Skip to main content

Help us improve the Digital Marketplace - send your feedback

Hut Six

Cyber Awareness Training and Simulated Phishing

Train, test and track your organisation's cyber security awareness with automatically customised training and phishing simulations in one platform. Hut Six specialises in high quality, interactive and engaging training. Create your own phishing attacks or leverage our pre-built templates in unlimited campaigns. Comprehensive, flexible reporting integrates training and phishing metrics.


  • Comprehensive security awareness course with animated and voiced tutorials
  • Phishing Simulation, automated campaigns and configurable email templates
  • Add custom questions to assess your workforce
  • Real-time reporting dashboards or save custom reports
  • Automated scheduling, notifications and alerts
  • Single Sign On and Active Directory Integrations
  • Learning Management System, built in-house, designed for information security training
  • Mobile and tablet compatible
  • Fully accessible and conformant with WCAG 2.1 level AA
  • Integrations into existing Learning Management Systems


  • Change user behaviour through increased information security awareness
  • Assess your staff against the latest phishing threats
  • Demonstrate understanding of security policies through custom questions
  • Meet compliance obligations such as ISO27001, Cyber Essentials, GDPR
  • Simplify the security audit process with easily readable training metrics
  • Measure and reduce the cyber security risk of your organisation
  • Engage users with scenario-based training that adapts to their actions
  • Regular and concise training maintains awareness in your organisation
  • Create a secure culture within your organisation
  • Manage your awareness and phishing campaigns in one platform


£4 to £16 a user a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

2 3 4 2 8 3 7 2 4 7 1 3 5 0 6


Hut Six Simon Fraser
Telephone: 07960605233

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Hut Six shall use commercially reasonable endeavours to make the Services available 24 hours a day, 7 days a week, except for:
(a) planned maintenance carried out during the maintenance windows of 8:00 am to 10:00 am Saturdays, Sundays and Mondays UK time; and
(b) unscheduled maintenance performed outside Normal Business Hours, provided that the Supplier has used reasonable endeavours to give the Customer at least 3 Normal Business Hours' notice in advance.
System requirements
  • Any supported web browser
  • An internet connection

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 9 working hours (excluding weekends and bank holidays) where a working hour is between 9am-5pm, Monday-Friday.
User can manage status and priority of support tickets
Phone support
Web chat support
Onsite support
Support levels
Hut Six provides email support to all end users 9am-5pm Monday-Friday, excluding bank holidays.

Clients will have a dedicated Customer Success Specialist.

Technical support is provided by our Product Team or Software Engineers.
Support available to third parties

Onboarding and offboarding

Getting started
Clients are onboarded by their dedicated Customer Success Specialist.

Upon first use of the platform users are taken through a simple tutorial.

Super users have access to a comprehensive knowledgebase and support articles.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
Hosted Knowledge-base
End-of-contract data extraction
An Electronic form of the database (.csv)
End-of-contract process
(a) Hut Six may destroy or otherwise dispose of any of the Customer Data in its possession unless they receive, no later than ten days after the effective date of the termination of the contract, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. Hut Six shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by Hut Six in returning or disposing of Customer Data; and (b) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Each user is authenticated individually and has their own dashboard where they can complete training, access resources and see their own metrics.

Super users also have access to the Management Dashboard, Reporting and Administrative functions.

Flexible integration options for our Learning Management System.

APIs available for reporting and administrative operations.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Worked directly with users of assistive technology within our public sector customer base to ensure all users are able to fully benefit from our training.

Internal testing completed with screen readers and other assistive technology.
What users can and can't do using the API
Flexible integration options for our Learning Management System.

APIs are available for all reporting and administrative operations.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Hut Six's awareness platform enables easy customisation at scale. All modules, release schedules and notifications are configurable.

Our training is automatically customised to end user and organisation. With placeholders that populate policy and contact information, names, branding and logos.

Customisations to the tutorial content can be made through the management dashboard by Super Users. This ensures that the training that is delivered to a user is directly relevant and meets requirements.

In addition, Hut Six has built optional content segments that can be enabled. These segments are used to cover common differences in policies between organisations in topics such as password security.

Hut Six’s Second & Third Year content uses branching scenarios to customise the learning experience for individual users. Each action the user takes impacts the narrative.

This multiyear approach keeps users engaged, focusing on personal reasons for secure behaviour and reinforces past knowledge without feeling repetitive.

Phishing attacks can be customised and edited by super users for use within campaigns.

Reports can be customised to analyse and draw out key security awareness metrics.


Independence of resources
The service is hosted in Amazon Web Services, which provides the ability for the system to dynamically scale with usage.


Service usage metrics
Metrics types
The Management Dashboard creates a snapshot view of the security awareness across organisations.

Training campaigns are monitored on key metrics including score, completion and progress.

Metrics are tracked across configurable Users Groups, typically mapping department, team and job role or by Courses enabling clients to identify topics that users struggle with.

Automated alerts reduce manager workload and bring attention to problem areas in the organisation.

Three-stage phishing attacks provide metrics on open rates, click rates and data submissions. Reports are generated analysing the performance of templates and users.

Clients can track metrics in their existing LMS through our xAPI integration.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Users can export organisation metrics relating to the training from the platform in the form of a (.csv) database record file.

If a user wishes for all of their data to be exported as part of a GDPR subject access request, they must email Hut Six directly and will be supplied with a (.csv) database record file of all their data.

Some reporting functions generate easy to read .pdf files in addition.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
  • Azure Active Directory Integration
  • Direct form data entry
  • XAPI

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Hut Six shall use commercially reasonable endeavours to make the services available 24 hours a day, seven days a week, except for:
(a) planned maintenance carried out during the maintenance windows of 8:00am to 10:00am Saturdays, Sundays and Mondays UK time; and
(b) unscheduled maintenance performed outside Normal Business Hours, provided that Hut Six has used reasonable endeavours to give the Customer at least 3 Normal Business hours' notice in advance
Approach to resilience
Available on request
Outage reporting
E-mail alerts, general error page in case of scheduled downtime or unscheduled service outage.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
API tokens
Access restrictions in management interfaces and support channels
1. Only Authorised users can access the management dashboard for access to end user analytics and metrics
2. Support channels are available for use by any end user should they require it.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
API tokens

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
We are currently Cyber Essentials certified and are working toward an ISO 27001 Accreditation.

Our information security policy reflects the guidelines set out by ISO 27001
Information security policies and processes
Hut Six's information security is managed by the CTO who reports to the Executive Team (our information security committee) on any and all security risk matters. The CTO is responsible for the instruction of all Hut Six employees in the policies and procedures of the company.

Security policies and objectives are established and made available to all employees.
Risk Assessments and controls are put in place to test these.
Security Assessments training is delivered to all employees.
Monitor and review our ISMS.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes to components in the service are processed through issue tracking software and before any changes are committed they are analysed for security flaws.
Builds are created by a continuous integration server, and each build is stored indefinitely.
In the event that a security flaw is introduced, the system can be rolled back to the previous version while a fix is developed.
Before any change is made to the production environment, they must be verified by the Technical Director for any potential security issues.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The mitigation of the companies vulnerabilities are handled in-house by our development team.
Potential threats to our services are diagnosed, ranked on severity and prioritised accordingly.
We look to fix security bugs as soon as possible within a 24 hour window. Potential threats come to our attention through customer feedback and an open source vulnerability scanner.
Protective monitoring type
Protective monitoring approach
Hut Six uses a protective monitoring system to track potential compromises. Incidents are responded to appropriately as quickly as possible within a 24 hour window.
Incident management type
Incident management approach
Users report incidents to a dedicated email address. The support and development team handle these incidents on a case-by-case basis, prioritising the most severe cases.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks

Social Value

Tackling economic inequality

Tackling economic inequality

Hut Six is an ambitious cyber company based in Newport, South Wales and a graduate of the Alacrity Foundation Entrepreneurship Programme which was established to help attract entrepreneurs and graduates to South Wales. The founders of Hut Six continue to provide support and mentorship to current Alacrity members and alumni through talks, regular meetings and advice.
Equal opportunity

Equal opportunity

Hut Six have strived to make our training fully accessible to all potential trainees.

We have established a diversity and inclusion committee to review our content and ensure that all persons are properly represented in our materials without bias.


Cyber crime can be just as emotionally distressing as physical crime.

When people are the victims of cyber attacks through common scams, social engineering, phishing or simply the loss of their personal data in a breach that wasn't their fault, there can be feelings of shame, anxiety, depression and anger.

At Hut Six we specialise in reducing the risk of these human error led cyber attacks and give people the skills they need to avoid scams at work and in their personal lives.

A great deal of the feedback we receive from clients is orientated around how useful our training and resources have been in their end users' personal lives; also helping their friends and families.

Hut Six have published public training materials to help engage the wider public with security awareness and improve their resilience against cyber crime.

We strive to build a strong culture of security awareness within our clients without attributing blame. So that suspicious behaviour can be caught and true visibility is achieved without the stigma of reporting on colleagues.


£4 to £16 a user a year
Discount for educational organisations
Free trial available
Description of free trial
We offer a free 14 day demo instance that supports up to 5 users.

The trial includes limited access to the training materials.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.