When organizations talk about cybersecurity, they usually talk about the tools: EDR, SIEM, AI detection, automation.But behind nearly every breach, one constant remains: people still click. For decades, the industry has tried to fix that with templated phishing simulations that are often outdated, unrealistic, and far removed from the real attacks employees receive daily. But what if cyber security awareness could finally match reality? That’s the thinking behind OutKept, the Belgian startup reinventing human risk management through a global community of ethical phishers: people competing to create the most effective, local, and credible phishing emails possible. In this episode of Scaling Cyber, Simon Bauwens shares the journey behind this unconventional approach, the impact of hyper-local content, and why community + incentives may be the missing piece in cybersecurity awareness. 🎧 Listen to the full conversation on Scaling Cyber: YouTube | Spotify | Apple Podcasts The Problem No One Talks About: “Bad Awareness Creates Bad Reflexes” Simon puts it simply: “If you do phishing simulations poorly, you’re actually making people worse at spotting attacks.” Most platforms rely on generic templates: * outdated brands * broken language * AI-translated content * little connection to local culture * scenarios attackers stopped using years ago Employees learn to spot these emails, not the ones that actually hit their inbox. OutKept’s answer?👉 Create a system where phishing emails evolve as fast as attackers do. Not through algorithms.Not through templates.But through a community of humans competing — and getting paid — to craft the most credible phishing campaigns possible. Inside the Ethical Phishing Community The idea sounds bold because it is. Inspired by bug bounty logic, OutKept built a marketplace where: * ethical “phishers” submit phishing emails * emails are ranked by real-world success * high-performing ones get paid more * the best content survives, like natural selection Local specificity is the superpower.Phishers create content tied to regional storms, elections, strikes, banks, slang, holidays, and all the cultural nuance attackers exploit. The result is training that looks dangerously real because it’s created by the same kind of minds who would write real phishing campaigns, just operating ethically. Europe’s Linguistic Chaos: A Hidden Advantage One of the biggest complaints about phishing platforms?Language quality. In Europe alone: * Belgium has three official languages * Flemish ≠ Dutch (Netherlands) * Walloon French ≠ France French * Baltic languages have tiny populations * AI still misses regional nuance and tone Big vendors don’t prioritize small languages.Communities do. That’s why OutKept’s model resonates from Poland to Spain to the Baltics — markets where cyber vendors often deliver poor localized training. Sometimes, being born in fragmented Europe is actually an advantage.It forces you to build global-first from the start. Building a Cyber Startup in Belgium’s Rising Tech Ecosystem Simon didn’t start in cybersecurity.His background spans sociology, automation, and consulting.He wanted a product, a co-founder, and a big problem to solve. COVID brought him together with Dieter, who had a cybersecurity background.Their brainstorming sessions blended ideas on community, automation, and human behavior, eventually converging into what became OutKept. Belgium wasn’t the reason they started in cyber, but being in Ghent helped them grow.A vibrant tech ecosystem, increasing attention to cybersecurity, and proximity to European markets made expansion easier. Today, OutKept already delivers simulations in 86 countries — proof that European cyber companies can scale far beyond their borders. Competing in a Red-Ocean Market Human risk is one of the noisiest cybersecurity categories.Huge incumbents.Aggressive competitors.Crowded feature sets. Simon learned quickly: * competitors get hostile when they feel threatened * legal letters and targeted ads are part of the game * “thicker skin” is a necessary founder trait * but collaboration still exists — and matters At industry events, founders take selfies and share insights.Behind closed doors, they battle for market share. OutKept’s differentiation — community, gamification, local realism — gives them a unique angle in a market crowded with commoditized products. AI vs Human Creativity: What Happens Next? Everyone in cybersecurity is asking the same question:Will AI disrupt awareness training? Simon’s view is pragmatic: * Real attackers already use AI. * So do OutKept’s phishers. * AI can generate content, but not context. * The future belongs to humans using AI as a tool, not the other way around. Instead of building one “AI phishing engine,” OutKept enables hundreds of people to use AI creatively, competing to outsmart each other. Community beats templates — and may beat pure AI too. Scaling OutKept Across Europe (and Beyond) OutKept is expanding thoughtfully: * Partners in Belgium and Poland (including a distributor assigning dedicated account managers) * Early traction in Spain * Growing interest across the Baltics, Central Europe, and Ukraine * Preparing to cover more of Southern Europe & the Netherlands Their strategy is clear:Awareness alone rarely works as a standalone tool.Strong channel partners integrate OutKept into a broader security service offering — combining local relationships with OutKept’s global platform. Advice to Other Cyber Founders Simon’s message to other founders is one that many overlook: “Get out of your office. Go to events.The conversations give you energy and the best market intelligence.” When the bank account looks scary…When competitors send legal threats…When a deal is lost at the last minute… Meeting real people who believe in what you’re building gives you the momentum to keep going. That psychological fuel often matters more than strategy frameworks or pitch decks. The Opportunity Europe Shouldn’t Miss Europe loves regulations — sometimes too much.But Simon sees a silver lining: * NIS2 is pushing organizations toward real cybersecurity maturity * Regulation creates opportunity for startups that can help companies comply * Just like GDPR became a global benchmark, NIS2 may shape global awareness standards The challenge?Europe regulates faster than it innovates and invests.To truly compete with the US and China, it needs both. About the Episode This conversation is part of Season 1 of Scaling Cyber — the show spotlighting founders and leaders building cybersecurity companies outside the US/Israel bubble. Host: Ignacio Sbampato — cybersecurity executive, former Chief Business Officer at ESET, and founder of BridgerWise.Guest: Simon Bauwens, CEO & Co-Founder of OutKept. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit scalingcyber.substack.com
