Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist
Phishing Simulation
& Social Engineering
Find out who clicks before an attacker does.
Targeted. Realistic. Actionable.
Full company or whaling · click / credential / report rates · 2-4 weeks lead time · from €900
This simulation is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.
Requirements
Inputs I need from you
Name + email address. That's it - nothing else is needed to run a simulation.
Full company, a specific department (finance, IT, management), or executive-only whaling. Scoping drives both pretext selection and price.
When sending to your entire company, whitelisting ensures every employee receives the email and results reflect actual human behaviour - not your spam filter. Takes 5 minutes of IT configuration.
Individually crafted emails reach inboxes through proper email protection - no whitelisting required.
What the report shows
Results are presented per employee (anonymised in the executive report) across three metrics:
Who opened the email and clicked the link.
Who went further and entered their credentials on the landing page. The highest-risk finding.
Who recognised the phishing and reported it to IT. This is the real success metric.
Pricing
Indicative pricing
What affects the final price
Number of Targets
More employees means more infrastructure and tracking overhead. Campaigns scale from a handful of executives to the entire company.
Realism Level
Generic automated pretexts versus OSINT-targeted scenarios mimicking your internal tooling. Whaling requires individual research per executive.
Lead Time saves money
Plan 2-4 weeks ahead. Proper preparation is what separates a credible test from a mass-blast campaign your employees recognise immediately.
Process
How We Collaborate
We define the target group, campaign goals, and pretext approach - generic or OSINT-targeted. Usually 30 minutes.
Technical setup and, for targeted campaigns, OSINT research. This phase takes time - campaigns should be planned 2-4 weeks ahead to ensure maximum realism and professional execution.
Phishing emails are sent on the agreed schedule. Clicks, credential submissions, and report actions are tracked in real time.
You receive a full results report: click rate, credential submission rate, and report rate - the metric that shows whether your team has security reflexes. Findings are presented in a format ready for management.
Plan 2-4 weeks ahead. Professional phishing simulations require proper preparation time. This is what separates a credible test from a mass-blast campaign your employees recognise immediately.
2027 waitlist
Scope a campaign
Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.
For long-term behaviour change, phishing is one part of the Human Risk Programme.