Offensive Security

Your Humans Are the Attack Vector.

We simulate real-world phishing attacks against your organisation — safely, ethically, and with full reporting — so you know exactly how susceptible your team is before a real attacker does.

GoPhish · OSINT · Spear Phishing · Smishing · Vishing · QR Code Attacks

Why phishing still works

Technology can't fix a human problem.

Email filters, spam gateways, and URL rewriting help — but they don't stop everything. Attackers invest in bypassing controls. A well-crafted spear phishing email that references a real colleague, a real project, and a plausible scenario will fool most people who haven't been trained to look for it.

Anatomy of a phishing email

From: IT-Support@company-helpdesk.net
To: you@yourcompany.com
Subject: Urgent: Password expiry in 24h
Dear Employee, your password will expire tonight. Click below to renew access immediately...
→ Reset password now

Urgency + authority + plausible pretext = 30% average click rate on untrained employees.

36% of all data breaches in 2024 involved phishing as the primary attack vector (Verizon DBIR 2024)

$2.9B lost to Business Email Compromise (BEC) phishing in 2023 — the costliest form of cybercrime (FBI IC3 Report 2023)

1 in 3 employees will click a phishing link in a well-crafted spear phishing simulation with no prior training (IBENCY Baseline Average)

Attack simulations

Every vector. Zero real damage.

Email Phishing

Mass phishing and spear phishing campaigns using realistic pretexts — IT helpdesk, finance, HR, and executive impersonation. Full click, credential capture, and attachment open tracking.

Spear Phishing / BEC

Targeted attacks using OSINT-gathered information about your organisation, projects, and personnel. Tests your most senior and highest-risk employees.

Smishing & Vishing

SMS-based phishing and voice call pretexting scenarios. Increasingly used by real attackers and rarely tested in standard phishing programmes.

QR Code Attacks

Simulated QR-code phishing campaigns (quishing) — placed in physical locations or sent digitally — that bypass email gateways entirely.

Credential Harvesting

Realistic fake login portals measuring how many users submit credentials. Tests MFA resilience and credential reuse behaviour.

Awareness Training

Immediate micro-training delivered to employees who click — reinforcing the lesson at the moment of failure. Long-form training modules also available.

After the simulation

Results you can act on.

01. Executive Report

Board-ready summary with click rates, credential submission rates, and comparison to industry benchmarks.

02. Department Breakdown

Per-department and per-role susceptibility metrics — identifying where targeted training is needed most.

03. Technical Findings

Email gateway bypass analysis, MFA coverage gaps, and technical recommendations to reduce future risk.

04. Training Programme

Tailored security awareness training content based on the specific pretexts your employees fell for.

Get in touch

Find out how phishing-resistant your team really is.

We scope your simulation campaign — attack vectors, target groups, pretexts — and run it end to end. You get the data. Your employees get better.