> It puts the onus on the employee, rather than the Security team to stop phishing attacks<p>Hits the nail on the head right there. Phishing simulation training (both externally paid and internal) is a way for organizations to say they are at least trying to do something to minimize the #1 attack vector. Plus, it's cheaper than actually tackling the problem at the technical level (tweaking/updating email rules/settings) with whatever email defensive appliance is (or isn't) being used.<p>I launched PhishBarrel (<a href="https://phishbarrel.com" rel="nofollow">https://phishbarrel.com</a>) based on the thesis that most phishing emails can be identified using technology, and if one gets by, having a robust API for investigations, security automation, and/or remediation is table stakes in today's security products. If you're serious about upping your organization's email phishing defensive capabilities, please reach out to me (email is on the phishbarrel.com site). I'm looking for forward-thinking infosec folks that are looking for a partner to tackle this problem!