How Allure Security Plans to Disrupt the $10B Failure of Security Awareness Training
The employee completed the training. Watched the video about phishing. Passed the quiz. Even clicked through the simulated phishing test without falling for it. Security awareness: check.
Three weeks later, that same employee received an email that looked exactly like an internal IT request. Clicked the link. Entered credentials. The company’s network was compromised within hours.
Billions of dollars flow into security awareness training annually. Companies mandate modules, track completion rates, and measure quiz scores. Yet major breaches keep happening through the exact attacks this training is supposed to prevent.
In a recent episode of Category Visionaries, Josh Shaul, CEO of Allure Security, laid out why this market represents a massive failure—and a massive opportunity. His assessment is unsparing: the products fundamentally don’t work. And he believes impersonation detection, not user training, is the actual solution.
The Tens of Billions Problem
The numbers are staggering. “A lot of money is spent on security awareness training. A lot of money is spent on email security,” Josh explained. “A lot of attacks are avoided because of security awareness training and email security, and yet we still have a massive tens of billions of dollars a year of security loss problems driven through the problems that email security and security awareness training are supposed to solve.”
Read that carefully. The training prevents some attacks. The email security blocks some threats. Yet “tens of billions of dollars a year” in losses still occur through the exact vectors these products are designed to protect against.
Josh’s conclusion: “So the products don’t work and they don’t do what they’re supposed to do. They just don’t solve the business problems.”
This isn’t a controversial take whispered in private—it’s market reality. Security awareness training operates on a premise that fails in practice: that you can train users to make perfect security decisions under pressure, every single time, without exception.
Why Training Keeps Failing
The fundamental problem is asymmetry. Defenders need perfection. Attackers need one mistake.
Security awareness training teaches employees to spot phishing emails, verify sender addresses, hover over links before clicking, and question unusual requests. These are good practices. Employees learn them. Many even apply them.
But attackers only need to bypass this training once. And they have entire product teams dedicated to that goal.
“You’ve got criminals all the way up the stack from people that are building tools to help you host a scam website to people that are helping you get traffic into your scam website. They all operate as a supply chain just like any other industry would,” Josh explained.
This criminal supply chain continuously optimizes against user awareness. When training teaches employees to check sender email addresses, attackers compromise real accounts. When training warns about urgent requests, attackers craft patient, multi-touch campaigns. When training focuses on obvious red flags, attackers make their impersonations subtle.
It’s a business operation dedicated to defeating training-based defenses. No amount of user education can maintain perfect vigilance against that level of sophistication.
The Email Security Gap
Email security fails for similar reasons. “A lot of money is spent on email security,” Josh noted, yet the losses continue.
The promise is detection: identify malicious emails before they reach users. The reality is an arms race where defenders optimize for accuracy while attackers optimize for evasion.
Every new detection technique creates selection pressure: emails that get caught disappear, while emails that bypass the filters succeed and get copied. The net effect is a steady evolution toward attacks built to avoid whatever detection signatures are currently deployed.
The fundamental constraint is that email security must work within the email channel. It can analyze message content, sender reputation, and behavioral patterns. But when attackers send from legitimate accounts, link to trusted domains, and rely on careful social engineering, there is little left in the message itself to flag, and blocking it means blocking legitimate communication too. The credential-harvesting page the message points to lives outside the email channel entirely, which is where the rest of this story picks up.
The Workforce Attack Pattern
Recent high-profile breaches demonstrate the scale of this failure. Josh referenced “attacks that were targeting Twilio and attacks that were targeting Okta infrastructure” as examples of workforce-targeted impersonation succeeding despite security investments.
“When you look at those sort of attacks that are happening right now, those often rely on impersonation as well. It’s different from the brand impersonations that are targeting consumers, at least from a logical perspective. But from a technical perspective, impersonation is impersonation,” Josh explained.
This insight reveals Allure Security’s expansion thesis. The company built expertise detecting and neutralizing brand impersonations targeting consumers—fake websites, social profiles, and advertisements pretending to be trusted brands. The same core capability applies to workforce-targeted attacks.
An attacker impersonating your IT department to steal employee credentials uses fundamentally the same techniques as an attacker impersonating your brand to steal customer credentials. The target changes, but the attack pattern doesn’t.
The Missing Component
Allure Security sees an opportunity to become “another component in that overall solution set that organizations are using to protect themselves against these attacks that result in compromise that start with, oh, that looks like a place where I should put my username and password.”
Notice the framing: not a replacement for awareness training or email security, but an additional component. Josh isn’t claiming Allure Security will eliminate all attacks. He’s arguing they can address the gap that existing solutions leave wide open.
“We see huge opportunity for Allure Security to step up and be another component in that overall solution set,” Josh said. The strategy acknowledges that awareness training and email security will continue—they’re too entrenched to displace. But they need augmentation with something that works differently.
The Impersonation Detection Thesis
Here’s how the expansion works technically. Allure Security already scans the internet continuously, hunting for impersonations. They find websites pretending to be banks, social profiles pretending to be executives, applications pretending to be legitimate software.
Extending this to workforce protection means expanding detection to include impersonations targeting internal systems: fake IT portals, impersonated executives, fraudulent internal tools, compromised internal communications.
“From a technical perspective, impersonation is impersonation,” Josh noted. The detection systems, takedown processes, and poisoning strategies Allure Security built for consumer brand protection transfer directly.
When they find a fake IT portal attempting to harvest employee credentials, they can poison it with synthetic credentials, just as they do with consumer-facing phishing sites. “If somebody wants usernames and passwords, if somebody wants credit cards, our software knows how to generate those things and give them to the attacker. So we fill their bucket with data. Data that looks like what they want, data that feels like what they want. But brother, it’s not the data that they want,” Josh explained.
The goal remains breaking attacker economics. Make workforce-targeted attacks as expensive and unreliable as Allure Security has made consumer-targeted attacks for their clients.
The Market Expansion Opportunity
This expansion dramatically increases the addressable market. Consumer brand protection serves companies with consumer-facing brands—primarily financial services, e-commerce, and crypto. Workforce protection serves every company with employees, which is every company.
More importantly, it solves a problem where massive budget already exists but satisfaction is low. Organizations know their current solutions aren’t working. They see the breach headlines. They calculate the losses. They’re searching for something that actually prevents compromise.
“The more we can put ourselves into that equation over the next several years, the larger we’ll be able to grow,” Josh said.
The Honest Positioning Again
Consistent with Allure Security’s approach in consumer brand protection, Josh isn’t promising elimination. “You just can’t stop people from putting things on the Internet, so the ability to completely eliminate the problem just isn’t there,” he acknowledged.
The promise is making attacks economically unviable and dramatically reducing successful compromises. Not zero attacks—but attacks that don’t result in meaningful business impact.
This matters because it’s a promise Allure Security can actually keep. In a market exhausted by products that promise perfect security and deliver ongoing breaches, realistic claims backed by proof become powerful differentiation.
The Tens of Billions Opportunity
If Josh is right—if awareness training and email security represent tens of billions in annual spending on solutions that don’t solve the business problem—then the company that provides the missing piece has enormous upside.
Allure Security isn’t starting from scratch. They have the technology, the platform relationships, the detection infrastructure, and the proof points from consumer brand protection. They’re extending proven capabilities to a new market with demonstrated pain and existing budget.
The question isn’t whether workforce impersonation is a problem worth solving. Organizations already know it is. They’re spending billions trying. The question is whether impersonation detection works better than user training and email filters.
Allure Security believes the answer is yes. And they’ve got the consumer brand protection results to prove their approach works. Now they just need to prove it works for workforce protection too.
If they can, they won’t be disrupting a market. They’ll be fixing one that’s been broken for decades.