
Social Engineering Assessment

Your technical controls can be perfect and still fail if an employee clicks the wrong link or opens the door to the wrong person. Social engineering assessments measure and quantify your human attack surface — with results your security awareness program can act on.

Assessment types

  • Spear-phishing campaign — targeted emails with credential-harvesting lures or payload delivery, themed to your organization and industry
  • Vishing (voice phishing) — pretexting calls to employees targeting credential handoff, remote access approval, or sensitive information disclosure
  • Pretexting / impersonation — in-person or remote impersonation of vendors, IT staff, or executives to test information disclosure controls
  • USB drop — staged USB devices placed in target areas to test whether employees plug in unknown media
  • Combined campaign — multi-vector engagement using digital and physical social engineering simultaneously

What you get

  • Campaign metrics: emails sent, open rate, click rate, credential submission rate, reporting rate
  • Department and role breakdown — which teams were most susceptible
  • Specific pretext and lure analysis — what worked and why
  • Awareness gap findings — what training topics the results indicate are missing
  • Recommendations for training curriculum, reporting culture, and technical controls (MFA, email filtering)
  • Before/after comparison if this is a repeat or follow-up engagement

How a phishing campaign works

1 · Scoping & pretext design

We review your industry, vendors, and internal communication patterns to design a realistic pretext. Lure emails match the look and feel of communications your employees already receive — not generic "you've won a prize" templates.

2 · Infrastructure setup

Operator-controlled phishing infrastructure with a convincing lookalike domain and credential capture page. All activity hosted on infrastructure we control — no third-party SaaS platforms that could leak your employee list.

3 · Campaign execution

Emails delivered in batches to avoid triggering spam filters. Interaction tracked per recipient — open, click, credential submission, or report to IT. No actual credentials are stored; only the fact of submission is recorded.

4 · Victim handling

Employees who click are shown an immediate education page explaining the simulation. This converts a potential embarrassment into an in-the-moment learning opportunity without humiliating individuals.

5 · Metric compilation

Campaign results compiled by department, role, and time of click. Correlation with prior training completion, tenure, and technical controls (MFA, conditional access) documented where data is available.

6 · Reporting & debrief

Results presented to HR, security, and leadership with benchmarks against typical industry rates. Specific recommendations for training topics, reporting culture improvements, and technical email security controls.
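A defender-side illustration of steps 3 and 5, added here and not the firm's own tooling: the capture handler records only that a submission happened, and the compiler turns per-recipient tracking events into the department-level rates listed under "What you get". The log format, event names and sample recipients are constructed assumptions.

```python
"""Compile phishing-simulation metrics from per-recipient tracking events.

Assumed log format (constructed): one "recipient_id,department,event" line
per interaction, with event in sent/open/click/submit/report. Credentials
never enter the log: the capture handler keeps only the fact of submission.
"""
from collections import defaultdict

EVENTS = ("sent", "open", "click", "submit", "report")


def record_submission(recipient_id, department, form_fields):
    """Turn a posted login form into a tracking line, discarding every
    field value so that no real credential is ever written anywhere."""
    del form_fields  # intentionally unused: only the fact of submission counts
    return f"{recipient_id},{department},submit"


def compile_metrics(log_text):
    """Per-department and overall rates, counting each recipient at most once
    per event type (opening the lure three times is still one open)."""
    seen = defaultdict(lambda: defaultdict(set))  # dept -> event -> recipients
    for line in log_text.strip().splitlines():
        rid, dept, event = (part.strip() for part in line.split(","))
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r} for recipient {rid}")
        seen[dept][event].add(rid)
        seen["all"][event].add(rid)
    report = {}
    for dept, by_event in seen.items():
        sent = len(by_event["sent"])  # denominator: recipients actually targeted
        report[dept] = {"sent": sent}
        for event in EVENTS[1:]:
            rate = len(by_event[event]) / sent if sent else 0.0
            report[dept][f"{event}_rate"] = round(rate, 3)
    return report


# Constructed sample log: four recipients across two departments.
SAMPLE_LOG = """
r1,finance,sent
r1,finance,open
r1,finance,open
r1,finance,click
r2,finance,sent
r2,finance,open
r2,finance,report
r3,hr,sent
r3,hr,open
r3,hr,click
r4,hr,sent
""" + record_submission("r1", "finance", {"user": "x", "pass": "y"}) + "\n"

if __name__ == "__main__":
    for dept, metrics in compile_metrics(SAMPLE_LOG).items():
        print(dept, metrics)
```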

Best for

  • Organizations measuring the effectiveness of their security awareness training
  • Pre/post training measurement — run before training and 90 days after
  • Compliance requirements with a human-layer testing component (HIPAA, PCI, FFIEC)
  • High-risk departments: finance, HR, executive assistants, help desk
  • Post-incident root cause — a phishing email was the initial access vector

Find out where your human firewall has gaps

Tell us your employee count, target departments, and any prior training history and we'll design the right campaign.
