Questions & Objections

Everything you wanted to ask.

Everything you wanted to ask but weren't sure was a stupid question. It isn't. We get these a lot.

Before we start

What awareness actually means

The security industry has been trying to deliver awareness for decades. Modules, posters, phishing simulations, intranet campaigns, newsletters, lunch-and-learns. An entire infrastructure built around a single goal: make people aware.

The word has been doing two jobs at once, and nobody noticed. "Awareness" describes both the thing organisations run (the programme) and the thing they're trying to produce (the state). So when someone says "we have a security awareness programme," they mean the training. When they say "our people need better security awareness," they mean the outcome. Same word. Completely different things. And yet the industry has built an entire infrastructure around it without ever stopping to ask whether one was actually producing the other.

That confusion has cost the industry twenty years of progress.

Here's what we mean when we say awareness. Awareness is not a module someone completes. It is not a percentage on a report. It is not the ability to identify a phishing email in a multiple choice question under no pressure with unlimited time.

Awareness is the state of being genuinely attuned to risk, in the moment, under real conditions, and doing something about it.

It is the person who pauses before clicking. Not because they remembered a policy. Because something in them, trained by experience, flags it as wrong before they've consciously processed why. It is the colleague who escalates the unusual request instead of quietly dealing with it, because the culture around them has made that feel like the obvious thing to do. It is the instinct that holds up under pressure, distraction, and the kind of social engineering that is specifically designed to bypass conscious thought.

That version of awareness cannot be delivered. It can only be built.

Awareness is what you have when the right conditions exist. You can't deliver it. You can only design for it.

It is the product of three things working together: genuine engagement that makes people pay attention, a culture that makes good behaviour feel normal, and instinct that embeds the right responses so deeply they run without effort. That is the Behaviour Cycle. And awareness is what you have when it works.

How we think about this

The Behaviour Cycle: Three stages. One outcome.

Stage 01

Engagement

The price of entry. Nothing else works without it. If people aren't paying attention, everything else is expensive wallpaper. Engagement isn't about making training fun; it's about making it impossible to ignore.

Stage 02

Culture

Where behaviour becomes normal. You can run the best session in the world and people can leave genuinely fired up, then walk straight back into an environment that undoes all of it before the week is out. Culture is what people do when nobody is watching.

Stage 03

Instinct

The bit nobody talks about, probably because most programmes never get close to it. Instinct is behaviour that no longer requires effort. The right call, made before conscious thought has fully caught up, because the pattern is so embedded it just runs. 

The Outcome

Awareness

Not a programme. Not a percentage. The actual state of being attuned to risk and acting on it. You can't manufacture it directly. You can only build the conditions that make it inevitable.

Read the full argument on The Behaviour Cycle page, or take the free Behaviour Cycle Check to see where your programme is losing people.

The Basics

Isn't this just a game?

No. Though we understand why it looks like one from the outside.

The escape room format is a delivery mechanism, not the point. What we're actually doing is placing people inside a realistic, high-pressure scenario and making them practise the decisions that determine whether your organisation gets breached or doesn't. The story is fiction. The behaviours it rehearses are entirely real.

There's a meaningful body of research behind why this works. Immersive, experience-based learning produces measurably better retention, higher confidence in applying skills, and more durable behaviour change than any instruction-based alternative. The game isn't the gimmick. The game is the science.


What are the actual learning outcomes?
How is this different from e-learning or annual compliance training?
We've tried gamification before and it didn't work. Why is this different?

Cost & Value

This costs more than our current training. How do you justify that?

Fair question. Let's actually look at it.

Your current training costs less per head. It also doesn't change what people do. So what you're actually paying for is the audit trail, not the outcome. That's a defensible position for compliance. It's a bad position for risk reduction.

Immersive training costs more to deliver because it does more. The organisations that benchmark it properly find that the cost difference is marginal against the savings from incidents that didn't happen, breaches that didn't escalate, and response times that improved because people had already practised. IBM's 2025 data puts the average cost difference between organisations with tested security programmes and those without at approximately £1.2 million per breach.

We're not cheap. We're also not a line item you complete and forget.


How is pricing structured?

Logistics & Practicalities

Our teams are remote or distributed. Can this still work for us?

Yes. And the short answer is: a programme that only works at HQ isn't a programme.

Every product in our ecosystem is either fully digital and solo-capable, ships to wherever your people are, or is specifically designed to pull distributed teams into a shared narrative even when they're not in the same room. SHIFT delivers immersive, narrative-led scenarios through a browser with no downloads, no setup, and no facilitation required. ALT works solo or as a group on people's own devices. CTRL+Vish is location-agnostic by design. ESC is a physical kit that ships to any location with a team and a table. With a train-the-trainer programme in place, regional offices run their own sessions without waiting for central coordination.

There's also a pre-engagement layer worth knowing about. Before a live event runs, distributed teams can be pulled into the narrative through digital challenges, in-character communications, and cross-location missions that require teams in different sites to coordinate. By the time the main experience kicks off, remote colleagues aren't watching from the outside. They've already played their part.

Remote isn't a constraint. It's a design problem we've already solved.


How much space do I need?
How long does a session take?
Can you train all of our people, not just a subset?

Does it fit us?

We already do cyber security awareness training. Why would we need this?

Because knowing and doing are different things.

Your programme might be telling people what a phishing email looks like. That's information. Behaviour is what happens when a message that looks almost right arrives at 4pm on a Friday, when someone's halfway through something else and not paying close attention. That gap is where incidents happen. And information alone doesn't close it.

We're not asking you to stop what you're doing. We're asking you to be honest about what it's achieving. If your incident data is improving, great. If completion rates are the main thing going up, that's a different story.


Will this meet our compliance requirements?
Is this suitable for non-technical staff?

Still got a question we didn't answer?

Book a call and we'll give you a straight answer.
No pitch, no pressure.