Why it matters
Practical evidence, not scanner noise.
Attackers rarely rely on technical vulnerabilities alone. We help teams understand where awareness, verification processes, and escalation paths need improvement.
What we test
- Spear phishing with credential-harvesting scenarios
- Bulk phishing with click and open rate measurement
- Vishing against approved teams
- Business email compromise simulation
- SMS phishing where approved
- Help desk impersonation
- Executive impersonation
- Supplier or vendor pretexting
- Multi-stage phishing plus vishing scenarios
- Post-compromise persistence through staff access
What you receive
- Campaign metrics for opens, clicks, and submissions
- Department and role-level breakdown
- Anonymised individual risk scoring
- Tailored training recommendations
- Phishing template analysis
- Repeat campaign guidance to measure improvement
Methodology
How the engagement runs
- 01
Agree target groups, pretexts, safety language, and notification rules.
- 02
Build realistic but controlled campaign assets and infrastructure.
- 03
Run the campaign with monitoring and escalation controls.
- 04
Analyse response rates, reporting behaviour, and process failures.
- 05
Debrief leadership and provide targeted awareness recommendations.
FAQ
Common questions
Can this be run without shaming staff?
Yes. We recommend anonymised reporting and process-focused recommendations so the result improves resilience rather than creating blame.
Do you support vishing?
Yes. Phone-based pretexting can be included where approved and scoped with clear safety boundaries.
Can you test our help desk?
Yes. Help desk impersonation and reset-process testing are common social engineering scenarios because they reveal process weaknesses quickly.
Related services