Offensive Security · Social Engineering
Phishing, vishing, pretexting, and physical access engagements that test the human layer of your security programme. Calibrated to your sector and your environment. Designed to inform training and policy — not to embarrass employees.
Talk to an expert →4
Engagement types
Sector-calibrated
Pretexts and scenarios
Policy-led
Findings and recommendations
Four engagement types
Social engineering engagements are scoped to reflect the actual tactics adversaries use against organisations in your sector — not generic phishing templates that everyone recognises. Each engagement type can be run independently or combined into a full human-layer assessment.
01 · Phishing
Targeted phishing simulations using pretexts calibrated to your organisation and sector — regulatory notifications, IT helpdesk resets, payroll updates, or vendor communications. Campaigns can target the whole organisation, a specific department, or high-value individuals. Results show click rates, credential submission rates, and reporting behaviour.
02 · Vishing
Simulated calls to staff posing as IT support, auditors, vendors, or leadership. Tests whether employees disclose credentials, authorise actions, or take instructions from an unverified caller — a primary attack vector in business email compromise and fraud schemes. Particularly relevant for financial services and legal environments.
03 · Pretexting
Extended engagements building a credible cover identity to gain trust over time — combining email, phone, and sometimes in-person contact. Tests the resilience of your processes and staff against sophisticated, patient adversaries rather than opportunistic attacks. Particularly relevant for organisations with high-value IP or sensitive client data.
04 · Physical
Tailgating, visitor badge exploitation, document handling assessment, and on-site social engineering at offices, studios, data centres, or branches. Tests whether physical access controls hold up against a confident, prepared attacker — and whether staff challenge unknown individuals appropriately.
How we report
Social engineering results are reported at an organisational and departmental level, never attributed to individual employees. The goal is to identify process and policy gaps, not to create a list of who clicked what.
Get started
Social engineering is consistently the most successful initial access vector across every sector Convergent works in. Most organisations test their infrastructure annually and their people never.
Talk to an expert →