Phishing Programs
Adaptive Phishing Programs are available in Lucy version 5.7 and above.
Introduction
Adaptive Attack Scenarios is a new simulation mode that automatically adjusts phishing attack difficulty for each user based on their individual Risk Score. Instead of running static campaigns or manually segmenting users into fixed groups, Lucy continuously personalizes attack scenarios over time, creating a more realistic and scalable training experience.
With Adaptive Attack Scenarios, campaigns are generated automatically at scheduled intervals. Each recipient is assigned a phishing scenario that matches their current risk level, and this assignment evolves as their Risk Score changes. This allows organizations to deliver ongoing, tailored simulations without the need to redesign or rebalance campaigns manually.
This feature is designed for organizations that want:
Continuous phishing simulations without manual campaign management
Difficulty progression based on user behavior
Reduced administrative overhead
More accurate measurement of user risk over time
Getting Started
To create an adaptive campaign navigate to Phishing Programs and then select + New Program:
Give the program a name and a client, then select Create.
Test Mode enables smaller frequency options and limits recipients to 10 for safe testing.
Configuration
Just like standard campaigns, Adaptive Programs have an initial configuration that must be completed first.
Base Settings
The base settings are the same as any other campaign with one new setting, Run Frequency.
This setting controls the length of each individual scenario within the program. In the screenshot above, every scenario will run for 2 weeks. At the end of this timeframe, the program will re-calculate the risk score for each user and randomly assign them a new scenario according to their new score.
Click Save to apply your changes and select Finalize Step when you're ready to move on.
Attack Simulation
In a standard campaign you can add one or more attack scenarios to your campaign, and the same is true of an adaptive program.
The difference is that Adaptive Programs use your configured Risk Scores automatically. For each Range (Rookie, Advanced, Expert, etc.) you can add one or more attack scenarios that your Adaptive Program will use when randomly assigning scenarios.
Adding and configuring a scenario works just like in a standard campaign.
Users will not receive a scenario they've already received unless they've exhausted all scenarios in their level. Be sure to add a sufficient number to avoid repeats, and think carefully about the overall length of your program!
Select Finalize Step when you're ready to move on.
Recipients
Unlike in standard campaigns, recipients in an Adaptive Program do not need to be bound to any scenarios. The program will automatically use the Risk Score of each recipient to send them the appropriate scenario, and when that scenario is finished the program will update their scores and do it again!
Select Finalize Step when you're ready to move on.
Starting a Program
Select Start to initiate the campaign checks and start your program.
The program must run the checks for each scenario, so give it time to finish and don't navigate away from the page while the checks are in-progress.
Programs cannot be edited once started, so double-check your settings!
Program Dashboard
Once you've finalized each step you'll be taken to the program's dashboard view, which looks very similar to the standard campaign view:
Adaptive programs can use the scheduler, generate reports, and use all the other advanced options of a regular campaign.
Program Statistics
On the dashboard page you can select Program Statistics to see an overview of your program:
Selecting Export Statistics will take you to the Statistics Dashboard where you can filter by Adaptive Programs and then generate a report.
Select Edit Program to go back to the program dashboard.
Last updated
Was this helpful?