Social Engineering Testing & Phishing Simulations
Your technical defences mean nothing if an employee clicks the wrong link or holds the door open for a stranger. We run realistic, measurable social engineering campaigns that expose human risk before real attackers exploit it: phishing simulations, executive whaling, vishing, pretexting, USB drops, and physical access testing, all delivered by a CREST-certified principal consultant with 20+ years of enterprise technology and cybersecurity experience.
Social engineering testing measures the human attack surface of your organisation, through targeted phishing, spear phishing, vishing, USB drop attacks, pretext-based intrusion, and physical access testing. CSPI engagements are principal-led and tailored to your industry threat model: Bay Street financial services see counterparty-impersonation phishing; Ontario healthcare sees ransomware-precursor credential harvesting; SaaS organisations see executive whaling tied to wire-transfer authorisation. Engagement length is 2-6 weeks depending on attack vectors in scope. Deliverables include click-rate metrics, credential-capture statistics, response-time analysis, dwell-time measurement, and detection-gap mapping for your SOC. Aligned to NIST SP 800-115, MITRE ATT&CK Initial Access, and PCI-DSS social engineering requirements. Includes blue team debrief.
Why Human Risk Is Your Largest Attack Surface
Industry data consistently shows that the majority of successful breaches begin with a human, not a software vulnerability. Attackers invest heavily in social engineering because it works: a convincing pretext bypasses firewalls, EDR, and MFA alike. Social engineering penetration testing gives you an objective, evidence-based measurement of your organisation's susceptibility before a threat actor runs the same campaign for real.
At Cyber Security Pentesting Inc., every social engineering assessment is scoped and executed by Arturs Stay, a CREST-certified, OSCP/OSEP-credentialed principal consultant with 20+ years of enterprise technology and cybersecurity experience. We build custom pretexts, register lookalike domains, clone portals, and craft voice scripts tailored to your industry and threat landscape. You receive per-department risk scores, department-level click and credential metrics, and a prioritised security awareness roadmap that your HR, IT, and executive leadership teams can act on immediately.
Attack Campaigns We Run
Every campaign uses real attacker tradecraft. We do not rely on off-the-shelf phishing platforms with default templates. Each engagement is built from scratch to reflect the threats your organisation actually faces.
What We Measure
Social engineering testing without rigorous measurement is theatre. Every campaign we run produces quantified, benchmarkable data that your CISO, security team, and board can act on. The metrics below are tracked at the individual, department, and organisational level.
Deliverables
Every social engineering engagement concludes with a structured report package designed for three audiences: your technical security team, your HR and L&D function, and your executive leadership or board. Findings are never sent by email; we deliver reports in a secure debrief session and walk through every metric, scenario outcome, and recommendation.
- Executive Summary: Non-technical narrative of campaign scope, key findings, overall human risk rating, and strategic recommendations for leadership and audit committees.
- Per-Department Risk Scores: Composite risk rating for every department tested, with individual breakdown by campaign vector: phishing click rate, credential submission rate, vishing susceptibility, and physical access outcomes. Includes comparison to prior engagement baselines if available.
- Individual Interaction Log: Timestamped record of every tracked interaction (link click, credential entry, USB plug-in, call response) with anonymisation options available to comply with your HR policies.
- Campaign Technical Appendix: Full technical detail on every pretext built, domain registered, landing page deployed, and payload used, with screenshots and source artefacts for your security team's review.
- Security Awareness Recommendations: Tailored, prioritised training programme recommendations for each department and risk tier, including suggested content, delivery format, and re-test timeline. Mapped to real-world threats facing your industry.
- Physical Intrusion Evidence Package: Photographic documentation of every physical access control bypassed, with timestamps, access path narrative, and remediation recommendations for your facilities and physical security teams.
- Remediation Roadmap: Prioritised list of technical and process controls to implement (email gateway tuning, MFA enforcement, physical access hardening, and reporting workflow improvements), each with a recommended implementation timeline.
- Re-Test Baseline Data: All campaign metrics retained in a structured format to enable direct comparison in future engagements, demonstrating measurable improvement in your security culture over time.
Methodology References
Our social engineering assessments are grounded in established industry standards and frameworks. We do not invent our own methodology; we apply the standards your auditors, regulators, and insurers recognise.
- NIST SP 800-61 r3 (Incident Response Handling): Informs how we structure time-to-report measurement and evaluate your organisation's detection and escalation capabilities in the context of a live social engineering incident.
- Social-Engineer Toolkit (SET): The industry-standard open-source framework for phishing infrastructure, credential harvesting portals, and payload delivery. Deployed alongside custom tooling developed in-house.
- MITRE ATT&CK, Initial Access (TA0001): Campaign TTPs are mapped directly to MITRE ATT&CK Initial Access techniques including T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1091 (Replication Through Removable Media), and T1200 (Hardware Additions). Findings reference specific technique IDs to enable threat intelligence and detection engineering alignment.
- PTES (Penetration Testing Execution Standard), Social Engineering Section: Governs our engagement scoping, rules of engagement documentation, and campaign execution phases.
- OWASP Testing Guide, Identity Management and Authentication Testing: Applied to credential harvesting analysis and MFA bypass scenario design.
Combine Social Engineering with Other Assessments
Social engineering is most powerful when combined with technical testing. Threat actors chain human and technical attacks; your assessment programme should too. These services pair directly with social engineering testing.
Tell us your industry, headcount, and what you are most concerned about. We will scope a social engineering testing programme sized to your organisation, agree rules of engagement that satisfy your legal and HR teams, and deliver measurable results within a clearly defined timeline.
Frequently Asked Questions
What types of social engineering campaigns do you run?
Email phishing at multiple sophistication levels, executive whaling against named targets, voice phishing (vishing) against support and helpdesk paths, SMS phishing where in scope, pretexting against specific business processes (vendor impersonation, IT impersonation, finance request impersonation), and physical access testing where the engagement scope includes site visits. Campaigns can be standalone or chained as the initial-access vector for a larger red team engagement.
How do you obtain and document authorization before a campaign?
Every social engineering engagement begins with a written rules-of-engagement document signed by an authorised executive sponsor. The document specifies in-scope targets, out-of-scope individuals, permitted techniques, communication channels for active campaigns, escalation paths, and explicit authorisation to send simulated phishing emails and receive captured credentials. No campaign begins without this document in place.
How are captured credentials handled under PIPEDA?
Captured credentials are treated as personal information under PIPEDA Schedule 1, Principle 7. They are stored encrypted in an engagement-specific data vault, never sent in plaintext over email, and destroyed at engagement closure. We do not retain captured credentials after the engagement except as required to support the report and remediation re-test, and even then only in aggregated form rather than individual records.
How do you measure success in a phishing campaign?
Click rates and credential-entry rates are surface metrics, but the meaningful measurement is detection and response. Did the security team see the campaign? How long did it take from first phishing email to first alert? Were the captured credentials used against real systems before they were reset? Did users report the email through the right channel? Reports cover all four dimensions, not just the headline click rate.
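As an added illustration (not the firm's own tooling), the following code derives the metrics described above from an interaction log of the kind listed under Deliverables: per-department click, credential-submission and report rates, plus minutes from the first lure to the first user report and to the first SOC alert. The CSV layout, the event names, and the "soc" pseudo-department used for SOC alerts are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample interaction log (not real campaign data): timestamp, dept,
# user, action. "sent" defines the population; "alert" is the SOC's first ticket.
SAMPLE_LOG = """\
2024-03-04T09:00:00,finance,u01,sent
2024-03-04T09:00:00,finance,u02,sent
2024-03-04T09:00:00,finance,u03,sent
2024-03-04T09:00:00,it,u10,sent
2024-03-04T09:00:00,it,u11,sent
2024-03-04T09:07:30,finance,u01,click
2024-03-04T09:09:12,finance,u01,credential
2024-03-04T09:15:00,finance,u02,click
2024-03-04T09:20:45,it,u10,report
2024-03-04T09:41:00,soc,-,alert
"""

def parse_log(text):
    """Parse CSV rows into (timestamp, department, user, action) tuples."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), d, u, a) for ts, d, u, a in rows]

def department_metrics(events):
    """Per-department click, credential and report rates over distinct users."""
    users = defaultdict(lambda: defaultdict(set))
    for _, dept, user, action in events:
        users[dept][action].add(user)
    out = {}
    for dept, acts in users.items():
        sent = len(acts["sent"])
        if sent:  # skips the "soc" pseudo-department, which received no lures
            out[dept] = {"sent": sent}
            for act in ("click", "credential", "report"):
                out[dept][act + "_rate"] = round(len(acts[act]) / sent, 3)
    return out

def detection_timeline(events):
    """Minutes from first lure to first click/credential/report/SOC alert, and
    how long captured credentials were usable before the SOC alerted."""
    first = {}
    for ts, _, _, action in events:
        first[action] = min(ts, first.get(action, ts))

    def mins(a, b):  # minutes between the first occurrences of two actions
        return round((first[a] - first[b]).total_seconds() / 60, 2)
    out = {f"minutes_to_first_{a}": mins(a, "sent") if a in first else None
           for a in ("click", "credential", "report", "alert")}
    out["credential_exposure_minutes"] = (
        mins("alert", "credential") if "alert" in first and "credential" in first else None)
    return out
```

A missing event (no SOC alert, no credential captured) is reported as None rather than zero, so a campaign nobody detected is not mistaken for one detected instantly.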
Do you train users after the engagement, or just test them?
Testing is the primary deliverable. We do not run user awareness training as a service. Engagement reports include the data needed for the customer's awareness team to design targeted interventions: which roles fell for which lure, which detection paths worked, and which controls (mail filtering, browser warnings, MFA prompts) caught what. The customer's existing training programme then becomes evidence-based.
How long does a social engineering engagement take?
Standalone email phishing campaigns typically run two to four weeks including reconnaissance, lure development, sending windows, follow-up data collection, and reporting. Vishing and multi-channel campaigns add one to two weeks. Engagements chained into a larger red team operation run inside the parent engagement window rather than as a separate timeline.