Offensive Security — Flagship Service

Phishing Simulation & Social Engineering

Realistic phishing and optional vishing campaigns tailored to UAE threat patterns — with before/after click-rate metrics you can actually report to the board. The measurement layer for any security awareness program.

AED 8,000 – 20,000 · CEH · CPTS · 2 – 3 weeks
Book a 30-min Scoping Call →

What it is

Controlled phishing and social-engineering campaigns against your workforce — realistic scenarios, authentic-looking lures, tailored to UAE industry and threat patterns. We send; users click (or don't); we report with clear before/after metrics.

Using GoPhish as the core platform, we design 3 – 5 scenario variants per campaign, vary the difficulty across easy, medium, and hard, and produce a report that shows overall click rate, reporting rate (how many users flagged the phish), time-to-click distribution, and group-level comparisons (finance vs. dev vs. sales vs. exec). Pair with our Awareness Training for measurable behaviour change across 90-day windows.

Who this is for

  1. You delivered security awareness training and need to measure whether click rates actually changed.
  2. A real phishing incident or BEC near-miss has the board asking for a baseline.
  3. You need audit evidence of active phishing defence for ISO 27001 / NESA / PDPL.

What you get

  • Campaign design — 3 – 5 realistic phishing scenarios varied by difficulty and theme.
  • Controlled delivery — campaigns sent in waves, tracked via GoPhish telemetry, with safe handling of clicked links (no malware, no credential capture beyond the first field).
  • Results report — overall click rate, reporting rate, time-to-click distribution, group comparisons.
  • Just-in-time training page — clicked users land on a page explaining the red flags in the lure they fell for.
  • Executive summary — 1-page board-consumable metrics and recommendations.

How we deliver

01 · Scoping & scenario design · 3 – 5 days
Target list, group segmentation, scenario authoring, rules of engagement signed.

02 · Campaign delivery · 3 – 7 days
Controlled wave-based delivery via GoPhish, click telemetry captured, just-in-time training page served.

03 · Reporting · 2 – 3 days
Results report, executive summary, recommendations for follow-up.

Pricing

Published range

AED 8k – 20k

Per campaign. Price driven by user count, number of scenarios, and vishing add-on.

  • Deposit: 50% at signing
  • Net terms: Net-30
  • Quarterly recurring: 20% discount on 4-campaign agreement
  • Awareness Training bundle: 10% discount together

Your cert-backed lead

Lead Operator

Nelson Durairaj

OSCP · eJPT · CEH

Focus: Scenario design, infrastructure setup, telemetry, results analysis. Also runs the live demos in Security Awareness Training workshops — so the theory and the demonstration come from the same person.

Frequently asked questions

What do you actually send?

Realistic phishing scenarios tailored to your industry, common UAE attack patterns, and lookalike brand themes (DMCC, Emirates, HSBC UAE, Microsoft Teams, DHL, courier tracking, internal IT password-reset templates). We vary the difficulty — easy, medium, hard — and measure click rates per group.

Is this legal / ethical?

Yes — phishing simulations are standard industry practice and explicitly permitted under UAE employment and cyber law when conducted by the employer. You sign a rules-of-engagement document authorising the campaign. Employees aren't individually punished for clicks; results are used for program improvement.

How many users can you test?

From 10 to 5,000+ per campaign. Pricing scales gently with user count; the core effort is campaign design and reporting, not per-user.

Do you include vishing (voice phishing)?

Optional add-on — we can include a smaller-scale vishing campaign (10 – 30 calls) to key roles (finance, executive, IT help desk). Useful for measuring resistance to pretext calls. Adds ~AED 3 – 5k depending on scope.

What's your actual phishing click rate?

From AED 8k. 2 – 3 weeks from scoping to board-ready results. Written quote in 48 hours.

Book a Scoping Call →