
Phishing Simulation After-Action Report Guide

Last updated on Feb 01, 2026

1. Purpose of This Guide

This artefact proves that your organisation actively trains staff to recognise and respond to phishing, instead of just telling them “be careful” and hoping for the best.

Under PDPA Data Protection Essentials Clause 7.4, organisations must run phishing simulation exercises regularly and document the outcomes.

The After-Action Report shows:

  • The simulation actually took place

  • Staff awareness was tested in a realistic way

  • Lessons were identified and acted on

Auditors want to see learning and improvement — not perfect scores.


2. What You Will Submit

You will upload one completed Phishing Simulation After-Action Report.

It should include:

  • A written report (document or PDF)

  • Details of the phishing simulation exercise

  • Metrics from the simulation (e.g. clicks, reports)

  • Observations on staff behaviour

  • Clear recommendations for improvement

This is usually generated from:

  • Your phishing simulation tool (exported metrics + write-up), or

  • A completed internal template


3. How to Collect / Generate This Evidence

Coming soon: StrongKeep customers will be able to use the built-in phishing training platform to generate the reports.

Step 1: Run a phishing simulation

Use your phishing simulation platform (or email tools) to send a simulated phishing email to staff.
Examples:

  • Fake password reset email

  • Suspicious invoice attachment

  • Fake Microsoft or Google login alert

Keep it realistic, but safe.

Step 2: Capture simulation details

After the exercise, record:

  • Exercise date

  • Scope (number of users targeted)

  • Type of phishing scenario used

Step 3: Collect key metrics

Your report should clearly show results such as:

  • Click rate

  • Report rate (who reported the email)

  • Any credential submission (if applicable)

Screenshots or exported summaries from the tool are acceptable.

Step 4: Document observations and lessons

Add a short analysis covering:

  • How well staff recognised the phishing attempt

  • Common mistakes or patterns

  • Whether reporting processes were followed

Then list clear recommendations, such as:

  • Additional training for certain teams

  • Improving phishing reporting instructions

  • Running simulations more frequently
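As an added example that is not part of this guide or of any StrongKeep tooling, the following Python script turns a constructed simulation export into the Step 3 metrics (click rate, report rate, credential submissions), aggregated per team and overall so the report shows trends rather than individuals, and flags teams whose click rate suggests additional training; the CSV column names and the 30% threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (one row per targeted user); the column names are
# an assumption, not a specific simulation tool's format.
SAMPLE_EXPORT = """\
user,team,delivered,clicked,submitted_credentials,reported
a@example.test,Finance,1,1,1,0
b@example.test,Finance,1,1,0,0
c@example.test,Finance,1,0,0,1
d@example.test,Ops,1,0,0,1
e@example.test,Ops,1,0,0,0
f@example.test,Ops,1,1,0,1
g@example.test,Sales,1,0,0,0
"""


def summarise(export_csv: str) -> dict:
    """Aggregate the export into per-team and overall ("ALL") percentages.

    Individual user identities are dropped so the report can focus on trends."""
    counts = defaultdict(lambda: {"targeted": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["delivered"] != "1":
            continue  # undelivered mail is outside the exercise scope
        for key in (row["team"], "ALL"):
            c = counts[key]
            c["targeted"] += 1
            c["clicked"] += int(row["clicked"])
            c["submitted"] += int(row["submitted_credentials"])
            c["reported"] += int(row["reported"])
    summary = {}
    for team, c in counts.items():
        n = c["targeted"]
        summary[team] = {
            "targeted": n,
            "click_rate": round(100 * c["clicked"] / n, 1),
            "credential_rate": round(100 * c["submitted"] / n, 1),
            "report_rate": round(100 * c["reported"] / n, 1),
        }
    return summary


def teams_needing_training(summary: dict, click_threshold: float = 30.0) -> list:
    """Teams whose click rate exceeds the (assumed) threshold, for the recommendations section."""
    return sorted(t for t, m in summary.items() if t != "ALL" and m["click_rate"] > click_threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_EXPORT)
    for team, m in s.items():
        print(f"{team}: {m}")
    print("Recommend additional training for:", teams_needing_training(s))
```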


4. Evidence Format

  • Accepted file types: PDF, DOCX

  • Recommended naming format:

    YourCompanyName_PhishingSimulation_AAR_YYYY-MM-DD.pdf

    Example:

    AcmeCorp_PhishingSimulation_AAR_2025-07-01.pdf


5. What “Good” Looks Like

A strong Phishing Simulation After-Action Report includes:

  • Visible Element: Simulation date and scope
    Why it matters: Confirms the exercise was conducted and who was involved.

  • Visible Element: Measurable results (clicks, reports)
    Why it matters: Demonstrates real testing, not theoretical training.

  • Visible Element: Observations on staff behaviour
    Why it matters: Shows understanding of human risk, not just numbers.

  • Visible Element: Practical improvement actions
    Why it matters: Proves continuous improvement of staff awareness.

If an assessor can clearly see what happened, what you learned, and what you’ll change, you’re winning.


6. Tips from Sir Stonk 🗡️

  • Don’t name and shame. Focus on trends and learning, not individual blame.

  • Even high click rates are acceptable — as long as you document follow-up actions.