Pospíšil Petr | CyberPOPE Independent Consultant | Cyber Security Architect & vCISO
> ./launch_campaign.sh --realism max

Phishing Simulation
& Social Engineering

Find out who clicks before an attacker does.
Targeted. Realistic. Actionable.

01 // What I Can Simulate

Generic Campaign

Standard Pretexts

Classic phishing scenarios that work across any industry: IT helpdesk requests, password resets, invoice approvals, parcel delivery notifications, HR policy updates.

Faster to prepare, lower cost. The right choice if you want a baseline measurement — "what percentage of our employees would click right now?"

  • No prior company knowledge needed
  • Faster setup, lower price
  • Good as a first engagement or annual baseline
OSINT-Targeted Campaign (Recommended)

Company-Specific Pretext

I research your company from publicly available sources — tech stack, cloud provider, SaaS tools your employees use (Microsoft 365, Slack, Jira, GitHub), job postings, LinkedIn profiles. The phishing scenario is built around tools and processes your team already trusts.

  • Dramatically higher realism
  • Landing page mimics your actual tooling
  • More representative, harder to dismiss as "obvious"
  • Whaling option: executive-only, individual pretexts
On whaling — why small targeted campaigns bypass even good protection

Your email gateway identifies mass phishing by patterns: same sender, same link, hundreds of recipients. A targeted campaign sending 6–10 carefully crafted, individualised emails to your executive team looks nothing like a campaign — it looks like a legitimate message from a known vendor or colleague. It will reach the inbox. That's the point, and also the lesson your leadership needs to learn from a simulation rather than from a real attacker.

02 // What You Need to Provide

Required inputs
Employee list

Name + email address. That's it — nothing else is needed to run a simulation.

Target scope decision

Full company, a specific department (finance, IT, management), or executive-only whaling. Scoping drives both pretext selection and price.

Full-company campaigns
Whitelist my phishing domain on your email gateway

When sending to your entire company, whitelisting ensures every employee receives the email and results reflect actual human behaviour — not your spam filter. Takes 5 minutes of IT configuration.

Small targeted groups / whaling
No whitelisting needed

A small number of individually crafted, realistic emails will reach inboxes even through proper email protection. That's the nature of targeted social engineering — and exactly why it's the most realistic test.

What the report shows

Results are presented per employee (anonymised in the executive report) across three metrics:

Click rate

Who opened the email and clicked the link.

Credential submission rate

Who went further and entered their credentials on the landing page. The highest-risk finding.

Report rate

Who recognised the phishing and reported it to IT. This is the real success metric.
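The three metrics above, as an added worked example that is not part of this page or of CyberPOPE's own tooling: it takes a constructed log of tracking events (sent, click, submit, report), collapses them per employee, computes the click rate, credential submission rate and report rate over the number of people targeted, and produces the per-employee rows for the executive report under a keyed pseudonym instead of a name. The event format, the sample addresses and the per-engagement pseudonymisation key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed tracking events for a small campaign (not real data). Each tuple is
# (action, employee_email). Actions mirror the three report metrics plus "sent":
#   sent   - the lure was delivered to this employee
#   click  - the employee followed the link
#   submit - the employee entered credentials on the landing page
#   report - the employee reported the email to IT
SAMPLE_EVENTS = [
    ("sent", "alice@example.com"), ("sent", "bob@example.com"),
    ("sent", "carol@example.com"), ("sent", "dave@example.com"),
    ("sent", "erin@example.com"), ("sent", "frank@example.com"),
    ("sent", "grace@example.com"), ("sent", "heidi@example.com"),
    ("click", "alice@example.com"),
    ("click", "bob@example.com"), ("submit", "bob@example.com"),
    ("click", "carol@example.com"), ("submit", "carol@example.com"),
    ("report", "carol@example.com"),          # submitted, then realised and reported
    ("click", "dave@example.com"), ("click", "dave@example.com"),  # duplicate click
    ("report", "erin@example.com"), ("report", "frank@example.com"),
    ("report", "mallory@example.com"),        # not targeted: must not inflate any rate
]

# Assumption: a per-engagement secret used to pseudonymise employees in the
# executive report. Rotating it per campaign prevents linking people across engagements.
PSEUDONYM_KEY = b"constructed-per-engagement-secret"


def pseudonymise(email, key=PSEUDONYM_KEY):
    """Keyed hash: stable per employee, but not reversible to a name without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:12]


def per_employee_outcomes(events):
    """Collapse raw events into one set of outcomes per targeted employee.
    Returns (outcomes, unmatched): outcomes maps email -> set of actions,
    unmatched lists actions for addresses that were never sent a lure."""
    targets = {email.lower() for action, email in events if action == "sent"}
    outcomes = {email: set() for email in targets}
    unmatched = []
    for action, email in events:
        email = email.lower()
        if action == "sent":
            continue
        if email not in outcomes:
            unmatched.append((action, email))
            continue
        outcomes[email].add(action)
        # Entering credentials implies the landing page was reached, so a "submit"
        # without a tracked "click" (e.g. link tracking stripped) still counts as a click.
        if action == "submit":
            outcomes[email].add("click")
    return outcomes, unmatched


def campaign_metrics(events):
    """The three report rates, each over the number of employees targeted."""
    outcomes, unmatched = per_employee_outcomes(events)
    targeted = len(outcomes)
    if targeted == 0:
        raise ValueError("no 'sent' events: nothing was delivered, rates are undefined")

    def count(action):
        return sum(1 for actions in outcomes.values() if action in actions)

    return {
        "targeted": targeted,
        "click_rate": count("click") / targeted,
        "credential_submission_rate": count("submit") / targeted,
        "report_rate": count("report") / targeted,
        "unmatched_events": len(unmatched),
    }


def executive_report(events, key=PSEUDONYM_KEY):
    """Per-employee rows under pseudonyms, highest-risk outcomes first."""
    outcomes, _ = per_employee_outcomes(events)
    rows = [
        {
            "employee": pseudonymise(email, key),
            "clicked": "click" in actions,
            "submitted_credentials": "submit" in actions,
            "reported": "report" in actions,
        }
        for email, actions in outcomes.items()
    ]
    # Credential submitters first, then clickers, then those who only reported.
    rows.sort(key=lambda r: (not r["submitted_credentials"], not r["clicked"],
                             r["reported"], r["employee"]))
    return rows


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
    for row in executive_report(SAMPLE_EVENTS):
        print(row)
```

Two details matter in practice: events for addresses outside the target list are counted separately rather than silently added to the denominator, and an employee who submits credentials and then reports the email counts in both the submission rate and the report rate, since both behaviours happened.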

03 // Indicative Pricing

Exact quote after scoping call. All campaigns include a full results report and debrief call.

Basic
from €600
Up to 50 employees
  • Generic phishing pretext
  • Standard landing page
  • Click-rate & credential submission report
  • Debrief call included
Targeted (Most realistic)
from €1,400
Up to 150 employees
  • OSINT research on your company
  • Company-specific pretext & lure
  • Landing page mimics your tooling
  • Click, credential & report-rate report
  • Debrief call included
Whaling
from €1,200
Executive management only
  • Individually crafted pretexts per executive
  • High-realism domain & sender identity
  • No whitelisting required
  • Per-target results report
  • Debrief call included

All prices indicative. Exact quote after scoping call. Whitelisting required for full-company campaigns.

From simulation to culture change

A simulation shows you where the gap is. What closes it is consistent practice — not a one-time test. Ask about the Security Awareness Programme: quarterly simulations, micro-training modules, and printed awareness materials from CyberPOPE Academy delivered to your office.


04 // How We Collaborate

01 Scoping call

We define the target group, campaign goals, and pretext approach — generic or OSINT-targeted. Usually 30 minutes.

02 Preparation

Technical setup and, for targeted campaigns, OSINT research. This phase takes time — campaigns should be planned 2–4 weeks ahead to ensure maximum realism and professional execution.

03 Campaign execution

Phishing emails are sent on the agreed schedule. Clicks, credential submissions, and report actions are tracked in real time.

04 Report & debrief

You receive a full results report: click rate, credential submission rate, and report rate — the metric that shows whether your team has security reflexes. Findings are presented in a format ready for management.

Plan 2–4 weeks ahead. Professional phishing simulations require proper preparation time. This is what separates a credible test from a mass-blast campaign your employees recognise immediately.

Ready to test your human firewall?

Start with a free 30-minute scoping call. We'll agree on the target group, pretext approach, and timeline — and you'll know exactly what to expect before committing.
