A cohort is a named group of people who match a set of rules — for example, "engineers," "people who uploaded files to generative AI tools in the last 30 days," or "employees with access to production Snowflake." Cohorts let you see where human risk lives, target remediation (training, nudges, phishing simulations) so security resources focus on the highest-impact employees, and track whether behavior is actually changing over time.

Fable supports two styles of cohort:

• Behavior-based cohorts. Automatically populated from observed employee behavior (e.g., "clicked a phishing simulation in the last 90 days").

• Manually created cohorts. Populated by an admin — typically used for organizational groupings like "Finance VIPs" or "Customer-Facing Engineers."

Cohort list

The cohort list view groups behavior-based cohorts and risk-based cohorts separately, so the two types are clearly distinguished. Each row shows the cohort name, current member count, and links through to the cohort detail page.

Cohort detail

Membership-over-time chart). The cohort detail page is anchored by a membership-over-time chart at the top of the page. The chart shows how cohort membership has changed across the selected time window — useful for spotting growth, churn, and the effect of interventions on behavior-based cohorts.

Member list. Below the chart, the page shows the cohort's current members with their identifying information.

Getting Started

Open the Cohorts page from the left-hand navigation. The cohort list loads with behavior-based cohorts and manually created cohorts grouped separately. Click any cohort to open its detail page. To create a new cohort, use the New Cohort action at the top of the cohort list, or work with your TAM to build a more advanced cohort using the flexibility options above.

Example cohorts to try

1. Customer-facing engineers with production access

2. Finance contractors with cloud storage access

3. Accounts with compromised Okta passwords and unencrypted password storage

4. Developers using weak MFA

5. Suspicious sign-ins: high-risk countries and multi-location logins

6. Unmanaged and compromised device holders

7. Employees with multiple malicious URL click alerts

8. VIPs / executives with leaked credentials and vulnerable devices (misconfigured MFA, outdated OS, or unencrypted device)

FAQ

How often does cohort membership refresh?

Membership for behavior-based cohorts refreshes on a regular cadence as new employee actions are observed. Exact timing depends on your data volume.

Can I see how cohort membership has changed over time?

Yes. The membership-over-time chart at the top of the cohort detail page shows membership across the selected time window.

What data sources does Fable use to build cohorts?

Cohorts can draw on HR / directory data (Google Workspace, Entra, Active Directory, Workday), identity providers (Okta, Entra), endpoint (CrowdStrike), collaboration and email (Microsoft 365, Google), SASE (Netskope), email security (Proofpoint), and many more. The sources available for your cohorts depend on which integrations your tenant has connected.

Can I build composite cohorts that combine multiple rules?

Yes. Cohort rules can be combined with AND / OR logic (e.g., "VIPs AND uploaded to unsanctioned GenAI in the last 30 days"). Composite cohorts are currently configured in partnership with your TAM.

Can I build custom cohorts myself?

Yes, you can create cohorts yourself through our cohort builder. Please see this help center document for more information.