CREST-Certified Phishing Assessment and Social Engineering for UK Businesses
Phishing assessment goes beyond annual click-rate metrics. We deliver realistic adversary-mode phishing campaigns: AI-generated lures, MFA-fatigue testing, OAuth phishing, vishing, smishing, and physical pretext attacks. CREST methodology, sector-specific TTPs, executive-tier scope.
Click-rate metrics measure awareness. Adversary-mode phishing measures resilience.
Most “phishing assessments” send a templated email, count clicks, and produce a percentage. That’s awareness training, not security testing. It doesn’t reveal whether your MFA holds up against real OAuth-consent phishing, whether your SOC catches a vishing-driven help-desk handover, or whether a sector-targeted lure compromises your finance team.
Our phishing assessment runs adversary-mode campaigns: AI-generated lures based on current threat-actor TTPs, MFA-fatigue testing, OAuth-consent phishing for cloud account compromise, vishing (voice phishing) of help-desk and finance, smishing (SMS phishing) targeting executives, and, where authorised, physical pretext attacks. Reports satisfy ISO 27001 A.6.3 awareness-training requirements, provide FCA Operational Resilience scenario evidence, and give CISO-ready findings on cultural and process gaps.
12 PHISHING ATTACK VECTORS
What We Test in Phishing Assessment
Multi-channel adversary mode. Modern TTPs. Sector-specific lure design.
Email Phishing
Targeted spear-phishing with sector-aware lures. Domain spoof / look-alike. Payload, credential harvest, or pretext-only.
OAuth Consent Phishing
Modern cloud account takeover via fraudulent OAuth consent. Bypasses MFA. Targets Microsoft 365 / Google Workspace.
MFA Fatigue
Repeated MFA push notifications until user accepts. Tests SOC alerting and user awareness of MFA bombing patterns.
Vishing (Voice)
Help-desk impersonation, finance-team payment-fraud calls, IT-team password-reset requests. Pretext, recorded if authorised.
Smishing (SMS)
Executive SMS phishing, mobile MFA reset attempts, banking-style mobile lures. Particularly effective against C-suite.
Physical Pretext
Office tailgating, USB drop, courier impersonation, RFID badge cloning, dropbox device deployment. Authorised in writing.
Whaling / BEC
Business Email Compromise targeting CFO, finance team, treasury. Wire-fraud lure design, supplier impersonation, M&A pretexts.
AI-Generated Lures
LLM-generated phishing lures matching real adversary writing style. Tests resilience against polished modern phishing not flagged by basic filters.
Domain Spoofing & Lookalike
Typosquat domain registration, IDN homoglyph attacks, look-alike Microsoft / Google portals, email-spoofing without DKIM/DMARC.
Adversary-in-the-Middle (AitM)
Evilginx-style AitM attacks against MFA. Captures session tokens. Bypasses TOTP / push MFA. Defeated only by FIDO2 / hardware keys.
Supply Chain Phishing
Pretexts simulating compromised suppliers, M&A counterparties, regulators. Tests cross-organisational trust assumptions.
SOC Detection Validation
Coordinates campaign with your SOC for blue-team measurement. SOC alerts, ticket queue, response time, communication-cascade quality.
FOUR-PHASE METHODOLOGY
Phishing Assessment: From Threat Profile to Cultural Insight
Sector-aware threat profiling. Multi-channel campaign delivery. SOC-coordinated for blue-team measurement.
Threat Profile
Lure Development
Campaign Execution
Report & Briefing
Verified Accreditations Auditors Accept
Every accreditation independently issued by a recognised UK certification body. Click CREST to verify our membership.
COMPLIANCE READY
Phishing Assessment Reports Mapped to Every Framework
Phishing assessment evidence accepted across compliance frameworks where social-engineering resilience is a control requirement.
ISO 27001 A.6.3
Awareness training and human-element control evidence. ISO 27001:2022 explicitly requires periodic phishing testing.
FCA / PRA Operational Resilience
Severe-but-plausible scenario evidence including human-element failure modes. SOC detection of social-engineering attempts.
NIS2 + DORA
Essential services and financial entities: human-element resilience is part of operational risk evidence.
SOC 2 Type II
CC1.4 entity values evidence (commitment to integrity), CC2.2 communication evidence: phishing assessments support both.
Cyber Essentials
Phishing readiness exceeds CE+ baseline and supports overall cyber maturity scoring during recertification.
NCSC Phishing Resistance
Aligned to NCSC phishing-resistance guidance: particularly important for FIDO2 hardware-key adoption recommendations.
TRANSPARENT PRICING
Transparent Phishing Assessment Pricing
All tiers include sector-specific threat profiling and SOC-coordinated delivery. Price varies by scope, channel breadth, and target population.
Depends on target population
Single-channel email phishing, ≤500 targets, sector-aware lures, basic SOC coordination. Typically 2-3 week delivery.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on scope + channels
Email + vishing + smishing + OAuth phishing + MFA fatigue, ≤500 targets, full SOC coordination. Typically 3-5 week delivery.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on scope + channels
All channels including physical pretext, full BEC scenarios, AitM testing, supply-chain phishing, integrated with red team or DORA TLPT cycle.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Phishing Assessment for Your Sector
Phishing TTPs vary by sector. We profile the actors targeting your industry and design campaigns matching their actual tradecraft.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
Five things that distinguish our service from automated scans and box-tick competitors.
What You Get From Phishing Assessment
AI-Aware Lure Design
OAuth + AitM Testing
SOC-Coordinated Metrics
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What is a phishing assessment?
A phishing assessment is a controlled simulation of phishing and social-engineering attacks against your organisation. Modern assessments go beyond email click-rate metrics to include vishing, smishing, OAuth consent phishing, MFA fatigue, and physical pretext attacks, measuring both user awareness and SOC detection.
How is your assessment different from a phishing-awareness platform?
Awareness platforms (KnowBe4, Proofpoint Security Awareness, etc.) deliver continuous low-fidelity phishing for training. Our assessment is adversary-mode: high-fidelity, sector-aware, multi-channel campaigns matching real threat-actor tradecraft. Use both: awareness platforms for ongoing training, our assessment for periodic resilience testing.
How long does a phishing assessment take?
Email-only campaign: 2-3 weeks (1 week setup, 1-2 weeks campaign). Multi-channel campaign: 3-5 weeks. Enterprise / red-team-adjunct campaign: 6-8 weeks including physical pretext component.
How much does phishing assessment cost in the UK?
Email-only £3,000-£6,000. Multi-channel (most commonly commissioned) £6,000-£15,000. Enterprise / red-team adjunct £15,000+. UK day rates for CREST + social-engineering specialists are £1,200-£1,800 per day.
Do you test MFA bypass via OAuth phishing?
Yes. OAuth consent phishing is the modern cloud account takeover vector: bypasses MFA entirely because the user grants legitimate-looking app permissions. Particularly effective against Microsoft 365 and Google Workspace tenants. Our assessment includes this if requested.
Do you test against MFA fatigue?
Yes. MFA-fatigue (push-notification spamming until the user accepts) is a real-world TTP behind the 2022 Uber breach and many subsequent incidents. We test MFA-bombing patterns, conditional-access policy effectiveness, and SOC detection of unusual MFA-prompt volume.
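The "SOC detection of unusual MFA-prompt volume" mentioned above is the blue-team side of an MFA-fatigue test. The following is an added illustration, not the provider's tooling: it assumes a simplified, constructed MFA push log (timestamp, user, method, result) and flags users who receive a burst of push prompts within a short window, escalating severity when a run of denials ends in an approval, which is the pattern a SOC should be alerting on during this kind of campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events for illustration (not real telemetry).
# Format assumed here: "<ISO timestamp> <user> <method> <result>".
SAMPLE_EVENTS = """\
2024-05-01T09:00:05Z alice push denied
2024-05-01T09:00:41Z alice push denied
2024-05-01T09:01:12Z alice push denied
2024-05-01T09:01:50Z alice push denied
2024-05-01T09:02:20Z alice push denied
2024-05-01T09:03:02Z alice push approved
2024-05-01T09:10:00Z bob push approved
2024-05-01T14:30:00Z bob push denied
"""

SEVERITY_RANK = {"medium": 1, "high": 2}


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user whose push-prompt count within `window` reaches `threshold`.

    Severity is "high" when the burst ends in an approval preceded by at least
    threshold-1 denials (the user gave in), otherwise "medium" (prompt volume only).
    """
    by_user = defaultdict(list)
    for ts, user, method, result in events:
        if method == "push":  # only push prompts can be spammed to fatigue a user
            by_user[user].append((ts, result))

    alerts = {}
    for user, prompts in by_user.items():
        prompts.sort()
        start = 0
        for end, (ts, result) in enumerate(prompts):
            # slide the window start forward until the burst fits inside `window`
            while ts - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) < threshold:
                continue
            denials = sum(1 for _, r in burst if r == "denied")
            gave_in = result == "approved" and denials >= threshold - 1
            severity = "high" if gave_in else "medium"
            prev = alerts.get(user)
            # keep the strongest evidence seen for this user
            if prev is None or (SEVERITY_RANK[severity], len(burst)) > (
                SEVERITY_RANK[prev["severity"]], prev["prompts"]
            ):
                alerts[user] = {
                    "user": user,
                    "prompts": len(burst),
                    "denials": denials,
                    "severity": severity,
                    "window_end": ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)).values():
        print(alert)
```

On the constructed sample, alice is reported as a high-severity burst (six prompts, five denials, then an approval) while bob's two widely spaced prompts produce nothing. In a real deployment the window, threshold and log parser would be tuned to the identity provider's sign-in logs, and the detection would be measured during the campaign as part of the SOC latency and triage metrics the page describes.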
Do you do vishing (voice phishing)?
Yes. Vishing is particularly effective against help-desks, finance teams, and executive assistants. We deliver vishing as part of multi-channel campaigns: pretext development, recorded calls (where authorised), and post-campaign analysis of phone-handling resilience.
Do you do physical pretext attacks?
Yes, with extensive written authorisation. Physical pretexts include tailgating, USB drops, courier impersonation, RFID badge cloning, and dropbox-device deployment. Always paired with a “get-out-of-jail” letter for operators and pre-approved time windows.
Will phishing assessment damage employee trust?
No, when delivered well. We coordinate closely with HR and internal-comms teams. Post-assessment communications focus on collective improvement, not individual blame. Many of our clients see improved employee engagement on security topics after assessment.
Will assessments trigger our SOC?
Yes, by design. We coordinate with your SOC team to measure detection latency, triage quality, and communication cascade. SOC blue-team metrics are as important as user-side click-rate metrics. Some clients run “blind” SOC scenarios where the SOC team isn’t pre-warned.
Are your operators UK-based?
Yes, primarily UK-based with some international reach for specific language / regional coverage. SC-cleared operators are available for public-sector and regulated-financial engagements where vetting is required.
Do you sign NDAs?
Yes. Standard NDA before any threat-profile or target-list discussion. We operate under a project-specific master agreement that includes target-list IP protection, post-engagement data destruction, and white-team confidentiality.
Get a fixed Phishing Assessment quote in 24 hours
A CREST-certified social-engineering specialist will contact you within one business day with a fixed price, a realistic timeline, and the named consultant. No sales pipeline.