
How cyber firm KnowBe4 gave security awareness training a much-needed facelift

“The future of security awareness training is this very individual, specific training curriculum just for you that is different than anybody else in your company,” Roger Grimes tells IT Brew.


When KnowBe4 data-driven defense evangelist Roger Grimes reveals his employer to people, he is typically met with one response.

“The first year or two I was at KnowBe4, people would say, ‘Where do you work?’ I’d go, KnowBe4 [and] they couldn’t pronounce it…Now, when I tell people I work for KnowBe4, they’re like, ‘Oh, I just failed one of your tests,’” Grimes said.

That’s because of how ubiquitous KnowBe4 has become in the cybersecurity industry. Almost 70,000 organizations rely on KnowBe4, with upward of 50 million users using its platform every day.

“You can go to London, you can go to Rome, you can go to New York, and everywhere it’s default. It’s KnowBe4,” co-founder and CEO of security platform Anetac Timothy Eades said.

While employees may only be able to recall failed phishing simulation tests and compliance training when they think of KnowBe4, the security awareness training company has completely turned the cybersecurity industry on its head and modernized a once antiquated way of learning. IT Brew caught up with Grimes to discuss KnowBe4’s early days and how it won the trust of thousands of companies.

The beginning. KnowBe4 was founded in 2010 by Stu Sjouwerman. At the time, Sjouwerman’s anti-malware software company Sunbelt Software had just been acquired by GFI Software.

“He sells the company, makes his millions, and within five days, he’s sitting at home bored and he’s like, ‘I want to form another company,’” Grimes said. He added that Sjouwerman had become cognizant of the threat of social engineering and unpatched software, causing him to dedicate KnowBe4 to defending against such threats.

In 2011, a year after launching, Sjouwerman brought on Kevin Mitnick, a renowned hacker and security consultant, as chief hacking officer and partial owner of KnowBe4. Grimes said Mitnick, who passed away in 2023, had been a “very early proponent” of social engineering. As videos Mitnick made began to gain traction, Grimes said Sjouwerman decided to focus more on training content. This move, along with a large ransomware incident at the time, propelled KnowBe4 into a state of growth.

From there, Grimes said KnowBe4 helped to quantify the extent of the social engineering problem and prove the importance of security awareness training. A 2023 KnowBe4 white paper shows that users who received simulated phishing tests multiple times per week for more than a month saw a 96% improvement rate in their phish-prone percentage rate (KnowBe4 defines this as the “ability of a user to flag a potential phishing email”).

“Back when we started, it was just one of the problems, like bubbles in a glass of champagne,” Grimes said. “But we’re the ones to come out and say, ‘Hey, one of those bubbles is significantly bigger than all the others.’”

Making security awareness training, dare I say, fun? Grimes told IT Brew that part of what differentiated KnowBe4 from other security awareness training providers at the time was the platform’s ease of use.

“With some of the other competitors…you would go to an educational class and they certify you,” Grimes said. “Ours was just open up the interface and look. If you can’t be up and running within an hour, we haven’t done our job.”

However, others observed a fundamental shift in how security training was delivered and consumed after KnowBe4 hit the scene. Dev Nag, founder and CEO of QueryPal, an AI-powered ticket automation company, told IT Brew that security awareness training previously focused mainly on telling users in a simplistic manner what good cyber hygiene practices were.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“It’s almost like trying to learn how to play baseball by watching a video, but not actually ever swinging a bat,” Nag said.

Nag said KnowBe4, among others, introduced a “second generation” of training videos that not only told users what they should be doing, but also made sure they understood what they were learning in real time.

“KnowBe4 is actually like, ‘Let’s get you some bats. Let’s actually see how you swing the bat against a real live pitch and when you fail, we’ll show you how you failed and make you better at it,’” he said.

Eades added that KnowBe4’s recognition that social engineering is an “everyone problem” allowed the company to create a “go-to-market flywheel” that allowed it to penetrate the security awareness training market.

“Their M&A model was just plugging in more things that they could put into…the existing go-to-market model,” Eades said. Over the years, KnowBe4 has acquired several companies, including cloud email security firm Egress, security awareness platform SecurityAdvisor, and video production company Twist and Shout Group.

Nag said KnowBe4’s ability to invoke a “visceral experience” when training and informing end users through its video series The Inside Man, a “cybersecurity thriller” that explores different cybersecurity-related themes, was also a game changer for the company. Grimes said the ongoing, award-winning series, which has now run six seasons, has been so positively received that customers often call KnowBe4 asking when the next season is coming out. KnowBe4 data shows that those who watched between one and nine episodes of The Inside Man saw a decrease of about 9 percentage points in phish-prone percentage rate.

“You know you’ve made good content when they’re calling you to get more training,” Grimes said.

The future is bright personalized. Grimes said discussions with customers and emerging threat trends help to shape the type of content the company will focus on in a given year. One of the company’s 2026 videos, for example, will focus on deepfakes, which have continued to be a growing threat in the industry.

“We are sure by the end of 2025, and certainly into 2026, it’s going to be a major problem…so today, we’re making those videos and going to put them out there,” Grimes said.

As attackers continue to leverage AI to launch more sophisticated attacks at end users, Grimes suspects that security awareness training companies will need to leverage that same tool to deliver more tailored content.

“The future of security awareness training is this very individual, specific training curriculum just for you that is different than anybody else in your company,” Grimes said. “And that’s what we’re working toward and pushing toward.”

Eades said this transformation will be essential for every player in the market moving forward.

“You’ve got a tectonic shift coming with AI-based human attacks on the human layer,” Eades said. “The technology needs to step up and be more AI-infused because you’re going to have to fight AI with AI.”
