Independent Consultant | Cybersecurity Architect & vCISO

Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist

Phishing Simulation
& Social Engineering

Find out who clicks before an attacker does.
Targeted. Realistic. Actionable.

Full company or whaling · click / credential / report rates · 2-4 weeks lead time · from €900

This simulation is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.

Requirements

Inputs I need from you

Required inputs
Employee list

Name + email address. That's it - nothing else is needed to run a simulation.

Target scope decision

Full company, a specific department (finance, IT, management), or executive-only whaling. Scoping drives both pretext selection and price.

Full-company campaigns
Whitelist my phishing domain on your email gateway

When sending to your entire company, whitelisting ensures every employee receives the email and results reflect actual human behaviour - not your spam filter. Takes 5 minutes of IT configuration.

Targeted groups / Whaling
No whitelisting needed

Individually crafted emails reach inboxes through proper email protection - no whitelisting required.

What the report shows

Results are presented per employee (anonymised in the executive report) across three metrics:

Click rate

Who opened the email and clicked the link.

Credential submission rate

Who went further and entered their credentials on the landing page. The highest-risk finding.

Report rate

Who recognised the phishing and reported it to IT. This is the real success metric.

Pricing

Indicative pricing

Starting from
€900
exact quote after scoping
Always included
Custom pretext & branded landing page
Click-rate & credential-submission tracking
Report-rate measurement
Executive summary for management
Per-employee results (anonymised)
Written results report
Whitelisting guidance for full-company campaigns
Debrief call with your team

What affects the final price

Number of Targets

More employees means more infrastructure and tracking overhead. Campaigns scale from a handful of executives to the entire company.

Realism Level

Generic automated pretexts versus OSINT-targeted scenarios mimicking your internal tooling. Whaling requires individual research per executive.

Lead Time saves money

Plan 2-4 weeks ahead. Proper preparation is what separates a credible test from a mass-blast campaign your employees recognise immediately.

Process

How We Collaborate

01
Scoping call

We define the target group, campaign goals, and pretext approach - generic or OSINT-targeted. Usually 30 minutes.

02
Preparation

Technical setup and, for targeted campaigns, OSINT research. This phase takes time - campaigns should be planned 2-4 weeks ahead to ensure maximum realism and professional execution.

03
Campaign execution

Phishing emails are sent on the agreed schedule. Clicks, credential submissions, and report actions are tracked in real time.

04
Report & debrief

You receive a full results report: click rate, credential submission rate, and report rate - the metric that shows whether your team has security reflexes. Findings are presented in a format ready for management.

Plan 2-4 weeks ahead. Professional phishing simulations require proper preparation time. This is what separates a credible test from a mass-blast campaign your employees recognise immediately.

2027 waitlist

Scope a campaign

Start with a free 30-minute scoping call. We'll agree on the target group, pretext approach, and timeline - and you'll know exactly what to expect before committing.
Currently fully booked - onboarding new engagements from early 2027. Join the waitlist and I'll be in touch as slots open.

Have questions? See the FAQ →

Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.

For long-term behaviour change, phishing is one part of the Human Risk Programme.