Social Engineering Testing

Social Engineering Testing Services

Technical controls stop technical attacks. Social engineering testing reveals whether your people and processes would stop a human attacker. We simulate the full range of social engineering techniques (targeted phishing, phone-based pretexting, physical access attempts, and impersonation) to identify your human-layer vulnerabilities before real attackers exploit them.

Phishing, vishing and pretexting covered
Workforce: the most targeted attack surface
Click rate: measured and benchmarked
Training: integrated into findings
OSINT & Target Profiling

Effective social engineering starts with intelligence. We collect publicly available information about your organization, employees, and business relationships to craft pretexts that are plausible and specific, the same research real attackers conduct before targeting your people.

Phishing & Spear Phishing Campaigns

We design targeted phishing campaigns ranging from broad-based awareness tests to highly targeted spear phishing against specific individuals: executives, finance team members, IT administrators, or HR staff. Campaigns include credential harvesting attempts, malware delivery simulations, and business email compromise scenarios.

Vishing (Phone-Based Attacks)

Attackers frequently bypass technical controls by calling employees directly, impersonating IT support, vendors, regulators, or colleagues. We conduct vishing calls designed to extract sensitive information or credentials, or to persuade employees into taking actions they should not take.

Physical Access Testing

For organizations that include physical security in scope, we test whether unauthorized individuals can gain physical access to your premises through tailgating, visitor impersonation, badge cloning, or other pretexting techniques. Physical access to a workstation or network port often bypasses all remote security controls.

Pretexting & Impersonation

We develop detailed pretexts (impersonating IT support, vendors, auditors, or executives) and use them across multiple attack vectors simultaneously to simulate sophisticated multi-channel attacks. This tests whether your verification procedures hold against a persistent, well-prepared attacker.

Human-Layer Risk Report

We provide a detailed report showing click rates, credential submission rates, and callback rates by department, role, and seniority level. Individual results are handled sensitively. The report identifies your highest-risk populations and processes, and provides specific training and procedural recommendations.
What Makes Us Different From Others

  • Realistic Scenarios, Not Generic Tests. We invest in building plausible pretexts specific to your organization, industry, and current events, not reusable generic phishing templates.
  • Multi-Vector Testing. We combine phishing, vishing, and physical access in coordinated campaigns that simulate how sophisticated attackers actually operate.
  • Sensitive Result Handling. Individual click and submission data is aggregated for reporting purposes. We follow responsible disclosure principles with your HR and management team on how individual results are shared.
  • Training Recommendations. Results are mapped to specific training interventions for the employee groups and scenarios that had the highest failure rates.
  • Process Verification Testing. Beyond individual behavior, we test whether your organizational processes (IT helpdesk verification, wire transfer approvals, vendor onboarding) are robust against social engineering.
  • Integration with Awareness Training. Social engineering testing works best as part of an ongoing awareness program. We can integrate testing with garrisonOne Security Awareness Training for a complete human-layer security program.

Client results

See how we have helped

Legal

Law Firm — Security Assessment

A 90-day remediation roadmap delivered after a full security assessment. The firm met enterprise client security requirements and avoided a regulatory incident.

90 days: remediation roadmap
Critical risks addressed
100% of client requirements met

Frequently asked questions

What types of social engineering do you test?

We test phishing (email), spear phishing (targeted email), vishing (phone calls), smishing (SMS), physical access attempts, and pretexting across all channels. The scope of each engagement is defined based on your threat profile and what you want to measure.

Will employees know they are being tested?

For most engagements, employees are not informed in advance, because awareness of the test would invalidate the results. Senior management and HR are always informed. Some organizations prefer announced exercises for training-focused programs, which we can also support.

How are results reported to avoid embarrassing individual employees?

Individual results are handled sensitively. We report aggregate statistics by department, role level, and scenario type. Individual performance is discussed confidentially with HR or management and is not included in general-circulation reports. Our goal is to improve security, not to create personnel issues.

What is a spear phishing test?

Spear phishing is targeted phishing that uses specific information about the recipient (their role, colleagues, ongoing projects, or vendors) to make the message more convincing. We conduct spear phishing tests against high-risk individuals such as executives, finance team members, and IT administrators, where targeted attacks are most likely to occur.

What does physical security testing involve?

Physical security testing involves attempting to gain unauthorized physical access to your premises using social engineering techniques: tailgating behind employees, impersonating IT contractors, claiming to be a delivery person or auditor, or cloning access badges if badge cloning is in scope. Physical access testing reveals whether technical controls can be bypassed by simply walking in the door.

How do you measure the success of a social engineering test?

We measure click rates (percentage who clicked a phishing link), credential submission rates (percentage who submitted login credentials), callback rates (percentage who called back a vishing number), compliance rates (percentage who followed social engineering instructions), and physical access success rates. These are compared against industry benchmarks.
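The metrics above (click rate, credential submission rate, callback rate) are computed per cohort and compared to a benchmark, while individual outcomes stay out of the general report. The script below is an added example of that aggregation, not GarrisonOne's own reporting code: it takes per-recipient outcomes from one simulated campaign, rolls them up by department, suppresses any cohort too small to hide an individual, and ranks cohorts against a benchmark. The recipient records, department names, the minimum cohort size of 5 and the benchmark figures are all constructed placeholders, not industry data.

```python
"""Aggregate simulated phishing/vishing outcomes into cohort-level metrics.

Added example (not GarrisonOne's code). All records, cohort names and
benchmark rates below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-recipient outcomes from one simulated campaign.
# Fields: recipient id, department, seniority, clicked, submitted_credentials, called_back
RESULTS = [
    ("f01", "Finance", "staff", True, True, False),
    ("f02", "Finance", "staff", True, True, True),
    ("f03", "Finance", "staff", True, False, False),
    ("f04", "Finance", "manager", True, False, False),
    ("f05", "Finance", "staff", False, False, False),
    ("f06", "Finance", "manager", False, False, False),
    ("i01", "IT", "staff", True, False, False),
    ("i02", "IT", "staff", False, False, False),
    ("i03", "IT", "staff", False, False, False),
    ("i04", "IT", "manager", False, False, False),
    ("i05", "IT", "staff", False, False, False),
    ("e01", "Executive", "executive", True, True, True),
    ("e02", "Executive", "executive", True, False, False),
    ("e03", "Executive", "executive", False, False, False),
]

DEPARTMENT = 1          # column index used for the cohort key
MIN_COHORT = 5          # placeholder: cohorts smaller than this are suppressed
                        # so a single person's result cannot be inferred

# Constructed benchmark rates (placeholders, not real industry figures).
BENCHMARK = {"click_rate": 0.20, "submit_rate": 0.08, "callback_rate": 0.10}


@dataclass
class CohortMetrics:
    size: int
    click_rate: float
    submit_rate: float
    callback_rate: float


def aggregate(results, key_index=DEPARTMENT, min_cohort=MIN_COHORT):
    """Return {cohort: CohortMetrics or None}; None marks a suppressed cohort."""
    groups = defaultdict(list)
    for row in results:
        groups[row[key_index]].append(row)
    out = {}
    for name, rows in groups.items():
        n = len(rows)
        if n < min_cohort:
            out[name] = None  # too small to report without exposing individuals
            continue
        out[name] = CohortMetrics(
            size=n,
            click_rate=sum(r[3] for r in rows) / n,
            submit_rate=sum(r[4] for r in rows) / n,
            callback_rate=sum(r[5] for r in rows) / n,
        )
    return out


def versus_benchmark(metrics, benchmark=BENCHMARK):
    """Difference between a cohort's rates and the benchmark (positive = worse)."""
    return {k: round(getattr(metrics, k) - v, 4) for k, v in benchmark.items()}


def rank_cohorts(aggregated, field="submit_rate"):
    """Reportable cohorts ordered from highest to lowest risk on one metric."""
    reportable = [(name, getattr(m, field)) for name, m in aggregated.items() if m]
    return sorted(reportable, key=lambda item: item[1], reverse=True)


def report_lines(aggregated):
    """Text for the general-circulation report: cohort figures only, no recipient ids."""
    lines = []
    for name, m in sorted(aggregated.items()):
        if m is None:
            lines.append(f"{name}: suppressed (fewer than {MIN_COHORT} recipients)")
            continue
        delta = versus_benchmark(m)
        lines.append(
            f"{name} (n={m.size}): click {m.click_rate:.0%}, submit {m.submit_rate:.0%}, "
            f"callback {m.callback_rate:.0%}; click vs benchmark {delta['click_rate']:+.0%}"
        )
    return lines


if __name__ == "__main__":
    agg = aggregate(RESULTS)
    print("\n".join(report_lines(agg)))
    print("Highest-risk cohorts by credential submission:", rank_cohorts(agg))
```

Suppression is the point worth noting: the Executive cohort in the constructed data has only three recipients, so it is reported as suppressed rather than as a rate that would identify who submitted credentials; those individual outcomes are left for the confidential HR discussion described on this page.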

How often should social engineering testing be done?

Annual testing is a common baseline. Organizations undergoing significant growth or workforce changes, or those in high-risk industries like financial services and healthcare, often test quarterly or semi-annually. Regular phishing simulations (monthly or quarterly) provide more continuous measurement than annual point-in-time tests.

Can social engineering testing be combined with security awareness training?

Yes, and this is the most effective approach. Testing identifies your highest-risk populations and scenarios; training addresses those specific gaps. We can design a combined program where testing results directly inform training content and measure improvement over successive test campaigns.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.


No obligation: just clarity on your next step.
