The Most Underestimated Attack Vector

In a survey of major breaches between 2020 and 2025, social engineering was the initial access vector in 68% of cases. Not unpatched software. Not misconfigured infrastructure. People. Your technical controls can be perfect, and a single well-crafted phishing email can bypass all of them.

Social engineering assessments are uncomfortable. They reveal organizational culture gaps, not just technical ones. They also provide the most realistic picture of your actual susceptibility to real-world attacks.

What We Test

Phishing Campaigns

We craft targeted spear-phishing emails based on real OSINT about your organization — not generic “click here to reset your password” templates that anyone can spot. Our campaigns typically involve:

Research phase:
  • LinkedIn mapping of target department
  • Technology stack inference from job postings
  • Recent company news and announcements
  • Email format enumeration

Pretext construction:
  • IT department system notification (most effective)
  • Executive impersonation (highest risk scenario)
  • Vendor/supplier impersonation
  • Industry-specific pretexts (healthcare, finance)

Vishing (Voice Phishing)

Phone-based social engineering is criminally underassessed. We test:

  • Helpdesk: can an attacker reset MFA or credentials by calling your IT helpdesk?
  • Executive impersonation: will finance execute wire transfers on verbal instruction?
  • Vendor impersonation: can an attacker gain access to systems by claiming to be a support technician?

Physical Security Testing

For clients with physical premises, we test:

  • Tailgating and piggybacking into secure areas
  • Pretexting for physical access (maintenance worker, delivery person, IT technician)
  • USB drop attacks (will employees plug in found USB drives?)
  • Dumpster diving for sensitive documents (you would be surprised)
  • Badge cloning (proximity card vulnerabilities)

What We Do NOT Do

We operate with strict ethics:

  • No psychological manipulation targeting known mental health vulnerabilities
  • No testing of individuals we know are under significant personal stress
  • Immediate halt if a target becomes distressed
  • All activities documented and within agreed rules of engagement
  • No data is ever exfiltrated — we prove access, we do not use it

Metrics and Reporting

Social engineering reports go beyond “X% of employees clicked.” We provide:

  • Department-level susceptibility breakdown
  • Time-to-click metrics (how quickly employees clicked)
  • Post-phishing behaviour analysis (did they report it?)
  • Credential submission rate
  • MFA bypass success rate
  • Recommended training topics tailored to failure patterns
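As an added illustration of how these metrics are derived (this is example code, not the assessment tooling described on this page), the script below computes department-level susceptibility, time-to-click, credential submission rate and post-click reporting behaviour from a constructed campaign log; the field names and sample rows are assumptions.

```python
# Added example: derive the reporting metrics listed above from a
# constructed phishing-simulation log. Field names are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: one row per recipient of the simulated phish.
EVENTS = [
    {"user": "a.jones", "dept": "Finance", "sent": "2025-03-03T09:00:00",
     "clicked": "2025-03-03T09:04:00", "submitted": True, "reported": None},
    {"user": "b.singh", "dept": "Finance", "sent": "2025-03-03T09:00:00",
     "clicked": None, "submitted": False, "reported": "2025-03-03T09:02:00"},
    {"user": "c.ruiz", "dept": "IT", "sent": "2025-03-03T09:00:00",
     "clicked": "2025-03-03T09:30:00", "submitted": False,
     "reported": "2025-03-03T09:31:00"},
    {"user": "d.chen", "dept": "IT", "sent": "2025-03-03T09:00:00",
     "clicked": None, "submitted": False, "reported": None},
]


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for a missing event."""
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events):
    """Return per-department click, credential, report and time-to-click stats."""
    acc = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0,
                               "reported": 0, "reported_after_click": 0, "ttc": []})
    for e in events:
        d = acc[e["dept"]]
        d["sent"] += 1
        if e["clicked"]:
            d["clicked"] += 1
            # minutes from delivery to click (the "time-to-click" metric)
            d["ttc"].append((_ts(e["clicked"]) - _ts(e["sent"])).total_seconds() / 60)
            if e["reported"]:
                d["reported_after_click"] += 1  # clicked, then still reported it
        d["submitted"] += 1 if e["submitted"] else 0
        d["reported"] += 1 if e["reported"] else 0
    return {
        dept: {
            "click_rate": d["clicked"] / d["sent"],
            "credential_rate": d["submitted"] / d["sent"],
            "report_rate": d["reported"] / d["sent"],
            "reported_after_click": d["reported_after_click"],
            "median_ttc_min": median(d["ttc"]) if d["ttc"] else None,
        }
        for dept, d in acc.items()
    }
```

The per-department rates feed the susceptibility breakdown, while the reported-after-click count is the behavioural signal that separates a user who clicked and went quiet from one who clicked and escalated.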

Building a Security Culture

The goal of a social engineering assessment is not to embarrass staff — it is to identify where additional awareness training, process controls, and technical controls are needed. We provide post-assessment training recommendations and can deliver security awareness workshops to address identified gaps.

The best technical security posture in the world is neutralized by one employee who holds the door open for a stranger in a hi-viz vest. Contact us to discuss a social engineering assessment for your organization.