Services  /  Social Engineering

Your Weakest Link Is Human

Firewalls don't stop a convincing email. We simulate the exact tactics real threat actors use — spear-phishing, vishing, pretexting, and physical intrusion — to find out how far an attacker gets before someone notices.

91% of breaches start with a phishing email — Verizon DBIR 2024
~60s median time to first click on a phishing link — Proofpoint State of the Phish
3.4× more likely to click after one prior simulation — SANS Security Awareness Report

What we simulate

Attack Vectors

Every engagement is custom-built around real threat actors targeting your industry — not generic templates.

// 01 Spear Phishing

Highly targeted email campaigns crafted with OSINT on your employees — referencing real projects, colleagues, and internal terminology to maximise click-through rates and credential harvesting.

Tags: Email, Credential Harvest, Payload Delivery

// 02 Vishing

Voice-based social engineering using caller ID spoofing and scripted pretexts — impersonating IT support, vendors, or executives to extract credentials, MFA codes, and sensitive internal data over the phone.

Tags: Phone, Caller ID Spoof, MFA Bypass

// 03 Smishing

SMS-based phishing campaigns delivering malicious links via text message — targeting mobile devices with fake IT alerts, parcel delivery notifications, and urgent account security warnings.

Tags: SMS, Mobile, Link Delivery

// 04 Pretexting & Impersonation

Building fabricated scenarios to manipulate employees — impersonating auditors, new hires, contractors, or executives to gain information, system access, or physical entry through social trust.

Tags: Identity, Trust Abuse, Info Gathering

// 05 Physical Intrusion

On-site testing of physical security controls — tailgating, badge cloning, dumpster diving, and impersonating delivery personnel or maintenance staff to gain unauthorised access to secure areas.

Tags: On-Site, Tailgating, Badge Clone

// 06 Baiting & USB Drops

Deploying weaponised USB drives and physical media in car parks, reception areas, and common spaces — measuring how many employees plug in unknown devices and trigger simulated payloads.

Tags: USB Drop, Physical Media, Payload Exec

How we operate

Engagement Methodology

Every simulation follows a strict authorised engagement process — realistic enough to test real behaviour, controlled enough to keep operations safe.

// PHASE 01

OSINT & Target Profiling

Collect open-source intelligence on employees, org structure, technology stack, and recent company events. Build realistic pretexts using LinkedIn, company websites, job postings, and social media to maximise believability.

// PHASE 02

Infrastructure Setup

Deploy dedicated phishing infrastructure — cloned login pages, custom domains with aged reputations, email servers with SPF/DKIM/DMARC configured, and C2 payloads with AV evasion. All isolated per engagement.

// PHASE 03

Campaign Execution

Launch phishing, vishing, smishing, or physical campaigns against defined target groups. Track opens, clicks, credential submissions, callback rates, and time-to-report across the entire employee population.

// PHASE 04

Escalation & Post-Access

Where scope permits, escalate successful initial access — demonstrating the full attack chain from phishing click to domain compromise, data exfiltration simulation, or physical access to sensitive areas.

// PHASE 05

Awareness Debrief

Reveal the simulation to employees who were compromised — explaining exactly what red flags they missed and how to identify similar attacks in future. This converts a failure into a high-impact learning moment.

// PHASE 06

Reporting & Recommendations

Full campaign report with per-department click and submission rates, risk heatmaps, comparison against industry benchmarks, and a tailored security awareness training roadmap to close identified gaps.

Our arsenal

Tools Used

Custom infrastructure combined with industry tooling — every campaign uses dedicated domains and servers, never shared infrastructure.

GoPhish, Evilginx3, Modlishka, CredSniper, SET (Social-Engineer Toolkit), King Phisher, Maltego, theHarvester, Shodan, SpiderFoot, Recon-ng, O365 Spray, MailSniper, Rubber Ducky, Hak5 USB Ninja, Proxmark3 (RFID), Flipper Zero, Caller ID Spoofer, Custom Phishing Pages, Custom OSINT Scripts

What you receive

What You Get

Campaign Analytics Report

Detailed breakdown of click rates, credential submission rates, time-to-click, and time-to-report — segmented by department, role, and seniority with industry benchmark comparisons.
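The metrics named here (click rate, credential submission rate, time-to-click, time-to-report, segmented by department) are what the Phase 03 tracking and Phase 06 report are built on. The following is an added illustration of how they are computed from a simulation event log; it is not the vendor's reporting tooling, and the send time, recipient list, department names and event lines are all constructed for the example.

```python
"""Per-department phishing-simulation metrics over constructed events.

Added illustration, not the vendor's tooling. Assumes one send time for
the wave and a log of "<ISO timestamp> <user> <event>" lines, where event
is click, submit or report. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SENT_AT = datetime.fromisoformat("2024-05-06T09:00:00")  # constructed
RECIPIENTS = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "eng", "erin": "eng", "frank": "eng"}
EVENTS = """\
2024-05-06T09:01:00 alice click
2024-05-06T09:02:30 alice submit
2024-05-06T09:04:00 bob click
2024-05-06T09:10:00 carol report
2024-05-06T09:07:00 dave report
2024-05-06T09:20:00 erin click
2024-05-06T09:21:00 erin report
"""

def first_events(log, sent_at=SENT_AT):
    """Return {user: {event: seconds after send}}, keeping the earliest
    occurrence of each event type (time-to-first-click is what matters)."""
    firsts = defaultdict(dict)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        delay = (datetime.fromisoformat(ts) - sent_at).total_seconds()
        firsts[user][event] = min(firsts[user].get(event, delay), delay)
    return firsts

def campaign_metrics(log, recipients=RECIPIENTS):
    """Rates and median delays per department plus an 'all' rollup.
    Users with no events still count in the denominator (they were sent)."""
    firsts = first_events(log)
    groups = defaultdict(list)
    for user, dept in recipients.items():
        groups[dept].append(firsts.get(user, {}))
        groups["all"].append(firsts.get(user, {}))
    out = {}
    for dept, rows in groups.items():
        out[dept] = {"sent": len(rows)}
        for ev in ("click", "submit", "report"):
            delays = [r[ev] for r in rows if ev in r]
            out[dept][f"{ev}_rate"] = round(len(delays) / len(rows), 3)
            out[dept][f"median_{ev}_s"] = median(delays) if delays else None
    return out
```

A department with no submissions reports `median_submit_s` as `None` rather than zero, so an empty metric is not mistaken for an instant one.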

Risk Heatmap

A visual heatmap of your highest-risk departments and individuals — giving security leadership a clear picture of where targeted awareness training is most urgently needed.

Attack Narrative

A full documented narrative of the attack chain — from initial OSINT through to post-access actions — showing leadership exactly how far a real attacker would have gotten.

Training Roadmap

A tailored security awareness training plan addressing the specific weaknesses uncovered — including recommended modules, frequency, and measurable improvement targets.

Compliance Certificate

Signed assessment certificate mapped to ISO 27001 Annex A.7, PCI DSS Requirement 12.6, and GDPR Article 32 security awareness obligations for auditors and regulators.

Strict Authorisation & NDA

All engagements operate under a signed Rules of Engagement document and mutual NDA. All phishing infrastructure and captured data are fully decommissioned post-engagement.

// Find out before attackers do

How Far Would They Get?

Most organisations discover their human layer is compromised after a real breach. We find out first — safely, with full authorisation, and with a clear plan to fix what we find.