
You Can't Patch Your People. That's Why You Should Train Them First.

Jon Taylor  ·  April 15, 2026  ·  7 min read
Disclosure: I'm the COO at Nanitor — a vulnerability management platform. I have every commercial reason to argue the opposite of what I'm about to argue. I'm writing this anyway, because the case for security awareness training is stronger than the CTEM industry wants to admit, and intellectually honest security practitioners should understand it.

Every CTEM tool produces a list of vulnerabilities your team can't fully remediate. Every organization has legacy systems that can't be patched, vendors who won't accept agents, and critical infrastructure that can't be taken offline. Your people, however, are everywhere — and they can be trained in 90 days.

I spent the last few years building a vulnerability management platform. I believe in the product and I believe in the category. But I've sat across from enough CISOs to know that the "fix your technical exposure first" argument, while theoretically correct, fails in practice for the majority of organizations that need security help most urgently.

Here's what the CTEM vendors — including the one I work for — don't lead with: most organizations that buy vulnerability management tools never fully act on what those tools find. The backlog accumulates. The findings get triaged and re-triaged. Eighteen months in, they're sitting on 4,000 open vulnerabilities, arguing about severity scores, and their patch cadence hasn't improved. Meanwhile, the employee who just wired $180,000 to a fraudulent account because of a convincing email never had a single hour of security training.

The Backlog Problem Is Real and Structural

Vulnerability management tools are only as useful as your team's ability to act on their output. For a mid-sized organization with a two-person IT team and no dedicated security function — which describes the majority of SMEs across Iceland, the Nordics, and Europe — a continuous vulnerability scanner surfaces findings faster than they can be remediated.

This isn't a tool quality problem. It's a resource constraint that no software product resolves. The average enterprise carries thousands of unpatched vulnerabilities at any given time. The DBIR's 180% increase in vulnerability exploitation sounds alarming — and it should — but the organizations that get breached via unpatched CVEs are typically those with the resources to run sophisticated threat programs but the organizational dysfunction to delay patching. That's a different problem than an under-resourced SME choosing between tools.

The CTEM reality check: Agent deployment requires IT buy-in, procurement cycles, compatibility testing, and ongoing maintenance. Full coverage takes months. Acting on findings requires security expertise most organizations don't have. The "fix technical exposure first" argument assumes a security team that doesn't exist in most organizations buying these tools.

Security awareness training, by contrast, deploys across your entire workforce in days. No agents. No compatibility issues. No patching windows. You upload your employee list, set a schedule, and your people start receiving training this week.

The Human Attack Surface Never Closes

Here is the structural advantage of investing in people: you can patch a CVE and remove it from your exposure permanently. You cannot patch the fact that your organization employs humans who receive email, answer phones, and make decisions under pressure.

Every vendor you work with, every accountant who has access to your systems, every new hire who hasn't been onboarded yet — they are all attack surface that no technical control reaches. Your security perimeter extends to every human who touches your business. A vulnerability scanner covers your managed endpoints. It does nothing for the supplier whose compromised email account sends your CFO a convincing invoice modification request.

"Quality training programs can reduce phishing susceptibility by up to 86% from baseline over 12 months." — KnowBe4 Phishing By Industry Benchmarking Report, 2025

Note: This data comes from KnowBe4’s own platform research — a competitor to AwareGO. Independent replication of similar effect sizes exists in academic literature, but the specific 86% figure is vendor-funded. Treat it as directionally correct rather than independently verified.

86% is not a marginal improvement. If your baseline phishing click rate is 34% — the industry average for untrained organizations — reducing it to under 5% through training means that mass phishing campaigns, which remain the dominant delivery mechanism for malware and ransomware in SME attacks, effectively stop working against your organization. That is a material risk reduction achieved without a single agent deployment or IT ticket.

Social Engineering Bypasses Every Technical Control. By Design.

Vulnerability management, configuration hardening, patch management — all of these controls operate on the assumption that attackers are attempting to exploit technical weaknesses. Social engineering is specifically engineered to avoid technical weaknesses entirely and target human judgment instead.

A well-executed business email compromise attack doesn't need an unpatched CVE. It needs an employee who receives a plausible request and acts on it without verification. Losses from BEC attacks globally exceeded $2.9 billion in 2023 according to FBI IC3 data — more than ransomware. No CTEM tool detects or prevents a fraudulent wire transfer instruction. A trained employee who pauses, verifies through a second channel, and escalates a suspicious request does.

Key figures:

  - 86%: Phishing click reduction (12 months)
  - $2.9B: BEC losses (FBI IC3, 2023)
  - 300%: Documented ROI from SAT programs
  - Days: Time to full workforce deployment

The organizations hit hardest by social engineering attacks are not the ones that failed to patch their systems. They're the ones whose employees had never been taught to question urgency, verify identities, or recognize the psychological pressure tactics that make these attacks effective. Training directly addresses the attack vector. Vulnerability scanning does not.

You Need SAT Regardless. The Compliance Argument Is Settled.

ISO 27001, the standard most European organizations are either certified to or working toward, explicitly requires documented security awareness programs in Annex A. NIS2, which applies to essential and important entities across EU member states, mandates training as part of the human resources security requirements. DORA, for financial entities, requires ICT security awareness training as a defined obligation.

The compliance argument for CTEM is real — vulnerability management evidences the technical controls DORA and NIS2 require. But so does security awareness training, and it's mandatory under the same frameworks. If you're building a compliance program and need to prioritize, SAT is the faster path to a defensible position because:

  1. It deploys in days, not months
  2. It produces auditable completion records immediately
  3. It satisfies explicit mandatory requirements under ISO 27001, NIS2, and DORA
  4. It requires no IT infrastructure changes
  5. It covers your entire workforce, not just your managed endpoints

Regulators examining your NIS2 posture will ask for evidence of awareness programs. They will ask for that evidence before they ask for your vulnerability scan reports.

The Cost-per-Employee Math

Security budgets are finite. For most organizations, the choice between SAT and CTEM is not theoretical — it is a real budget conversation where one wins and one gets deferred.

A mid-market SAT platform covering 100 employees runs approximately €3-8K annually. It requires no infrastructure, no IT project, no agent deployment, no ongoing maintenance beyond scheduling. A CTEM platform covering the same organization costs substantially more and requires a security-competent person to interpret and act on findings — which, for most SMEs, means hiring or contracting someone at significant additional cost.

The SME reality: A 100-person company with one IT generalist gets more immediate, measurable risk reduction from deploying AwareGO across all 100 employees than from deploying a vulnerability scanner that produces findings the same IT generalist cannot prioritize and remediate at speed. The tool is only as useful as the team behind it.

Security awareness training scales to your entire workforce — including finance, HR, sales, and executives — for a fraction of the per-seat cost of technical security tooling. Those are exactly the people that attackers target first in social engineering campaigns, and exactly the people that no endpoint agent reaches.

The Comparison

Both categories are legitimate. Neither is sufficient alone. When forced to choose — as most organizations are — the question is which investment delivers the most risk reduction given your actual resources and constraints.

| Factor | AwareGO (SAT) | Nanitor (CTEM) |
|---|---|---|
| Time to full deployment | Days — no infrastructure required | Weeks to months — agent rollout, tuning |
| Covers entire workforce | Yes — every employee regardless of device | Managed endpoints only |
| Covers vendor/supply chain risk | Partial — trains your employees to verify | Only your managed estate |
| Protects against BEC / fraud | Directly — trains verification behavior | Cannot detect or prevent |
| ISO 27001 / NIS2 compliance | Mandatory requirement satisfied | Supports technical requirements only |
| Measurable results in 90 days | Yes — phishing click rates, completion | Vulnerability count metrics, slower ROI |
| Requires security team to act on output | No — HR or compliance can manage | Yes — findings need security expertise |
| Reduces technical attack surface | Not directly | Core function |
| Works on unmanaged/BYOD devices | Yes | No |

When to Choose CTEM Instead

This argument has limits I should be honest about. If your organization already has security awareness training in place and your people are trained — and you have the security staff to actually act on vulnerability findings — then CTEM delivers the risk reduction that SAT cannot. Technical exposure is a real and growing attack vector. The 180% increase in vulnerability exploitation in 2024 is not a number to ignore.

The case for prioritizing SAT is strongest when:

The case for prioritizing CTEM is strongest when you have the team to use it. For most organizations buying security tools for the first time, that condition isn't met.

The Bottom Line

CTEM tools find what's broken in your infrastructure. Security awareness training fixes what's broken in your human layer. Both matter. Neither is optional in a mature program.

But if you're a mid-market organization with limited security resources, choosing where to start: the tool that deploys in days, covers every employee including the ones no scanner ever reaches, directly addresses the attack vector responsible for $2.9 billion in annual losses, and satisfies mandatory compliance requirements — that tool is a strong first move.

You can't patch your people. You can train them. And in 90 days, you can prove it's working.

Start building a security-aware culture

AwareGO deploys across your entire workforce in days — no agents, no infrastructure changes, measurable results in 90 days.

Jon Taylor
COO at Nanitor. This post argues for a competitor's product category. I stand by it. Good security thinking requires holding both sides. Views are my own.