Security Testing
Measure how your people respond to realistic phishing, phone and in-person attacks — with evidence, not blame.
Attackers long ago worked out that it is easier to deceive a person than to defeat a firewall. Social engineering testing measures how your organisation actually responds when someone tries — with realistic, authorised simulations across email, SMS, telephone and in person.
We deliver three assessments, separately or combined. Phishing assessments simulate realistic email attacks tailored to your sector and threat landscape. Smishing and vishing assessments cover SMS and telephone — the channels most awareness programmes underrepresent, and the ones fraudsters increasingly favour. Physical security assessments test whether your premises, visitor procedures and staff would stop an intruder with a convincing pretext.
The scenarios are never generic. A phishing campaign against a law firm looks nothing like one against a logistics business, so every engagement begins with scenario design built around your sector, your brand and the threats you actually face — supplier invoice fraud, IT helpdesk impersonation, HR notifications, delivery pretexts and credential resets. Voice scenarios impersonate the plausible third parties criminals use every day: IT support, HMRC, suppliers and bank fraud teams. Realism is what makes the measurement meaningful.
Every engagement is designed to measure, not to catch people out. You get quantified susceptibility rates, cohort breakdowns by department and location, and — just as importantly — data on positive behaviours: who reported the phish, who challenged the visitor, who escalated the suspicious call. That evidence tells you where awareness effort and process changes will make the most difference.
Nothing happens without your written authorisation. Scenarios, rules of engagement and boundaries are agreed and the Statement of Work is signed before any activity begins; our consultants carry authorisation letters on-site, use no real malware, and cause no damage, force or distress. Results are documented in real time and delivered through Sentry with a full report, executive summary and debrief.
The outputs double as compliance evidence for the human and physical security controls in ISO 27001 and PCI DSS, and give boards an honest measure of human risk. Many clients run recurring quarterly or bi-annual programmes to track improvement against their baseline — and when you want continuous, automated simulation and training rather than point-in-time assessment, our Human Risk Management service picks up exactly where these engagements leave off. Because these assessments deliberately exclude technical exploitation, they also pair cleanly with penetration testing: one measures your systems, the other your people, and together they cover the two ways every real attack begins.
Susceptibility rates, disclosure rates and escalation behaviour measured with real data, not assumptions.
Pretexts built around your sector, brand and current threat landscape — the attacks you would actually face.
Email, SMS, telephone and in-person testing, run separately or combined into one programme.
Signed authorisation before any activity, no real malware, and no damage, force or distress — ever.
Reporting, challenging and escalation are tracked alongside failures, so you see what is working too.
Results support the human and physical security requirements of ISO 27001 and PCI DSS.
A questionnaire and scoping call establish your objectives, then we design realistic scenarios tailored to your sector, brand and threat landscape. Rules of engagement are agreed and the Statement of Work is signed before any activity begins. Typically one to two weeks.
Campaigns, calls or on-site attempts run within the agreed window, with every interaction documented in real time so nothing rests on anecdote.
We analyse the results and deliver a report and executive summary through Sentry, followed by a debrief session. For recurring programmes, each round is benchmarked against your baseline so you can evidence improvement.
Straight answers to what prospective clients ask us most.
No. Reporting is at cohort level — by department or location — because the goal is to improve controls and awareness, not to blame individuals. The strongest outcomes come from treating results as an organisational measure, and we will help you position it that way.
Yes, when properly authorised — which is exactly how we run it. Scenarios and rules of engagement are agreed in writing before any activity, consultants carry authorisation letters during physical assessments, and no engagement uses real malware or causes damage or distress.
A one-off engagement gives you an honest baseline; recurring quarterly or bi-annual programmes show whether your awareness investment is working, with each round benchmarked against the last. For continuous automated simulation and training, our Human Risk Management service is the natural next step.
No — these engagements measure susceptibility and produce targeted recommendations, which is deliberately separate from training delivery. Our Human Risk Management service provides the ongoing training and simulation side, informed by what the assessments find.
Get a fixed-scope quote, usually the same working day.