The One-Line Truth

Adaptive Security trains employees to survive AI-powered social engineering by attacking them first with deepfake voice calls, synthetic video impersonations, and OSINT-personalized phishing across every channel an attacker would actually use.

The Role: Chief Information Security Officer / Head of Security Awareness Founded: 2023 (public launch January 2025) | HQ: New York City | Funding: $146.5M ($55M Series A including follow-on, $81M Series B, plus earlier funding) Founders: Brian Long (CEO, previously co-founded TapCommerce and Attentive) and Andrew Jones (CPO, previously co-founded TapCommerce and Attentive)

The Disruption Connection

In December, The Heed Report mapped how AI was compressing knowledge work across 40 business functions. Social engineering was one of the functions where compression cut both ways: the same generative AI tools accelerating legitimate work were simultaneously making impersonation, voice cloning, and spear phishing cheaper and more convincing than ever. Adaptive Security is the defensive response.

Deepfake attack volumes surged between 2023 and 2024. Sumsub reported a four-fold increase in deepfake incidents year over year. Entrust reported a deepfake attempt every five minutes globally. The average deepfake attack now costs organizations over $105,000, and the most devastating cases have reached far higher. Arup, a UK-based engineering firm, lost $25 million in early 2024 after employees at its Hong Kong office were deceived by deepfake video calls impersonating senior executives. The Axie Infinity breach of 2022, which resulted in over $540 million in losses, originated from a single fake job offer targeting one senior engineer. These are not infrastructure failures. They are human-layer failures, and legacy security awareness training was not built for them.

The Problem It Kills

Traditional security awareness training treats the human attack surface like a compliance checkbox: annual video modules, templated phishing emails, and completion certificates that prove attendance but not resilience. The format was designed for an era when the primary threat was a poorly spelled email from a Nigerian prince.

That era ended when generative AI made it possible to clone an executive's voice from three seconds of audio, generate a video avatar from two minutes of footage, and craft a spear phishing message personalized with hundreds of open-source intelligence data points about the target. Legacy platforms like KnowBe4 and Proofpoint Security Awareness Training still focus overwhelmingly on email phishing. They were not built to simulate a real-time phone call from a synthetic version of your CFO asking you to authorize a wire transfer.

Adaptive Security closes this gap by attacking employees across every channel an actual adversary would use: email, SMS, voice, and video. The simulations are not pre-recorded scripts. The voice deepfakes hold real-time conversations. The spear phishing incorporates actual OSINT reconnaissance on the target employee. The training modules are AI-generated and personalized to each employee's role, access level, and behavioral risk profile. The result is that employees experience what a modern social engineering attack actually feels like before a real one arrives.

Who This Is For / Who Should Skip It

Build with this if: You are a security team at a company with 200+ employees, particularly in financial services, technology, healthcare, or any industry where employees handle sensitive data or approve financial transactions. The platform is designed for enterprise scale. Customers range from Fortune 500 corporations (PayPal, Xerox) to fintech companies (Ramp, Plaid) to professional sports organizations (the NHL, the Dallas Mavericks, the PGA) to homebuilders (Lennar, 13,000+ employees). If your current SAT vendor sends the same email phishing templates every quarter and your board is asking about deepfake readiness, this is the upgrade.

Skip this if: You are a small team under 50 people where personalized security coaching is more practical than a platform. If your primary concern is regulatory compliance checkboxes rather than genuine resilience, a lower-cost legacy vendor may satisfy your auditors at a fraction of the price. The platform's strength is realism and multichannel simulation; if your threat model is still primarily email phishing from unsophisticated actors, you may be paying for capabilities you do not need yet.

How It Actually Works

Minute 1. Signup routes through a demo request. Once onboarded, the platform connects to your identity provider (Okta, Microsoft Entra, JumpCloud, Google Workspace, and others) and your HR system (BambooHR, Rippling, Workday, Gusto, Paylocity, and more). Employee rosters sync automatically. G2 reviewers consistently note that initial setup is fast and clean: "The admin portal is nice and clean. There's no need to dig through mountains of fluff to get to the information I want. Super easy to use, and their customer support has been second-to-none."

First Hour. Security admins configure their first phishing campaign. The platform offers multichannel options: email spear phishing personalized with OSINT data, SMS smishing via Direct Message Injection, and voice deepfake calls. You can upload three seconds of audio from any executive at your company and the engine generates a voice clone capable of holding a live, unscripted conversation with the target employee. The video deepfake module requires approximately two minutes of footage to create a synthetic video persona. Campaigns can be set to run automatically, including new-hire campaigns that launch on day one.

First Week. Training modules deploy alongside the simulations. The platform offers over 100 expert-vetted interactive modules covering security awareness, compliance, and AI-driven threat scenarios. These are not traditional 45-minute lecture videos. They are bite-sized, interactive, and designed in the short-form style of modern media. The AI Content Creator allows security teams to generate custom training modules from a prompt or a policy document, producing narrated, visual, quiz-embedded courses in minutes. Employees who fail a phishing simulation receive immediate micro-lessons explaining exactly what they missed. The OSINT engine evaluates over 1,000 data points per employee, surfacing public information that attackers could weaponize, and scores each employee's risk level. Admins see dashboards with engagement metrics, phishing failure rates, and risk scores filtered by department, location, or role.

The Features That Matter

Deepfake voice simulation. Three seconds of audio generates a voice clone that can hold a real-time, interactive phone conversation with an employee. The clone is not reading a script; it responds dynamically, probes for information, and creates urgency. Brian Long has demonstrated this capability by having a conversation with a synthetic version of himself in Spanish, noting that the avatar version was more fluent than he is. This is the single feature that most clearly separates Adaptive from every legacy SAT vendor.

OSINT-based risk scoring. The platform crawls public websites, social media, fitness trackers, and other open sources to evaluate over 1,000 data points per employee, with plans to scale to 10,000+. It identifies which employees are most exposed to impersonation or targeting based on their public digital footprint. Long has described the logic: "You might find only 10 or 20 really concerning things, but you want to make sure that you're taking action to get rid of those things." This shifts security training from batch-and-blast to prioritized, risk-based allocation.

AI Content Creator. Security teams can generate custom training modules from a policy document, a prompt, or existing content. The engine produces narrated, visual, quiz-embedded courses in minutes, localized across 39+ languages. This replaces the legacy model of licensing pre-built content libraries and waiting for vendors to update them.

Multichannel phishing simulation. Email, SMS (smishing), voice (vishing), and video deepfake simulations run from a single platform. Direct Message Injection allows phishing tests to arrive through trusted gateways rather than external SMTP, making them harder for email security tools to filter and more realistic for employees. QR code phishing is also supported.

Adaptive AI Governance. Launched in 2026, this product line expands the platform from training the individual to governing the AI tools individuals adopt. It provides real-time visibility into every AI tool connected to the enterprise identity fabric, maps OAuth scopes and permission entitlements, and enforces automated policies that revoke access to tools exhibiting suspicious behavior or excessive permissions. The context for this product is the shadow AI problem: 80% of employees use unapproved generative AI applications at work, yet only 37% of organizations have a formal AI governance policy in place.

Bot click prevention and phish triage. The platform automatically detects and filters bot clicks from phishing simulations, preventing false positives from inflating failure rates. Automated phish triage reduces helpdesk time by handling employee-reported suspicious messages. These operational features protect the integrity of security metrics for board-level reporting.

Real Cost

Adaptive does not publish specific pricing on its website. The pricing page states that tiers "can be adjusted to your organization's needs," ranging from basic compliance training to comprehensive multichannel deepfake simulations.

Third-party analysis from Brightside AI estimates standard enterprise plans at $20 to $30 per user per year, with custom enterprise pricing negotiated for larger deployments. For a 500-person company, that translates to roughly $10,000 to $15,000 annually. For Lennar's 13,000+ employees, the contract would be significantly larger.

The competitive benchmark: KnowBe4's Diamond plan runs approximately $30 to $40 per user per year for organizations above 100 seats. Hoxhunt is reported at similar enterprise pricing. Adaptive's pricing appears competitive with incumbents while offering multichannel capabilities (voice, video, SMS) that legacy vendors charge extra for or do not offer at all.

Hidden cost considerations: implementation and onboarding appear lightweight based on G2 reviews ("initial setup was very easy, and we were up and running quickly"), but enterprise deployments with OSINT scanning, deepfake simulation, and AI Governance likely involve professional services or dedicated account management at scale. The platform integrates with 24+ HR, identity, and GRC platforms, which reduces the integration tax.

G2 reviewers report that the platform consolidates what previously required three separate tools (training, phishing simulation, and reporting), which offsets per-user costs through vendor consolidation.

What Customers Say

Praise patterns:

The dominant theme across case studies and reviews is that Adaptive's simulations feel genuinely different from legacy training. Ben Porter, IT Director at Podium (1,100+ employees), captured it directly: "The deepfake simulations were a huge wake-up call. They fundamentally changed how our employees think about social engineering." His team reported the highest employee engagement with security training they had ever measured.

Jonathan Aluveaux, Information Security Lead at Ramp, described a behavioral shift: "We've actually got our employees reaching out to us about the training, and the information is sticking." When employees voluntarily seek out security training rather than completing it under duress, the platform is doing something legacy vendors have failed to achieve.

Kenneth Moras, Head of Security GRC at Plaid (1,000+ employees), noted the cultural impact: "Adaptive has equipped our teams with cutting-edge tools and built a smarter, more resilient security culture across the company." Plaid gave Adaptive a 10/10 likelihood of recommending to peers.

Chris Ott, Business Information Security Officer at NerdWallet, framed the transition from legacy vendors: "We didn't just adopt another training platform, we upgraded our entire security culture with a true partner that's leading the way in AI, deepfake defense, and cybersecurity."

Complaint patterns:

G2 reviews surface a consistent tension: the phishing tests skew harder than easy. One reviewer noted that "the phishing test feature has a lot more difficult tests than easy ones. Some users may get caught off guard by the harder tests." This is a design choice, not a bug, but it can create friction with employees who feel set up to fail rather than trained to succeed.

Reviewers also note that the product's rapid feature releases require adaptation: "New product rollouts require some adaptation on our end to keep pace, but it's ultimately a good thing for our business." The pace of innovation is a strength that creates its own operational overhead.

Pricing opacity is a frustration for smaller organizations. The "contact sales" model without published pricing makes it difficult for mid-market security teams to budget or compare options without entering a sales cycle.

The Competitive Read

Where Adaptive wins outright: No legacy SAT vendor offers real-time deepfake voice simulation, OSINT-based employee risk scoring, and AI-generated custom training content from a single platform. KnowBe4 has the largest content library in the market (thousands of modules, dozens of languages) but its simulations are primarily email-based and its content model is licensed rather than AI-generated. Proofpoint Security Awareness Training integrates deeply with Proofpoint's threat intelligence but shares the same email-centric limitation. Hoxhunt offers strong gamification and adaptive difficulty but lacks voice and video deepfake capabilities. Reddit security professionals have described legacy vendors as offering "recycled content" and "sluggish platforms," with one noting: "If you want something more modern and forward-thinking, Adaptive is worth looking at."

Where competitors hold advantages: KnowBe4's scale and content depth remain unmatched for organizations that need broad compliance coverage across dozens of regulatory frameworks. Proofpoint's integration with its own email security gateway creates a tighter feedback loop between real threats detected and training delivered. Hoxhunt's gamification model drives higher sustained engagement in organizations where competition motivates employees. SoSafe has stronger traction in the European market with GDPR-specific compliance workflows.

The AI Governance play changes the competitive frame. With the launch of Adaptive AI Governance, the company is no longer competing solely against SAT vendors. It is entering the shadow AI and SaaS governance space, where competitors include Nudge Security, Grip Security, and Reco. This positions Adaptive as a platform that governs both human behavior (via training and simulation) and machine behavior (via AI tool visibility and policy enforcement), a combination no single competitor currently offers.

What to pair it with: Adaptive does not replace your email security gateway (Proofpoint, Mimecast, Abnormal Security), your endpoint detection platform (CrowdStrike, SentinelOne), or your identity provider (Okta, Microsoft Entra). It sits alongside these tools as the human-layer defense. The OSINT engine and AI Governance module complement identity governance platforms but do not replace full IGA solutions.

The Honest Verdict

Excellent for: Enterprise security teams that have outgrown legacy SAT and need to prepare employees for multichannel, AI-powered social engineering. The voice deepfake simulation is a genuine differentiator that no incumbent matches today. Financial services, technology, and healthcare organizations where the cost of a successful social engineering attack far exceeds the platform's annual spend.

Breaks at: Organizations under 200 employees where the per-user cost is harder to justify and hands-on security coaching may be more effective. Companies whose compliance requirements are satisfied by basic email phishing simulation and annual video training may find the advanced capabilities underutilized. The pricing opacity makes procurement difficult for budget-conscious mid-market teams.

Trajectory: The $146.5 million in funding from OpenAI, NVIDIA, a16z, Bain Capital, Citi Ventures, and Capital One Ventures is not a typical SAT investor roster. These are organizations with direct strategic interest in the security of the AI ecosystem. The 51,000-square-foot sublease at 120 Broadway in Manhattan signals significant headcount expansion. The AI Governance product line signals a platform evolution from "security training vendor" to "human and AI risk management platform." Brian Long and Andrew Jones have built two companies to massive scale together (TapCommerce to a $100M+ Twitter acquisition, Attentive to $500M+ ARR and 8,000+ customers). The playbook they are running is familiar to them. In 12 months, expect Adaptive to push deeper into AI Governance, expand its OSINT engine toward 10,000+ data points per employee, and continue converting enterprise customers from KnowBe4 at a rate that makes the legacy vendor's 2025 go-private transaction look prescient.

Set It Up with AI

Prompt 1: Deepfake readiness assessment. "I am the CISO of a [industry] company with [X] employees. We currently use [current SAT vendor] for security awareness training. Our executive team has [number] members with significant public audio/video presence (conference talks, podcasts, media appearances). Assess our organization's readiness for deepfake-based social engineering attacks across voice, video, SMS, and email channels. Identify our five highest-risk employees based on public digital footprint and recommend a phased simulation rollout plan."

Prompt 2: OSINT exposure audit. "Analyze the public digital footprint of [executive name] at [company]. Search for publicly available audio samples (podcasts, webinars, conference recordings), video footage, social media profiles, corporate bios, press mentions, and any other open-source intelligence that an attacker could use to create a deepfake voice or video clone. Score the exposure level from 1-10 and recommend specific actions to reduce the attack surface."

Prompt 3: AI governance policy draft. "Draft an AI tool governance policy for a [company size] organization in [industry]. The policy should cover: employee use of unapproved AI tools, OAuth permission requirements for AI integrations, approval workflows for new AI tool adoption, data classification rules for AI tool access, incident response procedures for AI tool compromise, and quarterly audit requirements. Reference the Vercel/Context.ai supply chain compromise as a case study for why AI tool governance is critical."

Prompt 4: Legacy SAT migration plan. "We are migrating from [KnowBe4 / Proofpoint / Hoxhunt] to Adaptive Security. Create a 90-day migration plan that includes: Week 1 identity provider integration and employee sync, Week 2-3 baseline phishing campaign across email and SMS channels, Week 4 first deepfake voice simulation for executive team, Week 5-8 department-level training rollout with AI-generated custom modules, Week 9-12 full multichannel simulation program with OSINT-based risk scoring. Include success metrics for each phase."

Sources

Independent sources:

Customer-attributed sources:

  • Ramp Case Study -- Adaptive Security (Jonathan Aluveaux, Information Security Lead at Ramp; employee engagement shift; 1,000+ employees, 100+ SaaS integrations)
  • Podium Case Study -- Adaptive Security (Ben Porter, IT Director at Podium; deepfake simulation impact; 1,100+ employees synced, 10/10 sales/onboarding rating, highest engagement ever measured)
  • Plaid Case Study -- Adaptive Security (Kenneth Moras, Head of Security GRC at Plaid; resilient security culture; 1,000+ employees, 10/10 recommendation likelihood)
  • Enterprise Security Awareness Training -- Adaptive Security (Moras quote on cutting-edge tools, enterprise deployment architecture)

Company-published sources:

  • $81M Series B to Stop AI-Powered Social Engineering -- Adaptive Security (Series B announcement, 500+ customers, investor list, customer logos)
  • About Adaptive Security -- Adaptive Security (founder bios, Attentive history, founding motivation, TapCommerce/Twitter exit)
  • Why Adaptive -- Adaptive Security (competitive positioning, customer quotes, product differentiation)
  • Adaptive Security Pricing -- Adaptive Security (tiered plans, "adjusted to your organization's needs")
  • Control Center -- Adaptive Security (admin features, bot click prevention, phish triage, reporting API, customer testimonials)
  • Product Updates -- Adaptive Security (AI Governance launch, AI Content Studio, EU AI Act compliance, feature timeline)
  • Brian Long on LinkedIn -- Brian Long (Liz Benz voice clone story, AI Governance announcement, Vercel breach context, elder fraud statistics)

Day 26 of 30. Tomorrow: XBOW -- Day 27 brings autonomous penetration testing to the Foundation layer.