Human Factors

Your people are your last line of defence.

Our social engineering assessments test the human layer of your security through bespoke phishing campaigns built around real-world pretexts relevant to your organisation, measuring employee awareness and your organisation's resilience to manipulation.

What we deliver

Testing the human layer.

Phishing Simulations

Targeted email phishing campaigns designed to mirror real-world attack techniques, from credential harvesting to malware delivery, measuring click rates and credential submission rates.

Bespoke Phishing Scenarios

Custom phishing campaigns built around real-world pretexts relevant to your organisation, from industry events and supplier communications to internal announcements.

Credential Harvesting & Reporting

Realistic login page replicas to measure credential submission rates, providing clear data on employee susceptibility to credential harvesting attacks.

Scope

Areas we can test.

Email Phishing Campaigns

Targeted spear-phishing and broad-based phishing campaigns measuring click rates and credential submission rates.

Credential Harvesting Pages

Realistic login page replicas to measure employee susceptibility to credential harvesting attacks, providing clear data on submission rates across the organisation.

Malware Simulation & ClickFix Attacks

Safe, non-destructive payload delivery including ClickFix-style attacks, simulating real-world malware delivery techniques to test email gateway and endpoint detection controls.

Bespoke Pretext Development

Custom scenarios built around real-world pretexts relevant to your organisation, such as industry events, supplier communications, or internal announcements.

Adversary-in-the-Middle (AiTM) Phishing

Advanced phishing techniques that proxy real login pages in real time, capturing session tokens to bypass multi-factor authentication and demonstrate the limitations of MFA alone.

Campaign Analysis

Detailed analysis of click rates and credential submission rates across the campaign.
How we work

Our assessment methodology.

Step 01

Scoping

We agree the engagement scope, including email whitelisting requirements and whether OSINT should be used to source targets or a full user list with email addresses will be provided.

Step 02

Scenario Design

We build realistic, targeted scenarios based on your sector, publicly available information, and agreed rules of engagement.

Step 03

Campaign Execution

Controlled delivery of phishing campaigns using the agreed pretexts, conducted safely with no real harm to systems or individuals.

Step 04

Analysis & Reporting

Reporting on campaign metrics including click rates and credential submissions, along with details of any access gained during the assessment.

Step 05

Awareness Reporting

Detailed findings on human vulnerability exposure with training recommendations and suggested awareness programme improvements.

What you receive

Engagement deliverables.

01

Campaign Results Report

Quantitative metrics on campaign performance: click rates, credential submission rates, and details of any access gained.

02

Awareness Training Recommendations

Targeted training recommendations based on campaign findings, helping you focus awareness investment where it matters most.

03

Consultant Debrief

A debrief session to walk through the results, answer questions, and discuss next steps for strengthening employee awareness.

04

Repeat Assessment Discount

Discounted rates on follow-up campaigns to measure improvement after awareness training is delivered.

FAQ

Frequently asked questions.

Will employees know they are being tested?

No. The value of a social engineering assessment depends on employees not being forewarned. We agree the scope and scenarios with senior stakeholders in advance, but the campaign is designed to be as realistic as possible. After the assessment, we recommend using the results as a positive learning opportunity rather than a punitive exercise.

What types of phishing do you simulate?

We focus on email-based phishing campaigns using bespoke pretexts tailored to your organisation. This includes targeted spear-phishing using real-world scenarios, credential harvesting pages, adversary-in-the-middle (AiTM) attacks that capture session tokens to bypass MFA, and ClickFix-style malware delivery simulations.

Can we run repeat campaigns to measure improvement?

Yes. Running repeat campaigns over time is one of the most effective ways to measure whether awareness is genuinely improving. We can run follow-up campaigns using different pretexts and compare click rates and credential submission rates against your previous results to track progress and identify areas that still need attention.

How are phishing scenarios created for our organisation?

We research your organisation to build realistic pretexts that employees would encounter in their day-to-day work. This could include referencing industry events your company has attended, mimicking communications from known suppliers, or replicating internal announcements. The more realistic the scenario, the more valuable the results in understanding your actual exposure.
Get Started

Ready to test your human defences?

Speak to a consultant about your social engineering assessment. We'll design a targeted scenario that tests your people without causing disruption.