Abstract

I run the internal phishing program at Twitter. It was built from scratch and uses open source tools. It is custom tailored to our organization. This talk will describe the objective of running an internal phishing program at your organization, what to track, how to measure it, and how to grow the program. This is not an awareness program; this program is designed to imbue antibodies into the culture that will promote the growth of a security culture and help make people more security aware overall. Since the instantiation of this program at Twitter, we have seen dramatic changes that make the whole organization safer. There are some configurations an org can employ to dramatically decrease the influx of spam and phishing mails on top of a program such as this. If more orgs had a program like this, phishing would start to become much harder to do. The measurements that come from this program also allow us to have a much better view of the risks attached to phishing, so we have a tangible, measurable result we can work with. You want to be the guy who designs attack models for your company, then lobs them at employees? This is how to do it.