Social Engineering Assessment

Frequently, real-world attacks gain their initial foothold into an organisation not through exploiting exposed technical vulnerabilities but rather through their staff. Yet people are not the weakest link in security because they are careless. They are the most-targeted link because manipulating a person is so often easier than defeating a control - and because, in too many organisations, a single human mistake is allowed to be catastrophic. The Social Engineering Assessment measures how your organisation withstands that manipulation, using realistic, ethically-conducted campaigns built on intelligence about your actual organisation rather than generic templates.

Realistic Campaigns, Real Pretexts

Depending on scope, an engagement may include spear phishing tailored to specific roles using pretexts drawn from genuine organisational context, whaling targeted specifically at executives and leadership, vishing in which we telephone staff under a constructed pretext, smishing over SMS, and physical or hybrid pretexting. We might attempt to harvest credentials, prompt the execution of a benign tracking payload, or simply persuade someone to break a process - whichever objective best reflects the threat you actually face.

A staff member who might never fall for a standard scam might well prove susceptible to a phishing attempt crafted using information about your organisation specifically. The most convincing campaigns are informed by an OSINT Assessment, which supplies the names, relationships, and context a believable pretext depends on; as such, these services are natural complements. If you do not wish for an OSINT Assessment, we will instead base our social engineering campaigns on information you choose to share with us in a consultation meeting.

A Test Of Your Controls, Not Just Your People

A click should not be the end of the world, and so this is as much a test of the safety nets behind the human as of the human themselves. We observe whether your mail filtering flagged the lure, whether multi-factor authentication blocked the harvested credentials, whether the stolen session cookies actually permitted access, whether endpoint controls stopped the payload - and whether anyone reported the attempt, and how quickly. It also doubles as a live test of your incident process, since a reported phishing email is only useful if someone is positioned to triage and act on it quickly.

There is no such thing as perfect security, and nowhere is this more true than in human security, where the targets in question - humans - are inherently somewhat unpredictable. As such, the ability to withstand and respond to a successful phishing attack is as important as avoiding falling for phishing in the first place; both are critical aspects of a defence-in-depth strategy for your organisation's human security.

What This Assessment Is Not

No one wants to be the person who clicked on the link in the dodgy email, but our phishing simulations are not a trap laid to catch and embarrass individuals, and our Social Engineering Assessments are not intended to be exercises in naming-and-shaming employees who fall for phishing attempts. Every pretext is developed with you and approved before use, and we draw firm ethical lines: we avoid manipulations that would cause genuine distress, such as fake redundancies or bereavement lures. We are also mindful of the rights of employees and will not conduct tests that would violate laws around privacy, employment or harassment. Our goal is to strengthen your people and build security culture, not to instil fear. An employee who falls for a well-crafted lure has been failed by a process, not personally, and our reporting reflects that.

What You Receive

You receive a report on campaign outcomes - engagement rates, credential submission, reporting behaviour, control effectiveness - alongside specific, practical recommendations spanning awareness, process, and the technical measures that make human mistakes survivable. For organisations that further wish to contract a Staff Training service from us, we are glad to fold the results straight into such training, so the exercise becomes education rather than a one-off scare. The most valuable version is longitudinal: a baseline campaign, targeted training, then a follow-up that demonstrates measurable improvement in click and reporting rates.