What is a phishing assessment?

A phishing assessment is a controlled simulation of real email-based attacks against your organisation. We craft phishing emails, send them to your staff, and track what happens. Who clicks. Who enters credentials. Who reports it. Who does nothing.

Phishing is still one of the most common ways a breach starts. Not a zero-day, not a supply chain attack: someone clicks a link they shouldn’t and types in their password. A phishing assessment shows you exactly how that plays out in your organisation before a real attacker does it for you.

What we test

We run credential harvesting campaigns where staff receive emails directing them to convincing login pages that capture usernames and passwords. We build the landing pages to look like your actual portals, register lookalike domains, and make the pretext fit your industry.
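Choosing a lookalike domain starts with a candidate list, and the same list is what a defender would watch for in DNS and certificate transparency logs. The generator below is an added example written for this page, not the assessment provider’s tooling; the confusable table, typo rules, affix words and TLD list are assumptions picked for illustration rather than a complete set. It only produces ASCII candidates, and checking which ones are unregistered (or already taken by someone else) is a separate DNS/WHOIS step not shown.

```python
# Added example: generate candidate lookalike domains for a target.
# Illustrative code for this page, not the provider's tooling. The
# CONFUSABLES table, typo rules, AFFIX_WORDS and TLDS are assumptions.

# Visually confusable ASCII substitutions, including multi-character ones.
CONFUSABLES = {
    "l": ("1", "i"), "i": ("l", "1"), "o": ("0",), "0": ("o",),
    "m": ("rn",), "rn": ("m",), "w": ("vv",), "vv": ("w",),
    "d": ("cl",), "cl": ("d",), "b": ("d",), "g": ("q",), "q": ("g",),
}

# Words commonly glued onto a brand to make a plausible "login" host.
AFFIX_WORDS = ("login", "secure", "mail", "portal", "sso")

# Alternative TLDs to try when the target sits on one of them.
TLDS = ("com", "net", "org", "co", "io")


def homoglyphs(label):
    """Replace one confusable sequence at a time (examp1e, exarnple)."""
    out = set()
    for i in range(len(label)):
        for seq, repls in CONFUSABLES.items():
            if label.startswith(seq, i):
                for r in repls:
                    out.add(label[:i] + r + label[i + len(seq):])
    return out


def typos(label):
    """Single-edit typos: one omission, one repetition or one adjacent swap."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                        # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])         # repetition
        if i + 1 < len(label):                                    # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def affixes(label):
    """Hyphenated brand-plus-word hosts (example-login, sso-example)."""
    return ({f"{label}-{w}" for w in AFFIX_WORDS}
            | {f"{w}-{label}" for w in AFFIX_WORDS})


def lookalikes(domain):
    """All candidate lookalikes for a domain, sorted, never including the original."""
    label, _, tld = domain.lower().partition(".")
    variants = homoglyphs(label) | typos(label) | affixes(label)
    variants.discard(label)   # never list the real domain as a candidate
    variants.discard("")      # omission on a one-character label
    out = {f"{v}.{tld}" for v in variants}
    out |= {f"{label}.{t}" for t in TLDS if t != tld}   # TLD swap
    return sorted(out)


if __name__ == "__main__":
    for cand in lookalikes("example.com"):
        print(cand)
```

Run it against your own domain and you get the list that belongs in your brand-monitoring watchlist as much as in a red team’s shopping basket; the candidates that resolve or appear in certificate transparency without your knowledge are the ones to investigate.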

Payload delivery campaigns use benign stand-ins for malicious attachments and links, which do nothing beyond reporting back when they are opened or executed. They test whether your endpoint controls catch them. More importantly, they test whether staff open them anyway.

Spear-phishing exercises target specific individuals. We use open-source intelligence (OSINT) on the person and the organisation to build pretexts tailored to particular people, usually senior staff, finance, or anyone with elevated access.

We also run business email compromise scenarios, impersonating executives or suppliers to test whether staff follow verification procedures before actioning financial or sensitive requests. These tend to be the most revealing.

If you want something more realistic, we run multi-stage campaigns that escalate over time. The first wave might be a generic pretext. The second uses information gathered from the first. This tests whether staff stay alert once they think the campaign is over.

Throughout all of this, we’re also testing your technical controls. Email gateways, spam filters, link protection, endpoint detection. If our emails are landing in inboxes without being flagged, that tells you something. The exception is when you ask us to allow-list the sending domain at the gateway so that every message is delivered: that isolates the human results, but it means the delivery rate says nothing about your filtering.

How it works

We start by agreeing on scope and objectives. Are you testing the whole organisation or a specific department? Do you want a broad awareness baseline or a targeted exercise against high-value targets? The campaign design follows from there.

Once we know what we’re doing, we build the pretexts. Emails, landing pages, payloads, whatever the campaign needs. Everything mirrors real phishing campaigns we’ve seen in the wild, adapted to your sector and organisation.

Then we send. Emails go out in controlled waves. We track opens, clicks, credential submissions, attachment executions, and reports to your security team in real time. Opens and clicks are noisy signals: mail clients block tracking pixels, and some gateways and link scanners fetch every URL before the recipient sees it, so credential submissions, attachment executions and reports are the figures to weight. All data is handled in line with data protection requirements.

After the campaign, we analyse results across departments, roles, seniority, and locations. You get granular visibility into where human risk actually sits in your organisation, not where you assume it sits. If you’ve run campaigns before, we compare against your previous results and industry benchmarks.

The report includes full campaign metrics, anonymised breakdowns, trend analysis for repeat testing, and recommendations for both technical controls and awareness training.
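The figures in the report come from the raw tracking events, and the transformation is worth seeing once. The code below is an added example written for this page, not the provider’s reporting tool; EVENTS is constructed sample data for two departments, deliberately including one user who clicks twice (so they must not be counted twice) and one who reports after already clicking (a person who fell for it but still told you, which is the outcome you most want to encourage). It produces the per-department rates, the median time from send to report, and the campaign-wide time to first report, which is the window the security team had before anyone raised the alarm.

```python
# Added example: turn raw campaign tracking events into per-department
# figures. Written for this page, not the provider's reporting tool.
from collections import defaultdict
from datetime import datetime
from statistics import median

# (timestamp, event, user_id, department) -- constructed sample data,
# not a real campaign. u102 clicks twice; u003 reports after clicking.
EVENTS = [
    ("2024-05-14T09:00:00", "sent", "u001", "finance"),
    ("2024-05-14T09:00:00", "sent", "u002", "finance"),
    ("2024-05-14T09:00:00", "sent", "u003", "finance"),
    ("2024-05-14T09:00:00", "sent", "u004", "finance"),
    ("2024-05-14T09:00:00", "sent", "u101", "engineering"),
    ("2024-05-14T09:00:00", "sent", "u102", "engineering"),
    ("2024-05-14T09:00:00", "sent", "u103", "engineering"),
    ("2024-05-14T09:02:00", "opened", "u101", "engineering"),
    ("2024-05-14T09:03:00", "reported", "u101", "engineering"),
    ("2024-05-14T09:05:00", "opened", "u001", "finance"),
    ("2024-05-14T09:06:00", "clicked", "u001", "finance"),
    ("2024-05-14T09:07:00", "submitted", "u001", "finance"),
    ("2024-05-14T09:10:00", "opened", "u002", "finance"),
    ("2024-05-14T09:12:00", "reported", "u002", "finance"),
    ("2024-05-14T09:20:00", "opened", "u003", "finance"),
    ("2024-05-14T09:21:00", "clicked", "u003", "finance"),
    ("2024-05-14T09:25:00", "reported", "u003", "finance"),
    ("2024-05-14T09:30:00", "opened", "u102", "engineering"),
    ("2024-05-14T09:31:00", "clicked", "u102", "engineering"),
    ("2024-05-14T09:45:00", "clicked", "u102", "engineering"),
    ("2024-05-14T09:38:00", "opened", "u103", "engineering"),
    ("2024-05-14T09:40:00", "reported", "u103", "engineering"),
]

STAGES = ("opened", "clicked", "submitted", "reported")


def first_events(events):
    """Per user: department and the earliest timestamp of each event type.
    Repeated clicks or opens collapse to one, so each person counts once."""
    users = {}
    for ts, kind, uid, dept in events:
        t = datetime.fromisoformat(ts)
        rec = users.setdefault(uid, {"dept": dept, "times": {}})
        if kind not in rec["times"] or t < rec["times"][kind]:
            rec["times"][kind] = t
    return users


def summarise(events):
    """Per-department rates (fractions of emails sent), median minutes from
    send to report, and how many reports came after the person had clicked."""
    by_dept = defaultdict(list)
    for rec in first_events(events).values():
        if "sent" in rec["times"]:            # ignore anyone never targeted
            by_dept[rec["dept"]].append(rec["times"])
    summary = {}
    for dept, recs in by_dept.items():
        sent = len(recs)
        counts = {s: sum(1 for t in recs if s in t) for s in STAGES}
        lags = [(t["reported"] - t["sent"]).total_seconds() / 60
                for t in recs if "reported" in t]
        after_click = sum(1 for t in recs
                          if "reported" in t and "clicked" in t
                          and t["clicked"] < t["reported"])
        summary[dept] = {
            "sent": sent,
            "open_rate": counts["opened"] / sent,
            "click_rate": counts["clicked"] / sent,
            "submit_rate": counts["submitted"] / sent,
            "report_rate": counts["reported"] / sent,
            "median_minutes_to_report": median(lags) if lags else None,
            "reported_after_clicking": after_click,
        }
    return summary


def minutes_to_first_report(events):
    """Minutes from the first email sent to the first report: the window the
    security team had before anyone told them. None if nobody reported."""
    times = [rec["times"] for rec in first_events(events).values()]
    sends = [t["sent"] for t in times if "sent" in t]
    reports = [t["reported"] for t in times if "reported" in t]
    if not sends or not reports:
        return None
    return (min(reports) - min(sends)).total_seconds() / 60


if __name__ == "__main__":
    for dept, metrics in sorted(summarise(EVENTS).items()):
        print(dept, metrics)
    print("minutes to first report:", minutes_to_first_report(EVENTS))
```

On the sample data finance has the worse click and submission rates, but half of finance still reported, and one of those reports came from someone who had already clicked; that person’s report is what lets incident response reset a password before the credentials are used, so it is worth calling out separately rather than burying it in the click rate.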

Why this matters

Awareness training teaches people what to do. Phishing assessments show you what they actually do when an email lands in their inbox. There’s usually a gap.

Testing identifies which departments and roles are consistently more susceptible, so you can target training where it will have the most effect rather than putting everyone through the same generic module.

It also pressure-tests your technical stack. If our phishing emails are bypassing your email filtering and link protection, you want to know that before a real campaign hits.

Organisations that run regular phishing assessments develop faster reporting habits. Staff who have been caught out once tend to report suspicious emails more quickly next time, which directly shrinks the window a real attacker has to work with.

And if you need to show auditors, regulators, or the board that you’re actively managing human risk, phishing assessment results are harder to argue with than a slide deck completion rate.