Offensive Security

    Social Engineering

    Social engineering testing is a controlled assessment of how vulnerable your employees are to manipulation tactics such as phishing, vishing, and physical deception: the human attack vectors that technical security tools cannot block.

    In-depth and realistic. Our social engineers simulate real attacks, test human behaviour and decision-making, and expose weaknesses where context, pressure, and deception truly make the difference in practice.

    Which social engineering tests are there?

    Phishing Test

    Fake emails that test if employees recognize fraudulent messages and suspicious links.

    Vishing Test

    Phone calls where we try to deceive employees and extract sensitive information.

    Smishing Test

    Fake text messages via SMS that test if your team is alert on mobile too.

    Mystery Guest Test

    Our experts attempt to gain physical access without an access pass, testing your reception and security.

    USB Drop Test

    We deliberately drop USB drives and see who plugs them in. Test your employees' curiosity.

    Targeted at executives

    Social engineering attacks aimed specifically at executives, who are the most valuable targets for attackers.

    How social engineering is evolving

    The techniques attackers use have evolved faster than most awareness programs. Testing against current methods is the only way to know where your real exposure is.

    AI-generated spear phishing

    AI tools let attackers write hyper-personalized phishing emails using LinkedIn profiles, company news, and public data. A campaign that once required hours of manual research can now be deployed at scale in minutes. The quality of attacks has increased sharply while the cost for attackers has dropped.

    Deepfake voice and video

    Voice impersonation technology is commercially accessible. Video deepfakes have been used in multiple European fraud cases where attackers posed as executives in live video calls to authorize wire transfers. The barrier to entry is low and the attacks are convincing enough to deceive experienced employees.

    Multi-channel CEO fraud

    Combining email, SMS, and phone calls into one campaign makes attacks far more credible. An employee who receives the same request across three channels from an apparent manager is significantly more likely to comply than one who receives a single message. Multi-channel attacks are harder to recognize and harder to train against without realistic simulation.

    What do you get after a social engineering test?

    Who clicked, who submitted credentials, and how quickly they responded
    Which teams score well and which are at risk
    Awareness level per employee
    Concrete actions to train vulnerable groups
    Your score versus industry average

    Sample campaign results (campaign_results.json):

    Emails Sent: 2,547
    Open Rate: 68.4%
    Click Rate: 23.1%
    Credential Submission: 8.7%
    Risk Level: High
    Best Dept: IT
    Needs Focus: Sales

    NIS2 Article 21 and the human factor

    NIS2 Article 21(2)(g) requires cybersecurity awareness as a mandatory measure. A social engineering test validates whether your program actually works.

    Awareness measures are mandatory under NIS2

    NIS2 Article 21(2)(g) explicitly requires cybersecurity awareness practices and basic cyber hygiene measures as mandatory technical and organisational measures for essential and important entities. A social engineering assessment validates whether your awareness measures produce measurable behavioural change rather than just a completed training module.

    Testing produces evidence, not just findings

    The results of a social engineering assessment show supervisory authorities that your organisation actively measures human vulnerability, tracks improvement over time, and takes targeted action based on evidence. Test results, remediation steps, and retest comparisons document a program that improves, not just one that exists.

    Audit-ready campaign reporting

    We deliver structured campaign results that document which vectors were tested, what click and submission rates were observed, and which groups received remedial action. This documentation can be directly referenced in your NIS2 compliance reporting and audit evidence package.

    How it works

    01

    Reconnaissance

    We gather information about your organisation and employees, exactly as a real attacker would.

    02

    Campaign design

    We create scenarios tailored to your industry, current threats, and organisational structure.

    03

    Controlled execution

    Attacks are launched in waves with real-time monitoring and safety measures.

    04

    Analysis and reporting

    Comprehensive results with concrete improvement points and an action plan.

    Ready to test your human firewall?

    Discover how vulnerable your organisation is to social engineering.