Wire training into your security stack

Yes. RansomLeak exposes a REST API secured with per-tenant bearer tokens and scoped access. You can manage users, teams, campaigns, and assignments, and pull analytics, and the endpoint reference ships with OpenAPI documentation.

Tokens are generated in the admin console, and a key only reaches the scopes you grant it.

Eleven event types, including exercise and course completions, badge awards, certificate renewals and expirations, learning-path assignment and completion, and campaign assignment, deadline, and completion milestones.

Every webhook is signed with HMAC-SHA256 using a per-endpoint secret, retried with exponential backoff if your endpoint is briefly unavailable, and recorded in a delivery log you can inspect.

Yes. RansomLeak has dedicated apps for Jira Service Management, Freshservice, and ManageEngine ServiceDesk Plus. When a security-relevant request comes in, the app assigns a short module to the affected employee, then writes the assignment and its completion back onto the ticket as a comment or note.

An admin maps each request type or category to a lesson, picks who counts as the affected user, and the apps are idempotent, so a repeated update never double-assigns and a re-delivered completion never double-posts.

Yes. RansomLeak for PagerDuty assigns a module to an incident responder and posts completion back as a note on the incident. For SOAR, a Cortex XSOAR content pack and a reusable Tines story let a playbook assign the matching lesson and read the result back.

All three call the same assignment API, so a phishing, insider-risk, or access playbook can end with coaching for the person involved and a completion you can act on.

Yes. An open-source Grafana data source plugin queries RansomLeak live, so per-team human-risk score, completion rate, overdue assignments, and phishing click and report rates chart next to your other panels. A ready-made Human Risk dashboard ships with it.

A New Relic quickstart adds pre-built dashboards and alert conditions for the same training and phishing events plus a human-risk-score gauge, streamed in with no agent to run.

Yes, in two ways. For channels, post completion alerts, overdue reminders, and campaign milestones into a Slack or Microsoft Teams channel through an incoming webhook. You create the webhook in your workspace, paste the URL, and send a test message.

For people, install the RansomLeak app for Slack. It direct-messages each employee when they have training assigned or due, with a one-click link to the lesson and a button to mute reminders. The Microsoft Teams app is on the way.

A workspace admin connects it once from the RansomLeak console, under Admin → Integrations → Slack → Connect Slack, and approves the requested permissions. There is no per-employee setup.

After that, anyone with assigned training gets a direct message carrying an Open training button and a Mute reminders button. Employees can pause, resume, or check reminders themselves with /ransomleak mute, /ransomleak unmute, and /ransomleak status. The app only messages people who have training to complete, and never posts to channels.

Yes. A dedicated export endpoint returns training and security events as JSON or CSV, filterable by event type and date range, so your SIEM can poll it on a schedule and ingest awareness data alongside its other sources.

It is a pull-based export API rather than a CEF or syslog connector, which keeps the data on a path your team controls.

Yes. When a Datadog detection rule fires on risky user activity, a workflow action assigns the matching RansomLeak exercise to the people involved, and training and human-risk events stream into Datadog so you can watch them in your SOC pipeline.

The assignment runs as a Datadog Workflow Automation action, so it fits the detection rules and playbooks your team already maintains, and the response includes coaching rather than just an alert.

Yes, and it is live. Connect Vanta over OAuth, and training completions and user-account status flow in automatically as evidence for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA controls.

The sync runs hourly and on every completion, so your control evidence is current whenever an auditor asks.

Yes. Completed modules stream into Drata as records on a Custom Connection, and a Custom Test maps them to your security-awareness controls.

That keeps training evidence for SOC 2, ISO 27001, HIPAA, PCI DSS, and NIS2 current between audits, with no manual export.

Yes. Connect HiBob over its native OAuth, or reach Workday, ADP, Rippling, BambooHR, and 80-plus other systems through a single Merge connection. RansomLeak reads your directory on a read-only pull and turns it into a training lifecycle: new hires are provisioned and enrolled in onboarding, role and department changes reassign the matching curriculum, departures disable access while keeping the training history, and rehires are reactivated.

People are matched by work email, so your HRIS and SCIM provisioning stay in step rather than working against each other. The first sync records your existing workforce as a baseline, so only genuinely new hires receive onboarding afterward. Setup is in the HiBob guide.

RansomLeak supports SAML 2.0 single sign-on and SCIM 2.0 provisioning with Okta, Microsoft Entra ID, and any standards-compliant identity provider. Because SSO and SCIM govern access to the platform itself, they live with the Cloud LMS. Step-by-step setup is in the Okta SSO, Okta SCIM, Entra SSO, and Entra SCIM guides.

If your HR system is the source of truth instead, RansomLeak syncs the employee lifecycle straight from your HRIS through HiBob or Merge, covered above.