Fable Security: Interview With CEO Nicole Jiang About The Human Risk Management Platform

By Amit Chowdhry • Yesterday at 6:25 PM

Fable Security is a human risk management platform that uses AI to analyze employee data, detect risky behaviors, and deliver automated, real-time interventions and coaching to help employees build better cybersecurity habits and prevent breaches. Pulse 2.0 interviewed Fable Security CEO Nicole Jiang to learn more.

Nicole Jiang’s Background

Could you tell me more about your background? Jiang said:

I’ve spent my career at the intersection of data, product, and security. Before founding Fable, I led product at Abnormal Security, and before that I was at Palantir, Microsoft, and Mixpanel. At Abnormal we built AI-driven systems to stop advanced email attacks. That experience gave me a front-row seat into how sophisticated attackers have become, and how—despite having the most sophisticated tools—so many enterprises are still vulnerable to simple human error.

But the most formative part of my background traces back to adolescence. When I was an early teen, I emigrated from China with my family and we settled in Toronto, Canada. Despite being well-educated and hardworking, my parents didn’t easily find work. For about a year, I was the only person in my family who held a job. I went to school during the day and spent my afternoons and evenings at our neighborhood hamburger spot—mopping floors, scrubbing toilets, scraping the grill. It was unglamorous, hands-on work, but it taught me discipline and how to find pride in small details.

Formation Of The Company

How did the idea for Fable Security come together? Jiang shared:

While leading product and data science at Abnormal Security, my cofounder, Dr. Sanny Liao, and I worked closely with large enterprise customers who invested heavily in cutting-edge security. They were ostensibly well-protected, but not from human error.

This became painfully clear when we were on a work trip to see a customer of ours in Las Vegas,when they had a breach. We were at one of their resort properties when an attack unfolded. The atmosphere shifted instantly: front desks were overwhelmed, guests couldn’t access their rooms, elevators stopped working, slot machines went dark. The whole place just…went quiet. It was horrible. This wasn’t some abstract cyber incident. It was a business catastrophe happening in real time, and we couldn’t do a thing to help them. They had the best security stack money could get by, and yet an attacker was still able to bypass that with a simple vishing call to the IT helpdesk. No technical control could have prevented that. It was human error.

When we took a look at what the the market had produced to address this risk, it was awareness training, and we were underwhelmed. We saw a line-up of old-school offerings that were generic and uninspired. And when we asked security leaders, we heard a chorus of, “You can’t change behavior.” 

But my cofounder, Sanny, had an educational background in behavioral science and professional experience in adtech. She had a front-row seat to behavior change. Nobody knew more than she how behavior could be segmented, targeted, and optimized over continued experiments. Her mantra became, “If you can get someone to spend $150 on shoes with an online ad, surely you can get them to secure their account.” 

Fable was born from that conviction: you can measure human risk, and you can certainly change behavior—not through shame or generic training, but through getting them the right message at the right time,  right where they work.

Favorite Memory

What has been your favorite memory working for the company so far?

My favorite memories have been seeing the Fable team will our product into existence—and doing it side-by-side with our customers. There’s something incredibly special about building not just for customers, but with them. 

One example that stands out is how we iterated with major a financial services organization  to create our phishing simulation product. It wasn’t a static roadmap item; it was a collaborative process. We listened closely to what they needed, tested ideas, refined the experience, and worked through challenges together until it truly served their vision.

Seeing that kind of partnership—where our team is deeply committed, creative, and relentless, and where customers trust us enough to co-build with us—has been incredibly meaningful. It’s those moments when you realize we’re not just shipping features but shaping something real.

Core Products

What are Fable Security’s core products and features? Jiang explained:

At Fable Security, we deliver a modern human risk platform. It’s designed for simplicity and enterprise scale, and uses AI to shape behavior directly. The platform aggregates behavioral and security signals from identity, workspace, and security tools to synthesize human risk and prioritize interventions. Following a similar approach to how adtech influences buying behavior, we segment employees by role and behavior, understand their risk, target them with highly-relevant interventions (short, 60-120-second, AI-generated videos and crisp, 30-ish word nudges in Slack, Teams, GChat, or email) with specific calls to action, track the resulting behavioral changes, and deliver executive and board-ready reporting for visibility and compliance.

We offer four main products:

  • Phishing simulations (realistic, AI-generated campaigns that target by role and risk and automate follow-up training) 
  • Awareness training (mass-customized training that engages, drives awareness, and delivers compliance)
  • Behavioral interventions (agentic interventions (video briefings and nudges) that shape behavior in the moment and over time)
  • Risk reporting (insight into organizational, departmental, and individual human risk trends, drivers, and reduction over time)

Evolution Of The Company’s Technology

How has the company’s technology evolved since launching? Jiang noted:

At launch, we focused on risk assessment and targeted, behavioral interventions and measuring them in a closed-loop process. Since then, we’ve both expanded in two directions: deepening our human risk management moat as well as filling in some of the foundational capabilities that help our customers achieve baseline compliance requirements—awareness training and phishing simulations. 

To expand our human risk management leadership, we’ve deepened our integrations across identity, workspace, and security systems, enhanced our AI models to incorporate deep security and threat analysis expertise, built a series of agentic workflows to automate content creation, policy decisioning, program recommendations, and threat analysis, and increased the fidelity of our closed-loop, validated programs of measuring behavior change, applying them to a variety of behaviors, from data handling to device hygiene to authentication practices. 

We’ve also strengthened executive reporting—giving CISOs and boards transparent, defensible human risk metrics.

Significant Milestones

What have been some of the company’s most significant milestones? Jiang cited:

Some of the company’s most significant milestones haven’t just been product or revenue moments—they’ve been converting prospects and customers into believers, and seeing them get value from Fable: converting customers from skeptics into believers. Early on, many organizations were unsure whether a behavior-first approach to security would truly work. Seeing those same customers become advocates for Fable—and champion our approach internally—has been a defining moment for us. 

Another major milestone has been watching customers adopt our human risk capabilities, especially using us to shape behavior in their organizations. Seeing a financial services company change the way developers log data into observability tools, reducing incidental PII exposures by 60% in one month and then taking exposures to zero with Fable. Or seeing employees at a mortgage company rotate compromised credentials in four hours instead of five days to avoid exposure with Fable, saving more than 100 hours for the security team on that one campaign alone. These are meaningful milestones to us. It’s especially meaningful because we’re not just delivering a product to them, but building it alongside them. Seeing that joint vision come to life—where security becomes embedded in daily habits, not just policies—has validated both our strategy and our mission. 

Finally, seeing employees positively respond to our content and actively learn how to better protect themselves has been incredibly impactful. Our average employee feedback score on our interventions is 4.8 out of 5 stars, largely because we deliver very short, hyper-targeted video briefings (1-2 minutes) that replace multi-hour legacy trainings. We get all kinds of incredible feedback—comments like, “I loved that the video was specific to me and what I do.” When we see real engagement, mindset shifts, and measurable behavior change, it reinforces that we’re driving tangible security outcomes—not just awareness.

Customer Success Stories

Can you share any specific customer success stories? Jiang highlighted:

  • Fintech company BILL reduced phishing clicks by 86% vs. the control group after deploying Fable’s targeted interventions.
  • With Fable, a major financial services org reduced time-to-behavior-change for a critical security issue by 97%, from 5 days to 4 hours.
  • The DNC drives 99% OS compliance with Fable 
  • Dayton Children’s Hospital used Fable to fortify human defenses against a regional ransomware attack that hit a sister hospital.
  • A financial services company was alerted to PII improperly logged in observability tools. Fable helped them drive down the behavior by 60% in a month, and 100% thereafter, with no recidivism over the next 11 months. 

Funding/Revenue

Are you able to discuss funding and/or revenue metrics? Jiang revealed:

We’ve raised $31M across seed and Series A rounds led by Greylock and Redpoint Ventures. We’re currently below $10M ARR with strong triple-digit growth.

Total Addressable Market

What total addressable market (TAM) size is the company pursuing? Jiang assessed:

Estimates for the total market size range from $3 billion to $10 billion with a 12–20% CAGR, depending on the source. The market is undergoing massive disruption, with enterprises reaching a tipping point: they’re fed up with legacy platforms and are demanding modern, flexible, outcome-driven ones.

We have five key differentiators:

Fable Security

Future Company Goals

What are some of the company’s future goals? Jiang emphasized:

Looking ahead, our goals center on expanding our impact and deepening the outcomes we drive for customers. First, we want to protect more organizations. There is still a significant gap in how companies approach human risk, and we would like to see more enterprises adopt this adtech-style way of approaching behavior change. This takes a lot of evangelism because the industry has been approaching human risk in a basic way until now—measuring training completion rates, and phishing failures/reports. These metrics are useful to understand engagement and social engineering susceptibility, but they don’t measure real risk reduction. 

Second, as threats evolve and traditional technical controls struggle to keep pace, helping more organizations operationalize human risk management is a core priority for us. One core workstream is honing our threat feeds and AI models to provide very precise guidance to our customers about which emerging threats apply to humans, which role and risk cohorts they target, and what specific messaging they should include in their employee briefings.

Third, we’re focused on innovation, especially around measurable behavior change. We want to help customers move beyond awareness training into campaigns that are truly closed-loop, with validated behavior change. We want to guide our customers to identify the most relevant risks and deliver the right playbook so they can target the right cohorts, drive specific actions, and validate that change occurred. Supporting customers as they progress along the human risk maturity curve—from general awareness to targeted interventions to measurable behavior outcomes.

Finally, we’re excited to continue learning from our customers. Every organization has a slightly different perspective on human risk, shaped by its culture, industry, and threat landscape. We want to partner closely with them, understand their vision, and evolve our product to serve their real-world needs. Our future growth isn’t just about building more features; it’s about building the right capabilities that make human risk management practical, measurable, and impactful.

Additional Thoughts

Any other topics you would like to discuss? Jiang concluded:

One important theme we hear all the time from CISOs: human risk management is their brand. What they deliver for training is their face to the business. For most employees, it’s the only experience they have with the security team. It can be negative and punitive, boring and irrelevant, or not credible and erode trust. With all the other security tools in their world using AI to up their game, human risk’s relative lack of innovation has been underwhelming. CISOs and their teams are really disenchanted with the tools and ready for a change. They are excited to have a modern platform that actually helps them understand human risk in a data-driven way and intervene in the moment with super-crisp, modern video briefings that engage, save time, and drive behavior change.