Baseline through deepfake, governed end to end.

Humans remain the most reliably exploited attack vector. Phishing and social engineering drive the majority of initial access in real breaches — including the ones that become ransomware events and regulatory notifications. Simulation programmes measure actual susceptibility, deliver training at the moment it is most effective, and generate the documented awareness evidence that compliance frameworks require.

NIST SP 800-50 Rev. 1 · SANS Security Awareness Maturity Model · PCI DSS · ISO 27001 · SOC 2 · HIPAA

All campaigns operate under HR and legal-approved governance, defined targeting policy, and documented consent. No payload execution in production environments. Participant data handled with minimal collection and defined retention.

WHAT WE RUN

From baseline lures to deepfake scenarios.

Campaign Types

  • Baseline phishing: generic lures (delivery notifications, IT helpdesk, password reset) to establish an organisation-wide susceptibility baseline before targeted campaigns begin
  • Spear-phishing: personalised lures using OSINT-gathered context (name, role, manager, recent activity) targeting high-risk individuals: executives, finance, HR, and system administrators
  • Business Email Compromise (BEC): simulation of executive impersonation, vendor invoice fraud, and payroll redirect scenarios; the highest-cost social engineering attack type
  • Multi-stage attack simulation: phishing lure → credential harvest → simulated MFA push fatigue or MFA bypass → lateral access request; tests the full attack chain, not just the first click
  • AI-generated and deepfake scenarios: LLM-crafted personalised lures and, where approved, voice cloning / deepfake video impersonation of known contacts or executives
  • Vishing (voice phishing): phone-based social engineering testing helpdesk, finance, and executive assistants against pretexting and urgent authority scenarios
  • Smishing (SMS phishing): SMS-based lures targeting MFA-fatigue, package-delivery, and helpdesk-impersonation scenarios; scoped with explicit telecom-regulatory and works-council review where applicable

Governance & Safety

  • HR & legal approval: targeting policy, scenario review, and acceptable use boundaries signed off before any campaign launches
  • Opt-out criteria: defined exclusions for medical leave, bereavement, recent onboarding, and other circumstances where targeting is inappropriate
  • No production payload execution: simulation stops at click, credential entry, or download — no actual malware or ransomware executed
  • Pseudonymised reporting: individual results are pseudonymised in standard reports; named data accessed only by those with documented authorisation under agreed policy
  • Communications plan: pre-campaign leadership briefing and post-campaign employee communication drafted and approved in advance
  • Defined data retention: limits and certified secure disposal of campaign artefacts

MEASUREMENT

Real improvement, not just click rates.

A phishing programme without rigorous measurement is just a compliance tick-box. We track metrics that reflect real security improvement.

Susceptibility Metrics

  • Open rate, click rate, and credential-entry rate per campaign and cumulatively
  • Phishing susceptibility score (PSS) by department, role, and tenure cohort
  • Repeat-offender rate: individuals with multiple click events across campaigns
  • Improvement rate: change in susceptibility score between consecutive campaigns

Response Metrics

  • Report rate: percentage of simulation emails reported through official channels; a high report rate is the primary positive outcome
  • Mean time to first report (MTFR): how quickly the organisation detects and reports a simulated phishing email after delivery; reported separately from SOC MTTR (mean time to respond) to avoid metric collision
  • SOC/helpdesk escalation rate and false positive burden from simulation reports
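The susceptibility and response metrics listed above, computed from a constructed event log as an added illustration (not the provider's own tooling). The event model, the PSS weighting and the user identifiers are assumptions made for the example; the page does not define how PSS is weighted.

```python
from collections import defaultdict

# Constructed sample data (not real campaign output): two consecutive campaigns.
# Each event: (campaign, user, department, event, seconds after delivery).
EVENTS = [
    ("c1", "u1", "finance", "click", 120),
    ("c1", "u1", "finance", "credential", 150),
    ("c1", "u2", "finance", "report", 90),
    ("c1", "u3", "it", "report", 50),
    ("c1", "u4", "hr", "click", 300),
    ("c2", "u1", "finance", "click", 100),
    ("c2", "u2", "finance", "report", 40),
    ("c2", "u3", "it", "report", 20),
    ("c2", "u4", "hr", "report", 200),
]
# Everyone the lure was delivered to, including those who did nothing (the denominator).
USERS = {"u1": "finance", "u2": "finance", "u3": "it", "u4": "hr"}
RECIPIENTS = {"c1": USERS, "c2": USERS}

def _cohort(campaign, dept=None):
    return {u for u, d in RECIPIENTS[campaign].items() if dept in (None, d)}

def rate(campaign, event, dept=None):
    """Share of recipients (optionally one department) with at least one such event."""
    cohort = _cohort(campaign, dept)
    actors = {u for c, u, _, e, _ in EVENTS if c == campaign and e == event and u in cohort}
    return len(actors) / len(cohort) if cohort else 0.0

def pss(campaign, dept=None):
    """Phishing susceptibility score. Assumed definition (not given on the page):
    click rate plus credential-entry rate, so entering credentials counts double."""
    return rate(campaign, "click", dept) + rate(campaign, "credential", dept)

def improvement(earlier, later, dept=None):
    """Drop in PSS between consecutive campaigns; positive means the cohort improved."""
    return pss(earlier, dept) - pss(later, dept)

def repeat_offenders(min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    clicks = defaultdict(set)
    for c, u, _, e, _ in EVENTS:
        if e == "click":
            clicks[u].add(c)
    return {u for u, cs in clicks.items() if len(cs) >= min_campaigns}

def time_to_first_report(campaign):
    """Seconds from delivery to the first user report (averaged over campaigns this
    becomes MTFR). A user-detection figure, kept apart from SOC MTTR."""
    times = [t for c, _, _, e, t in EVENTS if c == campaign and e == "report"]
    return min(times) if times else None
```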

Programme Metrics

  • Training completion rate following just-in-time triggers
  • Trend line across campaigns: overall susceptibility trajectory
  • SANS Security Awareness Maturity Model level progression over time
  • Compliance coverage: documented awareness evidence mapped to PCI DSS, ISO 27001, SOC 2, and HIPAA requirements

INTEGRATION

Wired into your SOC and your training programme.

SOC & Helpdesk Integration

  • Phish-report button deployment: one-click reporting integrated with major email clients; reports routed directly to SOC triage queue
  • Deconfliction SLA: simulation emails reported to SOC are confirmed as exercises within an agreed window, preventing unnecessary incident escalation
  • SIEM integration: simulation campaign metadata fed to SIEM for correlation; enables SOC to distinguish simulation from genuine attack during active campaign windows
  • Detection rule recommendations based on lure types used, improving real-attack detection
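How the deconfliction and SIEM-correlation items above fit together, as an added example that is not the provider's integration code: campaign metadata is pushed ahead of launch, and a user's report is closed as an exercise only on a full match, while anything that merely resembles the campaign is escalated with the mismatching fields. The campaign identifier, sender domain, subject line and user names are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

def subject_hash(subject):
    """Normalise and hash the subject so the lure text itself never sits in the SIEM."""
    return hashlib.sha256(subject.strip().lower().encode()).hexdigest()

# Constructed campaign metadata (hypothetical identifier and domain, not a real campaign)
# in the shape a simulation platform would push to the SIEM before launch.
CAMPAIGNS = [{
    "id": "sim-q1-helpdesk",
    "sender_domain": "helpdesk-example.test",
    "subject_hashes": {subject_hash("Action required: password expires today")},
    "window": (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 6, 17, 0)),
    "recipients": {"u1", "u2", "u3"},
}]

def make_report(user, sender_domain, subject, reported_at_iso):
    """A phish-report-button submission as it reaches the SOC queue."""
    return {"user": user, "sender_domain": sender_domain, "subject": subject,
            "reported_at": datetime.fromisoformat(reported_at_iso)}

def classify_report(report, campaigns=CAMPAIGNS, grace=timedelta(hours=48)):
    """Decide whether a reported email is a known exercise or must be escalated.

    Only a full match (sender, subject, recipient, send window plus a grace period
    for late reports) is closed as a simulation. Anything that merely resembles a
    campaign is escalated with the mismatching fields, because a lookalike sender
    or an out-of-window message is what an attacker riding on the exercise looks like."""
    near_miss = None
    for c in campaigns:
        start, end = c["window"]
        checks = (
            ("sender_domain", report["sender_domain"] == c["sender_domain"]),
            ("subject", subject_hash(report["subject"]) in c["subject_hashes"]),
            ("recipient", report["user"] in c["recipients"]),
            ("window", start <= report["reported_at"] <= end + grace),
        )
        mismatches = [name for name, ok in checks if not ok]
        if not mismatches:
            return {"verdict": "simulation", "campaign": c["id"], "mismatches": []}
        # Sender or subject matched: keep the campaign reference for the analyst.
        if "sender_domain" not in mismatches or "subject" not in mismatches:
            near_miss = {"verdict": "escalate", "campaign": c["id"], "mismatches": mismatches}
    return near_miss or {"verdict": "escalate", "campaign": None, "mismatches": []}
```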

Just-in-Time Training

  • Immediate educational landing page on click — explains the specific red flags present in the lure that was used, not generic advice
  • Micro-lessons (2–4 minutes) targeting the exact technique demonstrated: urgency tactics, domain spoofing, lookalike sender addresses, and credential request patterns
  • Repeat-offender escalation path: additional targeted training for individuals who click in multiple campaigns
  • Training completion tracked and reported for compliance evidence

DELIVERABLES

What lands per campaign and per quarter.

Per Campaign

  • Campaign plan: scenario rationale, targeting scope, timing, and governance approval record
  • Technical delivery report: infrastructure used, send confirmation, and delivery rates
  • Results dashboard: click rates, credential-entry rates, and report rates by department and role
  • Department heatmap highlighting highest-susceptibility cohorts

Executive Report

  • Non-technical narrative: what was tested, what was found, and what it means for organisational risk
  • Trend analysis across campaigns with improvement trajectory
  • Comparison against industry benchmarks where available
  • Board-ready risk summary with recommended investment priorities

Compliance & Remediation

  • Compliance evidence package: campaign records, training completion rates, and metrics mapped to PCI DSS, ISO 27001, SOC 2, and HIPAA requirements
  • Remediation plan: technical controls (email gateway tuning, MFA enforcement), training interventions, and process changes
  • Repeat-offender action plan and escalation recommendations for HR