Phishing Simulation Services

Phishing remains the most common initial access vector in security incidents. Phishing simulation services measure how many of your employees would click a malicious link, submit credentials, or download an attachment, and provide the data your security and HR teams need to reduce that risk through targeted training and process improvements.

  • 90%+ of attacks start with phishing
  • Click rate measured pre and post training
  • Realistic scenarios tailored to your org
  • Ongoing programme, not one-off
Campaign Design & Scenario Development

We design phishing scenarios based on the attacks most likely to target your industry and employee profiles: IT support impersonation, HR announcements, urgent financial requests, fake package delivery notifications, and vendor invoice phishing. Scenarios range from generic awareness tests to highly targeted spear phishing against specific roles.

Targeted Spear Phishing for High-Risk Roles

Finance team members, executives, IT administrators, and HR staff are disproportionately targeted by real phishing campaigns. We design specific spear phishing scenarios for these roles using the same OSINT techniques real attackers use: references to real colleagues, vendors, projects, and organizational details that make attacks convincing.

Click Rate & Behavior Tracking

We measure email open rates, link click rates, credential submission rates, and attachment open rates across each campaign. Results are segmented by department, role level, location, and scenario type so you can identify which populations and scenarios represent the highest risk.

Immediate Training Intervention

Employees who interact with simulated phishing receive immediate, in-context training: a brief educational moment that explains what they just encountered and what to look for in future attacks. This just-in-time training is significantly more effective than annual awareness sessions delivered without context.

Phishing Susceptibility Report

Each campaign produces a detailed report showing click rates by department and role, scenario effectiveness comparisons, trend data across campaigns, and specific training recommendations for the highest-risk populations. Longitudinal data shows whether your overall susceptibility rate is improving over time.

Recurring Campaign Program

One-time phishing tests provide a snapshot. Recurring campaign programs (monthly or quarterly simulations with varied scenarios) provide continuous measurement and drive sustained behavior change. We manage the full campaign schedule, scenario rotation, and reporting cadence for organizations that want an ongoing program.



What Makes Us Different From Others

  • Realistic, Industry-Specific Scenarios: We build scenarios based on current attack trends in your industry, not generic reusable templates. Realistic scenarios produce accurate measurements.
  • Spear Phishing Capability: Most phishing simulation platforms only run generic campaigns. We include targeted spear phishing for high-risk individuals as a standard option.
  • Immediate Training Integration: Employees receive training at the moment they interact with a simulation, when the lesson is most impactful, not weeks later in an annual awareness session.
  • Longitudinal Trend Tracking: We track susceptibility rates over time so you can demonstrate improving security posture to your board, auditors, or cyber insurance provider.
  • No Shaming, No Naming: Individual results are reported to management confidentially. The program is positioned as protective, not punitive, which drives better employee engagement.
  • Integration with Social Engineering Testing: Phishing simulation programs can be extended to include vishing, smishing, and physical access testing as part of a comprehensive human-layer security assessment.

Client results

See how we have helped

Legal

Law Firm — Security Assessment

A 90-day remediation roadmap delivered after a full security assessment. The firm met enterprise client security requirements and avoided a regulatory incident.

  • 90 days: remediation roadmap
  • Critical risks addressed
  • 100% of client requirements met

Frequently asked questions

What is a phishing simulation?

A phishing simulation is a controlled test in which your organization's employees receive realistic-looking fake phishing emails designed to measure how many would click a malicious link, submit credentials, or take another action that would be harmful in a real attack. The goal is to measure susceptibility, not to trick or penalize employees.

What metrics do phishing simulations measure?

We measure email open rates, link click rates, credential submission rates, attachment open or download rates, and report rates (employees who correctly reported the email as suspicious). These are tracked by department, role, seniority level, location, and scenario type.

What happens when an employee clicks?

Employees who click are redirected to a brief educational page explaining what just happened and what to look for in future phishing attempts. This just-in-time training is more effective than after-the-fact awareness sessions because it is delivered with immediate context.

How realistic should phishing simulations be?

Simulations should be realistic enough to produce accurate measurements of real susceptibility, but not so targeted or sophisticated that they create unnecessary distress. For ongoing awareness programs, moderate realism with varied scenarios is appropriate. For higher-fidelity risk assessments, more targeted spear phishing against specific roles provides a more accurate measurement of susceptibility to sophisticated attacks.

What is a good phishing click rate benchmark?

Industry benchmarks vary, but organizations with no prior awareness training often see click rates of 25-35% on initial campaigns. With regular training and simulation programs, organizations typically reduce this to below 10%, with mature programs reaching 5% or lower. The trend over time matters more than any single data point.
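The metrics in the two answers above (open, click, credential-submission and report rates, segmented by department and tracked across campaigns against a sub-10% target) are easiest to see as a small aggregation script. The following is an added example, not GarrisonOne's tooling or code. The record layout, the field names and the `Recipient` class are assumptions about what a simulation platform exports, and the two-campaign event set is constructed sample data, so the numbers it produces illustrate the method rather than any real benchmark.

```python
"""Segmented phishing-simulation rates, trend and risk flagging (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

METRICS = ("opened", "clicked", "submitted", "reported")


@dataclass(frozen=True)
class Recipient:
    """One simulated email delivered to one employee (assumed export layout)."""
    campaign: str
    department: str
    opened: bool      # tracking pixel fired
    clicked: bool     # followed the link to the landing page
    submitted: bool   # entered credentials on the landing page
    reported: bool    # used the report-phishing button


def _row(campaign: str, dept: str, flags: str) -> Recipient:
    """Build a Recipient from a flag string: o=opened c=clicked s=submitted r=reported."""
    return Recipient(campaign, dept, "o" in flags, "c" in flags, "s" in flags, "r" in flags)


# Constructed sample: two quarterly campaigns, three departments, four recipients each.
SAMPLE: List[Recipient] = [_row(c, d, f) for c, d, fs in [
    ("Q1", "Finance", ["ocs", "oc", "or", ""]),
    ("Q1", "IT",      ["or", "oc", "", "or"]),
    ("Q1", "HR",      ["oc", "o", "", "or"]),
    ("Q2", "Finance", ["or", "oc", "or", ""]),
    ("Q2", "IT",      ["or", "or", "", "or"]),
    ("Q2", "HR",      ["or", "o", "oc", ""]),
] for f in fs]


def _rates(group: List[Recipient]) -> Dict[str, float]:
    """Per-metric fraction of delivered emails, plus the delivered count."""
    n = len(group)
    out = {m: (sum(1 for r in group if getattr(r, m)) / n if n else 0.0) for m in METRICS}
    out["delivered"] = n
    return out


def campaign_rates(records: Iterable[Recipient]) -> Dict[str, Dict[str, float]]:
    """Organisation-wide rates for each campaign."""
    groups = defaultdict(list)
    for r in records:
        groups[r.campaign].append(r)
    return {c: _rates(g) for c, g in groups.items()}


def rates_by(records: Iterable[Recipient], key: str = "department"):
    """Rates keyed by (campaign, segment); `key` is any Recipient field, e.g. department."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.campaign, getattr(r, key))].append(r)
    return {k: _rates(g) for k, g in groups.items()}


def click_trend(records: Iterable[Recipient]) -> List[Tuple[str, float]]:
    """(campaign, click rate) pairs in campaign order, for longitudinal reporting."""
    cr = campaign_rates(records)
    return [(c, cr[c]["clicked"]) for c in sorted(cr)]


def highest_risk(records, campaign: str, threshold: float = 0.10, key: str = "department"):
    """Segments whose click rate in `campaign` exceeds `threshold`, worst first.
    The default threshold is the sub-10% target quoted in the FAQ above."""
    hits = [(seg, v["clicked"]) for (c, seg), v in rates_by(records, key).items()
            if c == campaign and v["clicked"] > threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def inconsistent(records: Iterable[Recipient]) -> List[int]:
    """Indices of rows an export should never contain: a credential submission
    requires a click, because the landing page is only reachable via the link.
    A click without an open is not flagged; blocked tracking pixels make that common."""
    return [i for i, r in enumerate(records) if r.submitted and not r.clicked]


if __name__ == "__main__":
    for (camp, dept), v in sorted(rates_by(SAMPLE).items()):
        print(f"{camp} {dept:8} click {v['clicked']:.0%}  submit {v['submitted']:.0%}  "
              f"report {v['reported']:.0%}  (n={v['delivered']})")
    print("click trend:", [(c, f"{x:.0%}") for c, x in click_trend(SAMPLE)])
    print("above 10% in Q2:", highest_risk(SAMPLE, "Q2"))
    print("inconsistent rows:", inconsistent(SAMPLE))
```

All rates are fractions of emails delivered, not of emails opened, so departments are comparable even when image blocking suppresses open tracking. The `inconsistent` check is the sanity pass a practitioner runs on a platform export before trusting the numbers in a board report.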

How often should phishing simulations be run?

Monthly or quarterly campaigns provide continuous measurement and drive sustained behavior change. Annual simulations only measure a point in time and do not create the repeated reinforcement needed for lasting behavior change. Most compliance frameworks (PCI DSS, HIPAA, SOC 2) recommend regular security awareness testing.

Can phishing simulations be combined with security awareness training?

Yes, and this is the recommended approach. Simulations measure susceptibility and identify high-risk populations; training addresses the specific gaps measured. When combined, the simulation data directly informs training content and subsequent campaigns measure whether training was effective.

Are phishing simulations required for compliance?

No framework explicitly mandates phishing simulations by name, but PCI DSS, HIPAA, SOC 2, and ISO 27001 all include security awareness requirements that phishing simulations are commonly used to satisfy. Cyber insurance providers increasingly request evidence of phishing simulation programs as part of underwriting.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

No obligation: just clarity on your next step.
