Interview with Dan Thornton - Co-Founder and CEO of Goldphish


Here's how it went down.


We recently did an interview with Dan Thornton, Co-Founder and CEO of Goldphish, a company shaking up the cybersecurity awareness space.


With roots in the UK’s Royal Marine Commandos and deep experience in corporate risk management, Dan has seen firsthand how traditional security training often fails to engage.


Frustrated by boring, jargon-heavy programs, Dan set out to create something radically different: a training platform that’s short, sharp, fun, and truly human-focused. Dan shares how Goldphish is tackling today’s evolving cyber threats, the power of partnerships, and why the human element is still the most critical factor in cybersecurity success.



What inspired you to co-found Goldphish, and how has your background influenced the platform’s mission and approach to cybersecurity awareness?


Goldphish was born out of frustration — and a bit of madness.


I came from the UK’s Royal Marine Commandos, then spent years working in corporate security risk management. That gave me front-row seats to some of the worst cybersecurity training you could imagine — death-by-PowerPoint, awful instructors, and content so dry you could cry.


Meanwhile, cyber threats were exploding. And the biggest vulnerability wasn’t the tech. It was the people.


I was constantly helping teams change behaviour around physical AND digital security, and it became painfully obvious: the human side of cybersecurity was being completely neglected, or at best, badly mishandled.


So, together with a former Royal Marine, we built Goldphish. We saw a massive need for training that didn’t suck — training that actually made people care, engage, and remember what they learned.


And that’s been the mission ever since: cut the corporate BS, keep it short, sharp, and human-focused, and build a platform that actually helps people stay safe online.



Goldphish emphasises bite-sized, engaging content. How do you ensure training remains effective without overwhelming or boring users?



We keep it short, simple, and human.


People don’t want to sit through long training sessions, especially when they’ve got a dozen other things fighting for their attention. So we deliver content in bite-sized formats, designed to be quick, engaging, and easy to complete. Think 2–3 minutes, not 30. That’s how people learn now, and we built the platform to match that behaviour.


We also cut out the jargon. Most cybersecurity training is packed with technical language that just confuses people. We explain things in plain English, no acronyms, no fluff, so everyone understands what’s at stake and what to do about it.


And we make it personal. Instead of lecturing people on protecting company data, we show them how to protect their own accounts, their families, and their identity. That’s when it clicks. When they care about it personally, they bring that behaviour back into the workplace.


Finally, we make it fun. Not corporate fun. Actual fun. Our content has personality, sarcasm, and the occasional well-deserved piss-take, because when people enjoy the training, they’re way more likely to remember it.



What makes Goldphish different from other security awareness training platforms on the market?



Three things set us apart:


  • First, our content actually gets used. It’s engaging, it’s popular, and people talk about it. We’ve already explained why: it’s short, sharp, no-jargon, and doesn’t treat users like idiots. That alone makes it stand out in an industry full of boring, checkbox-style training.


  • Second, we’ve made it ridiculously simple for training managers to roll out. No bloated features. No confusing dashboards. Just a clean platform that lets them deploy training and phishing simulations quickly, easily, and without needing a manual or a help desk ticket.


  • Third, we built Goldphish with MSPs in mind. Most platforms bolt on MSP support as an afterthought. We started with it. Our platform makes it easy to deploy, manage, and track training across dozens or hundreds of customers at scale.


    And the bonus point? Everything is built in-house: the content, the platform, the updates. That means no third-party bloat, no unnecessary costs, and we can offer a price point that actually works for SMBs. We’re not chasing enterprise whales. We’re here for the businesses that need proper security training without breaking the budget.



Can you explain how your phishing simulations and Phish Reporter tool work together to change employee behaviour over time?



Training teaches people what to look for — what a suspicious email looks like, where the red flags are, and what actions to take. That’s all important, and it’s something we cover thoroughly in our modules.


But real learning happens when they’re not in a training session.


It’s when that dodgy-looking email lands in their inbox on a busy Tuesday afternoon, when they’re under pressure, distracted, or half a coffee short of functional. That’s where phishing simulations come in. We send realistic, unpredictable phishing emails to test how users behave in the real world, not the classroom. No warning, no safety net, just real decisions with real consequences (minus the data breach).


That’s when the training starts to stick. And that’s the behaviour we’re trying to shape.

The other key part is reporting. Not clicking is great. But reporting is even better. That’s the action we want to encourage: spotting something suspicious and flagging it. Our Phish Reporter tool makes that a one-click job, and it’s available across Microsoft and Google environments.


So yes, we track click rates: how many people fall for a phish. But we also track reporting rates: how many people are actively spotting and raising alarms. That’s the real metric of progress: fewer clicks, more reports. Less panic, more awareness.



You’ve partnered with organisations like Munich Re and StickmanCyber. What role do these collaborations play in scaling your impact?



From day one, partnerships have been key to our growth strategy.


We’ve built a strong SaaS product for delivering security awareness training, and we’ve teamed up with some incredible partners across the MSSP, MSP, and cyber insurance space who are helping us scale it globally.


Our MSP and MSSP partners use Goldphish to deliver managed training services to their customers, embedding it into their broader security offering. It’s a win-win; they get a high-quality, easy-to-manage platform, and we get distribution at scale across their networks.


On the insurance side, partners like Munich Re are leveraging Goldphish as a risk management tool. They offer it to policyholders to help reduce human risk — the stuff that drives most claims in the first place. It’s about prevention, not just protection.


These partnerships allow us to focus on what we do best, building great training and a rock-solid platform, while they help us reach businesses in over 25 countries and counting.



What trends are you seeing in human-targeted cyber threats, and how is Goldphish evolving to meet those challenges in the next few years?



The threats are getting smarter — and more personal.


We’re seeing a huge rise in AI-driven social engineering. Phishing emails are more convincing. Voice notes and deepfake videos are being used to impersonate people. Attackers are now crafting messages that feel hyper-targeted and incredibly real, and that’s making it harder than ever for users to tell what’s legit.


But the delivery method? Still the same. Email is still the top way attackers get in. So phishing remains a massive risk, and human error remains the biggest vulnerability.


That’s why Goldphish is constantly evolving. Our content is always being updated to reflect the latest threats and tactics we’re seeing in the wild. We stay on top of industry best practices and adapt our simulations to make them harder, smarter, and more relevant. This isn’t a one-and-done course, it’s an ongoing process of education and behaviour change.


Our focus hasn’t changed: educate, raise awareness, and help users build habits that actually keep them safe. But how do we do it?


That’s always adapting — because the threats are, too.

