Help desk staff are the #1 target for social engineering but training is generic and forgettable. Real attacks use pressure, urgency, and authority (e.g., pretending to be a VP) that classroom training doesn't replicate.
AI-powered voice call simulations that impersonate callers using real social engineering tactics (authority pressure, guilt-tripping, urgency). Scores staff on protocol adherence, flags where they broke SOP, and generates personalized remediation training. Runs periodic surprise tests like phishing sims but for phone/chat channels.
SaaS subscription, $3-8/user/month or bundled into existing security awareness platforms as an add-on
The MGM Resorts breach ($100M+ in damages) began with an attacker calling the help desk and social-engineering a password reset. The Reddit post with 800+ upvotes shows this is viscerally felt by practitioners. Help desk staff are the #1 social engineering target, and current training (slideware, annual CBTs) is universally acknowledged as inadequate. Security leaders know this gap exists; the 'I almost screwed up' narrative resonates because it happens constantly. This is a hair-on-fire problem for any CISO who read about Scattered Spider.
Niche within a large market. The broader SAT market is $5.5B+, but the addressable segment (orgs with IT help desks willing to pay for voice-specific simulation) is narrower — est. 200K+ organizations globally with 50+ employee help desks. Realistic SAM is $200-500M currently. However, this can expand via MSPs (who manage help desks for hundreds of clients) and by broadening beyond help desk to all phone-based SE targets (finance, HR, reception). Not a billion-dollar TAM on day one, but large enough to build a very valuable company.
Security awareness training is an established budget category — orgs already pay $15-45/user/year for inferior email-only products. The proposed $3-8/user/month ($36-96/year) is within range. More importantly, companies are currently paying $15K-75K per engagement for manual vishing testing from consultants. An AI product that delivers similar quality at 10x lower cost is an easy ROI story. Post-MGM, cyber insurance carriers are increasingly requiring social engineering testing, creating a compliance-driven purchase trigger. The buyer (CISO/IT Director) has budget and is actively looking for solutions in this gap.
Core tech stack exists: LLM for conversation (GPT-4/Claude), realistic TTS (ElevenLabs/PlayHT), telephony APIs (Twilio), STT (Whisper/Deepgram). A solo dev could build a working MVP in 6-8 weeks; the conversational AI loop (listen → understand → respond with SE tactics) is achievable with current APIs. The hard parts: (1) latency: a natural real-time voice conversation needs a sub-500ms round-trip, which is tight with an LLM in the loop and in practice forces streaming STT, token-streamed LLM output and streaming TTS rather than a turn-by-turn pipeline, plus handling the agent talking over the caller (barge-in); (2) making the AI convincingly play a social engineer with nuanced pressure tactics without sounding robotic; (3) reliability at scale, since voice calls have far more failure modes than email (dropped calls, hold music, transfers, voicemail). Feasible but not trivial. Closer to 8 weeks than 4.
This is the strongest signal. NO ONE is doing AI-driven, interactive, real-time voice social engineering simulation for help desks at SaaS scale. KnowBe4's vishing is pre-recorded. Social-Engineer LLC is manual/consulting. Hoxhunt is email-only. There is a massive, well-documented gap between cheap-but-static training and expensive-but-realistic human testing. The timing is perfect: LLM + voice AI tech just became good enough to fill this gap in 2024-2025, and the MGM breach created urgent demand. First mover with a credible product owns this category.
Textbook SaaS subscription model. Security training is inherently recurring — employees need continuous testing (not one-and-done), new hire onboarding creates ongoing demand, compliance requires regular assessment, and threat scenarios evolve constantly. The 'surprise test' model (like phishing sims) requires ongoing subscription by design. Low churn risk because (1) switching costs increase as historical data accumulates, (2) compliance/insurance mandates create sticky demand, and (3) the product becomes part of HR/security onboarding workflows.
- +Massive competition gap — no one offers AI-driven interactive vishing simulation at SaaS pricing, creating a clear category-creation opportunity
- +Urgent, well-documented pain validated by catastrophic real-world breaches (MGM $100M+) and grassroots practitioner demand (800+ upvote Reddit post)
- +Timing convergence: LLM + voice AI tech just reached quality threshold while demand spiked post-Scattered Spider attacks
- +Clear buyer with existing budget — CISOs and IT Directors already spend $15-45/user/year on inferior email-only training
- +Natural MSP distribution channel — a single MSP sale covers hundreds of help desk seats across their client portfolio
- +Strong acquisition exit potential — PE-backed KnowBe4, Proofpoint, and Arctic Wolf are actively acquiring in this space
- !Voice AI latency and naturalness: if the simulated calls feel robotic or have awkward pauses, the training loses credibility and staff won't take it seriously
- !Ethical/legal complexity: simulating social engineering attacks on employees requires careful legal framing, consent frameworks, and HR alignment, and because calls are recorded, the recording itself is subject to consent rules that in some jurisdictions require all parties to agree; one bad rollout could generate backlash
- !KnowBe4 or Proofpoint could ship an AI vishing feature with their existing distribution and crush a startup before it scales — the window is open but not forever
- !Enterprise sales cycles are long (3-6 months) for security products, especially net-new categories that require educating the buyer
- !Regulatory risk around AI voice impersonation — some jurisdictions are tightening rules around synthetic voice, which could create compliance overhead
Largest security awareness training platform with a vishing simulation add-on. Sends pre-recorded or scripted simulated vishing calls to employees alongside their massive phishing simulation and training library.
Boutique social engineering consultancy founded by Chris Hadnagy. Delivers vishing assessments as manual, human-run engagements rather than as a scalable software product.
AI-adaptive gamified phishing simulation platform. Uses machine learning to personalize phishing difficulty per employee, with strong gamification and engagement mechanics.
Enterprise security platform with bundled awareness training. Offers phishing simulations and CBT modules. Vishing testing available only as a managed/professional services engagement.
Traditional penetration testing and red team firms that include phone-based social engineering of help desks as part of broader security assessments.
Web dashboard + Twilio-powered AI phone calls. MVP scope: (1) 5-7 pre-built help desk pretexting scenarios (password reset for a VP, MFA bypass request, emergency access, new employee onboarding, vendor impersonation), (2) AI caller powered by LLM + ElevenLabs TTS that adapts conversation in real-time using social engineering pressure tactics, (3) call recording with automated transcript and scoring (did they verify identity? did they follow SOP? where did they break protocol?), (4) simple admin dashboard showing pass/fail rates per agent and scenario. Skip: custom scenario builder, LMS integration, compliance reporting, chat channel — those are post-MVP. Launch to 3-5 design partners (MSPs or mid-market IT teams) for free in exchange for feedback.
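The scoring step in item (3) is the part a buyer will actually judge the product on, so here is a worked illustration of how "did they verify identity, did they follow SOP, where did they break protocol" can be computed from a call transcript. This is an added example, not code from the original page: the SOP, the keyword patterns, the speaker labels and the sample transcript are all constructed for illustration, and a real product would drive the same scorer from STT output and from the customer's own SOP (and would likely use an LLM rather than regexes to classify turns).

```python
"""SOP-adherence scorer for a simulated help-desk vishing call.

Hypothetical illustration. The SOP, the patterns and the transcript below are
constructed; a deployment would load the organisation's own SOP and feed in
diarised STT output.
"""
import re
from dataclasses import dataclass, field

# Hypothetical SOP: checks the agent must complete before each sensitive action.
# Order does not matter; completeness before the action does.
REQUIRED_CHECKS = {
    "password_reset": ("callback_number", "employee_id", "manager_confirmation"),
    "mfa_reset": ("callback_number", "employee_id", "manager_confirmation", "video_id"),
}

# Agent utterances that count as performing a check (agent turns only).
CHECK_PATTERNS = {
    "callback_number": re.compile(r"call you back|callback|number (we have )?on file", re.I),
    "employee_id": re.compile(r"employee (id|number)", re.I),
    "manager_confirmation": re.compile(r"(confirm|verify|check) with (your|the) manager|manager'?s? approv", re.I),
    "video_id": re.compile(r"video call|camera|hold up your badge", re.I),
}

# Agent utterances that mean the sensitive action was carried out.
ACTION_PATTERNS = {
    "password_reset": re.compile(r"reset (your|the) password|temporary password is", re.I),
    "mfa_reset": re.compile(r"(reset|removed|cleared) (your )?(mfa|authenticator|2fa)", re.I),
}

# Caller pressure tactics, tagged so remediation can name the lever that worked.
PRESSURE_PATTERNS = {
    "authority": re.compile(r"\bvp\b|vice president|executive|the ceo", re.I),
    "urgency": re.compile(r"right now|immediately|urgent|in (five|5) minutes", re.I),
    "guilt": re.compile(r"get me fired|your fault|making this (so )?hard|don'?t you trust", re.I),
}


@dataclass
class ProtocolBreak:
    turn: int               # index of the agent turn that performed the action
    action: str
    missing_checks: list    # required checks not done before that turn
    tactics_before: list    # pressure tactics the caller had used by then


@dataclass
class CallScore:
    passed: bool
    checks_done: list
    checks_required: list
    breaks: list = field(default_factory=list)


def score_call(transcript, action):
    """Walk (speaker, text) turns in order. An action turn is a protocol break
    when any required check has not yet been performed by the agent."""
    required = REQUIRED_CHECKS[action]
    done, tactics, breaks = [], [], []
    for i, (speaker, text) in enumerate(transcript):
        if speaker == "caller":
            for name, pat in PRESSURE_PATTERNS.items():
                if name not in tactics and pat.search(text):
                    tactics.append(name)
            continue
        for name, pat in CHECK_PATTERNS.items():
            if name in required and name not in done and pat.search(text):
                done.append(name)
        if ACTION_PATTERNS[action].search(text):
            missing = [c for c in required if c not in done]
            if missing:
                breaks.append(ProtocolBreak(i, action, missing, list(tactics)))
    return CallScore(passed=not breaks, checks_done=done,
                     checks_required=list(required), breaks=breaks)


# Constructed transcript: caller stacks authority, urgency and guilt; the agent
# collects an employee ID but skips the callback and manager steps.
SAMPLE_TRANSCRIPT = [
    ("caller", "Hi, this is Dana, VP of Sales. I'm locked out and I have a board call in five minutes."),
    ("agent", "I can help with that. Can I get your employee ID?"),
    ("caller", "It's 48213. Please hurry, this is urgent."),
    ("agent", "Thanks, I can see your account now."),
    ("caller", "My manager is the CEO and he's in the same meeting. Are you going to get me fired over this?"),
    ("agent", "Okay, I've reset your password. Your temporary password is on its way to your mobile."),
]

if __name__ == "__main__":
    result = score_call(SAMPLE_TRANSCRIPT, "password_reset")
    print("passed:", result.passed, "| checks done:", result.checks_done)
    for b in result.breaks:
        print(f"turn {b.turn}: {b.action} without {b.missing_checks}; tactics used: {b.tactics_before}")
```

The design point is that a break is attributed to a specific turn and to the tactics that preceded it, which is what makes per-agent remediation ("you reset a password under authority and urgency pressure without a callback") possible rather than a bare pass/fail. A refusal produces no action turn and therefore scores as a pass, which matches the SOP's intent. Keyword matching is deliberately simple here; an agent merely mentioning a check would also match, which is why a production scorer should classify turns with a model and have humans review flagged calls.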
Free pilot (3-5 design partners, 30-day trials) → $5/user/month for SMB/MSP self-serve → $8-12/user/month for mid-market with analytics and custom scenarios → Enterprise tier at $15+/user/month with API integrations, compliance reporting, and white-labeling for MSPs → Add-on licensing deals with KnowBe4/Proofpoint/Arctic Wolf as a channel play → Potential acquisition exit at $50-200M+ once category is established
8-12 weeks to MVP with free design partners. 4-6 months to first paying customer. The long pole is not the tech — it's getting the first 3-5 companies to trust an unknown vendor with running simulated social engineering attacks on their staff. MSPs are the fastest path because one relationship = many help desk teams. Target first revenue by month 5-6, $10K MRR by month 9-12.
- “he kept trying to push and guilt trip me”
- “the guy was a VP - social pressure to comply”
- “Everyone is susceptible to social engineering if the right lever is pulled”
- “an opportunity for more training”
- “my manager reiterated SOP”