Security Testing
Realistic email, SMS and voice attack simulations that measure who clicks, who discloses — and who reports.
You can buy every technical control on the market and still be one convincing email away from an incident. A phishing assessment gives you the number your board actually wants: when a realistic attack lands in your people's inboxes, phones and headsets, what happens next?
Our phishing assessments simulate realistic email attacks using scenarios designed around your sector, brand and current threat landscape — IT helpdesk requests, HR notifications, supplier invoices, delivery notices, credential resets. Campaigns track link clicks, credential submissions and attachment executions, and just as importantly, reporting actions — because staff who raise the alarm are your best early-warning system. Realistic landing pages can be included; real malware never is.
Email is only one channel. Smishing assessments send SMS messages to agreed recipients and track click and response rates. Vishing assessments go further: our consultants call your staff impersonating plausible third parties — IT support, HMRC, a supplier, a bank fraud team — and test what gets disclosed, whether unsafe instructions are followed, and whether the call gets escalated. These are the channels most awareness programmes underrepresent, and attackers know it.
Results are broken down by cohort — department and location — so you can see exactly where susceptibility concentrates, and delivered through Sentry as a full report with susceptibility rates, per-scenario breakdowns, an executive summary and recommended actions, followed by a debrief. Channels can be run separately or combined into a single engagement, and the debrief focuses on practical next steps: which cohorts need attention, which processes failed and what to change first.
Everything is agreed in writing before any activity begins: scenarios, recipients, rules of engagement, signed Statement of Work. Many clients repeat the exercise quarterly or bi-annually to benchmark improvement — and when you are ready for continuous, automated simulation and training, our Human Risk Management platform takes over from there.
Pretexts tailored to your sector and brand — supplier invoices, IT resets, delivery notices — not generic templates.
Phishing, smishing and vishing tested separately or combined, covering the channels attackers actually use.
We track who raised the alarm as well as who fell for it — your reporting rate is a defence worth measuring.
Results by department and location show where awareness effort will pay off most.
Realistic landing pages and pretexts with nothing dangerous behind them, under signed authorisation.
Quarterly or bi-annual repeats measure improvement against your baseline.
A questionnaire and scoping call establish your objectives, then we design realistic scenarios tailored to your sector, brand and threat landscape. Rules of engagement are agreed and the Statement of Work is signed before any activity begins. Typically one to two weeks.
Campaigns, calls or on-site attempts run within the agreed window, with every interaction documented in real time so nothing rests on anecdote.
We analyse the results and deliver a report and executive summary through Sentry, followed by a debrief session. For recurring programmes, each round is benchmarked against your baseline so you can evidence improvement.
Straight answers to what prospective clients ask us most.
Results are reported at cohort level — by department or location — to drive improvement rather than blame. What we measure includes positive actions like reporting, so the exercise recognises good behaviour as well as gaps.
No. Campaigns use tracked links, safe attachments and optional realistic landing pages — nothing that could harm a device or your network. The realism comes from the scenario design, not from dangerous payloads.
Yes. The three channels can run as separate engagements or one combined assessment — combining them shows whether staff who are sharp on email stay sharp when the same pretext arrives by text or phone call.
This is a point-in-time, consultant-designed measurement of how your people respond to realistic attacks. Ongoing automated simulation and training is a different job — that is what our Human Risk Management service provides, and the two work best together.
An initial assessment sets your baseline; quarterly or bi-annual repeats show whether awareness investment is working. We benchmark each round against the last so the trend is visible, not anecdotal.
Get a fixed-scope quote, usually the same working day.