Mirage is the first episode of our weekly series: an application invented and built with AI Studio, to make tangible what AI — framed by our methods — can deliver. Built in five days, compliant by design, and operated on our sovereign foundation.

The mission

Sector: cybersecurity. The starting point is simple — the most exposed link in any organisation is still the human one, and generative AI has made phishing emails almost indistinguishable from legitimate messages: no typos, the right tone, credible pretexts, in French as well as in Luxembourgish. If the attack improves, the training must keep up.

The mission we set ourselves: deliver a platform that lets a security team simulate realistic phishing campaigns and train staff at the right moment — without ever causing harm, without ever capturing a real password, and within a framework compliant with GDPR and Luxembourg labour law.

What we built

Mirage comes down to four building blocks, all assembled on existing AI Studio modules:

  1. An AI scenario generator. From the organisation's context (sector, tools, language), the AI produces credible, localised campaigns — a fake expense note, a fake HR message, a fake Microsoft 365 support email — in FR, EN, DE and LU. The security team validates, tweaks, launches.
  2. Safe landing pages. The click leads to an educational page: "this was a simulation". No credential is ever requested or stored. We measure the click, not the gullibility; we teach, we don't trap.
  3. Adaptive micro-training. Depending on behaviour (click, report, ignore), the AI offers two minutes of targeted training, contextualised to the scenario received — at the exact moment the lesson lands.
  4. A risk dashboard. Click and report rates per campaign and per department, trend over time, aggregated indicators — designed to steer without singling out an individual.

"The AI wrote the scenarios, the pages and the training modules in minutes. Our security experts kept their hands on what matters: the legal framework, the measurement, and the guarantee that no sensitive data is ever touched."

AI Studio team · Luxapps

The deployment, in full transparency

Five days, from scoping to an internal pilot. The retrospective comes down to three lessons:

  • The legal framework first, not after. A phishing simulation touches labour law and employee data. We designed it from the start with prior information, a security purpose, aggregated measurement and short retention — exactly the rigour we apply to FXP and MySafeBox.
  • "Realistic" does not mean "harmful". The subtlest trap of such a tool is to capture real credentials. Our architecture choice is unambiguous: the simulation page has no password field. We keep the realism of the lure, never the risk.
  • Deliverability is an engineering problem. For a test to be useful, the email must arrive — without damaging the domain's sender reputation. Dedicated SPF / DKIM settings, an isolated sending domain: infrastructure work that AI does not do for you, and that our teams handled.
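One way to enforce the "no password field" rule from the second lesson before a landing page is published, as an added example that is not Mirage's own code. The function name, the hint lists and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy for this example (not from the page): autocomplete tokens and
# name/id fragments that mark an input as collecting a secret. Deliberately strict.
CREDENTIAL_AUTOCOMPLETE = {"current-password", "new-password", "one-time-code"}
CREDENTIAL_NAME_HINTS = ("pass", "pwd")


class _CredentialFieldFinder(HTMLParser):
    """Records every <input> that could ask the visitor for a credential."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line_number, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; normalise values (None if valueless).
        a = {k: (v or "").strip().lower() for k, v in attrs}
        line = self.getpos()[0]
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        if a.get("type") == "password":
            self.findings.append((line, "type=password"))
        elif set(a.get("autocomplete", "").split()) & CREDENTIAL_AUTOCOMPLETE:
            self.findings.append((line, "credential autocomplete token"))
        elif any(hint in label for hint in CREDENTIAL_NAME_HINTS):
            self.findings.append((line, "credential-like name, id or placeholder"))


def find_credential_fields(html):
    """Return [(line, reason), ...]; an empty list means the page may ship."""
    finder = _CredentialFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages, not taken from Mirage.
SAFE_PAGE = """<html><body><h1>This was a simulation</h1>
<form action="/training" method="get"><input type="hidden" name="campaign" value="demo">
<button>Start the two-minute training</button></form></body></html>"""
UNSAFE_PAGE = """<form method="post">
<input type="text" name="user">
<input type="PASSWORD" name="p">
<input type="text" autocomplete="section-a current-password" name="x">
<input type="text" id="user_pwd">
</form>"""

if __name__ == "__main__":
    for name, page in (("safe", SAFE_PAGE), ("unsafe", UNSAFE_PAGE)):
        print(name, find_credential_fields(page) or "no credential fields")
```

A static check like this does not see fields that a script adds at render time, so it fits templates that ship without client-side form generation.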

At every step, the AI generated the scaffolding; our engineers reviewed every line before production. That is the AI Studio rule: AI produces, humans validate.

What we achieved

What we thought impossible in a week:

  • Five days from idea to a pilot in production, where a comparable custom project is measured in months.
  • Dozens of credible, multilingual scenarios (FR/EN/DE/LU), generated and adjustable in minutes rather than written one by one.
  • Compliance by design — information, aggregated measurement, zero credential capture — validated before the first send, not after.
  • On our internal pilot, a markedly higher reporting reflex between the first and second campaign: proof that training received at the right moment changes behaviour.

What's next?

Mirage is a demonstration of what AI Studio makes possible: taking a precise business need and turning it into a compliant platform, in days. Next week, a new application, a new sector — business, IT or security software.

Do you have a need that would deserve its own platform? A 30-minute scoping session is enough to find out whether AI Studio is the right approach.
