Your client’s next breach has a first name.

Somewhere inside every client you manage, there is a Sam. Sam is not malicious. Sam is busy. Sam reuses one password everywhere, approves prompts without reading them, downloads the attachment because the invoice looked urgent. Verizon’s 2026 DBIR puts the human element in 62% of breaches, but that number hides the part that matters for an MSP: the risk is not spread evenly across a client’s staff. It concentrates in a few specific people. You cannot patch a person. The question is whether you can measure one.

62%
of breaches involve the human element (Verizon DBIR 2026)
19,500
employees in UCSD's eight-month randomized trial
75%
closed the embedded training within one minute
50%+
of staff clicked a phishing link by month eight

For twenty years the official fix for Sam has been awareness training, and we finally have hard evidence of what it accomplishes. Researchers at UC San Diego ran an eight-month randomized trial across more than 19,500 hospital employees with ten phishing campaigns. Employees who had just completed their annual training clicked at the same rate as employees who had none. By month eight, more than half the workforce had clicked at least one phishing link. And when embedded training popped up after a mistake, 75% of users closed it within a minute.

This does not mean education is worthless. It means education as commonly delivered, one generic annual slideshow for everyone, disconnected from anything the employee actually did, measurably does not change behavior. The client keeps paying for it because it satisfies a checkbox, and the MSP keeps deploying it because nothing in the stack offers a better handle on the human problem.


Here is the uncomfortable exercise. Pick any client and ask: which five employees are most likely to cause their next security incident? Not which department, which five people. Then ask what evidence you would base the answer on.

DNS filtering can’t tell you. EDR can’t tell you. The email gateway can’t tell you. Each of them watches infrastructure, and this is a question about behavior. The result is that most providers manage their clients’ biggest breach factor by anecdote: everyone gets the same policies, the same training, the same attention, and Sam gets exactly as much scrutiny as the colleague who has never clicked a bad link in her life.

Employees now spend most of the workday inside a browser, which makes it the one honest vantage point on behavior. DefensX runs more than 30 data probes in the browser while people simply do their jobs, and turns what it sees into a per-user Cyber Resilience score across four categories: password hygiene, social engineering exposure, malware-prone behavior, and sensitive data handling. Every score drills down to the specific events that moved it, so “Sam is risky” becomes “Sam reused a breached password on two SaaS logins and spent Tuesday on look-alike domains.”

DefensX does this as measurement, not surveillance: the analysis of sensitive inputs happens on the device, breach checks use k-anonymity, and no password ever leaves the endpoint. What the MSP receives is a ranked, evidence-backed picture of exactly where the human risk sits, per client, per user, updated continuously.


Scoring alone would just be a prettier way to worry, so DefensX puts the score to work twice.

01

First, it coaches.

Auto Pilot watches each user’s resilience scores against thresholds and automatically delivers short, personalized micro-trainings to the people whose behavior earned them, in the moment that matters rather than at annual-compliance time. Sam gets coached on the thing Sam actually does. The colleague with clean scores is left alone. As scores improve, the training backs off on its own, with no extra workload landing on your technicians.

02

Second, it enforces.

The same browser layer that measures Sam also protects him while he learns: it controls where a corporate password can be entered so the look-alike login page gets a policy instead of a credential, inspects suspicious pages at the moment of the click, and governs what flows into unsanctioned AI tools. Coaching bends the curve over weeks; enforcement covers the gap today. A human risk program that only trains is a forecast. One that trains and enforces is a defense.

That is the piece the slideshow era got backwards. Training was never the product. Changed behavior, proven by a number that moves, is the product.


For an MSP, this changes two conversations. In the QBR, “we blocked 40,000 threats” becomes “your organization’s risk score improved 22 points this quarter, here are the three users we coached and the incidents that never happened.” DefensX rolls that up per client from one multi-tenant console, so the report that proves your value is generated, not assembled, and it quietly answers the questions cyber insurers have started asking about human risk controls. And in the prospect meeting, running this snapshot for a potential client walks you in with something no competitor’s pitch deck contains: the actual distribution of their human risk, with names on it.

Your client’s next breach has a first name. The only question is whether you learn it from a risk report, or from an incident report.


Ready to enhance your data security strategy?

Contact DefensX today to learn how AI-powered web DLP can protect your business!

Contact Us