SOCIAL ENGINEERING

Hacking people – not systems.

Social engineering exploits the biggest weakness of any security architecture: people. We simulate realistic attacks via email, phone, and in-person contact – including clear KPIs, reporting, and actions to strengthen your security culture.

92% success rate in test scenarios
1000+ simulated attacks analyzed
3 main channels: email, phone, on-site
ATTACKER PERSONAS

How attackers really approach your employees

Instead of generic mass emails, we use realistic role profiles that match your organization, language, and tool landscape.

Fake IT support

"We are seeing a login issue … please quickly confirm your credentials."

HR & payroll

Emails or calls about payslips, benefits, or vacation balance.

Supplier & partner

Impersonated service providers who "urgently need access" or data.

CEO / management

"Urgent request" from management – classic CEO fraud and payment fraud.

Electrician

"We just need to quickly check the electrical panel – please follow me."

Cleaning staff

"We need to quickly clean the meeting room – may we come in?"

Utility workers

"We are checking water and power – we need access to the basement."

Job applicant

"I just wanted to prepare for my interview – may I go into the office?"

Pizza delivery

"Your order has arrived – should I bring the pizza into the office?"

USE CASES

What we test in a social engineering pentest

The module is tailored to your requirements, processes, and systems – from simple awareness checks to complex attack campaigns.

Phishing simulation

Spear phishing & campaigns

Targeted email campaigns with tracking of opens, clicks, form entries, and reports to security or IT – including analysis at department level.

Vishing campaigns

Vishing & call center scenarios

Simulated calls posing as support, service providers, or partners – we document when information, passwords, or access are disclosed.

USB drops and baiting

USB drops & baiting

Prepared USB sticks or devices are placed and technically tracked – allowing us to measure curiosity, policy compliance, and reporting paths.

WHY TEST SOCIAL ENGINEERING?

Because attacks do not start in the SIEM

Most incidents start with an email, a call, or a conversation – long before logs, firewalls, or EDR see anything.

Realistic attacks

Texts, domains, and hooks based on real-world campaigns – not demo spam.

Measurable awareness

Click, entry, reporting, and forwarding rates – anonymized but clearly analyzable.

Focus on culture

No public shaming – we work with you on structures, not against individuals.

Audit-ready evidence

Reports that can be used in audits, management reviews, and for ISO and regulatory requirements.

FAQ

Frequently Asked Questions on Social Engineering & Psychological Resilience

Quite the opposite: A professional social engineering pentest is an investment in your team, not a trap. The goal is never to 'blame' individuals but to uncover systemic gaps in your processes.

We always present results on an aggregated level (e.g., by department or location) without putting names on a 'wall of shame.' In the follow-up, we use those 'aha moments' to constructively strengthen the security culture. If an employee 'falls' during the test, it is the safest environment to learn—because here, there is no real data loss and no extortion by ransomware. We turn affected staff into active participants who know exactly what to look for after the test.

Especially if click rates are high, a methodical pentest is vital. Without objective measurement, your risk remains just a 'gut feeling.' We help you strategically build your 'Human Firewall.'

Often, the problem isn't employee ignorance, but rather stressful processes or unclear reporting channels. A social engineering pentest provides you with reliable KPIs: How high is the click rate? How many actually enter their credentials on a fake site? And most importantly: How many actively report the incident to IT? Only with this data can you decide whether you need technical filters (email security), better awareness training, or simply a clearer process for 'urgent requests.'
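The KPIs this answer lists (click rate, credential-entry rate, report rate), broken down by department, as an added Python example that is not the vendor's own tooling: it aggregates a constructed event log keyed by pseudonymous participant ids, merges departments below a minimum size so no individual can be read out of the aggregate, and records a credential entry only as the fact that it happened, never the secret itself. The event model and the sample data are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

KINDS = ("delivered", "open", "click", "submit", "report")

@dataclass(frozen=True)
class Event:
    participant: str  # pseudonymous id, never a name or e-mail address
    department: str
    kind: str         # one of KINDS; "submit" records only that it happened, never the secret

def department_kpis(events, min_group=5):
    """Rates per department relative to delivered mails; departments with
    fewer than min_group recipients are merged into "other" so that no
    individual can be inferred from the aggregate."""
    by_dept = defaultdict(lambda: {k: set() for k in KINDS})
    for e in events:
        by_dept[e.department][e.kind].add(e.participant)
    merged = defaultdict(lambda: {k: set() for k in KINDS})
    for dept, sets in by_dept.items():
        key = dept if len(sets["delivered"]) >= min_group else "other"
        for k in KINDS:
            merged[key][k] |= sets[k]
    result = {}
    for dept, sets in merged.items():
        n = len(sets["delivered"])
        if n == 0:  # events without a delivery record: skip rather than divide by zero
            continue
        result[dept] = {"recipients": n}
        for k in KINDS[1:]:
            result[dept][f"{k}_rate"] = len(sets[k]) / n
    return result

def _ev(pid, dept, *kinds):  # shorthand for building the constructed sample below
    return [Event(pid, dept, k) for k in kinds]

# Constructed sample: 5 recipients in finance, 2 in legal (legal gets merged into "other").
SAMPLE_EVENTS = [
    *_ev("fin-0", "finance", "delivered", "open", "click", "submit"),
    *_ev("fin-1", "finance", "delivered", "open", "report"),
    *_ev("fin-2", "finance", "delivered", "open", "click", "report"),
    *_ev("fin-3", "finance", "delivered"),
    *_ev("fin-4", "finance", "delivered"),
    *_ev("leg-0", "legal", "delivered", "open", "click", "submit"),
    *_ev("leg-1", "legal", "delivered"),
]

if __name__ == "__main__":
    for dept, kpi in sorted(department_kpis(SAMPLE_EVENTS).items()):
        print(dept, {k: round(v, 2) for k, v in kpi.items()})
```

The report rate is the number to watch over time: a rising report rate with a falling submit rate is the trend the recurring simulations described below are meant to surface.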

Legal compliance is the foundation of our work. Before we start, we define the exact scope together with you, HR, and—if applicable—the works council. We work with strict NDAs and liability clarifications.

Regarding data protection, we ensure that no personal data is stored improperly. While we simulate the theft of passwords (e.g., through fake login masks), we never store them in plain text; we only register the success of the action. Our scenarios are realistic, but we stick to ethical guardrails (e.g., no exploitation of extreme private fears) to preserve the psychological integrity of your team while achieving maximum learning effects.

Our reporting is audit-ready and serves as direct evidence for regulatory requirements such as ISO 27001, NIS2, or SOC2, which mandate regular awareness testing.

You receive a detailed evaluation of the attack vectors (phishing, vishing, USB baiting) including a profound risk assessment. We don't just show you where the fire is; we provide the fire extinguishers: from 'quick wins' like introducing a phishing report button to long-term strategies for your security culture. This report is your most important tool for proving the progress of your security measures to management in black and white.

Absolutely—and that is the gold standard. A full-chain attack scenario is the most realistic: We call an employee (vishing) to gather information, use it for a targeted email (spear phishing), and simultaneously try to gain physical entry to the building (physical testing).

This 360° view uncovers vulnerabilities at the interfaces between people, technology, and facilities. For example, you’ll find out if an employee trusts a supposed IT technician on the phone and then physically opens the door to the server room for them. These combined tests provide the most valuable insights for your holistic resilience.

Security is not a state, but a process. A one-time test is a snapshot, but awareness fades over time. We recommend a hybrid approach: One deep, individual social engineering pentest annually to test complex attack scenarios.

Additionally, smaller, recurring phishing simulations throughout the year are useful to keep awareness high and observe trends. This allows you to measure whether your measures are bearing fruit and if the reporting rate is continuously increasing. The goal is for the identification of social engineering attempts to become routine for your team—like wearing a seatbelt.

Vishing stands for Voice Phishing. In this case, we use the phone to put employees under psychological pressure or gain their trust. Attackers often pose as IT support, external auditors, or even colleagues from executive management (CEO fraud).

The phone is a powerful tool because the threshold to contradict a friendly voice on the other end is much higher than with an anonymous email. We test whether your team reveals sensitive information like passwords, internal responsibilities, or details of the tool landscape over the phone. Since AI-powered voice cloning attacks (deepfakes) are on the rise, awareness of this vector is more critical today than ever before.

Then you have achieved exactly the goal of the pentest: found a critical vulnerability before a real attacker exploited it. A 'weak' culture is simply a sign that previous processes didn't fit the workflows or communication didn't stick.

We don't leave you alone after the test. We support you in changing the error culture positively. Security shouldn't be a hurdle, but an integral part of daily work. With our recommendations, you build an environment where employees feel comfortable reporting suspicious cases immediately instead of hiding them for fear of consequences. That is the strongest protection you can build.


© AccessGranted X GmbH