Realistic phishing tests that teach, not trick.
A good phishing simulation isn't about catching people out — it's about building reflexes. Watchword's simulator lets you design a campaign end to end: pick a template, choose your audience, randomize per-learner variants so the tests aren't pattern-matchable, schedule a send window, and watch the results land on a live dashboard.
The template library
Vetted templates across the categories attackers actually use: credential-harvest, invoice / BEC, MFA-fatigue, package / delivery, HR / payroll, IT-helpdesk, OAuth-consent, and document-share. Each one ships with its red-flag "tells" so a teachable moment is built in. Personalization tokens render with your org name and the recipient's first name.
Granular event tracking
Every recipient produces a per-event log with timestamps: sent → opened → clicked → submitted → reported. Reporting a phish is scored as a positive signal — the people who hit "Report" are your strongest defenders, and your Human Risk Score reflects that, not just quiz completions.
Adaptive and remedial
Clickers get auto-enrolled in remedial micro-training; consistent reporters graduate to harder, subtler lures. The simulation difficulty bends to behavior so it never goes stale.
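The event funnel and the adaptive rules above, as an added example that is not Watchword's code: it folds a constructed event log (sent, opened, clicked, submitted, reported, in the page's vocabulary) into one outcome per recipient and picks the next step the page describes (remedial micro-training for clickers, a harder lure for consistent reporters). The ordering rule that a report filed after a click is still a click, the outcome labels, the three-campaign threshold for "consistent", and the tuple layout of the log are this example's own assumptions; the page gives no Human Risk Score formula, so none is invented here.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed event log: (timestamp, recipient, event). The layout is this example's;
# the event names are the page's sent -> opened -> clicked -> submitted -> reported.
EVENTS = [
    (100, "ana@example.com", "sent"),
    (101, "ana@example.com", "opened"),
    (103, "ana@example.com", "reported"),
    (100, "ben@example.com", "sent"),
    (120, "ben@example.com", "opened"),
    (121, "ben@example.com", "clicked"),
    (125, "ben@example.com", "reported"),   # reported, but only after clicking
    (100, "cy@example.com", "sent"),
    (140, "cy@example.com", "opened"),
    (141, "cy@example.com", "clicked"),
    (142, "cy@example.com", "submitted"),
    (100, "dee@example.com", "sent"),
]

ORDER = ["sent", "opened", "clicked", "submitted", "reported"]
NEGATIVE = ("clicked", "submitted")
CONSISTENT = 3  # assumed: this many "reported" outcomes in a row earns a harder lure


def funnel(events) -> Dict[str, List[str]]:
    """Per-recipient event sequence in timestamp order (so report-after-click is visible)."""
    by_rcpt: Dict[str, List[str]] = defaultdict(list)
    for _, rcpt, ev in sorted(events):
        if ev in ORDER:            # ignore unknown event names rather than crash
            by_rcpt[rcpt].append(ev)
    return dict(by_rcpt)


def outcome(seq: List[str]) -> str:
    """Assumed rule: the worst negative event wins, so a report that follows a click
    is still scored as a click. Otherwise 'reported' beats 'opened' beats 'ignored'."""
    for bad in reversed(NEGATIVE):  # check 'submitted' before 'clicked'
        if bad in seq:
            return bad
    if "reported" in seq:
        return "reported"
    return "opened" if "opened" in seq else "ignored"


def next_action(history: List[str]) -> str:
    """Page rules: clickers get remedial micro-training; consistent reporters graduate
    to harder lures. Everyone else stays on the current tier."""
    if not history:
        return "baseline"
    if history[-1] in NEGATIVE:
        return "remedial-micro-training"
    if len(history) >= CONSISTENT and all(o == "reported" for o in history[-CONSISTENT:]):
        return "harder-lure"
    return "same-tier"


def plan(events, history: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """Fold this campaign's outcomes into per-recipient history (mutated in place)
    and return {recipient: (outcome, next action)}."""
    result: Dict[str, Tuple[str, str]] = {}
    for rcpt, seq in funnel(events).items():
        history.setdefault(rcpt, []).append(outcome(seq))
        result[rcpt] = (history[rcpt][-1], next_action(history[rcpt]))
    return result


if __name__ == "__main__":
    prior = {"ana@example.com": ["reported", "reported"]}  # constructed earlier campaigns
    for rcpt, (out, act) in plan(EVENTS, prior).items():
        print(f"{rcpt:18} {out:10} -> {act}")
```

Running it classifies ana as a reporter who graduates to a harder lure, ben and cy as clickers bound for remedial training (ben's later report does not erase the click), and dee, who never opened the mail, as unchanged.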
Send safely — prove the domain first
A phishing simulator that will send to any address is a spam cannon waiting to be abused. Watchword's safety machinery is built in and always on:
- Domain-authorization gate: a mandatory canSend check clears every recipient individually. If a recipient's domain hasn't been proven, that recipient is skipped, never sent.
- DNS-TXT domain proof: add a domain, publish the unique TXT record we give you, and Watchword runs a real DNS-over-HTTPS lookup and requires an exact match before the domain joins the authorized list.
- Scoped, rotating tokens: each send mints a fresh token bound to one tenant and one proven domain, expiring in 24 hours — a leaked token can't be replayed against another tenant or domain.
- Live send via the notification service: once a campaign's domains are proven, a cleared audience routes through the shared notify service, carrying only the lure subject and a campaign reference — never passwords or captured data.
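The four safety steps above, as one added example that is not Watchword's code: a challenge is issued for a domain, the TXT record is checked for an exact match (a resolver is injected so the demo runs offline; a real DNS-over-HTTPS JSON lookup is included but not called), the per-recipient canSend gate filters the audience, and each send mints an HMAC-signed token bound to one tenant and one proven domain with a 24-hour expiry. The `_watchword` record label, the DoH endpoint, the token's signing scheme, the exact-domain (no subdomain) rule, and all names and sample data are this example's assumptions, not Watchword's implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

TXT_LABEL = "_watchword"          # assumed record label; the page does not specify one
TOKEN_TTL = 24 * 60 * 60          # page: send tokens expire in 24 hours
Resolver = Callable[[str], List[str]]  # DNS name -> list of unquoted TXT strings


def issue_challenge() -> str:
    """Unguessable value the tenant must publish; nobody else can forge the proof."""
    return "watchword-verify=" + secrets.token_urlsafe(24)


def doh_txt(name: str, endpoint: str = "https://cloudflare-dns.com/dns-query") -> List[str]:
    """Real DNS-over-HTTPS TXT lookup via the JSON API (assumed endpoint; needs network).
    The offline demo injects a fake resolver instead of calling this."""
    import urllib.parse
    import urllib.request
    url = endpoint + "?" + urllib.parse.urlencode({"name": name, "type": "TXT"})
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        answer = json.load(resp).get("Answer", [])
    # TXT rdata arrives as one or more quoted strings; unquote and join them.
    return ["".join(p.strip('"') for p in rr["data"].split('" "'))
            for rr in answer if rr.get("type") == 16]


def prove_domain(domain: str, challenge: str, resolver: Resolver, authorized: Set[str]) -> bool:
    """Authorize the domain only if some TXT record EQUALS the challenge. Equality, not
    substring or prefix: 'watchword-verify=abc-extra' must not satisfy 'watchword-verify=abc'."""
    domain = domain.strip().lower().rstrip(".")
    if any(rr == challenge for rr in resolver(f"{TXT_LABEL}.{domain}")):
        authorized.add(domain)
        return True
    return False


def recipient_domain(address: str) -> Optional[str]:
    if address.count("@") != 1:
        return None
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def can_send(address: str, authorized: Set[str]) -> bool:
    """Per-recipient gate. Exact domain match (assumption): a proven example.com
    does not cover sub.example.com; prove every domain you send to."""
    domain = recipient_domain(address)
    return domain is not None and domain in authorized


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_send_token(secret: bytes, tenant: str, domain: str, now: Optional[float] = None) -> str:
    """Fresh HMAC-SHA256 token per send, bound to one tenant and one proven domain,
    with a 24h expiry and a nonce (this example's scheme, not necessarily Watchword's)."""
    payload = {"tenant": tenant, "domain": domain, "nonce": secrets.token_hex(8),
               "exp": int(now if now is not None else time.time()) + TOKEN_TTL}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())


def verify_send_token(secret: bytes, token: str, tenant: str, domain: str,
                      now: Optional[float] = None) -> Optional[Dict]:
    """Payload only if signature, tenant, domain and expiry all check out, so a token
    leaked from tenant A / domain X cannot be replayed for any other tenant or domain."""
    try:
        body, sig = token.split(".")
        want = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), want):   # constant-time compare
            return None
        payload = json.loads(_b64d(body))
    except ValueError:                                   # malformed token or base64/JSON
        return None
    if payload.get("tenant") != tenant or payload.get("domain") != domain:
        return None
    if (now if now is not None else time.time()) >= payload.get("exp", 0):
        return None
    return payload


def send_campaign(tenant: str, recipients: List[str], subject: str, campaign_id: str,
                  authorized: Set[str], secret: bytes, notify: Callable[[Dict], None],
                  now: Optional[float] = None) -> Tuple[List[str], List[str]]:
    """Route cleared recipients to the notify service with only the lure subject and a
    campaign reference (never captured data). Returns (sent, skipped)."""
    sent, skipped = [], []
    for rcpt in recipients:
        if not can_send(rcpt, authorized):
            skipped.append(rcpt)
            continue
        token = mint_send_token(secret, tenant, recipient_domain(rcpt), now)
        notify({"to": rcpt, "subject": subject, "campaign": campaign_id, "token": token})
        sent.append(rcpt)
    return sent, skipped


if __name__ == "__main__":
    challenge = issue_challenge()
    fake_dns = {"_watchword.example.com": ["v=spf1 -all", challenge],   # constructed zone data
                "_watchword.evil.example": [challenge + "-extra"]}      # prefix only: must fail
    authorized: Set[str] = set()
    resolver = lambda name: fake_dns.get(name, [])
    print(prove_domain("example.com", challenge, resolver, authorized))   # True
    print(prove_domain("evil.example", challenge, resolver, authorized))  # False
    outbox: List[Dict] = []
    print(send_campaign("tenant-a", ["a@example.com", "b@evil.example", "c@sub.example.com"],
                        "Your payslip is ready", "camp-42", authorized, b"k", outbox.append))
```

Two checks worth keeping when adapting this: compare the TXT value with equality rather than `in` or `startswith`, and verify the token against the tenant and domain of the request being served, not against whatever the token claims about itself.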