Abstract: A non-transitory, processor-readable medium stores instructions that, when executed by a processor, cause the processor to retrieve, from a database associated with a cloud service, first resource configuration data associated with a first resource. The first resource is analyzed to produce first resilience data, and a second resource associated with the cloud service is identified based on an indication of a load balancer associated with the cloud service. Based on the authentication data and an indication of the second resource, a second API call is generated to retrieve, from the database, second resource configuration data associated with the second resource is also retrieved from the database. A second resource is analyzed based on the second resource configuration data to produce second resilience data. Based on the first resilience data and the second resilience data, an indication of a vulnerability hotspot and an indication of a resource mitigation are generated.

Abstract: Asset error remediation is provided. Risk and classification of an asset error are analyzed to prioritize asset error remediation for an asset based on risk criticality, risk context, and vulnerability level corresponding to the asset by detecting suspicious behavior and risk exposure to the asset in a heterogeneous distributed computing environment using artificial intelligence. A priority of the asset error remediation is determined to fix the asset within the heterogeneous distributed computing environment based on the risk and the classification of the asset error. A set of action steps is performed to fix the asset within the heterogeneous distributed computing environment based on the priority of the asset error remediation.

Abstract: Embodiments of a computer-implemented system and methods for predicting and/or determining a probability of a cyber-related attack and associated costs are disclosed.

Abstract: Systems and methods for managing a set of electronic assets from a single location are disclosed. The method includes providing a portal with a network security access control. The method includes determining that login credentials input to the access control are associated with a set of electronic assets corresponding to a plurality of third-party computing systems with application programming interface (API) gateways configured to accept API calls directed to changes in functionality of the electronic assets. The method includes presenting, via the portal, a virtual icon to identify a coordinated action with respect to the set of electronic assets and, in response to a selection of the virtual icon, executing a set of API calls that include an asset-specific API call to each third-party computing system in the plurality of third-party computing systems to implement the coordinated action on all electronic assets in the set of electronic assets.

Abstract: Systems and methods are provided for vulnerability proofing the administration of hardware components of an IHS. A proposed configuration for a hardware component of the IHS is detected. Multiple catalogs specifying known vulnerabilities of hardware components are accessed, such as a catalog of known vulnerabilities provided by a manufacturer of the hardware component and such as a catalog of known vulnerabilities provided by a manufacturer of the IHS. The proposed configuration of the hardware component is evaluated as being vulnerable in the first catalog and also in the second catalog. If the proposed configuration is identified as vulnerable in either the first catalog or in the second catalog, the hardware component is disabled until the proposed configurations for the hardware component are changed to include no configurations with vulnerabilities identified in either the first or second catalogs.

Abstract: A computer implemented method of automatically generating security rules for a networked environment based on anomalies identified using Machine Learning (ML), comprising receiving one or more feature vectors each comprising a plurality of operational parameters of a plurality of objects of a networked environment, identifying one or more anomaly patterns in the networked environment by applying one or more trained ML models to the one or more feature vectors trained to identify patterns deviating from normal behavior of the plurality of objects, parsing each anomaly patterns to a set of behavioral rules by traversing the anomaly pattern through a tree-like decision model, and generating one or more security rules for the networked environment according to the set(s) of behavior rules. Wherein the one or more security rules are applied to increase security of the networked environment.

Abstract: The disclosure provides a security analysis method and system based on protocol state, which relates to the technical field of protocol security protection. The method includes the following: a node traversal table is built, the node traversal table is scanned and analyzed according to the protocol trigger sequence rule, a first security evaluation factor of a protocol stack is determined, and a second security evaluation factor of each protocol is determined based on protocol normal application rule, and the trustworthiness degree of the second security factor is determined based on the first security factor, and the second security factor is revised based on the trustworthiness degree, and the security state of the protocol is determined according to the revised second security factor, thus the analysis of the protocol state is realized, and the security of the protocol can be accurately determined.

Abstract: Systems and methods for managing cybersecurity for an entity are disclosed. An example method includes providing a content portal to a user configured to display a security risk profile via a generated GUI; receiving, via the generated GUI, a first input from the user comprising a selection of a component identified in the security risk profile and a response parameter; providing, via the generated GUI, parameters for a targeted scan of the selected component; receiving, via the generated GUI, a second input from the user comprising a selection of a confirmation of the parameters; identifying a vulnerability associated with a first property or a second property from device connectivity data based on the parameters; initiating the targeted scan of the selected component associated with the vulnerability; determining a result of the targeted scan; updating the security risk profile; and updating a multi-dimensional score based on the updated security risk profile.

Abstract: A system includes a cluster, memory, and processors in communication with the memory. The cluster includes nodes and an application programming interface (API) server. The processor is configured to receive a request to determine a state of maintenance availability of the cluster. Each of the plurality of applications installed on the cluster are discoverable, and a deployment metadata associated with each of the plurality of applications is retrieved. The deployment metadata for each of the plurality of applications is parsed to retrieve one or more installation rules associated with each of the plurality of applications. The one or more installation rules associated with a first application of the plurality of applications is correlated with the one or more installation rules of the plurality of applications to determine a set of conflicts for the first application. Next, a state of maintenance availability is determined based on the set of conflicts.

Abstract: Techniques are described herein that are capable of using graph enrichment to detect a potentially malicious access attempt. A graph that includes nodes and configuration-based links is generated. The nodes represent respective resources. Behavior-based links are added to the graph based at least in part on traffic logs associated with at least a subset of the resources. An attempt to create a new behavior-based link is identified. A probability of the new behavior-based link being created in the graph is determined. The probability is based at least in part on the configuration-based links and the behavior-based links. The new behavior-based link is identified as a potentially malicious link based at least in part on the probability being less than or equal to a threshold probability. A security action is performed based at least in part on the new behavior-based link being identified as a potentially malicious link.

Abstract: In some examples, temporal impact analysis of cascading events on metaverse-based organization avatar entities may include determining a temporal impact of a metaverse event on a specified organization avatar entity. With respect to the specified organization avatar entity, a similarity of the metaverse event may be determined in a current temporal context to past events. A reaction plan of a plurality of reaction plans may be selected from an event database and based on the determined similarity. Based on an analysis of the temporal impact with respect to the selected reaction plan, instructions may be generated to execute the selected reaction plan by a metaverse operating environment.

Abstract: A method for managing a data protection module (DPM) includes: obtaining an alert generated by the DPM within a predetermined period of time; obtaining metadata associated with the DPM; analyzing the metadata to extract relevant data; analyzing the alert to extract second relevant data; making, based on the second relevant data, a determination that a tolerance level associated with the alert has been exceeded; sending, based on the determination, the alert, the relevant data, and the second relevant data to a vendor environment (VE) analyzer; in response to sending the alert, the relevant data, and the second relevant data, receiving a service request (SR) generated by the VE analyzer for the DPM; and providing the SR to the client to notify a user of the client about the SR using a graphical user interface (GUI) of the client.

Abstract: A method and system for cyber-security processes mining are provided. The method comprises correlating events received from a plurality of data sources into a plurality of flows, wherein a flow of the plurality of flows is a sequence of events having a same identifier, and wherein at least one of the plurality of data sources is a cyber-security system; correlating the plurality of flows into a plurality of variants, wherein a variant out of the plurality of variants includes one or more flows having the same repeatable pattern; associating the plurality of variants with at least one cyber-security process based on a predefined template defining the cyber-security process; and causing a display of the least one cyber-security process and its plurality of variants.

Abstract: Provided are techniques for performing a search using a hypergraph. Entities are identified. A knowledge graph using the entities is generated, wherein nodes of the knowledge graph represent the entities and edges between the nodes represent pair-wise relationships, and wherein each of the edges carries an edge score that quantifies a degree of coherence between a pair of the entities. A hypergraph using the knowledge graph is generated, wherein nodes of the hypergraph represent the entities and hyperedges represent relationships between multiple entities, and wherein each of the hyperedges carries a hyperedge score that quantifies a degree of coherence between the multiple entities. A search request is received. A search result is generated using the hypergraph, wherein the search result comprises a set of coherently related entities. The search result is returned.

Abstract: Systems and methods for generating analytical data based on captured audit trails are described. An exemplary method includes generating a natural language preference for the natural language of a document based on an opening action performed by an end user using a client device associated with the end user during a user session; generating a unique transaction key in response to the opening action; correlating subsequent actions relative to the document via the unique transaction key; generating content rich analytical data from an audit trail generated during the user session; obtaining informational content for the end user from informational content stored in a database; translating the obtained informational content; reformatting a native extensible markup language format of the obtained informational content obtained from the database; and providing the translated and formatted informational content to the end user.

Abstract: Systems and methods are provided for vulnerability proofing the launching of application instances by an IHS (Information Handling System). The launching of an application instance on the IHS is detected, where the application instance is launched using an application template that includes configurations for one or more hardware components of the IHS. One or more catalogs are accessed that specify known vulnerabilities of hardware components. Hardware component configurations included in the application template are identified as vulnerable in one or more of the catalogs. If the application template includes configurations that are identified as vulnerable in the catalogs, launching of the application is prevented until the hardware component configurations within the application template are modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Aspects of the present disclosure relate to volatile memory acquisition using live migration of an execution environment. In examples, a virtualization manager controls execution of an execution environment at a virtualization host. The virtualization manager may enable live migration of the execution environment, such that the execution environment may be migrated to another virtualization host (or “migration target”) for continued execution. Accordingly, such functionality may be used to capture a memory image at a migration target, after which the execution environment continues executing at the original virtualization host. The memory image may be analyzed to identify the presence of malware and/or to generate a list of processes that were executing at the time of the capture.

Abstract: Risk modeling for cyberspace control deficiencies includes characterizing a subject organization and loading a baseline set of controls, each control mapping to one or more threats to the subject organization. For each of the threats, a baseline risk value is computed from a hypothetical implementation of the baseline set of controls. Concurrently, risk assessment data is uploaded for the subject organization and an implemented set of controls for the organization extracted therefrom. For each of the threats, one or more of the implemented set of controls are mapped thereto and a risk value computed. Thereafter, the baseline risk value compared to the computed risk value producing a risk deficit value. On condition that the risk deficit value exceeds a threshold value, a flag is written in association with the risk assessment data indicating a necessity to modify the implemented set of controls.

Abstract: Systems and methods for measuring, grading, evaluating, and comparing AI models via a graphical user interface are disclosed. The technology obtains a set of application domains of the AI model in which an AI model will be used. The application domains are mapped to one or more guidelines to determine a set of guidelines that define operational boundaries of the AI model. The guidelines are used to generate assessment domains, each associated with specific benchmarks that include indicators of a degree of satisfaction with the guidelines. For each assessment domain, assessments are constructed to evaluate the AI model's degree of satisfaction with the corresponding guidelines. The AI model is then evaluated against the assessments. Based on these comparisons, grades are assigned to the AI model for each assessment domain. The application-domain-specific grades are generated and displayed at a GUI, reflecting the AI model's degree of satisfaction with the guidelines.

Abstract: Systems, devices, and methods are disclosed that may be used for identifying potential insider attacks on a computer network.

Abstract: Systems and methods are disclosed for monitoring, evaluating protection against, improving protection against, and simulating phishing threats. Network usage information for users of an organization can be leveraged to determine user-specific network behavior information. This user-specific network behavior information can then be leveraged to better identify incoming threats as well as generate and deploy user-specific phishing lures. Phishing simulation campaigns can be conducted, including by implementing variations in how the phishing lures are presented. Such campaigns can be scored to determine how different presentation variations perform. User-specific phishing lures can be generated using user environment information collected by an agent running on the user's device. Alerts informing users of potential threats can be dynamically updated with different presentation parameters to improve performance.

Abstract: Various embodiments that pertain to network functions are described. A network can be an ad hoc network that function with peer-to-peer communications. The network can be physically decentralized, yet logically centralized. Various functions can be practiced within this network environment. In one example, a provider can provide an authorization to a robot by way of a peer-to-peer communication. The robot can validate the authorization and practice what is authorized in response to the authorization being validated. This authorization can be to perform a function autonomously for a defined length of time.

Abstract: Adaptive online service access control includes obtaining, by a system access control monitor of a client system, a message from the client system to an external system, prior to transmission of the message, wherein the message is associated with a communication context, in response to obtaining the message, determining, by the system access control monitor, a current access score as a sum of a previous access score associated with the communication context and a modifier value determined for the message, and in response to determining, by the system access control monitor, that the current access score is less than an access threshold value, preventing transmission of the message.

Abstract: The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign The campaign controller responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiating, responsive to the determination, the subsequent action of the simulated phishing campaign.

Abstract: Correlating Internet of Things (IoT) security events is disclosed. A set of security events is received. A graph is generated, where nodes of the graph correspond to at least some of the received security events in the set. The edges in the graph correspond to identifiable patterns of correlation. A determination of whether or not the generated graph matches a prebuilt scenario is determined and a remedial action is taken in response to the determination.

Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for enabling runtime supply chain security of web applications and the discovery of active malware attacks. For example, a server is configured to receive CSP-based data from browsers executing on various clients. Such data may be received via a browser extension or via a proxy between the web applications and the browsers. Using the CSP-based data, the server generates a database of supply chain inventory. The database specifies resources that are loaded for a particular web application, along with a location from where such resources are loaded. The database further specifies a chain of dependencies between such resources. The database is analyzed to determine whether any such resources have been compromised with malware or whether clients on which such resource have been loaded have been compromised with malware. Responsive to determining such cases, actions(s) may be performed to mitigate the malware.

Abstract: In an embodiment, a management system obtains a criticality rules table that includes a plurality of rules mapped to corresponding criticality scores indicative of a level of risk in the event that an associated asset of a managed network is compromised by a third party. The one embodiment, the criticality rules table is updated based upon machine learning and/or feedback from an operator of the managed network. In another embodiment, the criticality rules table is used to assign one or more criticality scores to one or more assets based on one or more attributes of one or more assets, and the criticality rules table.

Abstract: This disclosure describes techniques that include evaluating websites and web services to identify those that are at risk for a denial-of-service attack or a distributed denial-of-service attack. In one example, this disclosure describes a method that includes interacting, by an assessment computing system, with a target computing system, wherein interacting includes issuing a plurality of requests to the target computing system and receiving a plurality of responses to the plurality of requests; identifying, by the assessment computing system and based on the plurality of responses, a plurality of latency values that are attributable to processing performed by the target computing system; and determining, by the assessment computing system and based on the plurality of latency values, whether the target computing system is vulnerable to a denial-of-service attack.

Abstract: Improving utilization of network devices includes detecting that a first network device is added to a network system comprising a plurality of network devices associated with a service map, wherein at least one of the plurality of network devices corresponds to one or more activities of a workflow for the service map, determining a first activity of the workflow that utilizes data from the first network device, and in response to determining that the first activity of the workflow utilizes data from the first network device, determining sensor attributes of the first network device that are tied to key performance indicators for the first network device, and adding the first network device to the service map such that the determined sensor attributes provide input for the first activity.

Abstract: The disclosure generally describes one or more techniques for supporting deployment of application extensions for a client system.

Abstract: A computing system receives requests from client devices to process voice queries that have been detected in local environments of the client devices. The system identifies that a value that is based on a number of requests to process voice queries received by the system during a specified time interval satisfies one or more criteria. In response, the system triggers analysis of at least some of the requests received during the specified time interval to trigger analysis of at least some received requests to determine a set of requests that each identify a common voice query. The system can generate an electronic fingerprint that indicates a distinctive model of the common voice query. The fingerprint can then be used to detect an illegitimate voice query identified in a request from a client device at a later time.

Abstract: Certain exemplary embodiments can provide a method comprising receiving a request to apply a DTL Seal to a file. The method further comprises inserting the DTL Seal in the File. The method further comprises storing a first copy of the File comprising the DTL seal to an information device of a user. The method further comprises storing a second copy of the File comprising the DTL seal to a custodial memory device.

Abstract: A system and methods for cybersecurity rating using active and passive external reconnaissance, comprising a web crawler that send message prompts to external hosts and receives responses from external hosts, a time-series data store that produces time-series data from the message responses, and a directed computational graph module that probes, scans, and fingerprints devices within a cyber-physical graph and analyzes the results as time-series data to produce a weighted score representing the overall cybersecurity state of an organization.

Abstract: Techniques are provided for generating security response recommendations. In one embodiment, the techniques involve receiving scoring functions, a logical operator selection, a security graph, and external threat intelligence, generating a search pattern based on the scoring functions and the logical operator selection, evaluating the search pattern against a selected node of the security graph to identify a potential security threat represented by the security graph at the selected node, and generating a recommendation based on the evaluation and the external threat intelligence.

Abstract: Arrangements for providing software vulnerability analysis and monitoring are provided. In some aspects, software bill of materials (SBOM) data may be received and software attributes may be extracted from the SBOM data. Author data may be received and analyzed using natural language processing and/or machine learning to identify author attributes. Current event or vulnerability data may be received. In some examples, one or more machine learning models may be executed to determine a confidence score associated with the software being analyzed. For instance, software attributes, author attributes, and current event data may be used as inputs in the machine learning model and a confidence score may be output. Based on the confidence score, one or more alerts may be generated and transmitted to one or more enterprise organization computing devices.

Abstract: A non-transitory computer-readable media, method and server for detecting and addressing vulnerabilities in a third-party code are described. In some examples, a server receives a security advisory that includes a description of a vulnerability and accesses a version control system (VCS) used by a third-party library to determine additional resources related to the vulnerability. The server determines a set of code changes performed by the project maintainers in the VCS, identifies one or more fix commits that address the vulnerability, and identifies one or more functions with the vulnerability that have been changed by the fix commits. The server performs a search for components and component versions that include the one or more functions with the vulnerability and generates an enriched vulnerability description that includes identifiers of package versions that include fixed versions of the one or more functions and vulnerable version of the one or more functions.

Abstract: Embodiments include a method for vulnerability management of a computer system. The method includes collecting vulnerability information over a network from a publishing source. The vulnerability information includes a known vulnerability of a first computer asset, where at least some of the vulnerability information is a set of cybersecurity vulnerabilities and exposures (CVEs) published online. Further, at least some of the CVEs is in a human-readable format. The method further includes collecting system information of the computer system subject to the vulnerability management, where the system information includes information about a second computer asset of the computer system. The method further includes processing the collected vulnerability information and the collected system information by interpreting the human-readable CVEs and correlating the interpreted CVEs with the collected system information.

Abstract: A method of selecting data for privacy preserving machine learning comprises: storing training data from a first party, storing a machine learning model, and storing criteria from the first party or from another party. The method comprises filtering the training data to select a first part of the training data to be used to train the machine learning model and select a second part of the training data. The selecting is done by computing a measure, using the criteria, of the contribution of the data to the performance of the machine learning model.

Abstract: Systems and methods are provided for vulnerability proofing updates to an IHS (Information Handling System). An update system receives a notification of an update including updated configurations for hardware components of the IHS. The update system queries the IHS for vulnerability proofing requirements for updates that modify configurations of hardware components of the IHS. In response to the query, vulnerability proofing requirements are retrieved from a persistent data storage of the IHS and transmitted to the update system, where the vulnerability proofing requirements specify catalogs of known vulnerabilities of hardware components. The update system determines whether the updated configurations are identified as vulnerable in the one or more of catalogs. If the updated configurations are not identified in the catalogs, the update is transmitted to the IHS. If configurations from the update are identified in the catalogs, the update is terminated and the IHS is notified.

Abstract: Code injection is a type of security vulnerability in which an attacker injects client-side scripts modifying the content being delivered. A sanitizer function may provide defense against such attacks by removing certain characters (e.g., characters causing state transitions in HTML). A string sanitizer may be modeled in order to determine its effectiveness by obtaining data flow information indicating string operations that used an input string or information derived therefrom, including a string sanitizer function. A deterministic finite automata representing string values of the output parameter may be generated based on a graph generated from the data flow information, where the automata accepts possible output string values of the sanitizer. It can be determined whether there is a non-empty intersection between the automata for the sanitizer output and an automata representing a security exploit, which would indicate that the sanitizer function is vulnerable to the exploit.

Abstract: A system and method for automated cybersecurity defensive strategy analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a cost/benefit analysis. The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph. Recommendations are generated based on an analysis of the simulation results against a variety of cost/benefit indicators.

Abstract: Techniques are disclosed for usage-tracking of various information security (InfoSec) entities for tenants/organization onboarded on an instant multi-tenant security assurance platform. The InfoSec entities include policies, procedures, controls and evidence tasks. A policy or procedure is enforced by implementing one or more controls, and the collection of one or more evidence tasks proves/verifies the implementation of a control. The InfoSec entities are linked to each other across the platform and accrue a number of benefits for the tenants. These include automatically/continuously creating asset populations and drawing samples from the asset populations for auditing. The population samples may be generated by entering natural language queries in the platform. Asset data from the asset populations is used to feed/populate various other modules and systems used by the tenant of the platform.

Abstract: Auditing information is captured from a processing stack of an invoked application. An annotation customized for that invocation context is processed to filter and/or add additional audition information available from the processing stack. The customized auditing information is then sent to a destination based on a processing context of the invoked application when the invoked application completes processing. In an embodiment, the customized auditing information is housed in a data store and an interface is provided for customized query processing, report processing, event processing, a notification processing.

Abstract: Disclosed herein are system, method, and computer program product embodiments for transforming backups of applications. An embodiment operates by extracting a resource snapshot into memory. The resource snapshot is formatted in a first configuration. An embodiment performs a transformation on the resource snapshot, thereby transforming the resource snapshot from the first configuration to a second configuration for an environment into which the resource snapshot is being restored. The transformation is made up of a set of operations. One of the operations includes a regular expression. Once the transformation is complete, the resource snapshot is restored to the environment based on the second configuration.

Abstract: Aspects of the subject disclosure may include, for example, an IoT device inspection method, and a device therefor. An analysis server transmits an information collection module to an IoT device, collects state information about the IoT device through the information collection module, and searches, on the basis of the state information, for a database including information related to weaknesses, so as to analyze weaknesses of the IoT device. Other embodiments are disclosed.

Abstract: Systems and methods are provided for vulnerability proofing the installation of new hardware components in an IHS (Information Handling System). The coupling of a new hardware component to the IHS is detected. A profile is identified that is to be used in provisioning the new hardware component that has been coupled to the IHS. The profile may include various configurations for the coupled hardware component. One or more catalogs are accessed that specify known vulnerabilities of hardware components. Configurations from the profile for the coupled hardware component are used to identify any configuration that have known vulnerabilities that are listed in the catalogs. If known vulnerabilities are identified in the configuration for the new hardware component, further use of the new hardware component by the IHS is disabled until the profile is modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems, computer program products, and methods are described herein for a data obfuscation authentication security display session. The invention provides a secondary authentication by recognizing the initial access to a display screen and overlaying and presenting false information on the screen. The false screen may mimic that of a real account screen, but the personal information about the user is false. The invention then requires the user to perform a secondary authentication to gain access information on the display session that is not false. The invention may allow for a duress code implementation in place of the secondary authentication, which initiates security protocols, include a continuum based protocol arrangement of security protocols.

Abstract: A resource request that is directed to a first online resource of a resource provider is detect by a computing device. A first user that initiated the resource request is identified based on the resource request. A set of challenge questions is determined in response to the resource request and based on the first user. A first challenge question of the set of challenge questions is present, to a first client device of the first user.

Abstract: A system for detection of covert spying devices. A computing device of the system is configured to receive user selections of covert spying device detection options. An image recognition process is carried out to determine whether any object detected in an image of objects being scanned resembles an already known covert spying device. A network scan process is carried out optionally or additionally to determine whether any network attribute associated with objects being scanned resembles any network attribute associated with the already known covert spying device. A monitoring process detects and logs any unauthorized access made to objects being scanned on finding any deviation in activities occurred in the objects being scanned from a standard set of activities. A report indicates any object as a suspected covert spying device on finding any resemblance with an already known covert spying device or on finding any unauthorized access.

Abstract: Systems and methods are described for leveraging the knowledge and security awareness of well-informed users in an organization to protect other users and train them to identify new phishing attacks. Initially, a report of a message being suspicious may be identified and it may be determined whether message is a malicious phishing message. In an example, a well-informed user of an organization may report the message as suspicious. Further, on determining the message to be a malicious phishing message, a simulated phishing message or a template may be created. The simulated phishing message may then be communicated to one or more devices of one or more users.