Offensive Security · Social Engineering

Every technical control you have can be bypassed if your people aren’t part of the test.

Phishing, vishing, pretexting, and physical access engagements that test the human layer of your security programme. Calibrated to your sector and your environment. Designed to inform training and policy — not to embarrass employees.

Talk to an expert →

4

Engagement types

Sector-calibrated

Pretexts and scenarios

Policy-led

Findings and recommendations

Four engagement types

The human layer tested from every angle.

Social engineering engagements are scoped to reflect the actual tactics adversaries use against organisations in your sector — not generic phishing templates that everyone recognises. Each engagement type can be run independently or combined into a full human-layer assessment.

01 · Phishing

Email phishing campaigns

Targeted phishing simulations using pretexts calibrated to your organisation and sector — regulatory notifications, IT helpdesk resets, payroll updates, or vendor communications. Campaigns can target the whole organisation, a specific department, or high-value individuals. Results show click rates, credential submission rates, and reporting behaviour.

02 · Vishing

Voice phishing calls

Simulated calls to staff posing as IT support, auditors, vendors, or leadership. Tests whether employees disclose credentials, authorise actions, or take instructions from an unverified caller — a primary attack vector in business email compromise and fraud schemes. Particularly relevant for financial services and legal environments.

03 · Pretexting

Multi-channel pretexting

Extended engagements building a credible cover identity to gain trust over time — combining email, phone, and sometimes in-person contact. Tests the resilience of your processes and staff against sophisticated, patient adversaries rather than opportunistic attacks. Particularly relevant for organisations with high-value IP or sensitive client data.

04 · Physical

Physical access testing

Tailgating, visitor badge exploitation, document handling assessment, and on-site social engineering at offices, studios, data centres, or branches. Tests whether physical access controls hold up against a confident, prepared attacker — and whether staff challenge unknown individuals appropriately.

How we report

Findings that inform, not blame.

Social engineering results are reported at an organisational and departmental level, never attributed to individual employees. The goal is to identify process and policy gaps, not to create a list of who clicked what.

Get started

Test the layer attackers exploit most.

Social engineering is consistently the most successful initial access vector across every sector Convergent works in. Most organisations test their infrastructure annually and their people never.

Talk to an expert →
Consent Preferences