Test your people and your premises.

The strongest firewall does not help if someone holds the door open or clicks the wrong link. We test your people, your processes and your premises the way a real intruder would, safely and under agreed rules, then show you where the gaps are and how to close them.

Social engineering

Phishing, vishing and pretext contact that targets your people, built from real information an attacker could find about your organisation.

  • Phishing & vishing
  • Pretext development
  • OSINT-driven targeting
  • Payloads & landing pages

Physical access

Getting into your building and reaching what matters: tailgating, cloned badges, and bypassing locks, doors and reception.

  • Tailgating & pretext entry
  • Badge cloning
  • Lock & door bypass
  • Reception & process gaps

Workstation & kiosk breakout

Breaking out of locked-down workstations, kiosks and shared terminals once inside, to reach the network behind them.

  • Kiosk & terminal breakout
  • Locked-down desktops
  • USB & peripheral attacks
  • Reaching the network

We test the whole chain.

Real attackers do not stick to one trick. They phish to get a foothold, then walk in, or they walk in and plug into the network. We chain the human, physical and digital together to show what a determined attacker could actually achieve.

  • Realistic pretexts built from OSINT on your organisation
  • Phishing and vishing that mirror a genuine campaign
  • On-site entry, tailgating and access-control bypass
  • A clear read on how your people and processes responded

How an engagement runs.

A physical and social engagement runs in six phases, from signed authorisation through to the debrief. Here is how each one works.

  1. 01

    Scope and rules of engagement

    We agree the targets, objectives and boundaries, and put a signed authorisation letter in place, before anyone is contacted or approached.

  2. 02

    OSINT and pretext

    We build the picture and the cover story from public information, the way an attacker researching you would.

  3. 03

    Social engineering

    We test your people with phishing, vishing and pretext contact, and see how your training and processes hold up.

  4. 04

    Physical entry

    With authorisation, we attempt on-site access: tailgating, bypassing controls and talking past reception to reach the objective.

  5. 05

    Objective and breakout

    We reach the agreed goal, a room, a workstation or data, and show how far an attacker could take it from there.

  6. 06

    Report and debrief

    You get a clear report and a debrief with your team: what worked, what your people did well, and how to close the gaps.

What you get.

You get an honest account of what happened and practical steps to put it right, framed to help your team rather than catch them out.

  • A senior, CREST-certified tester leading the engagement
  • An executive and technical report within 48 hours of finishing
  • Findings rated by real business impact and likelihood
  • Clear, prioritised fixes for your people, processes and premises
  • Evidence for every finding: screenshots, photos, call notes and captured data
  • A debrief with your team to walk through exactly what happened

Physical and social engineering, answered.

Straight answers to what clients ask most before a people-and-premises test.

What is the difference between a phishing simulation and full social engineering?

A phishing simulation sends a batch of test emails and measures who clicks, which is useful for a baseline. Full social engineering is a targeted, goal-based exercise: we build a pretext from real information about your organisation and use phishing, phone calls and in-person contact to actually reach an objective. One measures a click rate; the other proves what a determined attacker could achieve.

Do you do physical, on-site testing?

Yes. With your authorisation we attempt to get into your premises the way an intruder would: tailgating through doors, talking past reception, cloning access badges and bypassing locks, then reaching an agreed objective such as a server room, a desk or a network point. It is always scoped, authorised and safe.

Is this legal and safe?

Yes, because it is authorised. Before anything starts we agree the scope, targets and boundaries in writing, and every tester carries a signed authorisation letter (a get-out-of-jail letter) to show if challenged. We do not damage property, and we agree in advance how far we go and what is off limits.

Will you name and shame the staff who fall for it?

No. The goal is to test your processes and defences, not to catch people out. We report on what happened and why, not on who, and we frame the debrief so your team learns from it rather than feeling blamed. Where an individual detail matters, we agree how to handle it with you first.

Can you combine phishing and physical into one engagement?

Yes, and it is often the most realistic option. A real attacker might phish their way to a foothold, then walk in, or walk in and plug into the network. We can chain the human, physical and digital together into a single goal-based exercise, closer to a small red team than a one-off test.

Do you help our staff improve afterwards?

Yes. Every engagement ends with a debrief that walks your team through exactly what we did, what worked, and where the gaps were. You get clear, prioritised fixes for your people, processes and premises, so the exercise leaves you stronger rather than just scored.

Ready to test your people and premises?

Tell us what you are worried about and what a win looks like for an attacker. We will come back within one working day with a suggested approach and a straight, fixed-price scope.

Book a scoping call