case study

Automated incident response and the chemistry of resilience

Client logo

The European leader in its chemical manufacturing category.

Industry: Chemical manufacturing
Employees: About 20,000


After moving beyond their ineffectual and clumsy security awareness training (SAT) tool, the enterprise chemical manufacturer adopted Hoxhunt and achieved enterprise-scale security behavior change. But their threat feed swelled with more threat reports than they were capable of analyzing without adding more SOC full-time equivalent resources.


The Hoxhunt incident reponse platform did the work of at least 3 SOC FTEs a month as threats were automatically categorized and data was orchestreated in real-time, accelerating incident response to a new level of capability.

Key takeaways:
Featured image


  • Real threats detected and reported

Increased 100x, from 20/month to 2000

  • Threat feed noise reduction

Down from 2000 to 100/month

  • SOC analysis saved

3 FTEs and counting

  • 26,880 suspicious emails reported
  • 3,000 malicious emails reported and remediated
  • 71% of active users detected a phishing email with Hoxhunt button

Adopting security behavior change on a human risk management platform

The threat landscape was becoming too sophisticated for the enterprise chemical manufacturing company’s legacy SAT tool to handle. Weak results led them to look beyond traditional SAT models and adopt the security behavior change and human risk management model.

Immediately, their phishing simulation results improved dramatically. Engagement soared, and employees reported far more simulations while failing far fewer.

On average, 60% of active Hoxhunt participants report a real email threat within one year of commencing training. This enterprise chemical manufacturer has a 71% rate. There's no better proof of behavior change training actually working, and having a real-world impact.

That’s when they encountered an enviable problem: too much threat intelligence. The behavior change program worked too well. Employees were detecting and reporting so many suspicious emails, the SOC team didn’t have the resources to analyze them in a timely manner.

The information security team considered adding 3 more SOC analysts, or trying Hoxhunt’s AI-enabled, automated SOC response platform.

Adding more analysts wasn’t sustainable. As the company grew, and employees produced more and more threat reports, the infosec team couldn’t continuously add more SOC full-time equivalents.

They opted for the Hoxhunt Response Platform. And they’ve never looked back, as the exponential rise in quantify of threat intelligence has been matched by new levels of quality in their threat analysis.

Hoxhunt provided a one-stop solution for security awareness, behavior change, and human risk management, including a phishing reporting process. We introduced the Hoxhunt button for users to report suspicious emails, which improved the reporting results to unprecedented levels. Previously, people were supposed to use our ticketing system, which was cumbersome, and many suspicious emails went unreported.” Awareness and behavior change program leader

Exchanging the legacy SAT model for security behavior change

The SAT model required a lot of effort and produced paltry results. Previously, the team in charge of security awareness would manually operate sporadic phishing simulation campaigns, supplemented with global email communications covering security awareness topics and best practices.

But they weren’t measurably reducing risk.

Their phishing and awareness campaigns’ engagement levels were low and stagnant. Simply explaining what phishing attacks looked like didn’t stir enthusiasm or build cyber skills. The SAT model was simply ineffective compared to repeated practice with realistic simulations.

Upon deploying Hoxhunt, engagement and overall enthusiasm changed within a matter of weeks.

The training metrics were excellent. Fail rate and the rate of missed phishing simulations plummeted, while success rate—the successful reporting of a phishing simulation—skyrocketed. This demonstrated a new level of human cyber-skill and a hardened human layer.

The AI-driven adaptive learning model, deployed within a gamified platform, is designed to keep training within individuals’ zone of proximal development. That’s the sweet spot of learning where it’s not too hard, and never too easy. As people got better at spotting and reporting phishing emails, the adaptive learning model upped the difficulty level of the simulations to match users’ skill.

“The program reached much higher levels of engagement and success than we’d ever seen before with our previous security awareness tools.” Awareness and behavior change program leader

100 times more real threats detected and reported

People learned to report suspicious emails and phishing attacks almost too well. The number of real threats detected and reported to the Security Operations team skyrocketed from 10-20 a month to 2000 a month. While there’s no better proof of security behavior being changed or of risk being reduced than an upswell in detected threats, the swollen threat feed was overwhelming to the SOC team.

“It's fascinating to see the impact of the response platform along with the increased reporting behavior within the organization. Before implementing Hoxhunt, we used to receive only around 10 to 20 emails per month, but after introducing the platform and encouraging employees to report any suspicious or spam emails, the number significantly increased. The streamlined process of simply clicking a button to report an email made it more convenient for employees to report potential threats.”

A threat report is a terrible thing to waste. The security team scrambled to make the most of their upswell in human threat intelligence. At first, they considered adding 2-3 more SOC analysts, but that was deemed unsustainable. They couldn’t keep adding more analysts as the company—and employee threat intelligence—grew.

They needed an automated solution. And Hoxhunt delivered.

Threat feed noise was reduced by 99%, as the AI-enabled Hox Response engine orchestrated reported threats into categories, and prioritized incidents for escalation. This accelerated SOC response significantly.

Enter Hoxhunt’s automated incident response platform: 3 FTEs of SOC resources were immediately saved

Threat reporting became a cultural habit that was celebrated and rewarded. The Instant Feedback feature let users choose whether to report an email as SPAM or malicious. If they’d reported a malicious email, Instant Feedback would let them know in real time whether they’d caught a live threat, and reward them for doing so. Furthermore, the security team could whitelist internal communications campaigns, so even if employees reported them, the legitimate emails wouldn’t go to the threat feed.

“With the Hoxhunt button and the subsequent introduction of the response platform, things improved. Initially, all emails went to our security operations team, including spam reports. This overwhelmed them, as they had to process around 2000 emails per month. However, the response platform, with its machine learning algorithm, filtered out potential true positives, reducing the number of emails our team had to handle. Now, we receive around 100 emails per month, which is a significant improvement. And these are the emails that are of the highest incident response priority.”

Time is of the essence

The determining factor between contained incidents and data breaches is time. Before Hoxhunt, sometimes it took a week for the SOC team to analyze a reported email. And that was when threat reporting activity was minimal. This, they realized, was problematic. They wanted incident response to happen in terms of minutes and hours, not days or weeks.

“When it comes to security incidents, time is of the essence. If it’s a phishing email, and the threat actor is able to either steal user credentials or deliver a malicious piece of software, the more time you give them the more damage they can do. Time is critical. You really need to contain the damage as quickly as possible, ideally in under a few hours. We can now contain incidents within a matter of hours or minutes, or in real-time, as opposed to days or weeks.

A turnaround time of a week will lower the security team’s standing with users, who are waiting for a response to their threat report, while letting the damage spread. Being in a state of overwhelm can damage the effectiveness of SOC analysis.

There is no better proof of a good behavior change training's impact than a swollen threat feed. The automated threat feed data orchestration accelerated incident response for greater resilience with fewer SOC resources.
Hoxhunt Response had an impact not only on the speed of our analysis, but it impacted the quality of the analysis as well. The SOC team was rushing through analysis before. Because of their workload, they might classify something as spam that if they had had more time would have been classified as a fraud attempt and blocked.  But now they are focusing where it matters and we are measurably reducing our risk profile as a result.”

Table of contents

Want to match these results?
Hoxhunt adaptive phishing training dramatically increases training engagement and security resilience.
Request a demo