Riot simulates real phishing attacks so employees actually learn to resist them. $71.8M raised – because behavior change beats awareness training.
ENTRY ANGLES
Build a cybersecurity training platform with AI coach similar to Riot or CultureAI · Create educational platform with built-in behavior change verification mechanisms · Develop digital coach for specific employee behavior shifts with measurable outcomes
CAPABILITIES
Behavior change measurement and verification mechanisms, AI coaching technology, Simulated training scenarios or similar verification methods
Since ChatGPT's launch, cyberattacks targeting employees have increased by over a thousand percent – and become dramatically more sophisticated, arriving as convincing emails from familiar-looking senders that are almost impossible to resist clicking.
Riot built a platform where companies can train their employees to resist those tactics and protect both personal and corporate information from attackers trying to get in through the human door.
At the center of the platform is an AI coach named Albert, who drops into employee messaging apps periodically, asks if they have a minute, runs a short training module on a cybersecurity topic, and then quizzes them on it.
All training activity and results are logged, giving administrators a clear view of which employees have completed which modules and how they performed.
The most interesting part isn't the quizzes – it's the simulations. Administrators can send employees realistic-looking phishing emails at any time to test whether the trained behaviors actually stick in practice. The platform includes a curated library of phishing templates; admins can select topics manually or let the system automatically send targeted simulations based on each employee's training history.
Employees are expected not just to ignore suspicious emails, but to actively report them to the platform – whether they're training exercises or real attacks. Reports of genuine threats are routed to the company's security team and shared with other employees who may be targeted next.
Employees earn points for every security-positive action: enabling two-factor authentication, passing a training module, reporting a phishing attempt (real or simulated). Administrators can see an at-a-glance security readiness score for the entire company, broken down by department or individual.
A separate AI assistant answers employee security questions at any hour and sends proactive reminders – for instance, flagging when a password is due for rotation or alerting employees to newly active threat types.
Companies with fewer than 10 employees can use the platform for free. For teams between 11 and 150, it's $5.83 per employee per month. Larger organizations get custom pricing.
Riot currently serves 1,500 client companies with more than 1 million employees connected to the platform. Notable clients include Intercom, L'Occitane, Deezer, and Y Combinator – which the startup went through in 2020.
In 2024, Riot crossed $10 million in annual revenue, continuing a pattern of year-over-year multiplication. The company just raised a new $30 million round, bringing total funding to $71.8 million.
Last summer, a very similar platform built by CultureAI ([related review](/review/vot-istochnik-90-problem)) was covered here; it had raised $23.5 million.
What's interesting: CultureAI was founded five years before Riot. Riot apparently looked at an existing category, built a near-identical product, went through Y Combinator anyway, and has now raised $71 million. "This already exists" is clearly not a disqualifying objection when the market is big enough and demand for the product type is real.
Which is a good reason to keep scanning for startup ideas that work and asking whether they can be replicated or improved upon.
And this market is genuinely large. Every company that handles sensitive data – which is most of them – has reason to care about what happens when an employee clicks the wrong link. According to Forrester, 90% of data breaches in 2024 involved a human element. In the vast majority of those cases, the employee wasn't acting maliciously – they were fooled. A phishing email here, a credential entered on a fake login page there.
This has pushed the category of Security Awareness and Training (SA&T) into its own discrete market, projected to reach $10 billion by 2027.
The key insight – one that both Riot and CultureAI have built around – is that theoretical training isn't sufficient. You can make employees pass courses and ace tests, and they'll still click the wrong thing under pressure. Behavior has to be trained at the reflex level. That's why simulated phishing attacks are the core of the product, not a feature: they drill the right responses until they become automatic.
The most direct opportunity here is building a platform similar to Riot or CultureAI.
The demand is real – 1 million employees connected to Riot alone proves that. Investor appetite is clearly there. The SA&T market is growing toward $10 billion. There's room for multiple platforms in a category this size. The window before the space fills up is still open.
The broader opportunity is more interesting: educational platforms whose value proposition isn't just knowledge transfer, but measurable behavior change – and that have built-in mechanisms to verify whether the change actually happened.
For Riot and CultureAI, that verification mechanism is the simulated phishing attack. Other corporate learning startups are moving in the same direction.
Stride ([reviewed here](/review/tema-mikro-dengi-makro)) built a digital coach designed to shift employee behaviors around leadership and collaboration – raising $1.5 million, part of which came after its review.
Cloverleaf ([covered here](/review/bolshe-uchit-no-menshe-vkladyvatsja)) built another employee digital coach with explicit behavior-change goals, raising $18.1 million.
But declaring the goal of changing behavior is easier than proving you achieved it. The real question is: what exactly are you training people to do, and how will you demonstrate that their behavior has actually shifted?
Answer both of those – the "what" and the "how you verify it" – and you have the blueprint for a genuinely effective corporate learning startup.