Social engineering penetration testing that tests the human firewall.
Your people are the primary target. SubRosa safely simulates the multi-channel campaigns real attackers run, phishing, vishing, smishing, and on-site pretexting, to measure how your team detects, reports, and resists them.
Phishing · Vishing · Smishing · Pretexting · Tailgating
What is social engineering penetration testing?
Social engineering penetration testing safely simulates the manipulation attacks real adversaries use to trick people into granting access or giving up information: phishing emails, vishing calls, smishing texts, and physical pretexting. Rather than blaming users, it measures how well your detection, reporting, and verification controls hold up, and turns the results into targeted awareness improvements.
Every channel an attacker uses.
We test across all the channels and scenarios real attackers exploit.
Phishing campaigns
Realistic spear-phishing built from OSINT and pretexts tailored to your organization, testing detection, judgment, and reporting workflows.
Vishing & smishing
Voice and SMS attacks that probe identity verification, help-desk protocols, and how employees respond to phone and text threats.
On-site pretexting
Physical pretexting, tailgating, and USB-drop scenarios that test lobby, badge, and escort controls the way a real intruder would.
Reporting & response
We assess the full chain, detection, reporting, escalation, and verification, so you learn where the process breaks, not just who clicked.
Realistic, not punitive.
Multi-channel campaigns
Real attacks blend email, phone, and physical vectors. We simulate them together to expose the gaps a single-channel test would miss.
OSINT-driven realism
Pretexts are built from real open-source intelligence about your organization, so the test reflects what a motivated attacker could actually pull off.
Control-focused results
We measure your detection and response controls rather than assigning individual blame, and hand back targeted awareness and process improvements.
From campaign to coaching.
Your social engineering results land in Sable: detection and reporting rates, the controls that failed, and the follow-up actions, tracked over time so you can prove your human firewall is getting stronger.
- Phishing42% clicked · 24% reported
- Vishing31% clicked · 12% reported
- Smishing27% clicked · 9% reported
- Pretexting18% clicked · 6% reported
Test your human firewall.
Let us design a realistic social engineering campaign that shows exactly how your people and processes respond to a real attack.