Turn Your Workforce into a Human Firewall
Petronella Technology Group delivers fully managed security awareness training that combines phishing simulations, dark web credential monitoring, role-specific curricula, and audit-ready compliance reporting. Built for Research Triangle businesses that handle regulated data and cannot afford a single employee-caused breach.
What Is Security Awareness Training?
Security awareness training is a structured program that teaches employees how to recognize, avoid, and report cyber threats targeting them directly. Unlike perimeter defenses such as firewalls and endpoint protection, security awareness training addresses the attack surface that technical controls cannot fully cover: human judgment.
A well-run program pairs educational content with hands-on exercises. Employees learn how phishing emails are constructed, why social engineering calls succeed, and what makes a password weak or compromised. They then face simulated attacks that test whether the training actually changed their behavior. The gap between knowledge and behavior is where breaches happen, and closing that gap is the entire point of the discipline.
PTG's approach goes beyond slide decks and annual quizzes. We operate a managed training platform that delivers monthly content updates, continuous phishing simulations, dark web scanning for stolen credentials, and compliance documentation mapped to the frameworks your auditors care about. The program runs in the background, does not require your IT staff to manage it, and produces measurable risk reduction quarter over quarter.
For organizations in Raleigh, Durham, and the broader Research Triangle, where healthcare practices handle electronic protected health information, defense contractors safeguard controlled unclassified information, and financial firms manage client assets under strict regulatory oversight, the stakes around employee cyber hygiene are not abstract. They are audit findings, breach notification letters, and federal investigations. Security awareness training is the first line of defense against all of them.
Why Security Awareness Training Matters
The data on human-caused breaches is not ambiguous. Attackers have shifted their primary vector from exploiting software vulnerabilities to exploiting people, and the numbers reflect that shift clearly.
Phishing Remains the Dominant Attack Vector
Phishing is not a new threat, but it has become significantly more dangerous. Attackers now craft messages using AI-generated text that eliminates the grammatical errors and formatting issues employees were once trained to spot. Business email compromise campaigns impersonate vendors, executives, and trusted partners with precision. QR code phishing bypasses URL preview protections. Voice phishing and SMS-based smishing reach employees on personal devices where corporate email filters cannot intervene.
The Research Triangle is a high-value target zone. Healthcare organizations in the Triangle hold patient records worth ten to forty times more than credit card numbers on the black market. Defense contractors near Fort Liberty handle CUI subject to DFARS 252.204-7012 and CMMC Level 2 requirements. Technology firms store intellectual property and client data that nation-state actors actively pursue. Every untrained employee in these organizations represents a viable entry point for adversaries who have already mapped out the attack surface.
Social Engineering Exploits Trust, Not Technology
Social engineering works because it targets human psychology rather than software flaws. Pretexting calls from someone claiming to be IT support, tailgating into secure areas by following an employee through a badge-controlled door, impersonating a new hire who needs emergency access to systems: these attacks succeed because people are conditioned to be helpful and to trust authority.
Technical controls cannot prevent an employee from reading a convincing email and voluntarily entering their credentials into a fake login page. Multi-factor authentication helps, but MFA fatigue attacks and adversary-in-the-middle proxies have demonstrated that even MFA is not a complete solution when the human operating the device has not been trained to recognize the deception. The only defense against social engineering is an employee who has been trained to identify it, practiced at recognizing it through simulations, and empowered to report it without fear of reprimand.
The bottom line: your firewall, endpoint protection, and SIEM are necessary but insufficient. Until every employee can reliably distinguish a real email from a phishing lure, your security posture has a gap that no amount of technology spending will close.
Our Security Awareness Training Program
PTG's program is built around six core training modules, each addressing a distinct threat category. Every module includes interactive content, knowledge assessments, and simulated attack exercises that measure behavioral change, not just information retention.
Phishing Simulation
Automated campaigns that mirror real-world attack patterns. Credential harvesting pages, fake invoice attachments, executive impersonation emails, QR code phishing, and SMS smishing are all included. Each campaign tracks open rates, click rates, credential submission rates, and report rates. Employees who interact with a simulated phish receive immediate just-in-time remediation training at the point of failure, embedding the lesson at the moment the mistake occurs. Templates are refreshed monthly based on active threat intelligence feeds, ensuring employees face the same tactics attackers are using right now rather than outdated scenarios from last year.
Password Security
Training on password creation, storage, and lifecycle management. Employees learn why credential reuse across personal and corporate accounts creates organizational risk, how password spraying and credential stuffing attacks work, and why password managers are not optional. Content covers passphrase construction, multi-factor authentication setup and usage, and the correct response when a breach notification reveals their credentials have been exposed. The module integrates directly with PTG's dark web monitoring, so when an employee's credentials appear in a breach database, they receive targeted training alongside the password reset notification.
Social Engineering Defense
Scenario-based training covering pretexting calls, impersonation attempts, baiting with infected USB drives, tailgating, and authority exploitation. Employees practice verifying caller identity, challenging unfamiliar requests even when they come from apparent authority figures, and recognizing the emotional triggers that social engineers manipulate: urgency, fear, curiosity, and obligation. Case studies drawn from real-world incidents illustrate how a single phone call can compromise an entire network when the recipient has not been trained to verify before trusting.
Data Handling & Classification
Instruction on how to identify, label, store, transmit, and dispose of sensitive data according to your organization's classification policy. Content is tailored to the data types your industry handles: protected health information for healthcare organizations subject to HIPAA, controlled unclassified information for defense contractors bound by NIST 800-171, cardholder data for merchants under PCI DSS, and personally identifiable information for any organization subject to state privacy laws. Employees learn the difference between data at rest and data in transit, why encryption matters, and what constitutes a reportable incident when data handling procedures fail.
Incident Reporting
Clear, practical training on what to report, how to report it, and why speed matters. Employees learn to use your organization's incident reporting channel, understand that reporting a suspicious email or phone call is never a punishable action, and practice the specific steps: do not click, do not forward, do not reply, and report immediately. The module includes reporting workflow simulations where employees practice submitting incident reports and receive feedback on their response time and accuracy. Organizations that build a reporting culture catch attacks earlier. Mean time to detect drops when every employee acts as a sensor.
Compliance-Specific Training
Dedicated curricula mapped to the regulatory frameworks governing your industry. HIPAA Security Rule training covers the administrative safeguard requirements in 45 CFR 164.308(a)(5). CMMC Level 2 training addresses practices AT.L2-3.2.1 and AT.L2-3.2.2 for awareness and role-based training. PCI DSS training covers Requirement 12.6 for security awareness education. FTC Safeguards Rule training addresses the employee training mandate under 16 CFR 314.4(e). Each compliance module generates completion certificates, acknowledgment logs, and audit-ready documentation that maps directly to the control language your assessor will reference during review.
Training Methodology: How We Change Behavior
Awareness alone does not prevent breaches. Behavioral change does. PTG's methodology follows a five-phase cycle designed to move employees from passive awareness to active defense.
Baseline Assessment
Before training begins, we establish a measurable starting point. A baseline phishing campaign is sent to all employees without prior warning. A dark web credential scan checks breach databases for exposed company email addresses and passwords. The results produce a risk profile for every user, department, and the organization as a whole. This baseline is the benchmark against which all future improvement is measured. Without it, there is no way to prove the training is working.
Curriculum Deployment
Based on baseline results, industry vertical, and compliance requirements, PTG configures role-specific learning paths on the training platform. Executives receive board-level risk briefings and wire fraud awareness. Finance teams focus on invoice manipulation and BEC detection. IT staff get technical content on threat indicators and incident response. Front-line employees cover social engineering, physical security, and safe browsing. New hires are enrolled automatically. Content is delivered in short modules, typically five to ten minutes, designed for completion during a normal workday without disrupting productivity.
Continuous Simulation
Phishing simulations run on an ongoing cadence, not as a one-time annual event. Campaigns rotate through multiple attack types: credential harvesting, attachment-based payloads, link manipulation, reply-to attacks, QR codes, and smishing. Difficulty increases over time as employees demonstrate improved recognition. Every interaction is tracked. Employees who click receive immediate just-in-time training. Those who report correctly receive positive reinforcement. The simulation program produces trend data showing click rate reduction across months and quarters, giving leadership quantifiable proof that human risk is declining.
Dark Web Monitoring
PTG's platform continuously scans underground forums, data breach repositories, paste sites, and dark web marketplaces for email addresses, credentials, and personal information belonging to your employees. When compromised data is discovered, the platform generates an alert with the breach source, severity rating, and recommended remediation steps. This turns a passive vulnerability into an active training moment: the affected employee receives targeted credential hygiene training alongside the password reset directive. Organizations gain visibility into their exposure before attackers can weaponize stolen data.
Reporting & Compliance Documentation
Executive dashboards display real-time metrics: training completion rates, phishing click and report rates, individual and departmental risk scores, dark web exposure counts, and compliance documentation status. Trend reports show improvement trajectories over time. Every data point is audit-ready and mapped to the specific control language in HIPAA, CMMC, NIST 800-171, PCI DSS, SOC 2, and FTC Safeguards Rule requirements. When an assessor or auditor requests training documentation, PTG generates the report, exports the evidence, and delivers it in the format required. There is no scrambling to compile records before an audit.
Compliance Coverage
Every major regulatory framework governing data security requires documented security awareness training. PTG's program satisfies all of them with a single managed platform.
CMMC 2.0 (Level 2)
CMMC Level 2 requires defense contractors to implement 110 NIST 800-171 controls, including AT.L2-3.2.1 (role-based awareness training) and AT.L2-3.2.2 (training content updates). PTG's program delivers curricula mapped directly to these practices and generates the documentation a CMMC Third-Party Assessment Organization (C3PAO) needs during an assessment. For defense contractors near Fort Liberty and across the Triangle handling CUI, this is not optional. It is a contract eligibility requirement. Craig Petronella holds the CMMC Certified Registered Practitioner credential, ensuring our training program aligns with current DoD assessment methodology.
HIPAA Security Rule
The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to implement a security awareness and training program. OCR enforcement actions have repeatedly cited inadequate training as a contributing factor in breach penalties. PTG's HIPAA-specific curriculum covers PHI handling, email security for clinical staff, mobile device policies, and incident reporting obligations. Completion records and policy acknowledgments are timestamped and audit-ready. For NC healthcare organizations, clinics, and their business associates throughout the Triangle, this training is essential to avoid OCR scrutiny after a reportable incident.
NIST 800-171 / NIST CSF
NIST Special Publication 800-171 control family 3.2 (Awareness and Training) requires organizations to ensure personnel are made aware of security risks associated with their activities and are trained to carry out their responsibilities. The NIST Cybersecurity Framework similarly includes awareness and training functions. PTG maps training modules, simulation results, and completion logs to these control families, providing the evidence needed for NIST-based assessments and self-attestations required under DFARS clause 252.204-7012.
PCI DSS v4.0
PCI DSS Requirement 12.6 mandates that organizations implement a formal security awareness program and deliver training to all personnel upon hire and at least annually. Version 4.0 strengthens this by requiring organizations to review training content annually and update it to address new threats. PTG's monthly content updates and continuous simulation cadence exceed the annual minimum, and our reporting maps directly to PCI DSS 12.6.1 through 12.6.3 sub-requirements. For merchants, payment processors, and financial services firms handling cardholder data, this coverage eliminates the training gap that QSAs flag during assessments.
SOC 2 Type II
SOC 2 Trust Services Criteria require organizations to communicate security responsibilities through training programs and to monitor employee compliance with security policies. The Common Criteria CC1.4 (Board oversight), CC2.2 (Internal communication), and CC1.1 (Commitment to integrity) all have training components. PTG's platform provides the evidence artifacts SOC 2 auditors need: training completion logs, policy acknowledgment timestamps, phishing simulation performance data, and risk score trends. SaaS companies and managed service providers pursuing SOC 2 attestation benefit from having all training evidence pre-organized and exportable.
FTC Safeguards Rule / GLBA
The revised FTC Safeguards Rule under 16 CFR 314.4(e) requires financial institutions to provide personnel with security awareness training that is updated to reflect risks identified through risk assessments. The rule applies broadly: auto dealerships, mortgage brokers, tax preparers, and any entity significantly engaged in financial activities. PTG's training program meets the rule's requirements for initial and ongoing training, risk-based content updates, and documentation of training activities. Compliance reports map to the specific regulatory language the FTC references in enforcement actions.
Measurable Results
PTG has operated security awareness training programs for organizations across the Research Triangle since 2002. The metrics our clients track demonstrate consistent, measurable improvement in human risk posture over time.
How We Measure Success
Every client receives a dynamic risk score updated after each training module completion, phishing simulation, and dark web scan. Individual scores aggregate into departmental and organizational risk ratings. The executive dashboard tracks these scores over time, producing trend lines that show improvement quarter over quarter. Click rates on phishing simulations typically start between 25 and 35 percent at baseline and drop below 5 percent within six months of continuous training. Report rates, the percentage of employees who correctly identify and report a phishing attempt, increase from single digits to above 60 percent over the same period.
ROI of Training Investment
According to the Ponemon Institute, the average cost of a phishing attack for a mid-sized company is $1.6 million. The annual cost of a managed security awareness training program is a fraction of that. When organizations track the number of phishing emails reported by trained employees that would have otherwise led to credential compromise, the return on investment becomes concrete. One prevented incident justifies years of training spend. For regulated industries where breach penalties compound the direct costs, the calculus is even more favorable. PTG provides ROI analysis as part of our quarterly executive reporting.
Note on statistics: PTG does not fabricate client metrics. The phishing click rate reduction figures referenced above reflect outcomes observed across our client base using industry-standard simulation methodologies. Individual results vary based on organizational culture, training engagement, and baseline risk posture. The industry statistics cited are sourced from the Verizon Data Breach Investigations Report and the IBM/Ponemon Cost of a Data Breach Report, both publicly available annual studies.
Who We Serve in the Research Triangle
PTG has delivered security awareness training across every major industry vertical in the Raleigh-Durham metropolitan area. Our program adapts to the specific threats, compliance mandates, and workforce profiles of each sector.
Healthcare & Life Sciences
Hospital systems, specialty clinics, dental practices, behavioral health providers, clinical research organizations, and their business associates throughout Wake, Durham, and Orange counties. HIPAA-aligned training with PHI-specific content, OCR audit preparation, and breach notification procedure drills.
Defense & Government Contractors
Cleared defense contractors near Fort Liberty, DoD subcontractors in RTP, and organizations pursuing CMMC Level 2 certification. CUI handling training, NIST 800-171 control mapping, and CMMC assessment documentation generated automatically from training and simulation data.
Financial Services
Community banks, credit unions, wealth advisory firms, insurance agencies, and mortgage companies across the Triangle. Training mapped to GLBA, FTC Safeguards Rule, PCI DSS, and SOX requirements. Wire transfer fraud, BEC, and invoice manipulation are emphasized given the sector's specific threat profile.
Legal & Professional Services
Law firms, CPA practices, and consulting organizations handling privileged client data. Training covers attorney-client privilege in digital communications, document security, client impersonation attacks, and the North Carolina State Bar's ethical obligations around data protection.
Technology & SaaS
Software companies, SaaS providers, and technology startups in RTP and downtown Raleigh-Durham. SOC 2 readiness training, secure development practices, API key and credential management, and insider threat awareness for organizations where engineers have broad system access.
Manufacturing & Supply Chain
Manufacturing firms, logistics companies, and supply chain operators across the region. Training addresses operational technology security, vendor email compromise, invoice redirection fraud, and the challenge of training mixed workforces with varying levels of technology access and literacy.
Frequently Asked Questions
How quickly can PTG deploy a security awareness training program?
Most organizations are fully deployed within five to seven business days. PTG handles the entire setup: platform configuration, user enrollment from your directory or CSV import, curriculum assignment based on role and department, and the baseline phishing simulation. There is no burden on your IT team. Organizations in Raleigh, Durham, and the Triangle can request on-site kickoff sessions to align training goals with leadership priorities and compliance requirements. Remote deployment is equally straightforward for distributed or hybrid workforces.
What types of phishing simulations does PTG run?
Our simulations mirror the full spectrum of real-world attack tactics: credential harvesting pages that replicate Microsoft 365, Google Workspace, and banking login portals; malicious attachment campaigns using fake invoices, shipping notifications, and HR documents; CEO and executive impersonation emails requesting wire transfers or sensitive data; QR code phishing embedded in printed materials or PDF attachments; and SMS-based smishing campaigns targeting personal devices. Templates are updated monthly based on active threat intelligence. Every interaction is tracked and feeds into individual risk scores and organizational reporting.
Does the training satisfy HIPAA, CMMC, NIST, and PCI DSS requirements?
Yes. Every training module, policy acknowledgment, phishing simulation result, and completion certificate is mapped to specific control language in HIPAA Security Rule 45 CFR 164.308(a)(5), CMMC Level 2 practices AT.L2-3.2.1 and AT.L2-3.2.2, NIST 800-171 control family 3.2, PCI DSS Requirement 12.6, FTC Safeguards Rule 16 CFR 314.4(e), and SOC 2 Trust Services Criteria. The platform generates audit-ready reports formatted for assessors and regulators. When your auditor asks for training evidence, it is already organized, timestamped, and ready for export.
What happens when an employee fails a phishing simulation?
Employees who click a simulated phishing link or submit credentials on a fake login page are immediately redirected to a just-in-time training module. This module explains what they missed, identifies the red flags in the email, and teaches the correct response. Their individual risk score is updated in the dashboard. Repeat offenders are automatically enrolled in additional targeted training modules. Managers receive notifications about high-risk employees so they can provide support. The goal is behavioral correction, not punishment. Organizations that treat failed simulations as learning opportunities build stronger reporting cultures.
How does the dark web monitoring component work?
PTG's platform continuously scans underground forums, data breach databases, paste sites, and dark web marketplaces for email addresses, passwords, and personal information belonging to your employees. When compromised credentials are discovered, the system generates an alert that includes the breach source, the type of data exposed, a severity rating, and recommended remediation steps. The affected employee receives a password reset directive and targeted credential hygiene training. This integration means dark web exposure is not just a security alert; it becomes an active training reinforcement point.
Can training content be customized for different departments and roles?
The platform supports role-specific learning paths that deliver different content based on job function, department, seniority level, and individual risk score. Executives receive strategic risk briefings, board reporting preparation, and wire fraud awareness. Finance teams focus on invoice manipulation, payment redirect scams, and BEC detection. IT staff get technical content on threat indicators, lateral movement recognition, and incident response procedures. Front-line employees learn social engineering defense, physical security, and safe browsing habits. Each employee receives training calibrated to the threats most relevant to their daily responsibilities.
How is PTG's training different from free or low-cost alternatives?
Free platforms typically offer generic content, limited simulation capabilities, minimal reporting, and zero managed services. Your IT team becomes responsible for configuration, enrollment, campaign scheduling, and compliance documentation. PTG's program is fully managed: we handle every operational aspect from onboarding to audit report generation. Our content is behavior-focused, updated monthly with current threat intelligence, and tailored to your industry. Dark web monitoring, continuous phishing simulations, dynamic risk scoring, and compliance-mapped reporting are included. The measurable difference: organizations using our platform consistently see phishing click rates drop below five percent within six months.
How much does security awareness training cost?
Pricing is based on the number of employees enrolled and the compliance frameworks you need to satisfy. PTG offers both a Core Plan covering training, simulations, dark web monitoring, and compliance reporting, and a Premium Plan that adds access to our private cybersecurity community with expert office hours, resource libraries, and peer collaboration. Both plans are priced per user per month with volume discounts for larger organizations. Contact PTG at 919-348-4912 or visit our contact page for a customized quote based on your organization's size and requirements.
Does PTG support remote and hybrid workforces?
The entire platform is cloud-based and accessible from any device with an internet connection. Training modules, phishing simulations, and compliance documentation work identically for remote, hybrid, and in-office employees. Content includes modules specifically designed for remote work scenarios: home network security, VPN configuration and usage, secure video conferencing, managing sensitive data on personal devices, and safe use of public Wi-Fi. Phishing simulations are delivered to employee inboxes regardless of location. Reporting dashboards aggregate data across all locations and work arrangements without any additional configuration.
What metrics and reports does the platform provide?
The executive dashboard tracks training module completion rates, phishing simulation click rates, credential submission rates, phishing report rates, individual and departmental risk scores, dark web exposure alerts, and compliance documentation status. Trend reports show how these metrics have changed over weeks, months, and quarters. All data is exportable in multiple formats and organized by compliance framework for auditor review. PTG delivers quarterly executive summaries that translate raw metrics into business risk language leadership can act on, including ROI analysis comparing training cost to estimated breach prevention value.
Start Defending Your Organization Against Human-Targeted Attacks
Schedule a free security awareness assessment with PTG. We will run a baseline phishing simulation against your team, scan the dark web for your organization's exposed credentials, and deliver a risk report with actionable findings. No cost. No obligation. See exactly where your human risk stands before committing to a program.
Serving Raleigh, Durham, Chapel Hill, Cary, Apex, Morrisville, Wake Forest, Holly Springs, and the Research Triangle Park