Your people are your largest attack surface. We run realistic phishing and social engineering campaigns to measure your real exposure — and pair the results with focused training that actually reduces click-through rates over time.
What is Phishing & Social Engineering Testing?
Phishing and social engineering testing measures your organization’s exposure to attacks targeting people rather than systems — the email campaigns, voice calls, text messages, and in-person tactics that bypass every technical control by exploiting human trust.
The output is a defensible measurement of your real human attack surface plus targeted training to reduce it. Real measurement, not theatrical “awareness.”
Why this work matters more than ever
Technical defenses against phishing have improved dramatically. Authentication is harder to bypass. Email security gateways catch most known-bad senders. Browser warnings are loud. And yet — phishing remains the #1 initial access vector in nearly every breach report year over year.
Why? Because attackers have adapted. The phishing emails that work in 2026 aren’t the cartoonish templates from a decade ago. They’re:
- Highly targeted — pretexts match the recipient’s actual role, current projects, and known communication patterns
- Industry-specific — using real vendor names, regulatory references, and event timing relevant to the target organization
- Multi-channel — an email followed by a voicemail, or an SMS followed by a Teams message, building credibility through repetition
- Built around real internal events — payroll changes, IT migrations, leadership turnover, M&A announcements
A generic awareness program tests employees against templates that have nothing to do with what real attackers send them. You measure the wrong thing and get false confidence.
Real testing matches the attacker’s playbook.
CyberBullet’s methodology
1. Reconnaissance & Pretext Design
We start with OSINT on your organization — public information about leadership, vendors, products, recent news, and any visible internal communication style. This drives pretext design: we craft phishing emails (or vishing scripts, or physical pretexts) that mirror what real attackers would actually use against your specific organization.
2. Coordination & Authorization
Before any campaign sends, we agree on: target population, pretexts and exact content, success metrics, escalation procedures (if someone flags it as a real attack to law enforcement), and post-campaign disclosure timing. Executive and HR sign-off is mandatory.
3. Campaign Execution
We send campaigns from infrastructure that mimics what real attackers use — not from “knowbe4.com” addresses every employee recognizes. Email campaigns include landing pages that mimic legitimate login flows; clicked links and submitted credentials are captured (without storing actual passwords).
4. Multi-Vector (Optional)
For organizations wanting deeper measurement, each additional vector runs as its own campaign with its own metrics: vishing campaigns target help desk and IT support, smishing tests mobile-based attacks, and physical social engineering tests facility access controls.
5. Post-Campaign Analysis
We analyze results by department, role, and individual — identifying patterns (which pretexts worked, which failed; which roles are most vulnerable; which individuals are repeat-clickers) and producing the data needed for targeted follow-up training.
6. Targeted Micro-Training
Generic security awareness training has minimal effect on click-through rates. Targeted micro-training — short modules matched to specific failure patterns, delivered in the moment — does. We pair campaign results with training programs designed to actually move metrics.
Frameworks we map findings to
- NIST SP 800-50 — security awareness and training
- NIST CSF 2.0 — Protect (PR.AT) — Awareness and Training
- CIS Critical Security Controls v8 — Control 14 (Security Awareness and Skills Training)
- PCI DSS 4.0 Requirement 12.6 — security awareness program
- HIPAA Security Rule §164.308(a)(5) — security awareness and training
- SOC 2 CC1.4 — workforce competence
Who this is for
- Organizations whose technical defenses against phishing are mature but human exposure remains the weak link
- Compliance-bound organizations (PCI 12.6, HIPAA, SOC 2) with awareness program requirements
- Companies preparing for cyber insurance renewal — carriers increasingly ask about phishing test results
- Post-incident organizations that experienced a phishing-driven breach and need to validate they’ve actually fixed it
- Any organization with a help desk or IT support function — the highest-value target for vishing
Our methodology
Every engagement runs through the same six phases. Manual validation isn't a finishing step — it's the product.
Scope & Authorize
We define the engagement boundary precisely before testing starts — in-scope assets, out-of-bounds targets, testing windows, and emergency-stop procedures.
- Written authorization letters exchanged before any packet leaves our infrastructure
- Signal / Slack channel established for real-time findings during the engagement
- Explicit rules of engagement reviewed with legal, IT, and business stakeholders
Passive Reconnaissance
Before a single packet touches your infrastructure, we map your external footprint using public sources only — DNS, CT logs, code repos, internet-wide scan data.
- Typically discovers 15-30% more attack surface than the client originally provided
- Certificate transparency, BGP, and GitHub exposure reporting
- OSINT profile for social engineering vectors if in scope
Active Discovery
We enumerate live services across in-scope assets — ports, software versions, auth mechanisms, and protocol configurations — correlated against current vulnerability data.
- Hand-tuned scanning profiles — not the default Nessus run
- Protocol-level inspection for TLS, SSH, SMB, Kerberos, LDAP
- Service fingerprinting to ground truth before any exploitation
Manual Validation
Every potential issue is validated by hand before it makes the report. No CVE-dumping. No false positives. This is what separates the engagement from a scan.
- Manual exploitation attempts for any finding of High severity or above
- Business-logic testing on top of the technical layer
- Chained vulnerabilities analyzed as a single attack path
Exploitation & Impact
For confirmed vulnerabilities with attacker value, we attempt exploitation to prove impact — not just that a CVE applies, but what an attacker actually gains from it.
- Proof-of-exploit captured for every confirmed critical finding
- Pivot paths mapped to the actual crown-jewel data
- Interim notification inside 24 hours for anything critical
Report & Remediate
Every finding ships with a severity rating based on real exploitability, a reproducible proof-of-exploit, and remediation guidance your team can ship this sprint.
- Executive summary and technical deep-dive in a single report
- Findings mapped to CIS, NIST CSF, and relevant compliance families
- Retest included — we confirm the fix before we close the finding
Frameworks we map to
Findings ship mapped to the control families your regulators and auditors actually check. Governance clients use these crosswalks directly in their program documentation.
- CIS Controls v8
- NIST CSF 2.0 / 800-53
- PCI DSS 4.0
- HIPAA Security Rule
- SOC 2 Type II
- OWASP ASVS
Questions we get asked
What's the difference between this and the awareness training tools we already use?
Most awareness platforms (KnowBe4, Proofpoint Security Awareness, Hoxhunt) run generic phishing tests with templates pulled from a public library. Sophisticated attackers craft custom pretexts based on your specific industry, current events, and target individual roles. We do the latter — campaigns that match what real attackers would actually run against you, measuring real exposure rather than awareness-platform exposure.
Will this damage employee trust or morale?
Done well, no — done badly, yes. We coordinate with HR and leadership beforehand, debrief campaigns transparently afterward, and frame the work as 'we're testing the system you're inside, not testing you personally.' Click-through is treated as a learning moment, not a discipline issue. Repeat-clicker patterns get focused training, not punishment.
Do you do vishing (voice phishing) and physical social engineering?
Yes. Vishing campaigns target your help desk, IT support, and customer service teams — exactly where real attackers hit hardest. Physical social engineering (tailgating, USB drops, vendor impersonation, badge cloning) tests your facility security. These are typically scoped as add-ons to the email phishing campaign.
How realistic do you make the pretexts?
Realistic enough to actually measure exposure. We model current attack tactics — not the cartoonish 'Nigerian prince' templates that most awareness platforms still ship. Pretexts can include: fake internal IT communications about a real IT change, fake HR communications about benefits enrollment timing, fake vendor invoices matching your real vendor list. Pretexts are agreed with you in advance.
How do you measure if employees are actually getting better?
We run campaigns periodically (typically quarterly) and track click-through, credential-submission, and report rates over time per department, per role, and for individual repeat-clickers. The metric that matters is whether click rates go down quarter over quarter while report rates go up. That is the signal that your security culture is actually maturing.
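One way to turn a campaign export into the per-department rates, repeat-clicker list and quarter-over-quarter signal described in the post-campaign analysis step and in this answer. This is an added example, not CyberBullet's own tooling; the CSV layout, department names and user IDs are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
# Constructed sample export (not real campaign data): one row per recipient per
# quarterly campaign; clicked / submitted / reported are 0/1 flags.
SAMPLE_CSV = """quarter,department,user,clicked,submitted,reported
2025Q1,finance,f1,1,1,0
2025Q1,finance,f2,1,0,0
2025Q1,finance,f3,0,0,0
2025Q1,finance,f4,0,0,0
2025Q2,finance,f1,1,0,0
2025Q2,finance,f2,0,0,1
2025Q2,finance,f3,0,0,1
2025Q2,finance,f4,0,0,0
2025Q3,finance,f1,0,0,1
2025Q3,finance,f2,0,0,1
2025Q3,finance,f3,0,0,1
2025Q3,finance,f4,0,0,0
2025Q1,helpdesk,h1,1,0,0
2025Q1,helpdesk,h2,1,1,0
2025Q2,helpdesk,h1,1,0,0
2025Q2,helpdesk,h2,0,0,1
2025Q3,helpdesk,h1,1,0,0
2025Q3,helpdesk,h2,0,0,1
"""
ROWS = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))

def rates_by_department(rows):
    """Per (quarter, department): click, credential-submission and report rates (0..1)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["quarter"], r["department"])].append(r)
    return {k: {f: sum(int(r[f]) for r in g) / len(g)
                for f in ("clicked", "submitted", "reported")}
            for k, g in groups.items()}

def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (training targets)."""
    clicked = defaultdict(set)
    for r in rows:
        if r["clicked"] == "1":
            clicked[r["user"]].add(r["quarter"])
    return sorted(u for u, qs in clicked.items() if len(qs) >= min_campaigns)

def is_maturing(rates, department, quarters):
    """The signal from the text: click rate falls and report rate rises every quarter."""
    series = [rates[(q, department)] for q in quarters]
    return all(b["clicked"] < a["clicked"] and b["reported"] > a["reported"]
               for a, b in zip(series, series[1:]))
```

In the sample, finance matures over three quarters while the help desk plateaus, which is the pattern that would justify a targeted vishing-focused module for that team.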