The Challenge
The company had grown from 120 staff to 800 over three years. Security training had not kept pace. The original approach — a vendor-managed annual programme that had served a smaller organisation reasonably well — was showing the cracks that tend to appear when a company scales faster than its operational processes.
The company's Head of Engineering had flagged the training problem eighteen months before the LimitedView engagement began. The immediate prompt was a tabletop exercise run by the company's external security consultancy. The exercise simulated a data breach notification obligation under GDPR: a third party had reported finding what appeared to be company customer data in an exposed storage bucket. The tabletop participants were drawn from across the business: product, engineering, customer success, legal, and the two-person internal security team.
The tabletop results were instructive. Staff who had completed the annual security training within the previous three months performed at roughly the same level as staff who had completed it eight months earlier. Neither group performed well. Participants had difficulty recalling the notification timeline, the internal escalation path, and the documentation requirements. The legal team member knew the GDPR obligations. The engineering participants largely did not.
The security consultancy's report noted that annual training, regardless of completion rate or assessed score at delivery, typically produces functional retention in the range of 12 to 18% at the six-month mark. The company's vendor had confirmed that its benchmark for assessed recall at 30 days was approximately 15% for annual delivery formats.
That number was not acceptable to the company's CTO, who had personal accountability for the SOC 2 Type II audit the company was targeting before its Series C raise. SOC 2 auditors review not just whether training happened but whether staff can demonstrate knowledge of the security practices they were trained on. A 15% retention rate does not support a strong SOC 2 narrative.
The company terminated the contract with its existing training vendor and ran a procurement process. LimitedView was selected on the basis of the retention methodology and the ability to integrate with the incident response playbook rather than running a separate parallel programme.
The Approach
The engagement started with a review of the company's existing incident response playbook. The playbook was well written but disconnected from the training programme. Incidents were handled by the security team and relevant engineering staff. Training was managed by the people team and delivered to everyone on a schedule. The two systems did not communicate.
LimitedView's recommendation was to treat every incident classification — regardless of severity — as a training trigger for the staff populations relevant to that incident type. An engineer exposing a database credential in a code commit would trigger a module for the engineering team. A phishing attempt reaching the customer success team would trigger a module for the commercial functions. A third-party security notification would trigger a module covering supply chain and third-party risk.
This required the company to classify incidents more systematically than it had been doing. Previously, smaller incidents were handled informally: fixed, noted in a Slack channel, and moved on. The triggered training model required a lightweight classification step — incident type, affected population, severity — that fed into the LimitedView trigger queue.
The classification step took four minutes on average. The security team did not find it burdensome, and it produced a secondary benefit: a running log of all security events that became the most complete incident record the company had maintained.
The first triggered module was deployed following a credential exposure incident in the fifth week of the engagement. The module reached 91% of the engineering team within twenty-four hours. It covered the specific patterns that led to the exposure, the correct handling of credentials in development environments, and the internal reporting path.
Thirty days after delivery, LimitedView administered a five-question scenario-based assessment. The engineering team's retention rate across the assessed knowledge areas was 73%.
The company's previous vendor's benchmark was 15%.
Over the following four months, seven further triggered modules were deployed across different staff populations. The triggers included a phishing simulation that identified genuine susceptibility in the customer success team, an NCSC advisory relevant to the company's infrastructure stack, and two genuine low-severity incidents.
The security team also worked with LimitedView to build incident response knowledge into the triggered content explicitly. Rather than treating the playbook as a separate document, specific playbook steps were embedded in the relevant modules as the content that staff were expected to recall. This aligned the training programme and the incident response procedure into a single coherent system.
The Results
At the five-month mark, the company had deployed eight triggered modules across five distinct staff populations.
The headline figure was the 30-day retention rate: 73% across all assessed modules, measured by scenario-based recall assessments administered by LimitedView. This compared with the previous vendor's stated benchmark of 15%.
The 73% figure held consistently across staff populations that might be expected to perform differently. Engineering participants, product managers, and customer success staff all fell within a 68 to 78% range. The consistency suggested that the methodology, rather than subject familiarity, was the primary driver.
Voluntary completion of triggered modules, without a mandatory deadline or management prompt, averaged 88% within the first 48 hours of deployment. The highest-engagement module reached 94% within 24 hours.
The company's internal security event log, which the classification step had been building since the engagement began, showed that the number of self-reported near-misses — staff flagging potential issues before they became incidents — increased by 41% compared to the prior five-month period. The security team attributed this partly to the training increasing staff confidence in what constituted a reportable event, and partly to the cultural shift that comes when security training is visibly connected to real events rather than abstract scenarios.
For the SOC 2 audit, the company was able to provide training completion records, assessed retention scores, and a full incident classification log. The auditors noted it was an unusually complete evidence package.
What Changed
The CTO described the most significant change as the integration between incidents and training. Previously, a security event produced two separate responses: an operational response from the security team and a note to consider updating training content at the next annual cycle. The triggered model collapsed those two responses into one. The incident happened, the training happened, the retention data came back. The loop was closed in thirty days rather than twelve months.
The Head of Engineering noted a change in how the engineering team talked about security events. The previous culture treated minor incidents as mildly embarrassing and best handled quietly. The triggered training model reframed them as learning moments that produced documented improvement. Reporting increased because the act of reporting visibly led to something useful.
The company used the SOC 2 evidence package in its Series C materials. The security section of the data room included the LimitedView retention benchmarks alongside the audit report. The CFO noted that two investors specifically referenced the 73% retention figure in due diligence conversations as evidence of a mature security culture for a company at that stage.