68% of breaches involve the human element. The security awareness training industry built a billion-dollar business on that number. What they don't tell you: the attacks that cause material damage weren't waiting for your employees to click the wrong link.
The Verizon 2024 Data Breach Investigations Report puts the human element in 68% of breaches. That statistic is real, it's consistent year over year, and security awareness training vendors are right to cite it. Where they go wrong is the implication: that training the humans is the primary lever for reducing breach risk.
It isn't. And organizations that treat it as one are spending security budget in the wrong order.
What "Human Element" Actually Means
Read the DBIR more carefully. "Human element" covers errors, misuse, and social engineering. Vulnerability exploitation is counted separately, as an initial access vector in its own right, and it is the vector that has grown fastest: the 2024 report recorded a 180% increase in breaches where exploiting a vulnerability was the critical path in, compared with the prior year.
That's not a phishing problem. That's a patch management problem. A configuration management problem. An asset visibility problem. Training your employees to recognize phishing emails does nothing for the CVE that's been sitting unpatched on your edge device for 60 days.
"Vulnerability exploitation grew 180% as an initial access vector in 2024, driven largely by the MOVEit and other zero-day campaigns targeting perimeter devices." — Verizon Data Breach Investigations Report, 2024
The adversaries causing the most damage — ransomware operators, state-sponsored groups, organized financially-motivated attackers — are not relying on your employees making mistakes. They are scanning for exposed vulnerabilities, finding unpatched systems, and walking in through the front door. The phishing email, when it does appear, is often just the first step in a chain that only succeeds because of an underlying technical weakness.
The Problem with Training as a Primary Control
Security awareness training works in a specific, narrow context: it reduces the rate at which non-targeted employees make baseline security errors. If your main risk is an opportunistic mass-phishing campaign, training measurably helps.
That's not where most material damage comes from in 2026.
Sophisticated attackers don't send generic phishing emails and hope someone clicks. They research their targets. They identify the CFO's assistant, find her LinkedIn, pull her colleagues' names from conference speaker lists, craft an email that references a real event she attended last week, and send it from a domain registered two days ago that looks like a supplier she actually uses. No awareness training program trains against that — because no training program can anticipate the specific context an adversary has built about your organization.
There is also the participation problem. Continuous technical controls run whether or not anyone is paying attention. They don't depend on employee engagement, completion rates, or quarterly refreshers, and they work at 2am when your team is asleep. Awareness training is only as effective as the percentage of your workforce that retains it under pressure, and any incident responder will tell you that retention drops sharply when the pressure arrives.
What Continuous Threat Exposure Management Actually Does
Nanitor is a CTEM platform. That means it continuously discovers what's in your environment, assesses what's exposed, prioritizes what matters, and tracks remediation over time. Not a quarterly scan. Not a point-in-time assessment. Continuous visibility into the vulnerabilities, misconfigurations, and policy violations that create the attack surface adversaries exploit.
The practical difference: a CTEM platform tells you that three of your Linux servers are running a kernel version with a known exploitable CVE, that your Windows fleet is missing a patch that has been in CISA's Known Exploited Vulnerabilities catalog for 11 days, and that one of your domain controllers has a configuration that deviates from CIS Level 2 benchmarks in a way that enables privilege escalation. Your awareness training program tells you that 74% of employees completed module 4.
Both numbers matter. One of them closes attack surface. The other does not.
The Right Order of Operations
This is where most organizations get it wrong, and it's worth being direct about why. Security awareness training is easy to procure, easy to measure (completion rates, simulated phishing click rates), and easy to report to a board. "We trained 340 employees, 92% passed the phishing simulation" looks like security progress. Regulators notice it. Auditors check a box for it.
Continuous vulnerability management is harder to buy, harder to implement, and harder to explain to a board. But it's the work that actually reduces the probability of a breach.
1. Know what's in your environment — asset discovery, continuous inventory (Nanitor)
2. Know what's exposed — vulnerability detection, CVE correlation, KEV tracking (Nanitor)
3. Harden your configurations — CIS benchmarks, policy compliance, drift detection (Nanitor)
4. Train your people — phishing awareness, secure behavior, social engineering recognition (AwareGO)
5. Test your people — simulated campaigns, behavioral metrics (AwareGO)
Organizations that jump to step 4 without completing steps 1 through 3 are training staff to identify fires while leaving the gas on. Their people get better at recognizing danger. Their attack surface stays wide open.
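To make step 2 concrete, here is an added example of the correlation and prioritisation that a CTEM workflow performs when it reports "a patch that has been in CISA's KEV catalog for 11 days". It is illustration code written for this article, not Nanitor's implementation. The scanner output and the KEV excerpt are constructed, the CVE identifiers are placeholders (no real CVE uses year 0000), and the P1 to P4 tiering scheme is an assumption of this example. Only the KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the real catalog's JSON schema; the dueDate values are CISA's BOD 22-01 deadlines for US federal agencies and are used here purely as an urgency signal.

```python
"""Correlate scanner findings with a CISA KEV excerpt and rank them.

Added illustration, not Nanitor's code. Scanner output, KEV entries and
CVE identifiers below are constructed placeholders; only the KEV field
names match the public known_exploited_vulnerabilities.json schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Fixed report date so the ranking is reproducible (constructed).
REPORT_DATE = date(2026, 2, 21)

# Constructed excerpt in the shape of CISA's KEV feed. Placeholder IDs.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05",
         "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-10",
         "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2026-01-20",
         "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass(frozen=True)
class Finding:
    """One scanner result: a CVE affecting a package on a host (constructed)."""
    host: str
    package: str
    cve: str
    cvss: float


# Constructed scanner output. Two findings are deliberately absent from KEV.
FINDINGS = [
    Finding("edge-fw-01", "vpn-gateway 4.2.1", "CVE-0000-0001", 9.8),
    Finding("lin-app-07", "linux-kernel 5.15.0", "CVE-0000-0003", 7.8),
    Finding("win-dc-01", "windows-server 2022", "CVE-0000-0002", 8.8),
    Finding("lin-app-08", "openssl 3.0.2", "CVE-0000-0009", 9.1),
    Finding("lin-app-09", "curl 7.81.0", "CVE-0000-0010", 5.3),
]


def index_kev(catalog: dict) -> dict[str, dict]:
    """Map cveID -> KEV entry so each finding is an O(1) lookup."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def sort_key(finding: Finding, kev_entry: dict | None, today: date) -> tuple[int, int, float]:
    """Sort key; lower tuples sort first. Tiering is this example's own scheme:

    P1  in KEV and either ransomware-linked or past CISA's due date
    P2  in KEV, not yet due
    P3  not in KEV but CVSS >= 9.0
    P4  everything else
    Ties break on days since KEV addition (longer exposed first), then CVSS.
    """
    if kev_entry is None:
        return (3 if finding.cvss >= 9.0 else 4, 0, -finding.cvss)
    days_in_kev = (today - date.fromisoformat(kev_entry["dateAdded"])).days
    overdue = today > date.fromisoformat(kev_entry["dueDate"])
    ransomware = kev_entry.get("knownRansomwareCampaignUse") == "Known"
    level = 1 if (overdue or ransomware) else 2
    return (level, -days_in_kev, -finding.cvss)


def prioritise(findings: list[Finding], catalog: dict, today: date) -> list[dict]:
    """Return findings as report rows, most urgent first."""
    kev = index_kev(catalog)
    ordered = sorted(findings, key=lambda f: sort_key(f, kev.get(f.cve), today))
    rows = []
    for f in ordered:
        entry = kev.get(f.cve)
        rows.append({
            "tier": f"P{sort_key(f, entry, today)[0]}",
            "host": f.host,
            "cve": f.cve,
            "package": f.package,
            "cvss": f.cvss,
            "days_in_kev": (today - date.fromisoformat(entry["dateAdded"])).days if entry else None,
            "overdue": entry is not None and today > date.fromisoformat(entry["dueDate"]),
        })
    return rows


if __name__ == "__main__":
    for r in prioritise(FINDINGS, KEV_CATALOG, REPORT_DATE):
        kev_note = f"in KEV {r['days_in_kev']}d" if r["days_in_kev"] is not None else "not in KEV"
        print(f"{r['tier']}  {r['host']:<11} {r['cve']}  CVSS {r['cvss']:<4} {kev_note}"
              f"{'  OVERDUE' if r['overdue'] else ''}")
```

The point the output makes is that the CVSS 7.8 kernel finding on lin-app-07 outranks the CVSS 9.1 OpenSSL finding on lin-app-08, because the former is known to be exploited in the wild and has been in the catalog for over a month. A severity-only view would invert that order. Against the real feed you would replace KEV_CATALOG with the downloaded JSON and FINDINGS with your scanner's export; the correlation logic does not change.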
The Comparison
AwareGO and Nanitor are not direct competitors — they solve genuinely different problems. The comparison is worth making explicitly because organizations often face a budget decision between the two categories, not between specific products.
| Capability | Nanitor (CTEM) | AwareGO (SAT) |
|---|---|---|
| Reduces technical attack surface | Core function | Out of scope |
| Continuous vulnerability detection | Agent-based, always-on | Not applicable |
| Configuration hardening (CIS) | 111 benchmark directories | Not applicable |
| Patch management visibility | Integrated, prioritized | Not applicable |
| DORA / NIS2 technical evidence | Built for this | Partial (awareness only) |
| Works without employee action | Yes — agent-based | Requires participation |
| Human behavior risk reduction | Out of scope | Core function |
| Phishing simulation | Out of scope | 40+ scenarios, 18 languages |
| Security culture measurement | Out of scope | Human risk scoring |
A mature security program needs both. The question is which one to build first — and which one to reach for when you can only fund one at a time.
The Regulatory Reality for European Organizations
DORA has applied to EU financial entities since 17 January 2025. The NIS2 transposition deadline was October 2024, and member states are still completing their national laws. Both impose obligations that go well beyond awareness training.
DORA requires demonstrable ICT risk management, continuous vulnerability identification, and documented resilience testing. NIS2 requires technical and organizational measures proportionate to identified risk — with specific emphasis on asset management, vulnerability handling, supply chain security, and incident response capability.
DORA has not yet been incorporated into the EEA Agreement, so it does not yet apply directly in Iceland. But Icelandic financial firms operating in EU markets, and any Icelandic company with EU customers or suppliers within NIS2 scope, are already working through their obligations. The compliance tailwind for CTEM platforms is significant and growing.
The Bottom Line
Security awareness training is a real control. AwareGO builds it well. If your organization has solid vulnerability management in place — continuous detection, regular patching, configuration benchmarking — then layering awareness training on top makes your program genuinely comprehensive.
But most organizations haven't done that work yet. Their vulnerability backlogs are growing. Their patch cycles are measured in months, not days. Their configuration drift is invisible. And they're spending budget on phishing simulations.
Attackers don't wait for your employees to make mistakes. They exploit what's already exposed. Fix that first.
See what's exposed in your environment
Nanitor gives you continuous visibility into vulnerabilities, misconfigurations, and compliance posture across your entire estate.
Book a Demo →