Getting started

What Watchword is, how to open it for the first time, the tabs you'll use, and the sample data that's already loaded so you can try everything in minutes.

1 · What is Watchword?

Watchword is phishing-simulation and security-awareness training software for SMBs and MSPs. It bundles four things into one app:

It is local-first: by default it runs entirely in your browser using browser storage (localStorage), with no account and nothing sent over the network. An optional Cloud / Pro tier adds sign-in, sync, MSP entitlements, and compliance-evidence publishing.

The core flow is Train → Test → Prove. Train people with courses, test them with simulated phishing, and prove it by exporting completion and campaign records (and optionally publishing a compliance-evidence object).

2 · First run — open the app

Watchword is a static site with no build step. You open it like any web page, but it must be served over http:// (or https://), not opened as a file:// path, because the app loads its course, template, roster, and tenant data from JSON files and browsers block those reads on file://.

If you're using the hosted version

  1. Go to the Watchword site and click Open the app → (top-right, on every page).
  2. The app shell loads and lands on the Training tab.
  3. That's it — no sign-up, no credit card, nothing to install.

If you're running it locally

  1. Open a terminal in the project folder.
  2. Start any static HTTP server, e.g. python3 -m http.server 8080.
  3. Open http://localhost:8080/app/ for the app (or http://localhost:8080/ for the marketing site).

If you see "Couldn't load data": you almost certainly opened the app from a file:// path. Serve it over http instead (see above). This is the single most common first-run snag; see Troubleshooting.
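
A loopback-only way to do step 2, as an added example (not Watchword's own code): `python3 -m http.server 8080` listens on every network interface unless you pass `--bind`, so this script binds to 127.0.0.1 and includes a check that a JSON file loads over http. The function names and the JSON path given to the check are assumptions; the page does not list the app's data file paths.

```python
import functools
import http.server
import json
import sys
import threading
import urllib.request


def make_local_server(root, port=8080):
    """Static file server for `root` that listens on loopback only."""
    handler = functools.partial(
        http.server.SimpleHTTPRequestHandler, directory=root)
    # `python3 -m http.server 8080` without --bind listens on every interface;
    # 127.0.0.1 keeps the app unreachable from other machines on the network.
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)


def serve_in_background(server):
    """Run the server on a daemon thread so checks can run alongside it."""
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return thread


def check_json_over_http(server, rel_path):
    """Fetch rel_path over http and parse it as JSON.

    rel_path is supplied by the caller (assumption: the page does not name
    the app's data files). Raises on HTTP errors or invalid JSON.
    """
    host, port = server.server_address[:2]
    url = f"http://{host}:{port}/{rel_path.lstrip('/')}"
    # Empty ProxyHandler: never route a loopback request through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage: python3 serve_local.py [project_folder]  (script name is arbitrary)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    srv = make_local_server(root)
    print(f"Serving {root} at http://127.0.0.1:8080/app/ (loopback only)")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        srv.server_close()
```

The one-line equivalent is `python3 -m http.server 8080 --bind 127.0.0.1`.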

3 · A tour of the tabs

The app has a top navigation bar with seven tabs. Here's what each one does and where it's documented in depth.

| Tab | What it's for | Learn more |
|---|---|---|
| MSP console | The tenant tree (switch between client organizations) and the cross-client risk board. The first tab in the bar. | MSP multi-tenancy |
| Training | The course library. Take a course, pass the quiz, earn a certificate. This is where the app opens. | Training |
| Templates | Browse the 24 phishing templates, preview a lure with its red-flag tells, and send it to the simulator. | Phishing campaigns |
| Simulator | Compose a campaign (template + audience + cohort + schedule), run it, and read the results dashboard. | Phishing campaigns |
| Program | Analytics, manager view, learner view, training-due reminders, and reports/exports — five sub-tabs. | Risk scoring · Training |
| AI content (Pro · BYO-key) | Generate a lure or a lesson with your own LLM key. Your browser calls the provider directly. | Phishing campaigns |
| Sign in / Cloud | Optional sign-in, Pro feature gates, per-tenant sync, domain proof, live send, and evidence publishing. | Cloud / Pro |

4 · The sample data you start with

So you can explore without setting anything up, Watchword ships with realistic demo data. None of it is real and no real email is ever sent.

| Dataset | What's in it |
|---|---|
| 10 courses | Spotting Phishing Emails, Passwords & MFA, Business Email Compromise & Wire Fraud, Ransomware & Safe Computing, Handling Sensitive Data (PII & PHI), Social Engineering & Pretexting, Working Securely from Anywhere, Physical Security & Clean Desk, HIPAA Privacy & Security Awareness, and Insider Risk & Removable Media. Each has lessons, a quiz, and framework tags. |
| 24 phishing templates | Across categories: credential-harvest, invoice/BEC, MFA-fatigue, package-delivery, HR/payroll, OAuth-consent, IT-helpdesk, plus multi-channel smishing (SMS), quishing (QR), and vishing (voice/callback). Each carries a difficulty, a sender persona, and red-flag "tells". |
| A demo MSP tenant tree | An MSP root ("Northwind Managed Security") over three isolated client tenants: Acme Co (6 people), Bayside Dental (4), and Fjord Logistics (5). Each client has its own roster, brand color, and pre-seeded authorized send domains. |
| A demo roster | People with department, role, manager, and new-hire flags, used by the simulator, the manager/learner views, and risk scoring. |

When you first open the app the active client is the first one in the tree (Acme Co). The Training / Templates / Simulator / Program tabs all operate on whichever client is active — see MSP multi-tenancy.

5 · Where your data lives

6 · A 5-minute first session

  1. Train: open Training, click Start course on "Spotting Phishing Emails", step through the lessons, take the quiz, and view your certificate.
  2. Test: open Templates, Preview a lure to read its tells, then click Use in simulator. In Simulator, name the campaign, keep all departments checked, and click Schedule & run simulation.
  3. Prove: open Program → Reports & exports and download the Completion or Campaign CSV.