1
Scope and rules
Goal, group, timing, and what is in-scope and out-of-scope.
Phishing tests that show real risk
Related: Phishing tests and Security awareness training.
Controlled phishing simulations for teams. We measure clicks, reporting, response time, and follow-up - not just a number.
What you get
- Clear scope and rules, agreed upfront
- Safe setup, no credential capture and no payloads
- Metrics that matter: reporting rate, time to report, time to close the loop
- Simple report with practical actions for people, process, and settings
- Optional retest to prove improvement
Blind spot: optimizing for a low click rate alone can reduce reporting. Reporting and follow-up is the real win.
Service options
High level only, no abuse instructions.
Email phishing simulation
Measure clicks, reporting, and time to report, per scenario and target group.
Smishing simulation
Mobile-focused scenarios, measuring escalation and reporting behavior.
Vishing awareness test
Test verification steps and how people handle phone-based requests.
Reporting process test
Where does a report land, who owns follow-up, how fast does the loop close.
Report and improvement plan
Results in plain English, plus concrete improvements for people, process, and settings.
Awareness training, based on results
Training topics based on what actually went wrong in your test results.
What we measure
- Click rate and repeat clicks (trend over time)
- Reporting rate (how many people report, and how fast)
- Time to first report, and time to close the loop
- Which teams and scenarios create the most risk
- Where reports end up (mailbox, ticketing, SOC) and how they are handled
Blind spot: if you only chase a lower click rate, you can train people to stay quiet. Reporting and follow-up is the goal.
How it works
2
Scenario design
Realistic, safe scenarios aligned to your environment.
3
Run and measure
Controlled execution, monitoring, and measurement.
4
Report and actions
Clear results and practical changes you can implement.
FAQ
Answers to the questions we get most.
Do you capture passwords?
No. We do not collect credentials. The goal is behavior and reporting, not tricking people into handing over secrets.
Is this safe for staff?
Yes. Scope and rules are agreed upfront. No malware, no harmful attachments, no panic content.
Will this blame people?
No. Results are used to improve habits and process. We focus on what to change, not who to shame.
How long does it take?
Usually a short intake, then scenario setup, then the run. Timing depends on scope and number of groups.
Can you test the reporting process too?
Yes. We can measure if reports land in the right place, and whether follow-up happens.
How often should we run this?
A sensible start is quarterly, plus after major changes like new joiners, new tooling, or new processes.