Help desk staff are a prime target for credential-based attacks (password resets, MFA re-enrollment, account unlocks), but most security training consists of generic phishing email simulations, not live vishing (voice phishing) or chat-based social engineering scenarios.
AI-powered voice and chat bots that periodically call or message help desk staff with realistic social engineering pretexts, score each agent's response against the help desk's own SOP, and generate training reports for managers.
Subscription per org, with usage-based pricing for simulation volume.
The MGM Resorts breach (2023) cost $100M+ and began with a vishing call to the help desk. Every CISO with a help desk now knows this is a real attack vector. The Reddit post with 843 upvotes confirms grassroots awareness. Auditors increasingly ask about vishing defenses. Help desk social engineering is one of the most effective initial-access techniques seen in recent intrusions, and there is almost zero automated tooling for testing defenses against it.
TAM is narrower than general security awareness (~$10B) because this targets orgs with meaningful help desk operations. Serviceable market is enterprises with 500+ employees that have IT/customer help desks — roughly 50,000-100,000 orgs globally. At $5K-$50K/org/year, SAM is $250M-$5B. Not a trillion-dollar market, but large enough to build a very successful company.
Security budgets are the last to get cut. Post-MGM, boards are specifically funding social engineering defenses. Enterprises already pay $15-26/user/year for email-only phishing sims. A specialized vishing/help desk product can command premium pricing ($30-50/user/year) because it addresses a gap auditors are now flagging. The consulting alternative (Social-Engineer LLC) costs $15K-50K per one-time engagement, making a $20-50K/year SaaS look like a bargain for continuous coverage.
Core tech stack is feasible: LLM-powered conversation engine + telephony API (Twilio/Vonage) + chat integration (Teams/Slack webhooks or bot apps) + scoring/reporting dashboard. A strong solo dev can build a functional MVP in 6-8 weeks. However, voice quality and conversational realism are make-or-break: a mediocre AI voice will be detected immediately by help desk staff, and every detected call erodes the product's credibility. Prompt engineering for realistic pretexts requires security domain expertise. Telephony integration has edge cases (IVR queues, transfers, hold, call-recording consent). Scoring rubrics need careful design: the rubric has to encode the customer's own SOP (what counts as identity verification, when a request must be escalated, when a ticket is required), not a generic checklist. Feasible but not trivial.
This is the strongest signal. Every major competitor is email-phishing-first. Vishing is either absent, a checkbox feature, or a $30K+ consulting engagement. Nobody offers AI-driven, adaptive, continuous voice/chat social engineering simulations targeting help desks as a self-service SaaS product. The gap between what exists (email sims) and what attackers actually do (call the help desk) is enormous and well-documented post-MGM/Caesars.
Natural subscription model. Security training is ongoing by nature — employees need periodic testing, new hires need onboarding simulations, compliance requires quarterly/annual assessments. Usage-based pricing for simulation volume creates expansion revenue. Enterprise procurement teams expect annual contracts. Churn should be low once embedded in security programs because removing it creates audit gaps.
- +Massive, well-documented gap in market — no one does AI-driven vishing simulation as SaaS
- +High-profile breaches (MGM/Caesars) created urgent buyer awareness and budget allocation
- +Strong regulatory tailwinds: PCI DSS v4.0 (requirement 12.6.3.1) requires awareness training to cover phishing and social engineering, and SOC 2 and NIST-aligned audits increasingly ask for evidence that covers voice and chat pretexts, not just email
- +Natural enterprise SaaS model with high retention and expansion revenue
- +AI/LLM capabilities have just now reached the quality threshold to make this viable — timing is ideal
- +Expensive consulting alternative ($15-50K/engagement) validates willingness to pay and provides pricing anchor
- !Enterprise sales cycles are 3-9 months — runway needs to account for slow initial revenue
- !Legal/compliance sensitivity: simulating social engineering attacks on employees requires careful legal framing, consent frameworks, and HR alignment. One botched simulation that causes employee distress could generate bad press
- !Voice AI quality is a hard bar — if the bot sounds robotic, help desk staff will detect it immediately and the product loses credibility. Requires continuous investment in voice realism
- !KnowBe4 or Proofpoint could ship a competitive feature in 6-12 months once they see traction — need to build defensible wedge fast
- !Telephony costs at scale (Twilio + LLM inference per call) could squeeze margins if pricing isn't structured carefully
World's largest security awareness training platform. Offers phishing simulations, training modules, and a vishing add-on (its AIDA product); PhishER is its user-reported-email triage and remediation tool, not a vishing product.
Enterprise security awareness training with phishing simulations, compliance training, and threat intelligence integration.
Boutique consultancy that provides managed vishing assessments — real humans call your employees using social engineering pretexts.
Security awareness platform offering phishing, smishing, and some vishing simulation capabilities with customizable attack templates.
Gamified phishing simulation and security behavior change platform using adaptive, personalized phishing attacks that get harder as employees improve.
Start with chat-only (Teams/Slack integration) social engineering simulations targeting IT help desks. Skip voice in the MVP: chat is faster to build, cheaper to run, and still covers a real attack vector (Scattered Spider used both phone and chat). Build 5-10 realistic pretext scenarios (password reset requests, MFA bypass, new employee onboarding, VPN access, executive impersonation). Include a scoring engine that evaluates whether the help desk agent followed SOP: verified identity out of band (callback to the number on file, manager confirmation) rather than with details a caller could have looked up, recorded the request in the ticketing system, and escalated high-risk requests appropriately. Ship a manager dashboard with per-agent scores and trend lines. Add voice (Twilio + ElevenLabs/OpenAI TTS) as the premium tier in v2 after validating demand with chat.
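As an added example (not code from this page or from any of the products named above), a deterministic rubric scorer for one simulated help-desk chat in Python. The attacker-bot and agent turns are constructed transcripts, the label names, regexes, scenario names and point weights are hypothetical, and a production scorer would label turns with an LLM or a human reviewer rather than keywords. It shows the points the MVP scoring engine hinges on: knowledge-based questions the caller could have researched earn only partial credit, completing the attacker's goal without out-of-band verification is a hard fail regardless of anything else the agent did, and whether escalation is expected depends on the pretext.

```python
"""Rubric scorer for one simulated help-desk chat (added example, not the page's code).

Grades the agent's turns against SOP: out-of-band verification before any
sensitive action, a ticket for the request, escalation for high-risk pretexts,
and never completing the attacker's goal.  Labels, regexes, weights and
transcripts are constructed for illustration; keyword labelling keeps it offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    goal: str             # label the attacker is trying to make the agent emit
    must_escalate: bool   # high-risk pretext: exec impersonation, MFA bypass


LABELS = {
    # Knowledge-based checks: an attacker may already hold these (OSINT, prior
    # breach dumps), so they earn partial credit only.
    "weak_verify": re.compile(r"\b(employee id|date of birth|security question)\b", re.I),
    # Out-of-band checks the bot cannot satisfy from inside the chat.
    "strong_verify": re.compile(r"\b(call(?:ing)? you back|number on file|manager to confirm|video call)\b", re.I),
    "ticket": re.compile(r"\b(ticket|case number|incident)\b", re.I),
    "escalate": re.compile(r"\b(escalat\w*|security team|my supervisor)\b", re.I),
    # Attacker goals: the agent actually performed the sensitive action.
    "password_reset": re.compile(r"\b(temporary password is|reset link sent|i'?ve reset)\b", re.I),
    "mfa_bypass": re.compile(r"\b(bypass code is|removed your authenticator|mfa (?:is )?disabled)\b", re.I),
}


def label_turn(text):
    """Return the set of rubric labels present in one agent turn."""
    return {name for name, rx in LABELS.items() if rx.search(text)}


def score_transcript(scenario, turns):
    """turns: list of (speaker, text), speaker is 'bot' or 'agent'.
    Returns {'score': 0..100, 'compromised': bool, 'findings': [...]}."""
    weak = strong = ticket = escalated = compromised = False
    findings = []
    for speaker, text in turns:
        if speaker != "agent":
            continue
        labels = label_turn(text)
        if "weak_verify" in labels and not weak:
            weak = True
            findings.append("asked a knowledge-based question (partial credit)")
        if "strong_verify" in labels and not strong:
            strong = True
            findings.append("required out-of-band verification")
        if "ticket" in labels and not ticket:
            ticket = True
            findings.append("logged a ticket")
        if "escalate" in labels and not escalated:
            escalated = True
            findings.append("escalated")
        # Completing the attacker's goal before out-of-band verification is a
        # hard fail.  (The bot is scripted never to pass an out-of-band check,
        # so a goal reached after one would be a simulator bug, not an agent failure.)
        if scenario.goal in labels and not strong:
            compromised = True
            findings.append(f"FAIL: {scenario.goal} without out-of-band verification")
    if compromised:
        return {"score": 0, "compromised": True, "findings": findings}
    points = 40 if strong else (15 if weak else 0)   # verification quality
    points += 20 if ticket else 0                      # auditable record
    points += 15                                       # goal not achieved
    max_points = 75
    if scenario.must_escalate:                         # only expected for risky pretexts
        points += 25 if escalated else 0
        max_points += 25
    return {"score": round(100 * points / max_points), "compromised": False, "findings": findings}


# Constructed scenarios and transcripts (not real incidents).
RESET_SCENARIO = Scenario("locked-out employee", "password_reset", False)
EXEC_SCENARIO = Scenario("CFO demands MFA removal", "mfa_bypass", True)

FAIL_TRANSCRIPT = [
    ("bot", "Hi, this is Dana in Finance. I'm locked out and the board deck is due in an hour, can you reset my password?"),
    ("agent", "Sure, can you give me your employee ID?"),
    ("bot", "It's 48213."),
    ("agent", "Thanks. Your temporary password is Welcome2024!, please change it at login."),
]
PASS_TRANSCRIPT = [
    ("bot", "Hi, this is Dana in Finance. I'm locked out and the board deck is due in an hour, can you reset my password?"),
    ("agent", "I can help. First I need to verify you. What is your employee ID?"),
    ("bot", "48213."),
    ("agent", "Thanks. I'm going to call you back on the number on file for that ID before I do anything."),
    ("bot", "I'm on a new phone, can you just text the reset link here instead?"),
    ("agent", "I can't use a number given to me over chat. I've opened ticket INC-2231 and will call the number on file in five minutes."),
]
EXEC_TRANSCRIPT = [
    ("bot", "This is Mark Ellis, CFO. I'm at the airport, my authenticator is gone, disable MFA on my account now, I have a wire to approve."),
    ("agent", "I understand. Can I get your employee ID so I can look up the account?"),
    ("bot", "I don't have it memorised, I'm the CFO, just do it."),
    ("agent", "Executive accounts are handled by the security team. I've logged incident 4471 and escalated; they'll contact you on your desk number."),
]

if __name__ == "__main__":
    for scen, turns in [(RESET_SCENARIO, FAIL_TRANSCRIPT), (RESET_SCENARIO, PASS_TRANSCRIPT), (EXEC_SCENARIO, EXEC_TRANSCRIPT)]:
        print(scen.name, score_transcript(scen, turns))
```

The first transcript scores 0 because the agent issued a temporary password after only an employee ID, which the pretext itself supplied; the second scores 100 because the agent refused to act on a caller-supplied number and opened a ticket; the executive-impersonation run scores 75, losing points for never moving beyond a knowledge-based check even though it escalated correctly. The `max_points` adjustment is what lets one rubric serve both pretext classes without penalising a routine reset for lack of escalation.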
Free pilot (3 simulations for one team) -> Team plan $500/month (unlimited chat sims, 10 agents, basic reporting) -> Enterprise $2,000-$5,000/month (voice + chat, unlimited agents, SSO/SCIM, compliance reporting, custom scenarios) -> Scale via channel partnerships with MSSPs and security consultancies who resell to their clients
8-14 weeks to first paying pilot. Weeks 1-6: build the chat-based MVP with 5 scenarios and scoring. Weeks 6-8: deploy with 2-3 design partners (find them in r/sysadmin, ISSA chapters, BSides conferences). Weeks 8-12: iterate on feedback. Weeks 10-14: convert pilots to paid. First meaningful ARR ($10K+ MRR) likely at month 6-9 given enterprise sales cycles.
- “Everyone is susceptible to social engineering if the right lever is pulled”
- “an opportunity for more training”
- “my manager reiterated SOP”