H.I.G. Capital replaces one-size-fits-all modules with user adaptive security training powered by Dune Security
- 60% reduction in employee time spent on security training.
- 1 week average turnaround on custom feature requests (e.g., Outlook mobile button delivered in 6 days).
- 1,144 hrs/year freed for the GRC team to focus on incident response and risk analysis.
Before Dune Security, we were overpaying for underwhelming training. Now we’re getting premium performance, without paying a premium.
About H.I.G. Capital
H.I.G. Capital is a leading global private equity and alternative assets investment firm with over $59 billion of equity capital under management. The firm has offices across North America, Europe, and South America, and a staff of over 1,300.
- Seamless integrations quickly designed and deployed for supporting email security tools.
- Real-time line-manager oversight and reporting provided through the Dune Security platform.
- Risk quantification enabled for over 1,300 employees, from department-level down to the individual.
Challenge
Legacy security awareness training created friction and drained resources
For Marcos Marrero, CISO at H.I.G. Capital, the monthly security reports told a frustrating story. Despite years of mandatory security training for all 1,300+ employees, the same patterns kept emerging — and he knew why. Their previous SAT vendor employed a “cookie-cutter” approach to security awareness, with no way to push boundaries or modernize their strategy.
“It was entirely one-size-fits-all,” explains Anthony Granada, Cyber GRC Analyst at H.I.G. Capital. In his words, “Everyone got the same training, month after month. There was no user adaptive logic and no learning curve — just repetition.”
This created problems that rippled throughout the organization. Low-risk users sat through repetitive training content that offered minimal new value, while higher risk users who needed more targeted education received too little attention. Over time, employees grew fatigued and disengaged, treating training as a formality, not a learning opportunity.
And behind the scenes, their GRC team was drowning in manual work. “We were managing campaigns ourselves,” recalls Marcos. “It wasn’t sustainable, especially when the content wasn’t even dynamic.” As a result, the security team spent countless hours building campaigns, scheduling delivery, and tracking participation, which forced higher-priority initiatives like incident response and risk analysis to fall by the wayside.
Critically, the team also lacked the data to prioritize their efforts. Without behavioral telemetry or risk scoring capabilities, they had no way to identify which departments or users posed the greatest security risk. “Without data, there’s nothing to act on,” he explains. “You can’t focus your efforts if you don’t know where the risk is.” That visibility gap undermined the team’s ability to measure progress or demonstrate program effectiveness.

To top things off, even as the threat landscape evolved with increasingly sophisticated attacks, H.I.G.’s training content remained unchanged. There were no simulations for advanced phishing vectors, and no way to adapt the curriculum to address new attack types as they emerged.
Marcos knew he needed to break away from the conventional thinking around security awareness. Their existing vendor’s traditional approach wasn't keeping pace with the realities of modern attacks or addressing the range of risks within H.I.G.'s own workforce.
So, he began exploring modern options that could fundamentally transform their SAT approach — something adaptive, data-driven, and capable of breaking the mold of static, one-size-fits-all solutions. That’s when he found Dune Security.
Solution
Risk adaptive training, seamless integrations, and a responsive enterprise partnership with Dune
The firm worked hand-in-hand with Dune from day one, participating in multiple demos and providing ongoing feedback as the product matured over several months. This gave H.I.G. the unique opportunity to collaborate on the platform's development while Dune deployed critical enterprise features, including SCIM support and a vast content catalog.
“We’ve given Dune a lot of requests and they’ve exceeded every expectation,” says Anthony. “The platform today is incredibly advanced compared to what it was in 2024,” Marcos adds. “It’s ready for the biggest companies, even in highly regulated companies like Financial Services.”
For example, all employees were previously trained to report suspicious emails via a dedicated button. While Dune’s mobile reporting capability was still in the works, Anthony expressed that “not having this feature on mobile would have been a big obstacle.” So, Dune’s team took action. Within weeks, they built and deployed their Watchtower button for Outlook mobile. “That showed us they were truly listening — not just checking boxes,” he says.
With core features like this in place, H.I.G. was ready to go all-in. Setup was both lightweight and straightforward. Identity integration with Entra ID took just a few steps, yet delivered exactly what they needed: automatic provisioning and user-level risk scoring based on essential telemetry data. Meanwhile, the content evolves with the threat landscape, offering simulations that reflect the latest phishing techniques — a stark contrast to the static modules the firm left behind.

As implementation continues to take shape, Marcos has found even more opportunities to leverage the platform's flexibility. Specifically, H.I.G. now uploads internal IT orientation videos directly into Dune, streamlining new-hire education for employees and contractors alike. “That shows us they’re in it for the long haul,” says Marcos. “They didn’t just plug in and disappear. They partnered with us to build what we actually needed.”
Plus, support has been so hands-on that Dune’s onboarding lead now feels like an extension of H.I.G.’s team. “Every time we reach out, Dune’s support team comes back with real answers and a fast turnaround,” says Anthony. “That kind of support is rare.”
Best of all, the firm is finally shifting from static, one-size-fits-all training to a dynamic model that adjusts in real time. Dune automatically aligns training intensity and content with each employee’s risk profile, reducing noise for low-risk users while increasing engagement where it matters most.
Results
Time savings, cost reduction, and a path to risk-aware training at scale
H.I.G. is already reaping the benefits, operationally and strategically. One of their immediate wins has been time savings. Previously, every employee spent 30 minutes per month on generic training, regardless of their risk profile. With Dune’s adaptive model, that figure is dropping by as much as 60%, especially for users with lower risk scores who now receive fewer and more targeted interventions.
Those time savings extend to the GRC team as well. Manual scheduling of training modules and phishing simulations has been replaced by automated workflows driven by user behavior. Instead of coordinating campaigns, the team can now focus on higher-impact work — analyzing risk trends, improving policies, and strengthening controls. “It’s all automatically done by the platform,” says Marcos. “We’re no longer spending hours building and managing campaigns.”
Critically, H.I.G. has already unlocked substantial five-figure cost savings – replacing their expensive legacy vendor with a platform that lowers total cost of ownership while delivering more value in return. Switching to Dune has laid the foundation for a smarter, more responsive training program grounded in real behavioral telemetry. Instead of treating all employees the same, the team can focus attention where it’s most needed and reduce unnecessary friction for everyone involved.
To Marcos, this partnership is the beginning of a longer-term cultural shift. The immediate goal is to establish a clear baseline of cyber risk across the organization, then use Dune’s adaptive tools to help reduce that risk over time across every department.
