Hack the Human.
Before Attackers Do.

Social Engineering Testing is a controlled security assessment that simulates the psychological manipulation techniques used by real attackers — phishing, vishing, pretexting, baiting, and physical intrusion. Unlike technical penetration testing, it targets human behaviour and decision-making to measure your organisation's human-factor risk.

We simulate spear phishing, mass phishing, vishing (voice calls), smishing (SMS), USB baiting, tailgating and physical intrusion, pretexting scenarios, business email compromise (BEC), CEO fraud, and OSINT-based reconnaissance. Attack scenarios are customised to reflect the specific tactics most likely to target your industry.

Phishing sends generic fraudulent emails to large groups. Spear phishing is highly targeted — attackers research specific individuals and craft personalised messages referencing their role, colleagues, or recent activities to make the deception convincing. Spear phishing accounts for the majority of successful breaches and requires specialised testing techniques.

Employees who interact with simulated attacks are immediately redirected to a brief, non-punitive educational page explaining the warning signs they missed and the correct response. This "teachable moment" approach is far more effective than post-campaign group training. Managers receive anonymised departmental reports; individual results are handled sensitively per your HR policy.

Properly scoped engagements have minimal operational disruption. Phishing and vishing tests occur during normal working hours with no system impact. Physical assessments are conducted with senior management authorisation and defined rules of engagement. All testing is governed by a signed statement of work that defines scope, timing, and safety boundaries.

Key metrics include: phishing click rate, credential submission rate, report rate (employees who flagged the attack), mean time to report, and susceptibility by department, role, and seniority. Repeat campaigns measure improvement over baseline, with most organisations achieving a 60–80% reduction in susceptibility within six months of continuous testing.

Social engineering testing satisfies security testing requirements in ISO 27001 (A.7.2, A.12.6), PCI DSS (Requirement 11.3), NIST SP 800-53 (AT-2, CA-8), SOC 2 (CC6), and HIPAA security rule (§164.308). We provide detailed, timestamped reports and certificates of testing suitable for direct submission to auditors.

We recommend continuous low-frequency phishing simulations (monthly or bi-monthly) combined with one to two comprehensive full-scope campaigns per year that include vishing, physical, and pretexting vectors. This cadence maintains vigilance, catches new hires early, and provides the trend data needed to demonstrate measurable security improvement to stakeholders.