CASE FILE // PC-2026-04
Status: Open


Filing 05.04.00 | Field 27 APR 2026 | Classification Public | Status Open

Hoxhunt cost: $32 to $90 per user per year, behaviour-change positioning

Hoxhunt is the Helsinki-based phishing-training platform whose Phishing Trends Report and AI-vs-human red-team benchmarks helped drive the AI-phishing-economics-inversion narrative across the industry. Pricing premium reflects per-user behaviour-tracking analytics and AI-adaptive simulation content. All figures estimated from public RFP awards and buyer-community reports as of 2026.

Exhibit A

Why Hoxhunt prices above KnowBe4 and Proofpoint


Hoxhunt pricing in 2026 sits at an estimated $32 to $90 per user per year, the highest of any major awareness-training platform on average. The price premium versus KnowBe4 ($20-$60) and Proofpoint PSAT ($25-$70) reflects three structural factors that make Hoxhunt distinct in the market.

First, Hoxhunt's pricing model emphasises per-user behaviour-change measurement rather than content-library access. The platform tracks each user's phishing-resilience score over time, adapts simulation difficulty per user to maximise behaviour change, and reports outcomes at the individual level for risk-management purposes. This is more expensive for the vendor to operate because every user effectively gets a personalised simulation programme rather than a uniform content rotation, and the price reflects that per-user personalisation cost.

Second, Hoxhunt's simulation content includes AI-generated lures built to match the sophistication of current attacker output. The legacy platforms (KnowBe4, PSAT, older Cofense) have traditionally relied on human-written templated lures, which are easier to recognise than the AI-generated lures attackers now send. Hoxhunt's investment in AI-generated simulation content is one of the strongest product differentiators in the category for 2024-2026 and is reflected in pricing.

Third, Hoxhunt's brand positioning emphasises Finnish-engineering quality, GDPR-native data processing, and behavioural-science methodology. The positioning resonates particularly well with European enterprise buyers and increasingly with US enterprise buyers in regulated industries. The brand premium is real but is a smaller factor than the per-user-personalisation and AI-content factors. Mid-market organisations typically see pricing in the $40 to $60 per user range; enterprise organisations typically see $60 to $90.[USASpending + GovSpend Hoxhunt contract records 2023-2025 + Hoxhunt product literature + buyer-community pricing threads]

Exhibit B

Hoxhunt's AI-phishing research: what the vendor actually measures

REFERENCE

Hoxhunt's distinctive contribution to the AI-phishing-economics debate is its red-team benchmarking. In a March 2025 benchmark, Hoxhunt found that fully automated AI spear-phishing agents had become roughly 23 percent more effective than elite human red teams (a 2.78 percent failure rate for AI versus 2.25 percent for humans), with AI's relative performance improving about 55 percent between 2023 and 2025. The headline is the crossover: by Hoxhunt's own measurement, AI-generated phishing now outperforms the best human social engineers, not just average attackers. The absolute gap is about half a percentage point of failure rate, so the direction of the crossover matters more than the exact ratio, and buyers should ask how "failure" was defined before reusing the number.

Hoxhunt's Phishing Trends Report separately recorded a 14x spike in AI-generated phishing during the December 2025 holiday season (rising from roughly 4 percent to 56 percent of reported attacks, and still near 40 percent into January 2026). Two figures often attributed to Hoxhunt in fact originate elsewhere and are kept correctly sourced on this site: the 54-versus-12 percent click-through comparison is from a controlled Harvard study (Heiding, Lermen and Schneier, 2024, where AI-automated lures matched human experts at 54 percent against a 12 percent arbitrary-phishing control), and the 1,633 percent Q1 2025 deepfake-vishing surge is from Keepnet's 2025 State of Vishing Report (Q1 2025 versus Q4 2024, see /by-attack/vishing).

The implication for buyers is that Hoxhunt's measurement infrastructure is itself a product feature. The per-user behavioural-tracking that powers its public benchmarks is the same infrastructure that produces the per-user risk-scoring and customer-level outcome reporting buyers receive in their own program. Buyers evaluating Hoxhunt should request a sample report at the level of detail they would expect to use internally; the reporting depth is a material part of what justifies the price premium.[Hoxhunt AI-vs-human red-team benchmark (Mar 2025) + Hoxhunt Phishing Trends Report 2026]

Exhibit C

Worked examples by organisation profile


Organisation profile | Likely tier | Per-user cost | Annual total
500-employee mid-market, mature program | Standard | $50 | $25,000
2,000-employee mid-market | Standard | $48 | $96,000
5,000-employee upper mid-market | Enterprise | $55 | $275,000
10,000-employee enterprise | Enterprise (volume) | $50 | $500,000
25,000-employee large enterprise | Enterprise (deep volume) | $42 | $1,050,000
50,000-employee Fortune 500 (EU-HQ) | Enterprise (EU-residency) | $38 | $1,900,000

Examples use midpoint negotiation outcomes. Hoxhunt's pricing-versus-volume curve is steeper than KnowBe4's, meaning that smaller organisations pay relatively more per-user than larger ones. EU-residency requirements typically come at no premium because Hoxhunt's default deployment is EU-hosted.[Triangulated from Hoxhunt public contract records + reseller catalogue data]

Exhibit D

The behaviour-change pricing model in practice


Hoxhunt's behaviour-change pricing model is operationally different from the content-library model that KnowBe4 emphasises. The platform delivers individual simulation campaigns at adaptive difficulty: each user starts at an entry-level simulation, the platform records the response, and subsequent simulations escalate in difficulty for users who handle the current level well or stay at simpler levels for users who continue to struggle. The personalisation lets the program measure behaviour change at the individual level, not only as an organisation-wide aggregate.

The practical benefit is that the program can identify and target high-risk individuals for additional intervention. A finance-team member who consistently falls for BEC-type simulations can receive targeted training on recognising wire-instruction changes. A platform engineer who consistently misses AitM-style lures can receive additional training on URL-inspection patterns. That kind of targeting is much harder to do on content-library platforms that deliver the same simulation rotation to everyone.

The honest caveat is that per-user behaviour-tracking of this depth raises privacy and HR-policy questions that some organisations have struggled with. Tracking an individual's phishing-resilience score over time produces sensitive employee data, and some works councils (particularly in Europe) and some HR teams have pushed back on it. Because the scores are personal data about identifiable employees, include them in the DPIA and in the Article 28 processing scope, restrict named-user visibility to the security team, and give management only aggregated views. Buyers should evaluate the data-handling and reporting-visibility configuration carefully and ensure that per-user scoring is used for targeted intervention rather than performance management. Using the scores for HR discipline will undermine the trust the program needs to succeed.[Hoxhunt product literature + customer behaviour-change case studies 2023-2025]
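The adaptive ladder, the intervention targeting and the reporting-visibility split described in this exhibit, as an added worked example written for this page in Python. It is not Hoxhunt's code or algorithm: the escalation rule, the thresholds, the lure categories, the pepper and the event log are all assumptions constructed for the illustration.

```python
"""Toy model of an adaptive, per-user phishing-simulation ladder with
intervention targeting and a pseudonymised export. Added example for this
page; it is not Hoxhunt's code or algorithm. The ladder rule, thresholds,
lure categories and the event log below are all constructed assumptions."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Difficulty ladder, lowest to highest (assumed, not the vendor's tiers).
LEVELS = ["entry", "standard", "advanced", "ai-grade"]
ESCALATE_AFTER = 2    # consecutive reports at a level before stepping up
FLAG_MIN_SEEN = 3     # never flag a category on fewer lures than this
FLAG_MISS_RATE = 0.5  # miss rate at or above which a user/category is flagged


@dataclass
class UserState:
    level: int = 0      # index into LEVELS
    streak: int = 0     # consecutive "reported" outcomes at the current level
    seen: dict = field(default_factory=lambda: defaultdict(int))    # lures sent, by category
    missed: dict = field(default_factory=lambda: defaultdict(int))  # clicks, by category


def apply_outcome(state: UserState, category: str, outcome: str) -> None:
    """Move one user along the ladder after a simulation outcome.

    reported: counts toward escalation; two in a row step the user up one level.
    clicked:  a miss; drop one level (floor at entry) and reset the streak.
    ignored:  neither; no ladder movement, but the streak is broken.
    """
    state.seen[category] += 1
    if outcome == "reported":
        state.streak += 1
        if state.streak >= ESCALATE_AFTER and state.level < len(LEVELS) - 1:
            state.level += 1
            state.streak = 0
    elif outcome == "clicked":
        state.missed[category] += 1
        state.streak = 0
        state.level = max(0, state.level - 1)
    elif outcome == "ignored":
        state.streak = 0
    else:
        raise ValueError(f"unknown outcome {outcome!r}")


def run_programme(events):
    """Replay (user, lure category, outcome) events in order; return per-user state."""
    states = defaultdict(UserState)
    for user, category, outcome in events:
        apply_outcome(states[user], category, outcome)
    return dict(states)


def intervention_targets(states):
    """Per-user, per-category miss rates worth a targeted module (e.g. a finance
    user who keeps missing BEC lures). Stays inside the security team."""
    targets = []
    for user, st in states.items():
        for category, n in st.seen.items():
            if n >= FLAG_MIN_SEEN:
                rate = st.missed[category] / n
                if rate >= FLAG_MISS_RATE:
                    targets.append((user, category, round(rate, 2)))
    return sorted(targets)


def team_summary(states, team_of):
    """Aggregate miss rate per team: the view to give management or HR, with no
    per-user rows, so the scores cannot be repurposed for discipline."""
    seen, missed = defaultdict(int), defaultdict(int)
    for user, st in states.items():
        team = team_of.get(user, "unknown")
        seen[team] += sum(st.seen.values())
        missed[team] += sum(st.missed.values())
    return {t: round(missed[t] / seen[t], 2) for t in seen if seen[t]}


def pseudonymise(user_id: str, pepper: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for exported per-user rows: reproducible for the
    team holding the pepper, not reversible or joinable to HR data without it."""
    return hmac.new(pepper, user_id.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed event log for three users, in chronological order.
EVENTS = [
    ("alice@example", "bec", "reported"),
    ("alice@example", "bec", "reported"),   # second report: alice steps up to "standard"
    ("alice@example", "aitm", "reported"),
    ("alice@example", "aitm", "reported"),  # and again to "advanced"
    ("bob@example", "bec", "clicked"),
    ("bob@example", "bec", "reported"),
    ("bob@example", "bec", "clicked"),
    ("bob@example", "aitm", "reported"),
    ("bob@example", "bec", "clicked"),      # bec: 3 of 4 missed -> flagged
    ("carol@example", "aitm", "ignored"),
    ("carol@example", "aitm", "clicked"),
    ("carol@example", "aitm", "clicked"),   # aitm: 2 of 3 missed -> flagged
]
TEAM_OF = {"alice@example": "finance", "bob@example": "finance", "carol@example": "platform"}

if __name__ == "__main__":
    states = run_programme(EVENTS)
    pepper = b"rotate-me-and-keep-in-the-security-vault"  # assumed secret, not a real key
    for user, st in states.items():
        print(pseudonymise(user, pepper), LEVELS[st.level])
    print("targets (security team only):", intervention_targets(states))
    print("team view (shareable):", team_summary(states, TEAM_OF))
```

The design point is the split: intervention_targets stays inside the security team, team_summary is what leaves it, and any per-user export is keyed-hashed so it cannot be joined to HR identities without the pepper. Custody and rotation of that pepper is itself a control to write down in the data-handling configuration.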

Exhibit E

The EU-data-residency and GDPR-native posture


Hoxhunt's Finnish base and EU-default data processing give it a clean GDPR posture that is attractive for organisations with European data subjects. Default deployment hosts user data in EU data centres, processing is documented for GDPR Article 28 controller-processor compliance, and the Standard Contractual Clauses are included in the standard contract. This matters versus US-based competitors, who require explicit configuration steps and contract addenda to reach equivalent GDPR alignment.

For US-headquartered organisations with EU operations, the EU-native posture removes a contract-negotiation step that frequently delays procurement of competing vendors. For organisations in scope of the EU NIS2 directive or DORA, it aligns with the broader expectations on data handling and supplier-of-record location. The differentiation is small in absolute terms but accumulates over a multi-year procurement cycle, particularly for buyers with active EU regulator relationships.

The competing vendors are increasingly responsive on this dimension. KnowBe4, Proofpoint PSAT, and Cofense all offer EU-hosted deployment options for buyers who require them, with varying degrees of operational maturity. The Hoxhunt advantage is that the EU-hosted option is the default rather than a special configuration, which is a procurement-velocity benefit even when the underlying capability is comparable. For US-only organisations without EU operations the differentiation does not apply and Hoxhunt's pricing premium has to be justified on the per-user-behaviour-tracking and AI-content dimensions alone.[Hoxhunt EU-data-residency documentation + GDPR Article 28 conformance materials + competing-vendor EU-hosting options 2024-2025]

Exhibit F

What buyers should ask before signing the Hoxhunt contract


What is the per-user pricing including any volume discount?

Hoxhunt's pricing-versus-volume curve is steeper than KnowBe4's. Get the offered per-user price and compare against KnowBe4 Diamond and Proofpoint PSAT enterprise pricing at the same volume.

What is the per-user behaviour-tracking output detail?

Confirm what risk-scoring data the program produces, how it is exposed to the security team, and how it is exposed to HR (if at all). Confirm with HR and legal before deploying.

What is the AI-content simulation rotation?

Hoxhunt's distinguishing capability versus competitors is AI-generated lure content. Confirm the rotation cadence and the lure-pattern coverage to ensure you are paying for the capability you intended to buy.

What is the data-residency configuration?

Default EU-hosted. Confirm US-hosting option if required, and confirm the SCC and Article 28 conformance materials. EU-default is a procurement-velocity benefit.

What is the customer-success engagement model?

Hoxhunt's customer success has historically been higher-touch than KnowBe4's self-service model. Confirm what level of engagement is included.

What is the multi-year discount structure?

3-year and 5-year commitments yield meaningful discount. Compare against optionality cost. Hoxhunt's product roadmap is well-funded but the field is moving rapidly, which suggests caution on long-term lock-in.

Exhibit G

Frequently filed questions

ON RECORD

How much does Hoxhunt cost?

Estimated $32-$90 per user per year. Mid-market typically $40-$60; enterprise $60-$90. Premium pricing reflects per-user behaviour-tracking analytics, AI-adaptive simulation content, and Finnish-engineering brand positioning.

Why is Hoxhunt more expensive than KnowBe4?

Pricing emphasises per-user behaviour-change measurement rather than content-library access. AI-generated simulation content is more expensive to operate at vendor side. Premium also reflects Finnish-engineering brand positioning.

Is Hoxhunt better against AI-grade phishing?

On the simulation-content dimension, yes: Hoxhunt's lures include AI-generated content built to match current attacker output, where legacy platforms rely more on templated human-written lures. The 30-40% versus 15-20% click-rate-reduction figures sometimes quoted for Hoxhunt against legacy platforms are not backed by a controlled head-to-head comparison on this page; treat them as indicative, and ask the vendor for the sample report described in Exhibit B before relying on them.

Where is Hoxhunt based?

Helsinki, Finland. Default deployment is EU-hosted. GDPR-native data processing. Attractive for organisations with EU operations or under NIS2/DORA frameworks.

What does Hoxhunt's research show about AI phishing?

Hoxhunt's March 2025 benchmark found AI spear-phishing agents about 23% more effective than elite human red teams, and its Phishing Trends Report logged a 14x spike in AI-generated phishing in December 2025. The widely-quoted 54% vs 12% click-through is from a Harvard study (Heiding et al., 2024); the 1,633% Q1 2025 deepfake-vishing surge is from Keepnet, not Hoxhunt.

Is Hoxhunt worth the price premium?

For organisations facing material AI-spear-phish exposure (tech, financial services, professional services), generally yes. For SMBs primarily exposed to bulk phishing, KnowBe4 Silver is likely more cost-effective.

What are the privacy considerations with per-user tracking?

The per-user scoring data is sensitive. Confirm data-handling configuration with HR and legal before deploying. Avoid using scores for HR-discipline purposes; misuse will undermine trust.

Updated 2026-04-27