Every Great Attack Starts With a Setlist
In July 2021, a single phishing email gave a threat actor access to credentials at a Florida IT management firm, triggering the Kaseya VSA ransomware attack that cascaded to over 1,500 businesses worldwide. One click. One employee. One email that someone didn't recognize as malicious. The attackers had a plan — a sequence of moves designed to maximize damage. Your security team needs one too.
That's where the concept of a phish setlist comes in. If you've ever seen the jam band Phish perform, you know the setlist is the backbone of the show — a deliberate sequence of songs chosen for flow, energy, and impact. A phish setlist in cybersecurity works the same way: it's the structured lineup of simulated phishing attacks your organization runs against its own employees to build real resilience against social engineering.
I've built dozens of these programs for organizations ranging from 50-person startups to enterprise environments. The difference between companies that reduce click rates and those that don't almost always comes down to whether they had a deliberate phish setlist — or just sent random emails and hoped for the best.
What Exactly Is a Phish Setlist?
A phish setlist is a planned sequence of simulated phishing emails, scheduled over weeks or months, that progressively tests and trains employees against realistic attack scenarios. Each "song" in the setlist is a different phishing template — varying in difficulty, attack vector, and social engineering technique.
Think of it like a training curriculum, not a gotcha game. The goal isn't to embarrass the people who click. It's to expose your workforce to the full range of tactics that real threat actors use — from crude mass-blast credential theft attempts to sophisticated spear-phishing with personalized context.
A well-designed phish setlist includes variation in these dimensions:
- Pretext type: Package delivery, password reset, invoice approval, HR policy update, CEO wire request
- Difficulty level: Obvious red flags early, subtle indicators later
- Attack goal: Credential harvesting, malware link, attachment execution, data exfiltration
- Timing: Spaced to avoid "simulation fatigue" but frequent enough to build muscle memory
- Targeting: Broad organization-wide sends mixed with department-specific or role-specific campaigns
The $4.24M Reason You Need a Structured Approach
IBM's 2021 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.24 million — the highest in 17 years. Phishing was the second most common initial attack vector, responsible for 17% of breaches. And here's the kicker: breaches initiated by phishing cost an average of $4.65 million, above the overall average.
Random, infrequent phishing simulations don't move the needle. I've seen organizations send one simulation per quarter and wonder why their click rates stay above 25%. That's like practicing guitar once every three months and expecting to play a concert.
The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element, and social engineering was one of the top three attack patterns across every industry. You can read the full report at Verizon's DBIR page. The data makes it brutally clear: your people are the attack surface, and they need structured, repeated exposure to simulated attacks.
How to Build a Phish Setlist That Actually Works
Step 1: Baseline Your Organization
Before you plan the setlist, you need to know where you stand. Run one or two baseline phishing simulations across the entire organization. Use moderately difficult templates — not the easiest, not the hardest. Record click rates, credential submission rates, and report rates.
This baseline tells you the starting difficulty for your setlist. If 40% of your workforce clicks on a moderately convincing password reset email, you don't start with a sophisticated spear-phishing simulation. You start where they are.
Step 2: Map Your Threat Landscape
What phishing attacks actually target your industry? A healthcare organization faces different pretexts than a financial services firm. Pull data from real incidents. The FBI's Internet Crime Complaint Center (IC3) publishes annual reports with detailed breakdowns of business email compromise and phishing trends at ic3.gov.
Your phish setlist should reflect the actual threats your employees will encounter. If your industry sees heavy business email compromise attempts, your setlist needs invoice fraud and CEO impersonation scenarios. If credential theft targeting cloud platforms is the primary vector, build simulations around fake Microsoft 365 and Google Workspace login pages.
Step 3: Design the Progression
This is where the setlist metaphor really holds. A great concert doesn't open with the most complex song. It builds. Your phish setlist should follow a similar arc:
Weeks 1-4 (Opening Act): Start with easier simulations. Obvious misspellings, suspicious sender domains, generic greetings. These build early confidence and introduce the concept to employees who've never been tested.
Weeks 5-12 (Building Intensity): Increase sophistication. Use internal-looking sender addresses. Reference real projects or departments. Add urgency — "Your account will be locked in 24 hours." Introduce attachment-based simulations alongside link-based ones.
Weeks 13-20 (Peak Difficulty): Deploy spear-phishing scenarios. Use information that mimics what a threat actor could find on LinkedIn or your company website. Impersonate specific executives. Send simulations that look like replies to existing email threads. This is where you find out who's truly resilient.
Weeks 21+ (Sustained Operations): Mix difficulty levels. Keep employees on their toes with unpredictable timing and varied pretexts. Introduce new attack types as the real threat landscape evolves — for example, simulations mimicking COVID-related HR communications or vaccine policy updates, which have been heavily exploited throughout 2021.
Step 4: Pair Every Simulation With Training
A phish setlist without training is just a test. Every simulation should link directly to a learning moment. When an employee clicks, they should immediately see an explanation of what they missed — the suspicious URL, the mismatched sender domain, the urgency tactic designed to bypass critical thinking.
This is where having a solid security awareness training program matters enormously. Our cybersecurity awareness training course covers the fundamentals that every employee needs — from recognizing social engineering tactics to understanding why multi-factor authentication matters. Pair it with your simulation program and you create a feedback loop: test, teach, repeat.
For organizations that want a dedicated phishing-focused curriculum, our phishing awareness training for organizations goes deep on the specific skills employees need to identify and report phishing attempts in real time.
Step 5: Measure What Matters
Click rates are just one metric. A mature phish setlist program tracks:
- Click-through rate: Percentage of employees who clicked the malicious link or attachment
- Credential submission rate: Percentage who entered actual credentials on a fake login page
- Report rate: Percentage who used the phishing report button or forwarded to IT security
- Time to report: How quickly the first report came in after the simulation launched
- Repeat clicker rate: Percentage of employees who click on multiple simulations over time
The report rate is the metric most organizations ignore — and it's arguably the most important. An employee who spots a phishing email and reports it is actively contributing to your defense. CISA emphasizes reporting as a critical component of organizational resilience in their phishing awareness resources.
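As an added example (not part of the original post), the script below computes the five metrics above from a constructed set of simulation results and lists the repeat clickers who need targeted follow-up training; the row format, campaign names and sample users are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample results (not real data): one row per recipient per simulation,
# "campaign,user,delivered,clicked,submitted,reported"; an empty cell = never happened.
RESULTS = """\
wk1,alice,2021-09-06T07:45,2021-09-06T07:52,2021-09-06T07:53,
wk1,bob,2021-09-06T07:45,,,2021-09-06T08:10
wk1,carol,2021-09-06T07:45,2021-09-06T09:00,,
wk2,alice,2021-09-14T13:00,2021-09-14T13:05,,
wk2,bob,2021-09-14T13:00,,,2021-09-14T13:02
wk2,carol,2021-09-14T13:00,,,2021-09-14T13:20
"""
FIELDS = ("delivered", "clicked", "submitted", "reported")

def parse_results(text):
    """Group rows into {campaign: {user: {action: datetime}}}, dropping empty cells."""
    data = defaultdict(dict)
    for line in text.strip().splitlines():
        campaign, user, *stamps = line.split(",")
        data[campaign][user] = {f: datetime.fromisoformat(s) for f, s in zip(FIELDS, stamps) if s}
    return data

def campaign_metrics(users):
    """Per-simulation rates as fractions of recipients, plus minutes to first report."""
    n = len(users)
    rate = lambda action: sum(action in u for u in users.values()) / n
    launch = min(u["delivered"] for u in users.values())
    reports = [u["reported"] for u in users.values() if "reported" in u]
    return {
        "click_rate": rate("clicked"),
        "credential_submission_rate": rate("submitted"),
        "report_rate": rate("reported"),
        # None when nobody reported: the simulation went completely unnoticed
        "minutes_to_first_report": (min(reports) - launch).total_seconds() / 60 if reports else None,
    }

def repeat_clickers(data, min_clicks=2):
    """Users who clicked in at least min_clicks simulations: candidates for targeted training."""
    clicks = defaultdict(int)
    for users in data.values():
        for user, actions in users.items():
            clicks[user] += "clicked" in actions
    return sorted(u for u, c in clicks.items() if c >= min_clicks)

def setlist_report(text=RESULTS):
    """Roll the whole setlist up: one metrics dict per campaign plus the repeat-clicker rate."""
    data = parse_results(text)
    everyone = {u for users in data.values() for u in users}
    report = {c: campaign_metrics(u) for c, u in data.items()}
    report["repeat_clickers"] = repeat_clickers(data)
    report["repeat_clicker_rate"] = len(report["repeat_clickers"]) / len(everyone)
    return report
```

Export the same columns from whatever simulation platform you use and the per-campaign numbers line up week by week with the setlist, which is what the quarterly review in Step 5 needs.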
Common Mistakes That Wreck Your Phish Setlist
Punishing Clickers Instead of Training Them
I've watched organizations publicly shame employees who failed simulations. One company posted click rates by department on a lobby TV. The result? Employees stopped trusting IT, stopped reporting real suspicious emails, and morale cratered. Your phish setlist is a training tool, not a disciplinary weapon.
Running the Same Difficulty Every Time
If every simulation is a crude Nigerian prince email, your click rates will drop — but your employees won't be prepared for a well-crafted spear-phishing attack. If every simulation is impossibly sophisticated, employees get demoralized. Vary the difficulty intentionally.
Ignoring the Executive Suite
Executives are prime targets for business email compromise and whaling attacks. They're also the most likely to push back on being included in simulations. Include them anyway. The 2021 IC3 report identified business email compromise as the costliest cybercrime category, with adjusted losses exceeding $1.8 billion in 2020 alone. Executives with access to wire transfers and sensitive data need the most realistic simulations you can design.
No Connection to Zero Trust Strategy
Phishing simulations exist within a broader security architecture. If an employee clicks a credential harvesting link and enters their password, multi-factor authentication should stop the attacker cold. Your phish setlist should reinforce why zero trust principles and MFA matter — and your training should explain how these layers work together. Simulations that demonstrate "even though you clicked, MFA saved you" are powerful teaching moments.
How Often Should You Run Phishing Simulations?
Based on data from organizations I've worked with and industry research, the sweet spot is two to four simulations per month during the initial 90-day ramp-up, then one to two per month for ongoing operations. This frequency is enough to build recognition patterns without causing simulation fatigue.
Spread your sends across different days and times. Real phishing doesn't arrive on a predictable schedule. Some of the highest click rates I've seen come from simulations sent at 7:45 AM on Monday — before coffee, before critical thinking kicks in. Your phish setlist should exploit these realistic timing patterns.
Building the Setlist: A Sample 12-Week Plan
Here's a concrete example of a phish setlist for a mid-sized organization:
- Week 1: Generic package delivery notification (easy) — broad send
- Week 2: Password expiration warning from "IT Support" (easy-medium) — broad send
- Week 3: Training debrief + security awareness module assignment
- Week 4: Fake invoice from known vendor name (medium) — finance department targeted
- Week 5: Shared document link from "coworker" (medium) — broad send
- Week 6: HR benefits enrollment update with malicious attachment (medium) — broad send
- Week 7: Training reinforcement + results review with department managers
- Week 8: CEO impersonation wire transfer request (hard) — executive assistants targeted
- Week 9: Fake LinkedIn connection request with credential harvesting (medium-hard) — broad send
- Week 10: COVID vaccination survey from "HR" (hard) — broad send
- Week 11: Spoofed internal IT ticket system notification (hard) — IT-adjacent departments
- Week 12: Full program review, metrics analysis, setlist revision for next quarter
Notice the pattern: escalating difficulty, mixed targeting, training breaks integrated into the schedule, and a review cycle built in. This isn't random. It's deliberate.
From Setlist to Culture Change
The ultimate goal of a phish setlist isn't a low click rate on a dashboard. It's a workforce that instinctively pauses before clicking, hovers over links before trusting them, and reports suspicious messages as a reflex. That's a culture shift, and it doesn't happen with a single annual training video.
It happens when employees experience realistic simulations regularly, receive immediate constructive feedback, complete targeted training like our organizational phishing awareness program, and see leadership taking the same simulations they do.
A structured phish setlist transforms security awareness from a compliance checkbox into an operational capability. Your employees become sensors in your security architecture — the human layer that catches what your email gateway misses.
Start building your setlist today. Baseline your organization, map your threats, design the progression, and pair every simulation with real training. Your next data breach might depend on whether one employee recognizes the one email that matters.