Human factor
Most incidents do not begin with a technical vulnerability, but with someone who clicks where they should not, takes a call that was not genuine or opens an attachment that looked like it came from a colleague. We simulate those attacks in a controlled way, by email, by phone and by message, to see how your people respond to real deception. Not to single anyone out, but to find out where attackers would really get in and to train exactly there.
Agreed and controlled exercises, throughout Spain.
Why
You can harden the technology down to the last port, but email, the phone and trust stay open. That is where the attacker in a hurry gets in, and that is where almost every incident begins.
The vast majority of intrusions begin with deception, not with an exploit. It is, quite simply, the shortest way in.
You can have the best email filter and the best second factor, and still a convincing message at just the right moment is enough.
Before writing, they research your organisation: who is who, which suppliers you trust and what tone you use among yourselves.
Falling for a simulation is not a personal failure: it is exactly the data we need to reinforce whoever needs it.
What we test
We do not use generic bait: we choose the channel and the excuse based on how an attacker would really get into your organisation. These are the fronts we put to the test.
Emails that mimic a service, a supplier or a colleague, with a link or an attachment that is not what it seems.
The same, but targeted: at a specific person or department, with bait tailored to them after studying them.
Calls in which someone poses as support, as a bank or as an executive to extract information or access.
Mobile messages and QR codes (qrishing), where people lower their guard and act fast because it looks like something everyday.
Posing as someone you are not, with a believable excuse, so that someone opens a door that should be closed.
Slipping into an office, leaving a tempting device behind or following someone through an access door, when the scope includes it.
And when it makes sense, we bring in what today's attackers already use: bait written with generative AI and cloned voices for a more believable call. Modern deception is hard to tell apart by eye, and that is the whole point.
How
Realistic on the outside, controlled on the inside. The scope, the limits and who to warn are agreed with you beforehand, so that the business never gets a genuine scare.
Like an attacker would, we study your organisation in the open: names, roles, suppliers and tone. The more believable, the more realistic the test.
We build the campaign tailored to you, choosing the channel and the pretext based on where attackers would really get in.
We run the simulated attack within the agreed scope and record every step: who opened, who clicked, who handed over data and who raised the alarm.
We hand you the full picture and, wherever someone fell for it, we turn that moment into learning rather than into blame.
What you get
No vague impressions: concrete, actionable data on how your organisation reacts to real deception, and where to start reinforcing it.
How many people opened, clicked or handed over their data, by area and by type of bait, with no names in the pillory.
Just as important: who spotted the attack and reported it, which is exactly the behaviour we want to reinforce.
The time between the bait arriving and someone raising the alarm says a lot about your real response capability.
Whether the email filter, the second factor or the internal alerts did their job, or fell short.
The areas and pretexts that are most dangerous for you, so that training goes to what hurts and not to the generic.
The starting point against which to check whether, after training, fewer people fall for it next time.
How we approach it
A social engineering exercise is not there to draw up a list of culprits. If you publish who fell for it, all you achieve is that next time nobody reports anything out of fear. We work the other way around: the data is aggregated, the focus is on learning and the behaviour we reward is that of the person who raises their hand and warns the rest. Anyone can fall for the right message at the wrong moment; that is precisely what training is about.
And there is a reward beyond the exercise itself: showing that you test and train your people is part of what frameworks like NIS2 and compliance schemes expect. Awareness stops being a ticked box and starts having evidence behind it.
Fits with
A social engineering exercise truly pays off when what it uncovers turns into action. That is why it feeds directly into awareness and training, to train exactly where people fell for it. It is also one of the pieces of a Red Team, where deceiving people is combined with technical intrusion to emulate a complete adversary. And while you train, Sondriva, our SOC, watches the real phishing attempts that keep reaching your organisation.
Questions
It is an attack that does not target your machines, but your people. Instead of looking for a technical flaw, the attacker manipulates someone into clicking, handing over a password, opening an attachment or granting access, usually by playing on urgency, trust or authority. Phishing is the best known case, but not the only one.
Phishing is one part, the most common one, but not all of it. A phishing simulation stops at email; a social engineering exercise also covers calls (vishing), mobile messages (smishing) and QR codes, impersonation and even physical intrusion. We choose the channels based on how an attacker would really get into your organisation.
No, and that matters. The data is always aggregated, by area and by type of bait, never as a list of culprits. If you publish who fell for it, all you achieve is that next time nobody reports anything out of fear. The goal is to measure and train, and the behaviour we reward is that of the person who spots the attack and raises the alarm.
Phishing and spear phishing by email, vishing by phone, smishing and QR codes by mobile, impersonation and pretexting, and when the scope includes it, physical intrusion: slipping into an office, leaving a device behind or following someone through a door. We adapt the channel and the pretext to your real context.
The whole point of the exercise is that people do not know the date or the specific bait, because that is how we measure the real reaction. What we do agree with you beforehand is the scope, the limits and who to warn inside the organisation, so that nobody in the business gets a genuine scare and the exercise stays controlled at all times.
The picture of how your people respond: how many fell for the deception and through which channel, how many spotted it and reported it, how long it took to react and which controls held up. And, above all, where to train first, so that awareness goes to what really exposes you and not to the generic.
Yes, when the scope includes it. Social engineering is not always digital: sometimes the shortest path is showing up at reception with a believable excuse, leaving a tempting USB in the car park or following someone through an access door. We always do it within what was agreed and in a controlled way.
When it makes sense, yes, because attackers already do. Generative AI makes it possible to write almost perfect bait and clone voices for a more believable vishing call. Bringing these techniques into the exercise measures whether your people are ready for the next generation of deception, not just the ones from years ago.
It helps. Frameworks like NIS2 and compliance schemes expect you to train and raise awareness among your workforce, and a social engineering exercise gives you the evidence that this training is tested and works. Awareness stops being a ticked box and starts having data behind it.
Shall we talk?
Tell us how your organisation communicates and who you want to put to the test, and we will design a social engineering exercise tailored to you, controlled and with no surprises for the business.