Offensive · Service

Phishing Simulation & Security Awareness

Train the click, not the fear.

Realistic phishing simulations designed to assess employee preparedness against social engineering attacks.

  • 35% → 4%: typical click rate in 6 months
  • 12 lures: rotated per quarter
  • 90 sec: average micro-training length
  • GDPR-safe: no individual shaming
Overview

Structured security-awareness programs enhance organizational resilience by promoting secure user behaviour and threat recognition. Campaigns are customized to your company context and delivered with just-in-time coaching.

What you receive
  • Campaign design & calendar
  • Per-employee risk scoring
  • Manager dashboards
  • Quarterly awareness review
  • Just-in-time micro-training module
Cadence
7-day setup · quarterly campaigns
Compliance mapping
PCI DSS 12.10 · ISO 27001 A.6.3 · SOC 2 CC2.2 · HIPAA §164.308(a)(5) · NIST SP 800-50
Outcomes
  • Measurable reduction in click rate and time-to-report
  • Behaviour-based risk score per department
  • Evidence package for auditors and cyber-insurance renewal
  • Culture shift from 'don't click' to 'report fast'
Methodology

How the engagement runs. Phase by phase.

PHASE 01

Baseline assessment

Unannounced baseline campaign establishes honest click/report rates per department.

2 weeks
PHASE 02

Segmentation

Risk scoring by role, tenure, and previous incidents; define tiers.

1 week
PHASE 03

Campaign design

Quarterly calendar with 3–4 lures per tier, aligned to your threat model.

2 weeks
PHASE 04

Launch & training

Staggered sends, just-in-time micro-training, manager visibility dashboards.

Ongoing
PHASE 05

Quarterly review

Cohort comparison, trend analysis, program tuning, board-level summary.

Every 90 days
Tools & stack

What we actually use. No secrets.

Every tool earns its place. We publish our stack so your team can audit, review, and integrate with what we bring.

Platform
  • GoPhish (hardened build): campaign orchestration, landing pages, tracking
  • KnowBe4 / Proofpoint (optional): enterprise training library integration
Integration
  • Microsoft Defender for Office 365: attack simulator + report-phish button wiring
Content
  • Custom lure library: 50+ industry-specific templates (vendor, HR, IT)
Advanced
  • Evilginx2 (scoped): MFA-aware reverse-proxy phishing for red-team ops
Email
  • DMARC / DKIM / SPF tooling: sender reputation and deliverability validation
Analytics
  • Power BI / Looker dashboards: departmental risk trends, cohort comparison
Training
  • LMS integration (SCORM): auto-enroll clickers into targeted micro-courses
Techniques

How we do the work. Not just what.

T.01

Graduated difficulty

Start with obvious lures and escalate to plausible spear-phishing that matches your vendor landscape.

T.02

Context-aware pretexts

Lures reference real vendors, recent company news, and quarterly events, not generic Nigerian-prince templates.

T.03

Report-first incentives

Reward reporting behaviour, not just non-clicking. A reported phish is worth more than an ignored one.

T.04

Just-in-time coaching

Clickers see a 90-second micro-lesson immediately. Retention is 6× higher than quarterly training.

T.05

Executive tier

High-risk roles (finance, execs, admins) get separate, harder lures aligned to BEC playbooks.

T.06

MFA-aware lures (optional)

For red-team engagements: Evilginx-based reverse proxy to test MFA fatigue and token replay detection.

From the field

Real problems. Real fixes.

Anonymized incidents from actual engagements: what broke, why it mattered, and how we fixed it.

01
Problem

Executive team refused to participate. They saw simulations as 'gotcha' exercises.

Impact

The highest-value targets were excluded, so BEC risk remained unmeasured.

Resolution

Reframed program around team reporting rates (not individual shame). Ran a closed-door exec tabletop first. Participation went from 0 to 100% once leaders saw the dashboard focused on team learning, not blame.

02
Problem

First campaign's click rate was 42%, creating a risk of a morale crisis.

Impact

HR leadership wanted to pause the program after week one.

Resolution

Shifted the narrative: the 42% was already happening with real attackers; the program only made it visible. Paired with a 2-week reporting championship, the rate dropped to 18% by month two.

03
Problem

Client's email gateway marked our sends as phishing, skewing delivery.

Impact

Campaigns looked effective only because emails never arrived.

Resolution

Allow-listed our sending domain at the gateway and measured raw delivery and user behaviour separately. Later simulations tested whether the gateway catches our lures; that gap became a separate finding.

Data model

Campaign telemetry flow

Every event (delivered, opened, clicked, reported, trained) is captured and de-identified for aggregate reporting.

Flow (input → process → store → output): Lure design → Campaign send → User interaction → Micro-training (if clicked) → Event warehouse → Manager dashboard → Quarterly review.
Metrics we ship against

Targets, not promises.

| Metric | Our target | Baseline (industry avg) |
| --- | --- | --- |
| Click rate | < 5% by month 6 | Industry avg start: 28–35% |
| Report rate | > 40% of delivered lures | Industry avg: 11% |
| Repeat-clicker reduction | > 70% after 2 campaigns | Untrained: ~0% |
| Mean time to report | < 4 minutes from delivery | Industry avg: 18 minutes |
Questions we hear

Answered plainly.

Have something we didn't cover? Ask us directly →

Will employees feel punished?
No. Our program design explicitly avoids individual shaming. Dashboards are team-level; coaching is positive and private.
Can we integrate with our existing training platform?
Yes. SCORM/LMS integration is standard, and we work with KnowBe4, Proofpoint, and Microsoft Attack Simulator.
Is this GDPR / PIPEDA compliant?
Yes. We process aggregate behaviour data; personally identifiable data stays within your tenant. A DPA is included.
How do you handle MFA-aware phishing?
For red-team scenarios we can simulate MFA-fatigue and reverse-proxy lures to test token replay detections. This is scoped separately with explicit written authorization.