—they record what occurred after a session token has already been stolen. Because automated attack scripts can change inbox forwarding rules or exfiltrate directories instantly upon token acquisition, detecting an IP anomaly minutes or hours later shifts the timeline from proactive prevention to active incident response.
The framework shifts the focus from human error to human and technical capability across four outcome-based metrics: Threat Exposure Rate, Verification Coverage, Verification Resolution Rate, and Mean Time to Verification (MTTV).