Human risk, fully managed.
Build security habits across employees and leadership with curated, human-authored content. Measure effectiveness, identify human risk, and produce audit-ready evidence. Minimal internal overhead. Ready the same day.
How it works
Habits drive behaviour change. Compliance evidence and an organisation-wide campaign report turn that change into something you can defend to an auditor and discuss at the board.
Explore in detail

DESIGNED FOR REAL WORKDAYS
• Short, self-paced lessons - pick up where you left off • Works on any device • Secure passwordless login (email / OTP) • Respectful of people's time and attention spans
HABIT-BUILDING, NOT E-LEARNING
• Bite-sized lessons your brain can actually retain • Reflection prompts connect learning to real work situations • Light checks to reinforce key concepts • Self-checks to confirm understanding
WHITE-HAT GAMIFICATION
• Visual progress that actually motivates people • Builds genuine mastery and confidence • Gamification supports completion, not distraction • Positive reinforcement, not fear-based
Every habit is curated by a security practitioner with real-world cybersecurity and risk-management experience, not generated from a prompt.
Employee core habits
- 1.Know your security basicsCore
- 2.Protect your accountsCore
- 3.Handle data safelyCore
- 4.Spot and report phishingHigh focus
- 5.Keep devices and remote work safeCore
- 6.Know what to do when something goes wrongHigh focus
- 7.Use AI tools safelyHigh focus
Board and management governance
- 8.Cyber risk for board and managementDeep dive
- 9.Management oversight and KPIsDeep dive
- 10.Governance, liability, and continuous improvementDeep dive
Intentionally designed
- Structured as 7 employee habits and 3 governance habits (management & board complete all 10)
- Aligned with regulatory expectations
- Board members get real cyber risk literacy, not superficial awareness
Risk-based focus
- Security habits tailored to real-world risks
- High-impact topics get more time and depth (phishing, incidents, AI)
- Focused on real risk reduction, not compliance theatre
Based on recognised best practices
- Grounded in ENISA, CISA, and NIST guidance
- No jargon approach
- Delivers what auditors and regulators expect to see
Scenario-based, not theoretical
- Every habit is anchored in realistic workplace scenarios
- Reflection exercises connect learning to daily work situations
- Knowledge checks use real-world situations as close to actual attacks as possible
Mapped to major compliance frameworks
- National implementations of NIS2 Articles 20 and 21Belgium (CyFun), Czech Republic, Norway, Finland. Additional countries added as they come into force.
- SOC 2
- ISO 27001
- NIST CSF
Evidence you can actually use
- CSV and JSON exports available
- Built for internal review and external audits
- Acknowledgements, habit completions, and program completion records
- Pseudonymized by default, identified mode available
Most companies can show training completion. Few can show defensible evidence.
{
"schema_version": "1.1",
"generated_at": "2026-03-15T09:00:00Z",
"export_mode": "pseudonymous",
"campaign": {
"name": "Q1 2026 Security Foundations",
"organization": "NovaBridge Technologies BV"
},
"summary": {
"frameworks": [
"NIS2 Art.20", "NIS2 Art.21",
"ISO 27001 A.6.3", "SOC 2 CC2"
],
},
"evidence": [
{
"event_type": "acknowledgement_confirmed",
"user_identifier": "c7e2f1a4-8b3d-4e5f-...",
"timestamp": "2026-02-10T09:18:41Z"
},
{
"event_type": "habit_completed",
"metadata": { "quiz_score": 19, "quiz_total": 23 },
"timestamp": "2026-02-11T11:48:22Z"
}
]
}What leadership can see immediately
- Highest workforce risk areas by topic and severity
- Where confidence exceeds actual capability
- Trends between campaigns
- Participation and engagement gaps
- Prioritized next actions
Most companies manage technical risk. Few manage human risk with evidence.
Useful for human risk management, leadership reporting, internal audit, ISO 27001, SOC 2, and NIS2 governance evidence.
Baseline visibility from campaign one. Trends strengthen from campaign two onward.
| Credential compromise | Elevated |
|---|---|
| Social engineering | Elevated |
| Breach amplification | Elevated |
| Data exfiltration | Moderate |
| Incident Response | 58% | Weak |
|---|---|---|
| Phishing | 61% | Weak |
| AI Safety | 58% | Overconfident |
| Security Basics | 89% | Strong |
AI Safety confidence exceeds measured capability.
Your journey with SafeHabits
Evolve from compliance-driven awareness to measurable human risk management.
Stage 1
Become compliant
Establish a baseline security culture and ensure people know how to act.
You are here if
- Security awareness is ad hoc or newly introduced
- You need to pass an audit or meet a framework
- You need a reliable way to run awareness without internal overhead
- A single, fully managed campaign to establish your human-security baseline
- 7 core security habits for all employees
- Participation, completion and acknowledgment tracking
- Automated evidence generation for human-risk and security-awareness controls
- Upload-ready evidence package for GRC platforms such as Vanta or Drata
- Audit-ready evidence mapped to one selected framework: SOC 2, ISO 27001, NIS2 or NIST CSF
- Fully managed campaign delivery, including setup, onboarding, reminders and tracking
- Auditor-ready report and evidence export in CSV and JSON formats
Stage 2
Run a security program
Make security behavior visible and measurable for leadership.
You are here if
- Security awareness runs regularly but impact is unclear
- Leadership lacks visibility into effectiveness
- You need to meet NIS2 governance requirements
- Always-on awareness campaign that runs continuously, so employees can start anytime (e.g., new joiners and evolving teams)
- 7 employee security habits + 3 governance habits for leadership
- Coverage across SOC 2, ISO 27001, NIS2 and NIST CSF
- Effectiveness measurement based on understanding signals, not just completion
- Automated evidence generation for human-risk and security-awareness controls
- Upload-ready evidence package for GRC platforms such as Vanta or Drata
- Fully managed delivery, including setup, onboarding, reminders and tracking
- Leadership and board-level reporting on program effectiveness, including PPT-ready outputs
- Auditor-ready report and evidence export in CSV and JSON formats
Stage 3
Manage human risk
Turn human risk into a measurable, decision-ready security domain.
You are here if
- Human risk exists in isolation from your overall security and risk strategy
- Leadership cannot act on human risk data at board level
- You need to integrate human risk into your overall risk management and GRC stack
Available today
- All Stage 2 capabilities
- Continuous program delivery throughout the year (multiple campaigns and refresh cycles)
- Trend analysis and campaign comparison over time
- Board-level reporting on workforce risk exposure
- Human risk scoring, prioritization and actionable treatment plans
Enterprise capabilities in development
- Peer benchmarking across aggregated human-risk data
- Security champions and high-risk group insights
- Structured evidence exports and API-assisted delivery to major GRC platforms such as Vanta or Drata
- MCP server for AI-assisted GRC workflows, control mapping and evidence retrieval
- SSO / SAML for enterprise identity and access management
- Self-managed dashboards for larger programs and multi-team reporting
Stage 1 starts at €1,900/year.
Stages 2 and 3 are custom priced based on organization size and scope.
Why I built SafeHabits
I am building the security programme I would personally trust to roll out to my own teams, one that builds real understanding, ownership, and action.
As a security engineer, I have seen the same pattern repeat. Security awareness programmes that people rush through, learn little from, and quietly ignore. Most tools optimise for completion metrics, not for real understanding or ownership.
The problem is not that people are unaware of security. It is that they often do not fully understand what matters, what to look for, or what to do when something happens. As a result, security remains abstract, and responsibility stays unclear.
To challenge this, I built a methodology focused on habit-building, real understanding, and clear action. I first explored this approach by building a free consumer app focused on practical security habits(free.safehabits.eu). User feedback confirmed what I suspected. Short, respectful learning moments help people internalize security and act when it matters.
I am now bringing this approach into organizations, expanding it beyond individual behaviour to support security ownership, culture-building, and decision-making at scale. SafeHabits applies the same habit-driven principles while aligning them with modern regulatory expectations, including NIS2, SOC 2, ISO 27001, and NIST CSF.
The goal of SafeHabits is to change how organizations approach human security. To move from awareness to understanding, from understanding to action, and from action to shared ownership across the organization. Not compliance theatre, but a security culture that works in practice.
P.S. I write and curate every SafeHabits habit myself, drawn from real-world cybersecurity and risk-management experience. Not generated from a prompt.
Where does your journey to measurable human security begin?
Tell us where you are today, and we’ll identify the right next step for your organisation.



