Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO
Phishing Simulation & Social Engineering

Find out who clicks before an attacker does.
Targeted. Realistic. Actionable.

Supportive service · part of the retainer

Requirements

Inputs I need from you

Required inputs
Employee list

Name + email address. That's it - nothing else is needed to run a simulation.

Target scope decision

Full company, a specific department (finance, IT, management), or executive-only whaling. Scoping drives both pretext selection and price.

Full-company campaigns
Whitelist my phishing domain on your email gateway

When sending to your entire company, whitelisting ensures every employee receives the email and results reflect actual human behaviour - not your spam filter. Takes 5 minutes of IT configuration.

Targeted groups / Whaling
No whitelisting needed

Individually crafted emails reach inboxes through proper email protection - no whitelisting required.

What the report shows

Results are presented per employee (anonymised in the executive report) across three metrics:

Click rate

Who opened the email and clicked the link.

Credential submission rate

Who went further and entered their credentials on the landing page. The highest-risk finding.

Report rate

Who recognised the phishing and reported it to IT. This is the real success metric.

Pricing

Indicative pricing

There is one engagement - a phishing simulation. The price depends on the scope we define together. Final quote issued after a free scoping call.

Starting from €600 (exact quote after scoping)
Always included
Custom pretext & branded landing page
Click-rate & credential-submission tracking
Report-rate measurement
Executive summary for management
Per-employee results (anonymised)
Written results report
Whitelisting guidance for full-company campaigns
Debrief call with your team

What affects the final price

Number of Targets

More employees means more infrastructure and tracking overhead. Campaigns scale from a handful of executives to the entire company.

Realism Level

Generic automated pretexts versus OSINT-targeted scenarios mimicking your internal tooling. Whaling requires individual research per executive.

Lead Time Saves Money

Plan 2-4 weeks ahead. Proper preparation is what separates a credible test from a mass-blast campaign your employees recognise immediately.

Fixed-price quote issued after the call. No surprises.

Process

How We Collaborate

01 Scoping call

We define the target group, campaign goals, and pretext approach - generic or OSINT-targeted. Usually 30 minutes.

02 Preparation

Technical setup and, for targeted campaigns, OSINT research. This phase takes time - campaigns should be planned 2-4 weeks ahead to ensure maximum realism and professional execution.

03 Campaign execution

Phishing emails are sent on the agreed schedule. Clicks, credential submissions, and report actions are tracked in real time.

04 Report & debrief

You receive a full results report: click rate, credential submission rate, and report rate - the metric that shows whether your team has security reflexes. Findings are presented in a format ready for management.

Plan 2-4 weeks ahead. Professional phishing simulations require proper preparation time. This is what separates a credible test from a mass-blast campaign your employees recognise immediately.

Scope a campaign

Start with a free 30-minute scoping call. We'll agree on the target group, pretext approach, and timeline - and you'll know exactly what to expect before committing.

Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.